Patient data storage and access is becoming one of the most costly, challenging and risky areas of healthcare delivery. With the rapid proliferation of data, technology advancing faster than companies can keep up and increasing enforcement actions resulting from data security breaches, establishing an effective records management and data retention program is essential to an organization's ability to thrive and adapt to the dynamic changes it faces. This is especially true for healthcare organizations, which rely heavily on records as part of their core service — primarily, medical records involved in patient care. An effective records management program is key to ensuring that valuable and necessary patient records are not lost, misplaced or improperly secured in the transition.
Similarly, yet often overlooked, it is vital that electronic records be readily accessible and usable when migrating from one system, platform or technology to another. Lifecycle management of clinical images is the largest component of data storage and migration. Use of vendor neutral archiving systems can be helpful in addressing the data storage and migration challenges many healthcare organizations face.
Overlaying the practical business difficulties of managing this ever-increasing volume of records and data and the related data migration issues are a patchwork of federal and state laws that impose strict standards on anyone dealing with patient information. For example, the Privacy and Security Rules of the federal Health Insurance Portability and Accountability Act, known as HIPAA, and related HITECH Act requirements, prohibit the unauthorized use or disclosure of individuals' medical records, and require healthcare providers and vendors, such as billing and storage companies, to implement administrative, physical and technical safeguards to protect that information.
As evidenced by the recent significant increase in HIPAA enforcement actions and related fines and penalties levied by HHS' Office of the Inspector General, inadequate record management leaves organizations open to undue risk for both civil and criminal liability. Often, inadequate management is a result of not understanding what records and data the organization actually has created, what its responsibilities are in maintaining such records and who has access to the records.
Regulators claim that the health system failed to have an appropriate written agreement in place with Sure File to protect the confidentiality of the records, and failed to safeguard electronic communications with Sure File (e.g., sending unencrypted emails). State and federal regulators continue to investigate this matter. Although the outcome for the health system and Sure File is yet to be determined, in light of recent HIPAA enforcement actions, the outcome is likely to be painful.
For example, in 2011 one hospital settled an alleged HIPAA violation for $1 million with HHS when copies of paper records were left on a subway by an employee. Also, many other providers and health plans have reached settlement agreements with HHS in the millions when laptop computers or other mobile devices that contained patient information were stolen or lost.
Steps to establishing an effective records management and data retention program
What should a healthcare provider do to establish an effective records management program?
1. Appoint a records manager if one does not already exist. Someone within the organization must be dedicated to maintaining and safeguarding the organization's records.
2. Establish a records management committee comprised of all the key stakeholders in the organization, including members of senior management, to help the records manager develop and implement the records management program. If there is not senior management buy-in on the front-end, the program will be delayed, misdirected and possibly die on the back-end. '
3. Develop a detailed project work plan and schedule, identifying specific roles, responsibilities and timelines for completing tasks to implement the program.
4. Establish a records retention policy. The records retention policy is the governing document for establishing and implementing the program. This should address:
5. Develop record retention and destruction schedules that are attached to the records retention policy. Records will be retained for the period of time during which records have operational, legal, fiscal or historical value. To ascertain how long a particular record should be retained, healthcare organizations should evaluate a number of factors. First, the organization should determine how long the record is needed for business operations. Second, the organization should verify any legal or regulatory retention requirements for the record, taking into consideration the statute of limitations for different potential causes of action involving the organization. Other retention considerations include the needs of internal and external parties and the cost of storing various records. Prior to destruction of any record, a record destruction approval form should be completed and signed off on by the appropriate record custodian, a representative from legal and/or a representative from the records department.
6. Conduct a comprehensive inventory of all "records," including electronic records, wherever located. To conduct the inventory, the organization must first identify which "records" are included within the scope of the program and records retention policy. In general, a "record" is anything intended as a memorial, preservation or evidence of the matter to which it relates. A record can be either a tangible item, such as a paper chart, or digital information, such as an email. The inventory should include all relevant information such as: record types, record location, record custodian, storage medium, current retention period and intended retention period. Use of a standard record inventory form is helpful during this process to ensure all appropriate information is obtained.
7. Securely store and limit access to all records in accordance with applicable law and business needs. Failing to securely store records, permitting unauthorized access to records and permitting overly broad access to records create the most significant regulatory risks for an organization. To ensure that records are being properly secured and accessed, the records retention policy should also dovetail with an organization's HIPAA privacy and security policies.
8. Ensure that all electronic records are readily accessible and usable when stored or when migrating from one system, platform or technology to another. As mentioned, lifecycle management of clinical images is the largest component of data storage and migration. Vendor neutral archiving systems are becoming increasingly popular in addressing data storage and migration of clinical images. According to InMedica, 31 percent of radiology studies are estimated to be stored on VNAs by 2016, a dramatic increase from 5.4 percent in 2011. For example, if an organization is transferring from one vendor's picture archiving and communications system to another vendor's PACS, it may be difficult to read the DICOM images on the new vendor's PACS. In such case, use of a VNA would be helpful to ensure that the images can continue to be read on the new system. There are a handful of companies, such as TeraMedica, that offer VNAs.
