[Login]

Litigation Response Planning and Policies for E-Discovery. AHIMA Model E-Discovery Policies: Retention, Storage, and Destruction of Paper and Electronic Health Information and Records

AHIMA Model e-Discovery Policy

Subject/Title

Retention, Storage, and Destruction of
Paper and Electronic Health Information
and Records

Page _ of _

Revision History

Effective Date:

Departments

Affected

Health Information Management,
Information Technology, Legal Services
Departments/Data Owners

Original Issue Date:

Last Reviewed:

Last Revision:

PURPOSE: The purpose of this policy is to achieve a complete and accurate accounting of all relevant records within the organization; to establish the conditions and time periods for which paper-based and electronic health information and records will be stored, retained, and destroyed after they are no longer active for patient care or business purposes; and to ensure appropriate availability of inactive records.

SCOPE: This policy applies to all enterprise health information and records whether the information is paper-based or electronic. It applies to any health record, regardless of whether it is maintained in the Health Information Management Department or by the clinical or ancillary department that created it.

POLICY: It is the policy of this organization to maintain and retain enterprise health information and records in compliance with applicable governmental and regulatory requirements. The organization will adhere to retention schedules and destruction procedures in compliance with regulatory, business, and legal requirements.

Data Owners: Each department or unit that maintains patient health records, either in electronic or paper form, is required to designate a records management coordinator who will ensure that records in his or her area are preserved, maintained, and retained in compliance with records management policies and retention schedules established by the Health Information Management Department [or other designated authority].

Property Rights: All enterprise health information and records generated and received are the property of organization. No employee, by virtue of his or her position, has any personal or property right to such records even though he or she may have developed or compiled them.

Workforce Responsibility: All employees and agents are responsible for ensuring that enterprise health information and records are created, used, maintained, preserved, and destroyed in accordance with this policy.

Destruction of Enterprise Health Information and Records: At the end of the designated retention period for each type of health record and information, it will be destroyed in accordance with the procedures in this policy unless a legal hold/preservation order exists or is anticipated.

Unauthorized Destruction: The unauthorized destruction, removal, alteration, or use of health information and records is prohibited.

PROCEDURE:

Responsible

Action

Data Owner/Departments

Data owners/departments will designate records coordinator for their areas and report that designation to the Records Committee and Litigation Response Team.

Record Committee

[Note: This may be an existing committee, such as the Medical Record Committee, that has membership representing Legal, Compliance, IS/IT, Information Security, HIM, Clinical, and others as appropriate]

The record committee’s role is to authorize any changes to the Retention, Storage, and Destruction policy and procedures; review and approve retention schedules and revisions to current retention schedules; address compliance audit finding; and review and approve control forms relating to business records.

HIM

HIM will convene the Record Committee as needed [or at regular intervals] and maintain responsibility for the following:

  • Review, maintain, publish, and distribute retention schedules and records management policies.
  • Audit compliance with records management (both electronic and paper) policies and retention schedules and report findings to Record Committee.
  • Serve as point of contact for Records Coordinators.
  • Provide training for Records Coordinators. Training will be provided on an individual basis to Records Coordinators and any individual or department that needs assistance.
  • Oversee operation of designated offsite record storage center(s) for archival storage of paper health records and information or serve as contract administrator for such services.
  • Contract for destruction of paper and electronic records and certification thereof.

IT/HIM/Data Owners

IT/HIM/Data Owners will ensure that electronic storage of enterprise health information and records is carried out in conjunction with archiving and retention policies.

Records Coordinators

Records coordinators are responsible for implementing and maintaining records management programs for their designated areas.

They will organize and manage online records management control forms relating to enterprise records and information in their areas of responsibility to accomplish the following:

  • Transfer records to storage
  • Identify, control, and maintain records in storage
  • Retrieve and/or return records from/to storage
  • Document the destruction of records and the deletion of records from the records inventory
  • Monitor the records management process

Record coordinators will obtain (if not already trained) and maintain records management skills.

