Managing Records: Retention, Destruction and Disposal
Presentation by Jennifer L. Cox, J.D.
Cox & Osowiecki, LLC
Hartford, CT
April 10, 2014

Today's Program
- Identify the universe of records involved
- Distinguish patient care/client records from other records
- Discuss best practices versus minimum retention periods
- Discuss destruction holds
- Explain e-discovery and its impact on document planning and record retention
- Review HIPAA requirements
- Media re-use rules (and dangers)
- Identify appropriate destruction and disposal methods
- Outline best practices for documentation of disposal

Creating and Maintaining Policies
- Never have a policy with which you are unlikely to comply
- Assign a committee or work group to do periodic review of the oversight
- Adjust practices (and update policies) as needed
- Who needs to be involved in the policy creation?

Team Process Needed
- Record retention and destruction planning is multi-purpose, interdisciplinary in nature
- Diagram labels: Compliance; Risk; Effective Record Management; HIM; Governance, Finance

Document Management Planning
- Create a written retention schedule and policy
- Enterprise-wide approach is important
- Capture universe of records you need to maintain and track
- Recognize specific requirements for each type of record
  - Clinical (including billing records for care)
  - Client (but non-HIPAA)
  - Business/financial

Is There A Template Policy For This?
- Unfortunately, no. This is not a one-size-fits-all situation
- While there are some core items to identify, the planning should be customized for each entity
- Start by: (1) preparing a list of the types of data involved (2) identifying your facility's approach

No Template, But Various Online Resources
- NACHC has a 2007 guide for both non-clinical and clinical records (good place to start): www.nachc.com/client/documents/publicationsresources/rm_18_07.pdf
- AHIMA has various guides
- HHS has HIPAA guides that discuss destruction: www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

Retention Minimums: Not Even Half The Battle
- Do not concentrate only on regulatory retention minimums
- Not always clear from just regulation; payer rules, exceptions, other standards can extend periods
- Use longest time it could be (not the shortest)
- Clinical record minimums vary (more than you think)

Clinical Patient Record Retention Minimums
- Connecticut law for clinic records: 5 years from last date of care
- Do not destroy as you go, entire cycle of record should be maintained
- Connecticut law for practitioner records: 7 years from last date of care (or 3 from date of death)
- Do not destroy as you go, entire cycle of records
- Some records must be kept for 10 years!!
- Instead, focus on all uses, not just the DPH/HHS shortest timeframe

Clinical Records: Diverse Life Cycle
- Diagram labels: Intake; Destruction and disposal; Care and billing; Records Serve Many Purposes; Program evaluation, investigation, litigation; Audit and backup; QI/QA, research, population management, analytics

Non-Patient/Client Records
- While we tend to focus on clinical and client records, you need a plan for non-clinical as well
- Business: corporate, governance, HR, grants, accreditation, program evaluation, policies and procedures
- Financial: CMS look back (4 year minimum, 10 years to be safe), tax records
- Some of these areas have their own minimums!!
- 10 years is the lowest common denominator for most
- Core corporate and governance materials should be retained in perpetuity

Contracts, Grants And Programs
- Retention obligations are often in the fine print of a contract, grant or program
- Important to have someone read for those issues when new contracts, grants, programs start
- Flagging or increasing retention of materials that may fall into more than one bucket is critical

Holds
- Although materials may have exceeded the timeframe in your policy, there are specific times you would hold off on destruction:
  - Litigation or investigation
  - Prolonged audit or billing issue
  - Special request
  - Pending requests

Implementing Hold Policy And Process
- Prior to actual destruction, consider whether anything is on hold
- How are holds communicated within the enterprise?

E-Discovery
- Federal and state court rules that prohibit you from destroying potential evidence in a claim, and require you to turn over relevant e-materials
- Applies in litigation or in anticipation of litigation
- More common in HR or contract claims than malpractice, but can apply in any litigation matter
- Hard to implement, and needs to be a priority in the event of (anticipated) litigation

E-Discovery (cont)
- Intersection of administrative document management and IT/IS
- Four key steps in planning for potential e-discovery situations:
  - Determine where the data exist in the enterprise
  - How is it identified (can it be located rapidly)?
  - Do you have policies for BYOD?
  - Will you need an outside vendor to retrieve the data?

E-Discovery: Needle In A Haystack
- Communications are hard to find if you do not know where to look

E-Discovery (cont)
- Primary areas: email and documents (includes draft documents you retain)
- If you do not consider these issues until a litigation matter occurs, it will be too late
- When litigation or claim commences, ask counsel immediately about any e-discovery steps you need to take
- Have hold capability for the sources of data that might be affected

HIPAA Specific Requirements
- Records must be rendered unreadable, indecipherable, and not able to be reconstructed
- You can use a vendor but will need a business associate agreement, and clear understanding of what the vendor will do with the materials to destroy them

Acceptable Destruction Methods
- Paper: shredding, burning, chemical destruction (pulping)
- Electronic materials: depends on what they are, and what method makes them unreadable and indecipherable. Examples:
  - Clearing
  - Purging (degaussing or magnetic field disruption)
  - Physical destruction (pulverization, melting, incineration, shredding)

Never Throw PHI In The Trash
- Using trash alone is a HIPAA failure

HIPAA Rules For Destruction
- You can use a locked shred-it box, or opaque bags in a secure area, while awaiting disposition
- You are not required to insist on onsite destruction from a vendor (but if they'll do it that way, great)

Things That Are Not Always Obvious When PHI Is Involved
- Watch out for printers in remote areas or offices, train the users carefully
- Do not allow shared passwords or log-ins
- Do not allow shared media storage devices
- If you allow BYOD, what is the plan for destruction?
- Backups and copies must be considered

HIPAA: Media Re-Use
- Electronically stored information is located in a variety of devices and media that could be reused
- Ensure that once data are not needed, or a workforce member's reason for access to the data has ended, you do not put a device or media back into use before purging the PHI on the device or media hardware and software
- Consider anything with a memory, anything portable, anything that can store PHI
- Ex: flash drives, back-up tapes, copiers, laptops, hard drives, CDs, DVDs, laser discs, etc.

Documentation of Destruction
- Policies should reflect plan for documenting record destruction

Documenting Destruction
- Create a log of what types of data were destroyed
- For patient/client files, you may want to include a batched list of names with another identifier, preferably record or account number (not d/o/b or SSN)
- Ask vendors for proof of destruction and methods

Documentation of Destruction: Machines and Hard Drives
- Be careful with machines that have memory that are being:
  - reclaimed off lease
  - used in another department
  - donated
- Try to get in writing from leasing agent or vendor that the machine is clear of memory

Documentation of Destruction: Portable Storage Media
- Are you internally re-using flash drives, CDs, or DVDs? You will want a central processing point
- Plan for central collection of spent or no longer usable media to process for destruction
- For HIPAA, you need an inventory; when media is taken out of service and/or destroyed, update the inventory

Do Not Forget Virtual Records
- Cloud storage that contains copies of your data should be addressed in your policies and procedures for retention and destruction

Third Party Copies
- Business associates have obligations in your BAA to return or destroy PHI when it is no longer needed
- Other vendors' copies should be planned for return or destruction
- You do not need a receipt or certificate if the contract (including BAA) says they will destroy it

Q&A
- Questions?