Ultimately, establishing a robust records management and data retention program offers numerous benefits. An effective record management program can help an organization eliminate unnecessary records. Most organizations retain up to 70 percent more records than required by law or necessary for their operation. Over 85 percent of records in the average organization will never be retrieved or used for any purpose. If a record is over three years old, there is greater than a 95 percent chance that the record will never be retrieved. Other benefits of an effective record management program include:
So, avoid a regulatory and public relations nightmare, save some money and make a lot of patients happier by establishing a robust and effective records management and data retention program.
Mark Garsombke is a shareholder in the Milwaukee office of Hall Render. He serves as corporate counsel to a variety of Fortune 500 and technology-based companies; healthcare providers and plans; health information exchanges; and other businesses on HIPAA security and privacy, the HITECH Act, research, information technology and supply chain-related legal matters. He also frequently speaks and writes on privacy and information technology-related legal matters. Previously, he has served as in-house counsel to a $45 billion mutual fund company. Mr. Garsombke was honored with The Business Journal of Milwaukee's Forty Under 40 award.
Kendra Conover's practice is devoted to healthcare law. Her work involves day-to-day counsel regarding hospital, physician, home health agency and DMEPOS supplier issues. She advises her clients on transactional, regulatory, licensing and compliance-related matters. Kendra currently serves on the Board of Directors for Mental Health America of Indiana and the Indiana University Richard M. Fairbanks School of Public Health-Health Administration Alumni Council. She previously served on the advisory board for the Indiana Healthcare Executives Network and the Board of Directors for the Indianapolis Senior Center.
Similarly, yet often overlooked, it is vital that electronic records be readily accessible and usable when migrating from one system, platform or technology to another. Lifecycle management of clinical images is the largest component of data storage and migration. Use of vendor neutral archiving systems can be helpful in addressing the data storage and migration challenges many healthcare organizations face.
Overlaying the practical business difficulties of managing this ever-increasing volume of records and data and the related data migration issues are a patchwork of federal and state laws that impose strict standards on anyone dealing with patient information. For example, the Privacy and Security Rules of the federal Health Insurance Portability and Accountability Act, known as HIPAA, and related HITECH Act requirements, prohibit the unauthorized use or disclosure of individuals' medical records, and require healthcare providers and vendors, such as billing and storage companies, to implement administrative, physical and technical safeguards to protect that information.
As evidenced by the recent significant increase in HIPAA enforcement actions and related fines and penalties levied by HHS' Office of the Inspector General, inadequate record management leaves organizations open to undue risk for both civil and criminal liability. Often, inadequate management is a result of not understanding what records and data the organization actually has created, what its responsibilities are in maintaining such records and who has access to the records.
A records management nightmare
Kaiser Permanente, one of the nation's largest and well respected health plans and healthcare providers, recently learned that nightmares are not limited to bad dreams. As reported in the Los Angeles Times, the health system is currently under investigation by both state and federal officials for a record storage arrangement it had previously utilized. Federal and state officials are examining whether the health system violated patient privacy rules when it contracted with a small "mom and pop" record storage company, Sure File Filing Systems, located in Indio, Calif., to store nearly 300,000 medical records. In what can only be described as incredulous in this high-tech age and heavily regulated area, Sure File stored paper records in a rented storage facility that it shared with another person, his Ford Mustang and party rental business. Sure File also stored emails and other files from the health system listing thousands of patients' names, dates of birth and treatment information on the owners' home computers. In court filings, the health system claimed the owners left two computer hard drives containing patient records in their garage with the door open. In response, the owner moved the hard drives to a spare room in his house. The owner stated that those hard drives contained spreadsheets on thousands of health system patients, prepared at the health system's request. The health system has since taken steps to retrieve the inappropriately stored patient information.Regulators claim that the health system failed to have an appropriate written agreement in place with Sure File to protect the confidentiality of the records, and failed to safeguard electronic communications with Sure File (e.g., sending unencrypted emails). State and federal regulators continue to investigate this matter. Although the outcome for the health system and Sure File is yet to be determined, in light of recent HIPAA enforcement actions, the outcome is likely to be painful.
For example, in 2011 one hospital settled an alleged HIPAA violation for $1 million with HHS when copies of paper records were left on a subway by an employee. Also, many other providers and health plans have reached settlement agreements with HHS in the millions when laptop computers or other mobile devices that contained patient information were stolen or lost.
Steps to establishing an effective records management and data retention program
What should a healthcare provider do to establish an effective records management program?
1. Appoint a records manager if one does not already exist. Someone within the organization must be dedicated to maintaining and safeguarding the organization's records.
