By John Burchfield
Healthcare companies and hospitals have more sensitive records and added regulations than other industries. They also must deal with an ever-increasing amount of electronically stored information (ESI), including data collected from computers, social media, the cloud, deleted information and mobile devices. Because of this, each custodian, i.e., user of a computer, typically has a minimum of three to seven gigabytes of data that could be collected during the eDiscovery phase of litigation. That amounts to 200,000 to 400,000 pages of information.
This explosion of data points to the urgent need that most, if not all, healthcare companies have for a document retention policy. However, many executives do not know how to create a policy or what it should entail.
Why It Is Important
There are two main risks to not having a document retention policy. One: There may be data on your servers – that could have been legally deleted – that can be used against you in litigation. Two: Much of this data will have to be collected during litigation, and having terabytes of electronic data leads to unnecessarily high eDiscovery costs, not to mention that it takes up valuable data storage that could be put to better use.
Following a retention policy, which includes deleting information in the normal course of business, ensures that you will not be penalized in court for destruction of relevant data. The key is to comply with all regulatory or legal hold requirements, which should be part of any document retention policy.
Where to Start
In our experience, implementing a policy is much tougher than writing one. The most important step is gaining strong support from upper management. Deleting information through a governance or retention policy is a significant cultural change, so C-level support can help the human resources and IT departments implement the policy.
To implement, appoint records coordinators for each department. These people will be on the front line of changing corporate culture to start identifying and getting rid of files that are no longer needed. Department heads make the final decision on what to save or delete for each department. Having the chief information officer and his or her team perform audits can ensure that department heads aren’t retaining too much data.
Document retention policies must observe regulatory retention requirements. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule requires organizations to have policies and procedures to address electronic protected health information (PHI) and the hardware or electronic media it is stored on. Procedures for the removal of electronic PHI before the media it was on can be re-used are also required.
If a document or email isn’t part of an important business use, isn’t subject to regulatory compliance and isn’t part of an existing or anticipated legal issue, it should be deleted within the time frame defined by the policy. It is crucial to remember that anticipation of litigation triggers a litigation hold requirement.
One way to define what is relevant to an important business use is to rely on a committee of people drawn from throughout the company to make these decisions. For example, one healthcare company we worked with defined the data essential to running the business as documents that were: marketing plans and materials, customer service records, purchasing records and financial records.
Typically, policies include a timeline for deleting old emails and data. For example, you may decide that anything older than 90 days should be deleted. The HIPPA Privacy Rule does not require organizations to keep patients’ medical records for any specific amount of time, but most states have laws about how long records should be retained. Make sure the IT department knows about any exceptions to the policy, including information under legal hold or records that must be kept for regulatory compliance.
The most important thing for a document retention policy is consistency of enforcement. It could be worse to have a policy in place that you do not enforce than to not have any policy at all. Obviously, we recommend having a policy, but you must handle incidents the same way each time.
ESI has made a retention policy exponentially more critical. As the data volume explodes (a single gigabyte of email could easily contain 10,000 records), so does the risk and expense of retaining that data. Each corporation potentially deals with data from social media, the cloud, platforms like SharePoint, email, mobile devices and more. The huge amount of data in each company today has led to large IT costs in maintaining data, higher review costs, and escalating risk.
John Burchfield is executive vice president of Nashville-based DSi, which provides advanced eDiscovery and digital forensics services. He can be reached at [email protected].