DOCUMENT RETENTION STRATEGIES FOR HEALTHCARE ORGANIZATIONS


Overview.

A comprehensive and consistently applied document retention policy is necessary to reduce the risk of being charged with spoliation of evidence or being accused of failure to comply with discovery obligations. Operating without any formalized document retention policy, or having a policy in place that does not include electronic data, is no longer acceptable practice. To avoid legal risk, it is necessary to have a consistently enforced and comprehensive document retention policy that includes electronic data.

The financial cost of retaining information is high, but the failure to keep key business documents could be even more expensive. If a company can reasonably anticipate that it may be a defendant in litigation and either negligently or intentionally destroys relevant documents, the court may assume, or instruct the jury that it may assume, that the missing documents contained harmful information. A plaintiff who is found to have intentionally destroyed relevant documents may have its case dismissed outright. Either side may be subject to fines and sanctions for spoliation of evidence. Spoliation in this context includes standard business practices such as recycling backup tapes and throwing out old computers at a time when litigation is reasonably anticipated. It does not require intentional wrongdoing.

A business may be exposed to unnecessary risk as a consequence of an inadequate or improperly enforced document retention policy. Documents which are retained longer than necessary may expose a company to unnecessary risks of liability should that information be produced in litigation. On the other hand, the destruction of documents and data that should have been retained can expose a company to charges of spoliation and potential sanctions. If documents and electronic data are organized in such a manner that the company is aware of what information it retains and the location of that information, the retrieval and production for discovery of such information is maximized.

Document Retention Policies: Goals and Purposes.

A good document retention policy serves a number of legitimate goals, including:

(a) preservation of valuable computer memory and physical storage space;
(b) reduction of the volume of stored documents and data, facilitating the retrieval of information when called; and
(c) making it less likely that discovery of electronic data will reveal harmful or embarrassing information.

This is particularly true in the case of stored e-mail. E-mail is the most likely data to become a liability if it is kept beyond its useful life. It is also the most likely to contain harmful or embarrassing information.

The most important reasons to implement a document retention policy are:

1. Compliance with statutory and regulatory duties and requirements;
2. Avoidance of liability for spoliation of evidence;
3. To oppose or support a contention in an investigation or in litigation;
4. To avoid unnecessary expense, effort and time during discovery;
5. To maintain control in discovery and e-discovery; and
6. To keep information confidential and avoid disclosure of confidential or proprietary information to competitors and other outsiders.

Special Considerations for Healthcare Organizations.

Healthcare organizations are subject to multiple legal requirements to retain documents. There are currently over ten thousand federal, state and local laws and regulations addressing the manner in which records must be stored, accessed, maintained and retained. Principal among these are the following:

Health Care Insurance Portability and Accountability Act. The Health Insurance Portability and Accountability Act (HIPAA) affects any organization that creates, receives or maintains healthcare information, including hospitals, health maintenance organizations and healthcare insurers. Generally speaking, HIPAA requires that Protected Health Information (PHI) must be kept secure and archived for at least six (6) years or two (2) years after a patient's death. This includes: (a) patient medical records, (b) billing records, (c) authorization forms from physicians, and (d) all communications between patient and physician.

Medicare and Medicaid Regulations. 42 CFR 482.24, .26 and .53 regulate the retention of medical records of hospitals that participate in Medicare. These regulations require the applicable records to be retained for at least five (5) years.

Sarbanes-Oxley Act. (SOX) Section 802, Regulation SX, Rule 2-06 mandates the retention of documents used for financial audits and reporting and requires that documentation be centrally controlled and tested to provide management level visibility to document retention weaknesses. All audit materials must be retained for a minimum of seven (7) years.

Gramm Leach-Bliley Act. Like HIPAA, the Gramm Leach-Bliley Act provides privacy protections against the disclosure of private patient information to third parties and requires institutions to have an administrative, physical and technical structure to protect the confidentiality and integrity of personal consumer information.