2. Establish a records management committee comprised of all the key stakeholders in the organization, including members of senior management, to help the records manager develop and implement the records management program. If there is not senior management buy-in on the front-end, the program will be delayed, misdirected and possibly die on the back-end. '
3. Develop a detailed project work plan and schedule, identifying specific roles, responsibilities and timelines for completing tasks to implement the program.
4. Establish a records retention policy. The records retention policy is the governing document for establishing and implementing the program. This should address:
- The purpose and scope of the policy
- Retention and destruction schedules,
- Email retention
- Legal hold orders
- Responsibility for records
- Procedures and methods for securely storing, transferring and destroying vital records
- Access controls
- The relationship between record retention and other aspects of the record management program, such as archives, microfilm or electronic image collections and historical records
- Failure to comply with the policy
- Training and auditing
- A process for revising and updating the policy and related retention schedules
5. Develop record retention and destruction schedules that are attached to the records retention policy. Records will be retained for the period of time during which records have operational, legal, fiscal or historical value. To ascertain how long a particular record should be retained, healthcare organizations should evaluate a number of factors. First, the organization should determine how long the record is needed for business operations. Second, the organization should verify any legal or regulatory retention requirements for the record, taking into consideration the statute of limitations for different potential causes of action involving the organization. Other retention considerations include the needs of internal and external parties and the cost of storing various records. Prior to destruction of any record, a record destruction approval form should be completed and signed off on by the appropriate record custodian, a representative from legal and/or a representative from the records department.
6. Conduct a comprehensive inventory of all "records," including electronic records, wherever located. To conduct the inventory, the organization must first identify which "records" are included within the scope of the program and records retention policy. In general, a "record" is anything intended as a memorial, preservation or evidence of the matter to which it relates. A record can be either a tangible item, such as a paper chart, or digital information, such as an email. The inventory should include all relevant information such as: record types, record location, record custodian, storage medium, current retention period and intended retention period. Use of a standard record inventory form is helpful during this process to ensure all appropriate information is obtained.
7. Securely store and limit access to all records in accordance with applicable law and business needs. Failing to securely store records, permitting unauthorized access to records and permitting overly broad access to records create the most significant regulatory risks for an organization. To ensure that records are being properly secured and accessed, the records retention policy should also dovetail with an organization's HIPAA privacy and security policies.
8. Ensure that all electronic records are readily accessible and usable when stored or when migrating from one system, platform or technology to another. As mentioned, lifecycle management of clinical images is the largest component of data storage and migration. Vendor neutral archiving systems are becoming increasingly popular in addressing data storage and migration of clinical images. According to InMedica, 31 percent of radiology studies are estimated to be stored on VNAs by 2016, a dramatic increase from 5.4 percent in 2011. For example, if an organization is transferring from one vendor's picture archiving and communications system to another vendor's PACS, it may be difficult to read the DICOM images on the new vendor's PACS. In such case, use of a VNA would be helpful to ensure that the images can continue to be read on the new system. There are a handful of companies, such as TeraMedica, that offer VNAs.
Ultimately, establishing a robust records management and data retention program offers numerous benefits. An effective record management program can help an organization eliminate unnecessary records. Most organizations retain up to 70 percent more records than required by law or necessary for their operation. Over 85 percent of records in the average organization will never be retrieved or used for any purpose. If a record is over three years old, there is greater than a 95 percent chance that the record will never be retrieved. Other benefits of an effective record management program include:
- Reduction in operation costs
- Lower business risk
- Compliance with laws and regulations
- Accuracy, reliability and trustworthiness of records
- Higher return on investment
- Better preparation for litigation
- Transition away from costly paper records to electronic records
- Ability to accurately and securely capture and maintain corporate history
So, avoid a regulatory and public relations nightmare, save some money and make a lot of patients happier by establishing a robust and effective records management and data retention program.
Mark Garsombke is a shareholder in the Milwaukee office of Hall Render. He serves as corporate counsel to a variety of Fortune 500 and technology-based companies; healthcare providers and plans; health information exchanges; and other businesses on HIPAA security and privacy, the HITECH Act, research, information technology and supply chain-related legal matters. He also frequently speaks and writes on privacy and information technology-related legal matters. Previously, he has served as in-house counsel to a $45 billion mutual fund company. Mr. Garsombke was honored with The Business Journal of Milwaukee's Forty Under 40 award.
Kendra Conover's practice is devoted to healthcare law. Her work involves day-to-day counsel regarding hospital, physician, home health agency and DMEPOS supplier issues. She advises her clients on transactional, regulatory, licensing and compliance-related matters. Kendra currently serves on the Board of Directors for Mental Health America of Indiana and the Indiana University Richard M. Fairbanks School of Public Health-Health Administration Alumni Council. She previously served on the advisory board for the Indiana Healthcare Executives Network and the Board of Directors for the Indianapolis Senior Center.