Legal Services

Legal Services serves as subject matter expert and provides counsel regarding records designations and legal and statutory requirements for records retention and pending legal matters.

It ensures that access to or ownership of records is appropriately protected in all divestitures of property or lines of business or facility closures.

Guidelines for Retention of Records/Information and Schedules:

Record Retention

 

Unless otherwise stipulated, retention schedules apply to all records. Records will only be discarded when the maximum specified retention period has expired, the record is approved for destruction by the record owner, and a Certificate of Destruction is executed.

Non-record Retention

 

Non-records are maintained for as long as administratively needed, and retention schedules do not apply. Non-records may and should be discarded when the business use has terminated.

For example, when the non-record information, such as an employee’s personal notes, is transferred to a record, such as an incident report, the notes are no longer useful and should be discarded. Preliminary working papers and superseded drafts should be discarded, particularly after subsequent versions are finalized.

Instances where an author or recipient of a document is unsure whether a document is a record as covered or described in this policy should be referred to the Compliance Officer for determination of its status and retention period.

E-mail Communication Retention

 

Depending on content, e-mail messages between clinicians and between patients and clinicians and documents transmitted by e-mail may be considered records and are subject to this policy. If an e-mail message would be considered a record based on its content, the retention period for that e-mail message would be the same for similar content in any other format.

The originator/sender of the e-mail message (or the recipient of a message if the sender is outside Organization) is the person responsible for retaining the message if that message is considered a record. Users must save e-mail messages in a manner consistent with departmental procedures for retaining other information of similar content. Users should be aware of Messaging Policies that establish disposal schedules for e-mail and manage their e-mail accordingly.

Development of Records Retention Schedules

 

Retention Schedule Determined by Law: All records will be maintained and retained in accordance with Federal and state laws and regulations. [Note: attach minimum retention schedules are attached to this policy]. Electronic records must follow the same retention schedule as physical records, acknowledging the format and consolidated nature of records within an application or database.

Changes to Retention Schedule: Proposed changes to the record retention schedules will be submitted to the Records Committee for initial review. The Records Committee, in consultation with the Legal Services Department, will research the legal, fiscal, administrative, and historical value of the records to determine the appropriate length of time the records will be maintained and provide an identifying code. The proposed revisions will be submitted to the Records Committee for review and approval. The approved changes will be published and communicated to the designated Records Coordinators.

Retention of Related Computer Programs: Retention of records implies the inherent ability to retrieve and view a record within a reasonable time. Retained electronic data must have retained with it the programs required to view the data. Where not economically feasible to pay for maintenance costs on retired or obsolescent software only for the purpose of reading archived or retained data, then data may be converted to a more supportable format, as long as it can be demonstrated that integrity of the information is not degraded by the conversion. Data Owners should work closely with IT personnel in order to comply with this section.

Retention of Records in Large Applications: Retention of data for large-scale applications, typically those that reside in the data center and are accessed by a larger audience, shall be the responsibility of the IT department. The Data Owner shall establish policy for the systems and format for the retained data consistent with the requirements of the Data Ownership policy [reference policy].

Retention of Records on Individual Workstations: Primary responsibility for retention of data created at the desktop level—typically with e-mail, Microsoft “Office” applications such as Word, Excel, PowerPoint, Access, or other specialized but locally run and saved computer applications—shall be with the user/author. The user/author will ensure that the documents are properly named and saved to be recognizable by the user in the future, and physically saved to a “shared drive.” By saving a copy in this manner, IT will create an archive version of the saved document for a specified number of years after the user deletes the copy from the shared drive. Records with retention periods in excess of this period will require an alternative means of retention. Users are responsible for the security of any confidential information and/or protected health information created or maintained on their workstations.

Storage and Destruction Guidelines

Active/Inactive Records

Records are to be reviewed periodically by the Data Owner to determine if they are in the active, inactive, or destruction stage. Records that are no longer active will be stored in the designated off-site storage facility.

