Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules

Guest blogger and HIPAA expert Tom Dumez, aka HIPAAMAN and President of Prime Compliance, shares his thoughts and insights on the modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. As we all know, keeping up with HIPAA changes and requirements is an ongoing and challenging process. Perhaps in this blog Tom can shed some light on the complicated and evolving world of HIPAA compliance.

The “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” Notice of Proposed Rulemaking (NPRM) was initially published in July 2010. The Office of Management and Budget (OMB) then received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules, which had been bundled together in what was called the “Omnibus Final Rulemaking”. One of the biggest problems in rulemaking is the delay in the issuance of rules due to legal requirements, bureaucratic elements, and political influences. For covered entities (CEs, which are your clients), business associates (BAs, which is you) and their agents and subcontractors (the people you outsource a covered service to), things are changing.

The original NPRM read: “The HHS/OCR will issue final rules to modify the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as necessary to implement the privacy, security, enforcement, and breach notification provisions of Subtitle D of the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and will modify the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008.” We originally expected the Rules to be finalized in early 2012. Fast forward to 2013.

We knew that the NPRM would contain changes to the Final Rules for four of the HIPAA-HITECH related rules. The rules to be included were: the Genetic Information Non-discrimination Act (GINA) NPRM, the Breach Notification Interim Final Rule (IFR), the Enforcement and Compliance IFR, and the HITECH Privacy/Security/Enforcement NPRM.

The HITECH changes address areas such as business associates (BAs), enforcement, electronic access (Accounting of Disclosures), marketing, fundraising, the prohibition on selling any PHI, and the right to request restrictions.

Among the biggest changes will be those related to BAs, subcontractors and other parties, as HITECH casts a much wider net over millions of organizations. HITECH Sections 13401 and 13404 make BAs accountable to consumers and to HHS for protecting the privacy and security of protected health information, and directly liable for criminal and civil penalties for violations of certain provisions of the HIPAA Privacy and Security Rules. As it specifically relates to those in the document destruction business (as a BA), the NPRM originally proposed the following:

  1. Requiring that BAs comply with the technical, administrative, and physical safeguard requirements under the Security Rule.
  2. Prohibiting a BA from making a use or disclosure in violation of the Privacy Rule.
  3. Clarifying BAs are liable, whether or not they have an agreement in place with the CE.
  4. Defining subcontractors as BAs; clarifying that BA liability flows to all subcontractors.
  5. Higher fines for failing to secure protected health information.

My opinion is that these amendments will stay true to these suggestions. The lines continue to blur as we look at the differences between BA’s and covered entities. There are rules that BA’s will be expected to follow, that have historically only applied to CE’s. The 4 items above will impact BA’s. However, these are also simply good business practices. More regulations, more liability, more responsibility, and more risk. This is just one more reason that a real world, relevant training program for your employees is paramount.

Tom Dumez
President
Prime Compliance
Grand Rapids, MI

Tom Dumez spent more than 12 years at a full suite commercial records management company before launching his own company, Prime Compliance, in 2012. With extensive operational and managerial experience, as well as his unique perspective of the industry, he provides your employees with a ‘real world’ educational experience. He is a Certified HIPAA Professional, as well as Certified Security Compliance Specialist. Tom has spoken at many conferences, including PRISM, NAID, ARMA, the West MI AITP. He has also authored many articles. Tom has provided the industry’s original HIPAA training program to more than 40 commercial record centers, scanning/imaging companies, and document destruction companies since 2010. In addition to training, Tom provides policy and procedure and handbook review, business associate agreement review, and he also provides risk assessments. Contact Tom at tdumez@thehipaaman.com.


10 Critical Steps to Creating a Sound Disaster Recovery Plan

Disasters, natural or man-made, are bound to happen at any given moment, which is why it is important to have an up-to-date disaster recovery plan to protect your business’s infrastructure and keep it going after the impact. Not only does the presence of a disaster recovery plan minimize risk of delays, but it also provides a sense of security for your employees and clients.

There are 10 steps in creating a disaster recovery plan*:

1. Obtain Top Management Commitment
A great deal of effort and planning must go into a disaster recovery plan in order to maximize effectiveness. Thus, it is important to ensure that your board of directors is onboard with your plan. To achieve this step, it is a good idea to present your board with an official proposal.

2. Establish a planning committee
A planning committee is necessary to oversee the development and implementation of the disaster recovery plan. To ensure that all aspects of the organization are considered in the creation of the plan, the committee should include representatives from all areas of the organization. It would then be the committee’s job to define the scope of the plan.

