Records Storage Related
The following retention periods shown are not offered as final authority, but as guideposts against which to check your company needs. Statutes of limitations, as well as regulations of government agencies pertaining to your business must be considered. A final precautionary step is to have your CPA or attorney approve your records retention timetable in its final form.
We have provided an example retention schedule that you can download in PDF format. Please remember that this is an example only and should not be treated as a set of definitive timeframes.
Why is understanding chain of custody important, you ask?
The business of securing and managing information assets for over 1000 customers is, on many levels, quite basic: provide a safe and secure environment for information and make that information accessible at a moment's notice. Of course there is much more to it than that, but each element, considered individually, is in fact rather simple.
That said, there is one element that, taken as a whole, is complex. As illustrated below, we have made a tremendous investment in a system that tracks your records from the point of release to DataSite, in transit to the record center, and to their final location on our shelving. The same process runs in reverse when an order is placed for retrieval. Our couriers scan boxes and files as they are released to you, and again when we pick up boxes and files for return or for initial submission to the records center.
Quality and Security Assurances in the Processing and Fulfillment of Orders
For an expanded view of a workflow document that speaks to the numerous levels of quality and security assurances see the graphic below.
Regulatory Compliance Info and Links:
What is FACTA?
FACTA (or the FACT Act) is the Fair and Accurate Credit Transactions Act, a federal law designed to reduce the risk of consumer fraud and identity theft created by the improper disposal of consumer information.
What you should know about the FACTA Disposal Rule:
- It applies to virtually every person and business in the United States
- It requires the destruction of all consumer information before it is discarded
- Potentially severe penalties await violators
The Federal Trade Commission (FTC) has issued its FACTA Disposal Rule. While the FTC has singled out lenders, insurers, employers, landlords, government agencies, mortgage brokers and automobile dealers, the rule applies to every individual and business subject to the FTC's jurisdiction, which includes virtually every person and every business in the United States.
According to the FTC’s FACTA Disposal Rule “any person who maintains or otherwise possesses consumer information for a business purpose” must properly destroy discarded consumer information.
The FTC’s FACTA Disposal Rule further states that every person and/or business “must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
Reasonable measures are defined in FACTA as “burning, pulverizing, or shredding of papers containing consumer information” or entering into “a contract with another party in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule.”
Civil Liability: FACTA provides for substantial civil liability. In some cases, consumers may be entitled to recover their actual damages sustained as a result of a violation of the rule which, in the case of identity theft, could be very large. In other cases, consumers may be able to recover statutory damages of up to $1,000 for each consumer affected by a violation of the rule.
Class Action: Where large numbers of consumers are affected, they may be able to bring class actions seeking potentially massive statutory damages. If 1,000 consumers were affected, for example, a class action might seek up to $1,000,000.00 in statutory damages. Courts are also authorized to award punitive damages in either an individual suit or a class action. Finally, a successful plaintiff, or class of plaintiffs, may recover reasonable attorneys’ fees.
Federal Enforcement: The federal government is also authorized to bring enforcement actions in federal court for violations of the disposal rule. In some cases, the government may bring an action in federal district court for up to $2,500 in penalties for each independent violation of the rule.
State Enforcement: The states are also authorized to bring actions on behalf of their residents and, in appropriate cases, may recover up to $1,000 for each willful or negligent violation of the rule. In cases involving multiple violations, such statutory penalties might quickly add up to very large sums. As with private lawsuits, moreover, the state may recover its attorneys’ fees if successful in such an action.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 specifies a series of administrative, physical and technical safeguards to assure the confidentiality, integrity and availability of protected health information. Individuals, organizations and agencies that meet the definition of a covered entity must comply with the Rules specified to protect the privacy and security of patient health information. Providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies are considered “covered entities” and are required by law to follow the HIPAA rules. Any breach of confidentiality, such as improperly discarded documents, must be reported to the authorities and, in cases involving over 500 records, to local media as well.
Under HIPAA, every healthcare provider is required to prevent unauthorized access to Protected Health Information (PHI) at all times. PHI consists of any information about patients, including diagnoses, treatment, x-rays, prescriptions, billing, addresses, and virtually anything else pertaining to a patient and/or case.
No healthcare organization is too small for outsourced shredding services.
Small or large, medical organizations benefit greatly from the protection, regulation compliance and indemnification offered by DataSite’s document destruction services. Employees are busy at their jobs and often overlook the importance of taking the time to shred proprietary data. A discarded document in the trash could lead to heavy regulatory fines, lawsuits and loss of community trust.
But is it only medical organizations that should worry about HIPAA?
No. For a business to assume that HIPAA affects only healthcare service providers and insurers is shortsighted: in addition to the healthcare industry, HIPAA also affects those providing certain information or services to or for healthcare providers. For example, a company that performs medical billing or other services involving “protected information” for healthcare providers is governed by the HIPAA privacy requirements.
What is HITECH?
After the implementation of HIPAA, many of its regulations were considered ineffective or unenforceable. Many legislators called for a revision, or for a new program altogether, that would contain strict enforcement provisions. Thus, in 2009, Congress passed a law that would greatly increase the security and enforcement of HIPAA, known as the Health Information Technology for Economic and Clinical Health Act (HITECH). As a result of the American Recovery and Revitalization Act, better known as the “stimulus package,” Congress wasted no time in orchestrating ways to recoup some of the billions of dollars fed into the system by heavily fining law breakers. HITECH is that guard dog.
Here is a partial list of provisions according to HITECH:
- Health Data Breach Notification – Requires that healthcare providers notify patients and local authorities when there has been a potential data breach.
- States’ Attorneys General – New training programs are in place educating States’ Attorneys General how to enforce HIPAA laws and methods to collect and retain fines incurred from violators.
- Mandatory Fines – The new laws mandate investigations and fines for offenses that willfully violate information security provisions. Maximum fines have increased from $25,000 to $1,500,000, a 6000% increase from HIPAA’s initial rulings.
As a result of HITECH, state attorneys general are now responsible for enforcing HIPAA and are additionally eligible to retain fees from the fines that are levied. A Texas-based medical facility was recently fined $990,000 for placing medical records in a garbage dumpster. A 2010 study conducted in Toronto, Canada showed that 3 out of 4 doctors’ offices had not instituted secure shredding programs and thus discarded patient documentation in the trash.