Seven Things You Need to Know About Long-Term Document Storage and Compliance
U.S. companies are required by law to retain documents and data in both physical and electronic format. Implementing comprehensive retention policies protects you from unnecessary risks while helping to control business costs. While there are many recent regulations that impact a company’s content management strategy, people are most familiar with the Health Insurance Portability and Accountability Act (HIPAA), which the U.S. Congress passed in October 1996, and the Sarbanes-Oxley Act (SOX), which came into force in July 2002. SOX introduced major changes to the regulation of corporate governance and financial practice. Prior to its passage, no company in the U.S. had a system of controls, auditing and reporting in place that would completely satisfy the new law.
Enterprise content management helps put practices in place to ensure continued compliance, which typically incorporates long-term archival storage. In addition, content management software provides tools for business process management and auditing, as well as document versioning. In general, a content management implementation should have the flexibility to address retention requirements specific to an organization’s industry and the states in which it operates.
It’s important to look for a granular security model that prevents unauthorized users from accessing documents and data. The document archive should be fully secure, even when information is shared over the Internet.
Automating document lifecycle processes also helps ensure regulatory compliance and provides an audit trail that reports on who has accessed, modified or deleted documents. Plan to carefully track user and administrator activities to assure compliance with Sarbanes-Oxley, HIPAA, state records management rules and other industry-specific regulations. Audited user activities should include indexing, modifying, deleting, viewing, forwarding, emailing and printing data and documents. Your information management strategy should include the ability to track versions, audit system changes, and protect intellectual property from unauthorized access.
1. What do you need to know before starting?
Begin by conducting a needs assessment, or discovery, to identify the best way to use content management in your organization. The implementation methodology is not a rigid process but rather a foundation of crucial steps. The purpose is to foster two-way communication between IT, other departments, and the software vendor so that everyone is in agreement on the types of services needed, how they fit into the overall implementation, and how they integrate with existing systems. Clearly define the project scope in each department or functional group. All stakeholders have to be involved in a discovery process to define the types of documents, data, photos, graphics, audio and video files that will be archived. Businesses need to define and plan for industry-specific requirements such as the ability to archive and retrieve email for e-Discovery or, in the case of public entities, to respond to Freedom of Information Act requests.
2. What will you need to get started and follow through to implementation?
Post-discovery, the exchange of ideas that takes place on-site should result in a document exchange between the vendor and those who will accept the project plan. Creating a detailed project plan mitigates the risks associated with a technology purchase. Your organization should receive a “blueprint” from the vendor that reflects your design specifications and a bill of materials that shows all the components, implementation and training required to deliver the ROI you mandated. Once the project plan is approved, schedule the implementation with your vendor who will
3. What best practices should you follow for making sure data is preserved properly?
The document storage archive should have a strong security model and audit trail. Version control is another important feature that assures you are working with and ultimately archiving the most current, approved information. Also look for full text search, automated batch import, indexing and tools for sharing information via the Web.
Once a retention schedule is established for each document type, purging the documents is the final component within a records management workflow. Documents that meet the specific criteria will be eliminated after a particular number of days or years. Having an automated system enables organizations to limit liability and mitigate the costs associated with storing documents for longer than necessary.
4. How do you decide what needs to be archived?
Document retention requirements vary by state and by industry. Securities brokers and dealers, for example, are required to retain all business-related communications for three years, the first two years in an accessible format. Trucking companies must keep the results of employee alcohol tests for up to five years. All businesses must retain federal payroll tax records for at least four years from the date the tax is paid.
There are currently over ten thousand federal, state and local laws and regulations addressing document retention. The most widely enforced include:
Health Insurance Portability and Accountability Act (HIPAA): HIPAA affects any organization that creates, receives or maintains healthcare information. HIPAA requires that Protected Health Information (PHI) be kept secure and archived for at least six years or two years after an individual’s death. This includes patient medical records, billing records, authorization forms from physicians, and all communications between patient and physician – basically any healthcare information that can be linked to a specific individual.
Sarbanes-Oxley Act (SOX): SOX mandates the retention of records used for financial audits and reporting for at least seven years. A record is any material containing information about the company, including plans, results, policies or performance. All records may be subject to an audit. The lack of a good records management and retention system is a red flag for auditors. Under SOX, the annual report of a company must include a review of the effectiveness of internal controls of the document management system, as well as the policies and processes of the company as a whole. The records also must be searchable and quickly made available upon request.
5. What products, tools or programs might you need?
Organizations need a product that’s simple to use and easily adaptable to the requirements of multiple departments across an organization. The ability to search and access documents or data via the Web is typically important. Organizations will also want to invest in off-site backup for additional disaster recovery protection.
Disaster recovery software should provide real-time backup at the byte level while offering continuous high availability of data and documents with automatic failover capabilities. Features to look for include:
• Real-Time Data Protection – Allows continuous replication over any shared or private IP-based LAN, WAN or SAN, ensuring that altered information is protected and can be quickly restored at all times
• Application Agnostic – Ability to work with your existing hardware to protect documents and data within all software applications
• Continuous Data Protection
6. What are the benefits of following the recommended practices?
Risk Reduction
• Archive all electronic and paper-based documents: Store documents that must be retained in a secure electronic repository
• Security and retention: Create and communicate strict policies around security and document retention
• Business process automation: Publish, enforce, and audit mandated business processes
• Transparency: Enable rapid access to all appropriate business documents
• Discovery: Be able to search corporate documents to discover all information pertaining to specific business issues
• Monitor access: Prevent unauthorized use, editing or deletion of documents
• Confidentiality: Safeguard private data through access security and redaction
Solution Mechanism
• Advanced capture and secure retention: Image and archive all incoming and outgoing paper and electronic communications
• Revision control: Place all office documents (Microsoft Word, email, faxes, spreadsheets, memos) under revision control and enforce a pre-determined retention strategy
• Automated processes: Ensure compliance by providing electronic notification and automatic escalation to minimize human error
• Comprehensive audit trail: Detailed reporting on who views, accesses, prints, and changes all documents
• Full text search: Index content for easy retrieval, audit and discovery
Compliance Benefits
With the right content management system, your organization can:
• Ensure adherence to compliance regulations and corporate best practices
• Audit all access and modifications to corporate documents
7. What pitfalls do you need to watch out for?
It is important to plan for exceptions to every retention rule. For example, typically an invoice is retained for seven years. However, if that invoice has never been paid or may be required as evidence for an ongoing court case, you will want a mechanism to flag that invoice and save it. Be aware that multiple laws may affect the retention period of the same record or file. The common exceptions to retention rules can be discussed during the initial discovery process.
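The purge step of the records management workflow (section 3) together with the retention exceptions just described, as an added Python example that is not part of the original paper or of any Westbrook product: a schedule in which several rules can apply to one document type (this example assumes the longest period governs), plus a legal hold flag that blocks purging regardless of schedule and records the reason for the audit trail. The schedule entries, rule names and record values are constructed for illustration and are not legal advice.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    source: str   # regulation or corporate policy the period comes from
    years: int    # minimum retention after the record's trigger date


@dataclass
class Record:
    record_id: str
    doc_type: str
    trigger_date: date        # e.g. invoice date, or date the tax was paid
    legal_hold: bool = False  # set when unpaid, in litigation, etc.
    hold_reason: str = ""


# Constructed schedule (illustrative): one document type may fall under
# several rules at once; this example assumes the longest period governs.
SCHEDULE = {
    "invoice": [RetentionRule("corporate policy", 7)],
    "payroll_tax": [RetentionRule("federal payroll tax", 4),
                    RetentionRule("financial audit record", 7)],
    "patient_record": [RetentionRule("HIPAA", 6)],
}


def add_years(d: date, years: int) -> date:
    """Same calendar date N years later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def purge_eligible_date(record: Record) -> tuple:
    """Earliest purge date and the rule that sets it (longest applicable)."""
    rules = SCHEDULE.get(record.doc_type)
    if not rules:
        raise KeyError(f"no retention rule for type {record.doc_type!r}")
    governing = max(rules, key=lambda r: r.years)
    return add_years(record.trigger_date, governing.years), governing.source


def purge_decision(record: Record, today: date) -> tuple:
    """(may_purge, reason) for the audit log; a legal hold always wins."""
    if record.legal_hold:
        return False, f"legal hold: {record.hold_reason or 'unspecified'}"
    eligible_on, source = purge_eligible_date(record)
    if today < eligible_on:
        return False, f"retain until {eligible_on.isoformat()} ({source})"
    return True, f"retention satisfied on {eligible_on.isoformat()} ({source})"
```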
Summary
Long-term document storage, or archiving, means keeping documents and data around for a defined period. Organizations can successfully use content management and related archiving to be in compliance with a defined set of legal or regulatory requirements, and then be able to prove that they actually meet those requirements.
Westbrook Technologies, Inc 22 Summit Place, Branford, CT 06405 U.S.A. Tel: +1 203 483 6666 · Fax: +1 203 483 3350
westbrooktech.com
THIS DOCUMENT IS PROVIDED TO YOU FOR INFORMATIONAL PURPOSES ONLY. The information furnished in this document, believed by Westbrook Technologies, Inc. to be accurate as of the date of this publication, is subject to change without notice. Westbrook assumes no responsibility for any errors or omissions in this document and shall have no obligation to you as a result of having this document available to you or based upon the information it contains. The Westbrook logo is a registered trademark of Westbrook Technologies, Inc. Westbrook, Fortis and FortisBlue are trademarks of Westbrook Technologies, Inc. All other products and services are the registered trademarks of their respective holders.
©Copyright 1997-2011, Westbrook Technologies, Inc. All Rights Reserved.
1150 National Pky. Mansfield OH, 44906 877-529-8295 | 419-529-8295