3. Perform a Risk Assessment
While performing a risk assessment, the planning committee has to consider the severity and the likelihood of the possible consequences of a disaster. In this step, the committee will also develop the worst-case scenario that could occur, to ensure a thorough plan can be created.

4. Establish Priorities for Processing and Operations
A Business Impact Analysis is then conducted to rank the organization’s functions in order of importance. Since an organization does not have unlimited resources, this method is used to determine which functions are priorities. Time tiers are often used in this step, where Tier One includes functions that need to be back online within a few minutes to 24 hours and Tier Two includes functions that need to be back online within 24 to 36 hours.

5. Determine Recovery Strategies
In this phase, the planning committee researches and evaluates the most practical solutions in case of a disaster. Such alternatives may include hot sites, warm sites, cold sites, and reciprocal agreements. Written agreements are then prepared for each alternative plan, specifying contract duration, termination conditions, cost, and equipment required for processing.

6. Collect Data
Data is then collected, usually using pre-formatted forms. In addition to the previously discussed data that needs to be collected for the disaster recovery plan, critical telephone number lists, insurance policies, and software retention schedules are also gathered.

7. Organize and Document a Written Plan
After an outline of the plan is approved by the board, a detailed procedure is written. In this phase, the procedures to be used before, during, and after a disaster are clearly documented. It is important to write the plan in a standard form to allow for consistency and ease of use later on.

8. Develop Testing Criteria and Procedures
Disaster recovery plans should be tested and evaluated on a regular basis. It is important to test to identify areas in the plan that need modification, provide training to team members, and determine the feasibility of the procedures.

9. Test the Plan
In this phase, a dry run of the plan is conducted. This test will help determine changes in procedures that are necessary for the disaster recovery plan. This initial test is to be conducted in sections and after normal business hours to minimize disruptions to overall operations. Later tests should be conducted during business hours.

10. Obtain Plan Approval
Finally, the plan is to be submitted to management for approval.

Bob Arnold, President of the Disaster Recovery Journal, provided his insight regarding Disaster Recovery plans for the Smart Storage Solutions® blog:

“These 10 steps are a great basis of any business continuity plan but keep in mind that you must regularly test and update your plan(s). Without revisiting the critical steps in the planning process annually, or more frequently if your environment requires, these planning efforts may not work as effectively as you planned.

According to the DRJ Business Continuity Glossary, Business Continuity Management is defined as: holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities; the management of recovery or continuity in the event of a disaster. Also the management of the overall program through training, rehearsals, and reviews, to ensure the plan stays current and up to date.”

That said, each plan must include a step 11: test, test, and test again, then update as needed. This is the only way you can know with any degree of certainty that your plan is fully executable.

A disaster recovery plan is essential to any organization: it minimizes downtime and data loss, and can mean the difference between survival and failure in the event of a disaster.

To learn more about disaster recovery, an excellent source is the Disaster Recovery Journal: www.drj.com. To learn more about data protection and vault storage, visit the 2-20 Family of Companies.

*Source: http://www.drj.com/new2dr/w2_002.htm

Research and collaboration for this post of the Smart Storage Solutions® blog was provided by Cindy Chen, Marketing Strategist, the 2-20 Family of Companies. Our thanks also go out to Bob Arnold, President of the Disaster Recovery Journal, for his input.



RIM Insight: What Everyone Should Know About the Ban on Halon and its Replacement, FM200

Fire suppression systems are a must-have in a records center, as well as in any area used for data protection. In the latter case, where media is involved, gas-based alternatives have been implemented to avoid the discharge of water. Yet determining which fire suppression method to use has become a question of environmental concern and safety as well as fire protection. Such concerns led to the ban on Halon and the introduction of its replacement, FM200.

Halon 1301 was extremely successful for many years because it could be used in data centers, IT rooms, museums, libraries, and even surgical suites. Unfortunately, it was banned by the U.S. Environmental Protection Agency in 1994 when the Montreal Protocol determined it was depleting the ozone layer. It should be noted that many records centers that utilized Halon for fire suppression were grandfathered in and allowed to maintain their existing Halon units. Yet moving forward, the installation of a new Halon system was prohibited, and Halon alternatives began to appear.

Halocarbon-based agents, inert gas agents, and water-based agents began to surface as alternatives to Halon. Water-based agents, of course, would not be ideal for locations that contain electronics, media or vital archival collections. Halocarbon-based agents work by absorbing heat, while inert gas agents work by removing the oxygen in the area. These two methods are known as “clean agents” because they are safe to use around electronics, unlike water-based or foaming agents.

