Ensure Strong Privacy and Compliance Within Your Waste Stream

Christine Uri, Chief Legal and Human Resources Officer at ENGIE Insight

Waste disposal can be risky business for many organizations. We are not talking about mixing regular trash with recycling, forgetting to compost, or overflowing bins. Waste is increasingly subject to varied legal requirements, from General Data Protection Regulation (GDPR) to industry-specific state, local and federal regulations.

Many healthcare organizations have made headlines for multimillion-dollar violations resulting from improper disposal of medical waste, hazardous waste, and protected health information. In the past six years alone, the Office of Civil Rights, the enforcement agency of HIPAA regulation, has received more than 180,000 complaints and initiated over 891 compliance reviews. In 55 cases, it has imposed collectively more than $78.8 million in fines on pharmacies, medical centers, and doctors’ offices.

Even companies with robust privacy and compliance programs would be shocked to discover what ends up in their trash. Think about how much your organization spent in the last year to ensure your technology systems comply with GDPR. All that work could be undone by an employee absent-mindedly throwing a thumb drive in the trash, or forgetting to shred certain paper records.

Although many people contribute to an organization’s waste stream, the organization is ultimately responsible for ensuring that its waste practices comply with regulatory requirements. Compliance requires you to think broadly. For example, if you run a medical facility, your nurses and doctors may print paperwork that contains Protected Health Information (PHI) for patients. Patients might throw away their own paperwork as they exit the building. And, regulators could conduct a random audit of your waste stream at any time. Imagine how much better a regulatory visit would go if you had conducted regular audits, discovered the risk of patients adding PHI into your waste stream and can provide documentation of your mitigation strategies to a regulator.

For this reason, waste audits are an essential component of a strong privacy and compliance program. Proper documentation of your findings reveals greatest areas of risk, provides evidence of implementation, and measures ongoing program effectiveness. Today, this documentation is more important than ever, helping to not only minimize violations, but lessen fines should violations occur.

How to conduct a successful audit:

From the hundreds of audits ENGIE Insight has conducted, we’ve found one consistency: when it comes to waste, “you don’t know what you don’t know.” You may be confident in your compliance program, but what if something is slipping through the cracks? To conduct a systematic waste audit, it’s important to:

  1. Collect representative samples. Select locations that reflect your site portfolio. Examine service details to identify when containers are likely to be full, and have a team audit what is in the containers.
  2. Determine consistent methodology to match your goals. Determine your primary focus: are you investigating privacy violations (e.g. GPDR, HIPPA, Gramm-Leach-Bliley), medical waste infractions, recycling rates? Customize your sample selection, measurements and methodology to your goals.
  3. Document everything! Record your complete methodology, where you collected samples, what you found (qualitative and quantitative data), recommendations for changes or improvements, follow-up actions and – as you conduct regular audits – comparison against benchmarks and previous audits.
  4. Be flexible and open to new discoveries. During your audit you are likely to see trends that you didn’t expect. For instance, are there certain departments/locations that have violations more than others? Be sure to document trends and patterns as these will be essential to your program design.

Whatever your goal: compliance, risk management, cost savings or a combination, a waste audit is your most valuable tool to gain the quantitative and qualitative data to ensure program effectiveness. Get a head start with a deep dive into your waste today.

Related Content:



  • Gary Blokhuis

    The broad term “waste” can be very misleading. It generally covers rubbish or household items that are spoiled, or broken, and as such no longer useful or needed. But your application in using the waste in broader sense makes one stop and think. We begin to realize why the world is drowning in waste.

Comment on this post