Overview. DOCUMENT RETENTION STRATEGIES FOR HEALTHCARE ORGANIZATIONS A comprehensive and consistently applied document retention policy is necessary to reduce the risk of being charged with spoliation of evidence or being accused of failure to comply with discovery obligations. Operating without any formalized document retention policy or having a policy in place, but not including electronic data is no longer acceptable practice. To avoid legal risk, it is necessary to have a consistently enforced and comprehensive document retention policy that includes electronic data. The financial cost of retaining information is high, but the failure to keep key business documents could be even more expensive. If a company can reasonably anticipate that it may be a defendant in litigation and either negligently or intentionally destroys relevant documents, the court may assume, or instruct the jury that it may assume, that the missing documents contained harmful information. A plaintiff who is found to have intentionally destroyed relevant documents may have its case dismissed outright. Either side may be subject to fines and sanctions for spoliation of evidence. Spoliation in this context includes standard business practices such as recycling backup tapes and throwing out old computers at a time when litigation is reasonably anticipated. It does not require intentional wrongdoing. A business may be exposed to unnecessary risk as a consequence of an inadequate or improperly enforced document retention policy. Documents which are retained longer than necessary may expose a company to unnecessary risks of liability should that information be produced in litigation. On the other hand, the destruction of documents and data that should have been retained can expose a company to charges of spoliation and potential sanctions. If documents and electronic data are organized in such a manner that the company
is aware of what information it retains and the location of that information, the retrieval and production for discovery of such information is maximized. Document Retention Policies: Goals and Purposes. A good document retention policy serves a number of legitimate goals, including: (a) preservation of valuable computer memory and physical storage space; (b) reduction of the volume of stored documents and data facilitating the retrieval of information when called; and (c) making it less likely that discovery of electronic data will reveal harmful or embarrassing information. This is particularly true in the case of stored e-mail. E-mail is the most likely data to become a liability if it is kept beyond its useful life. It is also the most likely to contain harmful or embarrassing information. The most important reasons to implement a document retention policy are: 1. Compliance with statutory and regulatory duties and requirements; 2. Avoidance of liability for spoliation of evidence; 3. To oppose or support a contention in an investigation or in litigation; 4. To avoid unnecessary expense, effort and time during discovery; 5. To maintain control in discovery and e-discovery; and 6. To keep information confidential and avoid disclosure of confidential or proprietary information to competitors and other outsiders. Special Considerations for Healthcare Organizations. Healthcare organizations are subject to multiple legal requirements to retain documents. There are currently over ten thousand federal, state and local laws and regulations addressing the manner in which records must be stored, accessed, maintained and retained. Principal among these are the following: Health Care Insurance Portability and Accountability Act. The Health Insurance Portability and Accountability Act HIPAA which affects any organization that creates, receives or maintains 2
healthcare information including hospitals, health maintenance organizations and healthcare insurers. Generally speaking HIPAA requires that Protected Health Information (PHI) must be kept secure and archived for at least six (6) years or two (2) years after a patient s death. This includes: (a) patient medical records, (b) billing records, (c) authorization forms from physicians, and (d) all communications between patient and physician. Medicare and Medicaid Regulations. 42 CFR 482.24,.26 and.53 regulate the retention of medical records of hospitals that participate in Medicare. These regulations require the applicable records to be retained for at least five (5) years. Sarbanes-Oxley Act. ( SOX ) Section 802, Regulation SX, Rule 2-06 mandates the retention of documents used for financial audits and reporting and requires that documentation be centrally controlled and tested to provide management level visibility to document retention weaknesses. All audit materials must be retained for a minimum of seven (7) years. Gramm Leach-Bliley Act. Like HIPAA, the Gramm Leach-Bliley Act provides privacy protections against the disclosure of private patient information to third parties and requires institutions to have an administrative, physical and technical structure to protect the confidentiality and integrity of personal consumer information. Pennsylvania State Law. (a) Pennsylvania healthcare providers must maintain for four (4) years all medical and fiscal records that disclose the nature and extent of the services rendered to medical assistance patients. 55 Pa.Code 1101.51(e)(1). 3
(b) Pennsylvania hospitals are required to keep records for seven (7) years beyond the age of majority or for a period as long as records of adult patients are kept. 28 Pa.Code 115.23. (c) If a Pennsylvania hospital discontinues operations, it is required to give public notice in at least two forms (legal notice and display advertisement in a newspaper of general circulation) and must maintain these records for five (5) years after closure. 28 Pa.Code 115.23 (d) In Pennsylvania, the statute of limitations for medical malpractice is two (2) years. 42 Pa.C.S. 5525. (e) The Pennsylvania statute of limitations for wrongful death is also two (2) years. 42 Pa.C.S. 5524. False Claims Act. The False Claims Act allows claims to be brought up to seven (7) years after an incident. 31 U.S.C. 3729. Federal Civil Statute of Limitations. The federal statute of limitations for civil penalties under Federal Health Care Programs is six (6) years. 42 C.F.R. 1003. Other Considerations: The corollary to the issue of how long to retain documents is the issue of when and how to dispose of documents. Beyond the reasons set forth above in favor of implementing a document retention program is the need to establish a standardized disposition policy. A healthcare organization may choose to retain records of patients beyond their legally mandated time in order to maintain an exhaustive patient history or to measure the effectiveness of its medical staff. On the other hand, the healthcare organization may wish to reduce its liability by disposing of records when they can do so legally. Some healthcare administration experts believe US-based organizations should maintain copies of patient records for at least as long as the statute of limitations for medical malpractice lawsuits in a particular state. 4
Establishment of the Document Retention Policy To establish an adequate document retention policy, a healthcare organization should, at a minimum, do the following: 1. Develop and consistently enforce a written document retention policy which includes electronic data which complies with statutory document retention periods and preserves documents at least for the duration of statutes of limitations applicable to potential claims. 2. Impose a clear line of responsibility to enforce the policy which includes executive level management, information systems personnel and all technology users. (a) Information technology personnel charged with ensuring that the system loses no data must be made to understand the risks of keeping too much data for too long. (b) All users must be taught not to utilize business systems for personal uses. 3. All employees must be educated in electronic data management. This may be implemented by: (a) Providing a document management program which classifies electronic documents as they are stored, and (b) The automatic deletion of e-mail unless the sender or recipient affirmatively acts to store the message as a business record. 4. Establish regular intervals at which various types of records will be destroyed and ensure that the policy is consistently applied. Keep a detailed record of the type of material destroyed. 5
5. Conduct regular checks to ensure that the policy is being followed and if necessary, adjust it. 6. If litigation is threatened or imminent, have in place an established mechanism to preserve all possible relevant evidence and to notify all appropriate users not to delete or destroy such records. Conclusion. The courts look to the reasonableness of a document retention policy. If the policy serves the legitimate business interests of an enterprise, complies with applicable statutory and regulatory requirements, is uniformly applied and serves to preserve records which may be relevant to a claim or defense involved in threatened or pending litigation, there is little risk of court imposed sanctions. By following the common sense measures recommended above, your organization will reduce its risk of legal sanctions and will be able to promptly and properly respond to discovery in the event of litigation Mark A. Willard, Esquire* Eckert Seamans Cherin & Mellott, LLC 600 Grant Street, 44 th Floor Pittsburgh, PA 15219 412.566.6171 mwillard@eckertseamans.com *Mr. Willard is a commercial litigation partner, the Chair of the Technology Committee and the Litigation Technology Coordinator of the Litigation Division of Eckert Seamans Cherin & Mellott, LLC. Mark A. Willard, 2006 6