Over time, FM200 emerged as the front runner and replacement for Halon. It is a waterless system that is used in over one hundred thousand applications, protecting some of the world’s most important documents, media and vital records. To name one high-end data protection facility that currently has this system installed, FM200 is in place in Certified Records Management’s FEMA- and NARA-compliant Dome Vault.

FM200 is so popular because it is the fastest fire protection available, successfully extinguishing fires in 10 seconds or less.

The primary ingredient, heptafluoropropane (a relatively safe halocarbon), is stored as a liquid and pressurized with nitrogen, which also makes the FM200 system extremely space efficient. FM200 takes up to seven times less storage space than the previously mentioned systems that are based on inert gases.

Yet perhaps one of the largest and most impactful benefits of FM200 is that it is considered a ‘green alternative’ to Halon. Although heptafluoropropane decomposes to form carbon monoxide and carbon dioxide, it does not cause ozone depletion. FM200 actually has a ZERO ozone depletion rate, which is an enormous environmental benefit. In summation, fire suppression systems are not just about extinguishing the fire, but also about the long-term after-effects they pose to our environment. Thus FM200 acts as a clean agent that not only rapidly extinguishes a fire, but also does not negatively impact the environment.

Learn more about Certified Records Management’s FEMA- and NARA-compliant Dome Vault and its use of FM200 in a real-world setting.


Research and collaboration for this post of the Smart Storage Solutions® blog was provided by Cindy Chen, Marketing Strategist, the 2-20 Family of Companies.


Storetrieve Meets Document Storage Growth Demands with New Records Center in Rancho Cucamonga


It is always exciting to see growth. We are proud to announce additional growth in California. Below is a press release that became blog-worthy because we had clients literally waiting for us to open the doors of our second Storetrieve facility in California. Happy New Year to all. It is already an exciting year for the 2-20 Family of Companies.

———————————————————–

Storetrieve Meets Document Storage Growth Demands with New Records Center in Rancho Cucamonga

Montebello, California – January 2, 2013 – Storetrieve, of Montebello, California, announces its expansion in California with the addition of a new records storage facility in Rancho Cucamonga.

With the opening of its Rancho Cucamonga facility, Storetrieve can broaden its reach from Montebello and meet the demands for Storetrieve’s exceptional paper-based document storage, digital and destruction services throughout San Bernardino County.

“Servicing our growing California customer base remains a top priority at Storetrieve,” states Avishay Levanovsky, Chief Executive Officer, the 2-20 family of companies. “With companies poised and waiting for entrance to our Rancho Cucamonga facility, we look forward to not only meeting their needs with our exceptional service, but exceeding their expectations with our Smart Storage Solutions®. As we expand our document, data, digital and destruction solutions throughout the state of California, we further the national presence of the 2-20 family of companies.”

Storetrieve’s Rancho Cucamonga and Montebello team of industry professionals welcome you to tour their facilities and take advantage of the proprietary information management benefits of its Smart Storage Solutions® that often accompany a savings of 30% or more. To learn more visit http://www.storetrieve.net or call 800-541-2480.


eWaste: Destruction of the 21st Century

Budgets, typically finalized at this time of year for the year ahead, invariably include line items for some form of electronic device: tablets, smartphones, and multiple generations of each. Investments are no sooner made than the next generation arrives. Yet how does a business dispose of outdated technology in a secure, environmentally sound and compliant manner? The answer is the exploding area of destruction known as eWaste.

eWaste as a service is one of the fastest growing subsets of the destruction market and the statistics tell the story here. In a word: DEMAND.

EPA Statistics on eWaste in 2009 (units in millions; collection rate by weight):

Product          Ready for End-of-Life Management   Disposed   Collected for Recycling   Rate of Collection for Recycling
Computers        47.4                               29.4       18                        38%
Televisions      27.2                               22.7       4.6                       17%
Mobile Devices   141                                129        11.7                      8%

The Environmental Protection Agency (EPA) estimates that in 2009 alone, 47 million computers were ready for end-of-life management. 141 million mobile devices entered end-of-life management in 2009, more than any other type of product included in the analysis; yet they comprise less than one percent of end-of-life electronics by weight.

Information Controls
With this increase in technology, and more specifically portable technology, information is circulating in various forms on multiple devices that have now become mobile. Destruction and management of these media at the end of their life cycle must become an essential element in every Records and Information Management program. When a budget includes new technology, it must also account for proper destruction of the old technology.