Active stage is that period when reference is frequent and immediate access is important. Records should be retained in the office or close to the users. Data Owners, through their Records Coordinator, are responsible for maintaining the records in an orderly, secure, and auditable manner throughout this phase of the record life-cycle.

Inactive stage is that period when records are retained for occasional reference and for legal reasons. Inactive records for which scheduled retention periods have not expired or records scheduled for permanent retention will be cataloged and moved to the designated off-site storage facility.

Destruction stage is that period after records have served their full purpose, their mandated retention period, and finally are no longer needed.

Storage of Inactive Records

All inactive records identified for storage will be delivered with the appropriate Records Management Forms to the designated off-site storage facility where the records will be protected, stored, and will remain accessible and cataloged for easy retrieval. Except for emergencies, the designated off-site storage facility will provide access to records during normal business hours.

Records Destruction

General Rule: Records that have satisfied their legal, fiscal, administrative, and archival requirements may be destroyed in accordance with the Records Retention Schedules.

Permanent Records: Records that cannot be destroyed include records of matters in litigation or records with a permanent retention. In the event of a lawsuit or government investigation, the applicable records that are not permanent cannot be destroyed until the lawsuit or investigation has been finalized. Once the litigation/investigation has been finalized, the record may be destroyed in accordance with the Records Retention Schedules but in no case shall records used in evidence to litigation be destroyed earlier than a specified number of years from the date of the settlement of litigation.

Destruction of Records Containing Confidential Information: Records must be destroyed in a manner that ensures the confidentiality of the records and renders the information unrecognizable. The approved methods to destroy records include: [Note: specify based on local, state, and federal rule; these could potentially include recycling, shredding, burning, pulping, pulverizing, and magnetizing.) A Certificate of Destruction form must be approved and signed by the appropriate management staff prior to the destruction of records. The Certificate of Destruction shall be retained by the off-site storage facility manager.

Destruction of Non-Records Containing Confidential Information: Destruction Non-Records containing personal health information or other forms of confidential corporate, employee, member, or patient information of any kind shall be rendered unrecognizable for both source and content by means of shredding, pulping, etc., regardless of media. This material shall be deposited in on-site, locked shred collection bins or boxed, sealed, and marked for destruction.

Disposal of Electronic Storage Media: Electronic storage media must be assumed to contain confidential or other sensitive information and must not leave the possession of the organization until confirmation that the media is unreadable or until the media is physically destroyed.

Disposal of Electronic Media: Electronic storage media, such as CD-ROMS, tape reels, or floppy disks containing confidential or sensitive information may only be disposed of by approved destruction methods. These methods include: [Note: specify based on local, state, and federal rules; these could potentially include: burning, shredding, or some other approach which renders the media unusable; degaussing, which uses electro-magnetic fields to erase data; or, preferred for magnetic media when media will not be physically destroyed, “zeroization” programs (a process of writing repeated sequences of ones and zeros over the information]. CD-ROMs, magneto-optical cartridges and other storage media that do not use traditional magnetic recording approaches must be physically destroyed.

Disposal of IT Assets: Department managers must coordinate with the IT Department on disposing surplus property that is no longer needed for business activities according to Disposal of IT Assets Policy. Disposal of information system equipment, including the irreversible removal of information and software, must occur in accordance with approved procedures and will be coordinated by IT personnel.

APPROVALS:

Legal Department Approval:

Date:

HIM Department Approval:

Date:

IT Department Approval:

Date:

[Specify Other Department]

Date:

Article citation:
AHIMA e-Discovery Task Force. "Litigation Response Planning and Policies for E-Discovery. AHIMA Model E-Discovery Policies: Retention, Storage, and Destruction of Paper and Electronic Health Information and Records." Journal of AHIMA 79, no.2 (February 2008): BoK Extras