Managing Records: Retention, Destruction and Disposal
April 10, 2014
Presentation by Jennifer L. Cox, J.D., Cox & Osowiecki, LLC, Hartford, CT
Today’s Program
• Identify the universe of records involved
– Distinguish patient care/client records from other records
– Discuss best practices versus minimum retention periods
• Discuss destruction “holds”
• Explain “e-discovery” and its impact on document planning and record retention
• Review HIPAA requirements
– Media re-use rules (and dangers)
• Identify appropriate destruction and disposal methods
Creating and Maintaining Policies
• Never have a policy with which you are unlikely to comply
• Assign a committee or work group to carry out periodic review and oversight
• Adjust practices (and update policies) as needed
• Who needs to be involved in the policy creation?
Team Process Needed
• Record retention and destruction planning is multi-purpose, interdisciplinary in nature
– Compliance, Risk, HIM, Governance, Finance
Effective Record Management
Document Management Planning
• Create a written retention schedule and policy
• Enterprise-wide approach is important
• Capture universe of records you need to maintain and track
• Recognize specific requirements for each type of record
– Clinical (including billing records for care)
– Client (but non-HIPAA)
Is There A Template Policy For This?
• Unfortunately, no.
• This is not a one-size-fits-all situation
• While there are some core items to identify, the planning should be customized for each entity
• Start by:
– (1) preparing a list of the types of data involved
No Template, But Various Online Resources
• NACHC has a 2007 guide for both non-clinical and clinical records (good place to start)
– www.nachc.com/client/documents/publications-resources/rm_18_07.pdf
• AHIMA has various guides
• HHS has HIPAA guides that discuss destruction:
– www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
Retention Minimums: Not Even Half The Battle
• Do not concentrate only on regulatory retention minimums
• Not always clear from just regulation
– payer rules, exceptions, other standards can extend periods
• Use longest time it could be (not the shortest)
• Clinical record minimums vary (more than you think)
Clinical Patient Record Retention Minimums
• Connecticut law for clinic records:
– 5 years from last date of care
– Do not destroy as you go, entire cycle of record should be maintained
• Connecticut law for practitioner records
– 7 years from last date of care (or 3 from date of death)
– Do not destroy as you go, entire cycle of records
• Some records must be kept for 10 years!!
• Instead, focus on all uses of the record, not just the DPH/HHS requirements
Clinical Records: Diverse Life Cycle
Records Serve Many Purposes
Intake
Care and billing
Audit and backup
QI/QA, research, population management, analytics
Program evaluation, investigation, litigation
Destruction and disposal
Non-Patient/Client Records
• While we tend to focus on clinical and client records, you need a plan for non-clinical as well
– Business: corporate, governance, HR, grants, accreditation, program evaluation, policies and procedures
– Financial: CMS look-back (4-year minimum, 10 years to be safe), tax records
• Some of these areas have their own minimums!!
– 10 years is the lowest common denominator for most
– Core corporate and governance materials should be retained in perpetuity
Contracts, Grants And Programs
• Retention obligations are often in the fine print of a contract, grant or program
• Important to have someone read for those issues when new contracts, grants, programs start
• Flagging or increasing retention of materials that may fall into more than one bucket is critical
Holds
• Although materials may have exceeded the timeframe in your policy, there are specific times you would “hold” off on destruction:
– Litigation or investigation
– Prolonged audit or billing issue
– Special request
Implementing Hold Policy And Process
• Prior to actual destruction, consider whether anything is on hold
– how are holds communicated within the enterprise?
E-Discovery
• Federal and state court rules that prohibit you from destroying potential evidence in a claim, and require you to turn over relevant e-materials
• Applies in litigation or in anticipation of litigation
• More common in HR or contract claims than malpractice, but can apply in any litigation matter
• Hard to implement, and needs to be a priority in the event of (anticipated) litigation
E-Discovery (cont)
• Intersection of administrative document management and IT/IS
• Four key steps in planning for potential e-discovery situations:
– Determine where the data exist in the enterprise
– How is it identified (can it be located rapidly)?
– Do you have policies for BYOD?
– Will you need an outside vendor to retrieve the data?
E-Discovery: Needle In A Haystack
• Communications are hard to find if you do not know where to look
E-Discovery (cont)
• Primary areas: email and documents (includes draft documents you retain)
• If you do not consider these issues until a litigation matter occurs, it will be too late
• When litigation or claim commences, ask counsel immediately about any e-discovery steps you need to take
• Have “hold” capability for the sources of data that might be affected
HIPAA Specific Requirements
• Records must be rendered unreadable, indecipherable, and not able to be reconstructed
• You can use a vendor – but you will need a business associate agreement, and a clear understanding of what the vendor will do with the materials to destroy them
Acceptable Destruction Methods
• Paper
– Shredding, burning, chemical destruction (pulping)
• Electronic materials: depends on what they are, and on what method makes them unreadable and indecipherable. Examples:
– Clearing
– Purging (degaussing or magnetic field disruption)
– Physical destruction (pulverization, melting, incineration, shredding)
Never Throw PHI In The Trash
HIPAA Rules For Destruction
• You can use a locked shred-it box, or opaque bags in a secure area, while awaiting disposition
• You are not required to insist on onsite destruction from a vendor (but if they’ll do it that way, great)
Things That Are Not Always Obvious
When PHI is involved…
• Watch out for printers in remote areas or offices, train the users carefully
• Do not allow shared passwords or log-ins
• Do not allow shared media storage devices
• If you allow BYOD, what is the plan for destruction?
HIPAA: Media Re-Use
• Electronically stored information is located in a variety of devices and media that could be re-used
• Ensure that once data are not needed, or a workforce member’s reason for access to the data has ended, you do not put a device or media back into use before purging the PHI on the device or media – hardware and software.
• Consider anything with a memory, anything portable, anything that can store PHI:
– Ex: flash drives, back-up tapes, copiers, laptops, hard drives, CDs, DVDs, laser discs, etc.
Documentation of Destruction
• Policies should reflect plan for documenting record destruction
Documenting Destruction
• Create a log of what types of data were destroyed
– For patient/client files, you may want to include a batched list of names with another identifier, preferably record or account number (not d/o/b or SSN)
• Ask vendors for proof of destruction and methods
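As an added illustration (not part of the presentation), the following Python sketch ties the "Holds" and "Documenting Destruction" slides together: a record is only cleared for destruction once no hold is open and the longest applicable retention period has run, and the log entry carries the record/account number rather than DOB or SSN. The record types, the Connecticut periods and the CMS look-back figure come from the slides; treating the post-death period as "whichever date is later" and the field names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Retention minimums (years) from the slides; a policy should use the LONGEST applicable
# period, so payer or contract periods would be added here when they are longer.
RETENTION_YEARS = {
    "clinic_record": 5,        # CT clinic records: 5 years from last date of care
    "practitioner_record": 7,  # CT practitioner records: 7 years (or 3 from date of death)
    "financial_cms": 10,       # CMS look-back: 4-year minimum, 10 years to be safe
}

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb start date in a non-leap target year
        return d.replace(year=d.year + years, day=28)

@dataclass
class Record:
    record_number: str                 # the identifier used in the log; never DOB or SSN
    record_type: str
    last_date_of_care: date
    date_of_death: Optional[date] = None
    holds: list = field(default_factory=list)  # e.g. ["litigation"], ["audit"]

def retention_end(rec: Record) -> date:
    """Earliest date the record may be destroyed under the retention schedule."""
    end = add_years(rec.last_date_of_care, RETENTION_YEARS[rec.record_type])
    if rec.record_type == "practitioner_record" and rec.date_of_death:
        # Assumption: when both periods apply, keep the later date ("use the longest time").
        end = max(end, add_years(rec.date_of_death, 3))
    return end

def destruction_decision(rec: Record, today: date) -> tuple:
    """Returns (eligible, reason); holds are checked before the retention clock."""
    if rec.holds:
        return False, "on hold: " + ", ".join(rec.holds)
    end = retention_end(rec)
    if today < end:
        return False, "retain until " + end.isoformat()
    return True, "eligible for destruction"

def log_entry(rec: Record, today: date, method: str, vendor_cert: Optional[str] = None) -> dict:
    """Destruction-log line: record number, method and vendor proof; refuses held/unripe records."""
    eligible, reason = destruction_decision(rec, today)
    if not eligible:
        raise ValueError("refusing to log destruction: " + reason)
    return {"date": today.isoformat(), "record_number": rec.record_number,
            "record_type": rec.record_type, "method": method, "vendor_certificate": vendor_cert}
```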
Documentation of Destruction: Machines and Hard Drives
• Be careful with machines that have memory that are being:
– reclaimed off lease
– used in another department
– donated
• Try to get in writing from leasing agent or vendor that the machine is clear of memory
Documentation of Destruction: Portable Storage Media
• Are you internally re-using flash drives, CDs, or DVDs?
– You will want a central processing point
• Plan for central collection of spent or no longer usable media to process for destruction
– For HIPAA, you need an inventory – when media is taken out of service and/or destroyed, update the inventory
Do Not Forget Virtual Records
• Cloud storage that contains “copies” of your data should be addressed in your policies and procedures for retention and destruction
Third Party Copies
• Business associates have obligations in your BAA to return or destroy PHI when it is no longer needed
• Other vendors’ copies should be planned for return or destruction
• You do not need a receipt or certificate if the contract (including BAA) says they will destroy it