Skip Navigation

Certification changes open for member comment

15 Jan. 2014

The 2014 changes to the NAID AAA Certification Program are now available for online comment. To review the changes and make comments, please click here. A username and password is required to access this page. If you do not know your login information, you may request it by sending an email to The comment period is open until Feb. 1, 2014. Below is a summary of the new 2014 requirements for the certification program, as approved by the NAID Board of Directors:

HIPAA risk assessment:With the recent changes to HITECH, it is important – now more than ever before – for destruction service providers to maintain and verify compliance as business associates (BA) under HIPAA, especially as it relates to risk assessment. Therefore, several new requirements were added in an effort to make NAID certification synonymous with HIPAA compliance, for both BAs and covered entities (CE).

Audit reports available upon request: Detailed audit reports will now be available to certified companies at their request. The company may keep it for their own records, or they may distribute it to confirm compliance with the NAID Certification criteria and HIPAA. NAID will only provide audit reports to the certified member to which it applies.

Data breach notification to NAID (Agreement 20 and Section 2.1c): Should a certified company experience a security data breach incident that requires them to notify their customer(s) by applicable state and/or federal laws, the company must also notify NAID. This will allow NAID to ensure that any non-compliance issues with the certification criteria and/or NAID Code of Ethics are corrected in a timely manner.

Security data breach incidence response plan (Section 2.1d): The company has a written response plan in place for handling data security breach incidents. This plan must include a post-incident business impact analysis and a process for documenting all incidents and their outcomes, in accordance with HIPAA Security Rule 164.308(a)(6)(ii).    

Access employees must be trained (Section 2.1g): Access employees must be trained to comply with the NAID AAA Certification requirements. Training must meet the requirements of HIPAA Security Rule 164.308(a)(d)(i).

Acquisition and relocation audits (Agreements 25 and 26): Since its inception, NAID Certification has required companies that have undergone a change in ownership or a relocation of plant-based operations to submit to an audit within six months of the change. To clarify some confusion, that policy is now being added to the certification application as an agreement to be signed during the application process.

Notify NAID of problems with CCTV system (Section 2.15): If there is a problem with the CCTV system that results in loss of data, certified companies must notify NAID within 48 hours. This allows NAID to provide guidance and verify that the system is brought back into compliance in a reasonable amount of time. It also benefits the certified company by ensuring that if an audit does occur during the CCTV downtime, it will not count against the company, provided NAID was notified within the required timeframe and the company has corrected the issue.

Please keep in mind that companies that are already certified are bound by the rules of the latest application they submitted to NAID; therefore, they will not be required by NAID to adhere to this new criteria until a new application is submitted for renewal. However, it is a good idea to begin implementing these changes as soon as possible, as they were added to align the certification criteria with the recent changes to HITECH/HIPAA that impact service providers.

For questions or help submitting comments about these program changes, please contact NAID at 602-788-6243 or