Managing Records: Retention, Destruction and Disposal

April 10, 2014

Presentation by Jennifer L. Cox, J.D. Cox & Osowiecki, LLC Hartford, CT

(2)

Today’s Program

• Identify the universe of records involved

– Distinguish patient care/client records from other records

– Discuss best practices versus minimum retention periods

• Discuss destruction “holds”

• Explain “e-discovery” and its impact on document planning and record retention

• Review HIPAA requirements

– Media re-use rules (and dangers)

• Identify appropriate destruction and disposal methods

(3)

Creating and Maintaining Policies

• Never have a policy with which you are unlikely to comply

• Assign a committee or work group to do periodic review of the oversight

• Adjust practices (and update policies) as needed

• Who needs to be involved in the policy creation?

(4)

Team Process Needed

• Record retention and destruction planning is multi-purpose, interdisciplinary in nature

[Diagram labels: Compliance; Risk; HIM; Governance, Finance; Effective Record Management]

(5)

Document Management Planning

Create a written retention schedule and policy

• Enterprise-wide approach is important

• Capture universe of records you need to maintain and track

• Recognize specific requirements for each type of record

– Clinical (including billing records for care)

– Client (but non-HIPAA)

(6)

Is There A Template Policy For This?

• Unfortunately, no.

• This is not a one-size-fits-all situation

• While there are some core items to identify, the planning should be customized for each entity

• Start by:

– (1) preparing a list of the types of data involved

(7)

No Template, But Various Online Resources

• NACHC has a 2007 guide for both non-clinical and clinical records (good place to start)

– www.nachc.com/client/documents/publications-resources/rm_18_07.pdf

• AHIMA has various guides

• HHS has HIPAA guides that discuss destruction:

– www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

(8)

Retention Minimums: Not Even Half The Battle

• Do not concentrate only on regulatory retention minimums

• Not always clear from just regulation

– payer rules, exceptions, other standards can extend periods

• Use longest time it could be (not the shortest)

• Clinical record minimums vary (more than you think)

(9)

Clinical Patient Record Retention Minimums

• Connecticut law for clinic records:

– 5 years from last date of care

– Do not destroy as you go, entire cycle of record should be maintained

• Connecticut law for practitioner records

– 7 years from last date of care (or 3 from date of death)

– Do not destroy as you go, entire cycle of records

• Some records must be kept for 10 years!!

Instead, focus on all uses, not just the DPH/HHS

(10)

Clinical Records: Diverse Life Cycle

Records Serve Many Purposes

Intake

Care and billing

Audit and backup

QI/QA, research, population management, analytics

Program evaluation, investigation, litigation

Destruction and disposal

(11)

Non-Patient/Client Records

• While we tend to focus on clinical and client records, you need a plan for non-clinical as well

– Business: corporate, governance, HR, grants, accreditation, program evaluation, policies and procedures

– Financial: CMS look back (4 year minimum, 10 years to be safe), tax records

• Some of these areas have their own minimums!!

10 years is the lowest common denominator for most

Core corporate and governance materials should be retained in perpetuity

(12)

Contracts, Grants And Programs

• Retention obligations are often in the fine print of a contract, grant or program

• Important to have someone read for those issues when new contracts, grants, programs start

• Flagging or increasing retention of materials that may fall into more than one bucket is critical

(13)

Holds

• Although materials may have exceeded the timeframe in your policy, there are specific times you would “hold” off on destruction:

– Litigation or investigation

– Prolonged audit or billing issue

– Special request

(14)

Implementing Hold Policy And Process

• Prior to actual destruction, consider whether anything is on hold

– how are holds communicated within the enterprise?

(15)

E-Discovery

• Federal and state court rules that prohibit you from destroying potential evidence in a claim, and require you to turn over relevant e-materials

• Applies in litigation or in anticipation of litigation

• More common in HR or contract claims than malpractice, but can apply in any litigation matter

• Hard to implement, and needs to be a priority in the event of (anticipated) litigation

(16)

E-Discovery (cont)

• Intersection of administrative document management and IT/IS

• Four key steps in planning for potential e-discovery situations:

– Determine where the data exist in the enterprise

– How is it identified (can it be located rapidly)?

– Do you have policies for BYOD?

– Will you need an outside vendor to retrieve the data?

(17)

E-Discovery: Needle In A Haystack

• Communications are hard to find if you do not know where to look

(18)

E-Discovery (cont)

• Primary areas: email and documents (includes draft documents you retain)

• If you do not consider these issues until a litigation matter occurs, it will be too late

• When litigation or claim commences, ask counsel immediately about any e-discovery steps you need to take

• Have “hold” capability for the sources of data that might be affected

(19)

HIPAA Specific Requirements

• Records must be rendered unreadable, indecipherable, and not able to be reconstructed

• You can use a vendor – but will need a business associate agreement, and clear understanding of what the vendor will do with the materials to destroy them

(20)

Acceptable Destruction Methods

• Paper

– Shredding, burning, chemical destruction (pulping)

• Electronic materials, depends on what they are, and what method makes them unreadable and indecipherable. Examples:

– Clearing

– Purging (degaussing or magnetic field disruption)

– Physical destruction (pulverization, melting, incineration, shredding)

(21)

Never Throw PHI In The Trash

(22)

HIPAA Rules For Destruction

• You can use a locked shred-it box, or opaque bags in a secure area, while awaiting disposition

• You are not required to insist on onsite destruction from a vendor (but if they’ll do it that way, great)

(23)

Things That Are Not Always Obvious

When PHI is involved…

• Watch out for printers in remote areas or offices, train the users carefully

• Do not allow shared passwords or log-in

• Do not allow shared media storage devices

• If you allow BYOD, what is the plan for destruction?

(24)

HIPAA: Media Re-Use

• Electronically stored information is located in a variety of devices and media that could be re-used

• Ensure that once data are not needed, or a workforce member’s reason for access to the data has ended, you do not put a device or media back into use before purging the PHI on the device or media – hardware and software.

• Consider anything with a memory, anything portable, anything that can store PHI:

– Ex: Flash drives, back-up tapes, copiers, laptops, hard drives, CDs, DVDs, laser discs, etc.

(25)

Documentation of Destruction

• Policies should reflect plan for documenting record destruction

(26)

Documenting Destruction

• Create a log of what types of data were destroyed

– For patient/client files, you may want to include a batched list of names with another identifier, preferably record or account number (not d/o/b or SSN)

• Ask vendors for proof of destruction and methods

(27)

Documentation of Destruction: Machines and Hard Drives

• Be careful with machines that have memory that are being:

– reclaimed off lease

– used in another department

– donated

• Try to get in writing from leasing agent or vendor that the machine is clear of memory

(28)

Documentation of Destruction: Portable Storage Media

• Are you internally re-using flash drives, CDs, or DVDs?

– You will want a central processing point

• Plan for central collection of spent or no longer usable media to process for destruction

– For HIPAA, you need an inventory – when media is taken out of service and/or destroyed, update the inventory

(29)

Do Not Forget Virtual Records

• Cloud storage that contains “copies” of your data should be addressed in your policies and procedures for retention and destruction

(30)

Third Party Copies

• Business associates have obligations in your BAA to return or destroy PHI when it is no longer needed

• Other vendors’ copies should be planned for return or destruction

• You do not need a receipt or certificate if the contract (including BAA) says they will destroy it

(31)

Q&A