One method often considered for disposing of electronics is resale. THINK AND EVALUATE THIS OPTION CAREFULLY. Did you know that even photocopiers contain data? Before you even think of resale, you must control the information within the device. Let’s learn from the State of New Jersey: “When the State of New Jersey was preparing to place computer equipment up for auction to the public, it didn’t realize it was about to auction off the private data…”

Security and Compliance
The increasing volume of electronics, and the need to properly dispose of these items, is further highlighted by the security breach that can occur if one of these items moves into the wrong hands. The Ponemon Institute’s Annual Cost of a Data Breach study reported the cost of each compromised record at $197. Medical records, bank account numbers, emails, social security numbers: the list goes on and on, each item more dangerous than the last. Equally dangerous is non-compliance with the various governing standards, such as HIPAA and Sarbanes-Oxley, to name just a few.

Ask the Questions

When developing an eWaste destruction protocol and selecting a vendor, a thorough investigation of HOW the materials will be destroyed must be undertaken. The vendor must commit to degaussing the materials before any form of physical destruction. The degaussing process leaves the magnetic domains of magnetic media (hard drives, tapes) in random patterns with no preferred orientation, thereby rendering the previous data unrecoverable. A vendor not committed to true destruction, who instead places computers in a landfill, not only impacts the environment but also puts you at risk. REVIEW the methods your vendor will use to destroy your information.

Familiarize yourself with certifications such as: Recycling Practices for Electronics Recyclers (R2) certification and the ISO 14001.

R2 Certification is an established certification for achieving a very high level of process and performance in managing end-of-life electronics. It is a rigorous standard for assessing electronics recycling/reuse as well as environmental, worker health and safety, and security practices. In 2006, the EPA facilitated a multi-stakeholder group to develop this best practice. R2 is a voluntary standard that includes principles and practices for electronics recyclers in disassembling or reclaiming used electronics equipment.1

ISO 14001 is a family of standards related to environmental management that exists to help organizations (a) minimize how their operations (processes etc.) negatively affect the environment (i.e. cause adverse changes to air, water, or land); (b) comply with applicable laws, regulations, and other environmentally oriented requirements, and (c) continually improve in the above.2

Environmental Impact

Another entirely different, yet paramount, reason to properly dispose of your eWaste is the detrimental effect it is having on the environment. Computers, smartphones and other technology placed in landfills pose a great risk to our environment, a risk that is already being realized in some areas of the world. 60 Minutes dedicated a show to eWaste entitled ‘Electronic Wasteland.’


It is worth viewing to see the impact that landfill eWaste dumping is having on our environment.

Greenhouse gas emissions are one threat to the environment. The other comes from the decomposition of the various metals in these devices: when metals such as nickel, cadmium, mercury and lead begin to enter our water systems, they pose a range of environmental dangers to humans, animals and aquatic life alike. It is for these reasons that the Environmental Protection Agency continues to study the destruction of eWaste, and that regulations are not only a reality but a necessity.

In closing, we could write pages and pages on the topic of eWaste. One thing we know for sure is that eWaste is a growing issue that records managers and corporations must address. Instituting a policy, finding a methodology and meeting compliance standards is a must-have for any records management program. eWaste is not only here to stay, but a growing problem. We encourage every business to create a proper eWaste destruction program today, to protect both themselves and the environment.

Further Reading:
EPA: Summary baseline eWaste Report 2011
eNewsletters from Recycling Today Weekly

1. R2 Certification description as reported by Anything IT, Inc.
2. Source: Wikipedia


Records and Information Management Compliance: SAS 70 vs. SSAE 16

Compliance goes hand in hand with information management. At the 2-20 Family of Companies, which includes Arizona Records Storage Center, Storetrieve, Certified Records Management and InfoStore Records Management, we have built a business around managing information in SMART, innovative ways through our proprietary Smart Storage Solutions®. That is why we make it a priority to remain informed on changes, additions, or updates in compliance.

One of the more recent compliance changes is the replacement of Statement on Auditing Standards No. 70 (SAS 70) by Statement on Standards for Attestation Engagements No. 16 (SSAE 16) within the overall SOC (Service Organization Controls) Framework. SAS 70 had become a well-known acronym representing an in-depth audit of a third-party service organization1.

Because of this replacement standard we wanted to provide a complete blog post regarding SSAE 16. In order to ensure our information is up-to-date and accurate, we have drawn on the expertise of NDB Accountants & Consultants, LLP. They not only provided portions of this information directly, but also proofed this post for technical accuracy. You can visit their web-site to learn more about SSAE 16. Wikipedia was also a source of notable information. For further commentary please see http://www.ssae16.org and http://www.ndbcpa.com

What is SSAE 16?