Pennsylvania State Law.

(a) Pennsylvania healthcare providers must maintain for four (4) years all medical and fiscal records that disclose the nature and extent of the services rendered to medical assistance patients. 55 Pa.Code 1101.51(e)(1).
(b) Pennsylvania hospitals are required to keep records for seven (7) years beyond the age of majority or for a period as long as records of adult patients are kept. 28 Pa.Code 115.23.
(c) If a Pennsylvania hospital discontinues operations, it is required to give public notice in at least two forms (legal notice and display advertisement in a newspaper of general circulation) and must maintain these records for five (5) years after closure. 28 Pa.Code 115.23.
(d) In Pennsylvania, the statute of limitations for medical malpractice is two (2) years. 42 Pa.C.S. 5525.
(e) The Pennsylvania statute of limitations for wrongful death is also two (2) years. 42 Pa.C.S. 5524.

False Claims Act. The False Claims Act allows claims to be brought up to seven (7) years after an incident. 31 U.S.C. 3729.

Federal Civil Statute of Limitations. The federal statute of limitations for civil penalties under Federal Health Care Programs is six (6) years. 42 C.F.R. 1003.

Other Considerations: The corollary to the issue of how long to retain documents is the issue of when and how to dispose of documents. Beyond the reasons set forth above in favor of implementing a document retention program is the need to establish a standardized disposition policy. A healthcare organization may choose to retain records of patients beyond their legally mandated time in order to maintain an exhaustive patient history or to measure the effectiveness of its medical staff. On the other hand, the healthcare organization may wish to reduce its liability by disposing of records when it can do so legally. Some healthcare administration experts believe US-based organizations should maintain copies of patient records for at least as long as the statute of limitations for medical malpractice lawsuits in a particular state.

Establishment of the Document Retention Policy

To establish an adequate document retention policy, a healthcare organization should, at a minimum, do the following:

1. Develop and consistently enforce a written document retention policy which includes electronic data, which complies with statutory document retention periods and preserves documents at least for the duration of statutes of limitations applicable to potential claims.

2. Impose a clear line of responsibility to enforce the policy which includes executive level management, information systems personnel and all technology users.
   (a) Information technology personnel charged with ensuring that the system loses no data must be made to understand the risks of keeping too much data for too long.
   (b) All users must be taught not to utilize business systems for personal uses.

3. All employees must be educated in electronic data management. This may be implemented by:
   (a) Providing a document management program which classifies electronic documents as they are stored, and
   (b) The automatic deletion of e-mail unless the sender or recipient affirmatively acts to store the message as a business record.

4. Establish regular intervals at which various types of records will be destroyed and ensure that the policy is consistently applied. Keep a detailed record of the type of material destroyed.

5. Conduct regular checks to ensure that the policy is being followed and, if necessary, adjust it.

6. If litigation is threatened or imminent, have in place an established mechanism to preserve all possible relevant evidence and to notify all appropriate users not to delete or destroy such records.

Conclusion.

The courts look to the reasonableness of a document retention policy. If the policy serves the legitimate business interests of an enterprise, complies with applicable statutory and regulatory requirements, is uniformly applied and serves to preserve records which may be relevant to a claim or defense involved in threatened or pending litigation, there is little risk of court imposed sanctions. By following the common sense measures recommended above, your organization will reduce its risk of legal sanctions and will be able to promptly and properly respond to discovery in the event of litigation.

Mark A. Willard, Esquire*
Eckert Seamans Cherin & Mellott, LLC
600 Grant Street, 44th Floor
Pittsburgh, PA 15219
412.566.6171
mwillard@eckertseamans.com

*Mr. Willard is a commercial litigation partner, the Chair of the Technology Committee and the Litigation Technology Coordinator of the Litigation Division of Eckert Seamans Cherin & Mellott, LLC.

Mark A. Willard, 2006