SSAE 16 Definition: Statement on Standards for Attestation Engagements (SSAE) No. 16 is an attestation standard put forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that addresses engagements undertaken by a service auditor for reporting on controls at organizations (i.e., service organizations) that provide services to user entities, where a service organization’s controls are likely to be relevant to a user entity’s “Internal Controls over Financial Reporting” (ICFR).

SSAE 16 effectively replaces Statement on Auditing Standards No. 70 (SAS 70) for service auditor’s reporting periods ending on or after June 15, 2011. Two types of SSAE 16 reports may be issued, a Type 1 and a Type 2. Additionally, SSAE 16 requires that the service organization provide a description of its “system” along with a “written assertion by management.”2

Type 1 & Type 2 Reporting

Thesis: Auditors under SSAE 16 may produce two reports representing two measurements. Simply put, the Type 1 report is a measurement of the design of the controls, accompanied by a written assertion (not required under SAS 70), and the Type 2 report covers the design of the controls AND reports on the operating effectiveness of the controls themselves.

A Type I service auditor’s report includes the service auditor’s opinion, based on the service organization’s management assertion, on the fairness of the presentation of the service organization’s description of controls that had been placed in operation “as of” a particular date (a point in time), and on the suitability of the design of the controls to achieve the specified control objectives.

A Type II service auditor’s report includes the information contained in a Type I service auditor’s report and also includes the service auditor’s opinion, based on the service organization’s management assertions, on whether the specific controls were operating effectively during the period under review (usually at least six months).

What qualifies as a ‘service organization’?

Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers and in particular ICFR. Examples of service organizations are insurance and medical claims processors, trust companies, payroll processors, application service providers (ASPs), credit or loan processing organizations, and clearinghouses.

Why the change from SAS 70 to SSAE 16?

Thesis: SSAE 16 more closely mirrors the ISAE 3402 international standard (International Standard on Assurance Engagements 3402); for reference see http://www.isae3402audits.com/

NDB Accountants and Consultants describe the need for this change:

SSAE 16 now provides additional information for which intended users of this report can have greater confidence in the reporting of controls at service organizations. Specifically, SSAE 16 arguably requires a more in-depth description of the service organization’s “system” along with an actual written assertion by management. The written assertion was never required by SAS 70 and the description of the service organization’s system now requires management to place a greater emphasis on describing and documenting this system for the user organizations for purposes of SSAE 16 reporting.

In short, SSAE 16 meets or exceeds the ISAE 3402 standard, and in doing so, allows the U.S. standard to be well-positioned for effectively meeting the growing needs of reporting on controls at service organizations. Furthermore, SSAE 16 and the overall SOC Framework effectively remove any limitations that were starting to evolve in the information technology world with SAS 70.

Look upon the emergence of SSAE 16 and ISAE 3402 as a collaborative effort between two standards that greatly seek to bring about transparency and a high degree of consistency for reporting on controls at service organizations.

Where Will SSAE 16 Have its Greatest Impact?

Listed below are some business sectors that have undergone SAS 70 compliance and will also become prime candidates for the new SSAE 16 standard, the SOC Framework, or possibly even the ISAE 3402 standard. In reality, there is a large and ever-growing list of industries and business sectors that are (and will be) considered service organizations for purposes of SSAE 16 compliance and the SOC Framework. The sheer growth in outsourcing, coupled with rigorous mandates for security, governance, and compliance, will require more and more businesses to comply with the SOC reporting requirements for service organizations.

  • Software as a Service (SaaS)
  • Application Service Providers (ASP)
  • Credit Card Processing Platforms
  • Cloud Computing | Virtualization | on demand Computing Services
  • Internet Service Providers (ISP)
  • Web Design and Development
  • Web Hosting
  • Social Media | Content Tagging and Aggregators
  • Data Center and Co-Location Providers
  • Managed Services
  • Third Party Administrators (TPA)
  • Captive Providers
  • Medical Billing
  • Print and Mail Delivery
  • Online Fulfillment
  • Rebate Processing | Online and Mail
  • Transportation Services
  • Tax Credit and Empowerment Services
  • Payroll Services
  • Registered Investment Advisors (RIA)

Conclusion
With businesses crossing borders, currencies and time zones, and outsourcing firmly finding its place, compliance standards have been challenged to provide a greater degree of uniformity to meet the demands of a global marketplace.
