When it comes to document retention obligations, life used to be so easy. As some older readers will recall, there was a time when a business’s records existed on paper, were kept in folders, in alphabetic order, and then placed in big metal things called file cabinets. For large enough entities, there then used to be file rooms filled with rows upon rows of file cabinets, and then for older records, there were outside storage facilities. The files could be seen, touched, catalogued, indexed and saved – in a known physical place.
Those days, however, are long gone, and for those who are responsible for complying with a company’s, institution’s, or health care provider’s document retention policies, the challenges grow ever larger, daily, with each new iteration of some electronic means of creating something in writing.
The following checklist is designed to help those responsible for some aspect of document retention stay up to date – and ever vigilant – about ensuring that records are retained and not lost into the cyber ether.
1. Why Are There Document Retention Policies?
This may seem like a simplistic question, but document retention policies exist because there are extensive legal requirements under both federal and state laws requiring a business to maintain its records.
For example, there are federal and state statutory and regulatory requirements for all businesses dealing with matters such as tax, financial record-keeping, municipal building codes, and environmental concerns. Then, of course, there are federal, state and regulatory bodies’ separate and distinct document retention requirements or guidelines applicable to the health care field.
Additionally, there are often non-binding guidance documents that set out further document retention best practices that should be considered. For example, US Medicare Conditions of Participation impose retention requirements, and the associated interpretive guidelines provide more detail regarding best practices for specific types of facilities and clinics. It is also possible that relevant Boards, such as the Board of Medicine, may have posted guidelines or informal guidance on their websites. Additionally, if an entity or employee does not properly fulfill these regulatory requirements, the entity, and even the individual employee, may face legal jeopardy and/or hefty fines.
There is another reason that document retention policies develop – the possibility of potential or existing legal proceedings, such as litigation or governmental (state or federal) regulatory investigations, or even internal investigations. In those situations, the company will be obligated to collect and produce copies of documents relevant to the legal case or investigation.
All of these factors – legal and regulatory requirements, as well as the specter of litigation or investigation – lead to the need for an enterprise to develop a thorough and well-maintained policy, or set of policies, for document retention.
2. What Document Retention Policies Exist?
This may seem basic, but to meet document retention goals, appropriate people must know what document retention policies exist and to whom they apply. For example, it well may be that retention obligations are different for people in different departments and whose work touches upon different aspects of the company’s or facility’s operations.
Therefore, step one is to locate and review the existing document retention policies and then to determine if there are holes in the system. If there are, revised and updated policies will need to be prepared and then distributed to the appropriate groups, departments, and people to whom those policies apply.
3. Are the Existing Policies Understandable? Are They Up-to-Date?
No document retention policy will be successful if it is not easily understandable and cannot be readily implemented by the employees creating electronic records. Existing policies need to be kept up to date with any new statutory/regulatory requirements, as well as any changes in the entity’s technology and computer system.
If the policy is not kept up to date, then there will be types of written records and communications that will fall through the cracks and fail to be captured within the required retention net. If the policy or policies are not understandable or are outdated, they need to be re-written so that employees know what their obligations are and how to conform their daily practices.
4. Training Is Essential
No document retention policy will be successful without consistent training of all personnel who create, review, or modify records. While contemporary electronic platforms and computer systems often have some level of automatic retention mechanisms built into the programming, conscious and deliberate human interaction remains essential.
Employees must be taught what information they are required to save and how to do so, especially as not all steps will necessarily be intuitive. Depending on its capacity, an entity’s Compliance Department may be a good resource to ensure employees are properly trained on their regulatory document retention responsibilities.
5. Monitoring Compliance With Retention Policies Is Important
In addition to regular training, it is important to ensure that there are monitoring procedures in place so that problems with document retention practices are identified as soon as possible rather than only after a glaring hole is discovered.
Therefore, record retention audits should be performed at regular intervals to determine if required records are being maintained consistent with the existing policies and if documents are being electronically stored in the proper repositories and archives.
6. Who Really Knows How All the Systems Work and Interact?
Most people’s jobs may involve using a computer, or a tablet, or a mobile screen of some sort, but only a very few people actually have real insight into how the systems work and whether they are properly configured to meet all required document retention obligations.
It is this group of people who will be best able to conduct the regular audits and tests described above and determine if the electronic systems’ existing retention programming is actually capturing and keeping the documents and data consistent with the enterprise’s written policies and goals.
This auditing process is particularly important if litigation is involved, and various individuals are instructed to retain all documents regarding certain subjects. Only the computer systems specialists can make sure that document retention instructions are being followed – for example, that automatic purge settings are disabled, that archiving systems are enabled, and that mailbox size limitations are eliminated.
Additionally, computer specialists must be kept abreast of any changes in the document retention policy, especially when modifications are due to a change in regulatory requirements.
In short, the computer systems department and its staff are crucial to developing, monitoring, and maintaining a successful retention infrastructure.
7. Do Not Discount Former Employees’ Records
In any business or institution, new employees join and other employees leave. It is not unusual for enterprises to have a policy calling for the deletion of a former employee’s emails and other electronic records within, for example, 60 or 90 days after an employee leaves. However, such broad policies can run afoul of the enterprise’s wider retention policies and legal requirements.
Therefore, before a former employee’s records are eliminated, a retention checklist should be completed by the IT department (or whoever is in charge of the electronic systems) to determine whether deletion of the departed employee’s records can be conducted wholesale or whether a more surgical approach should be undertaken.
This retention checklist must be sure to accurately encompass all document retention regulatory requirements.
8. Do Not Forget About Paper Documents
While the volume of paper records has significantly decreased since the electronic era dawned, paper has not disappeared entirely. There are some people who still prefer to print out important materials to review in hardcopy. Others like to print out PowerPoint slides and make notes on the pages during a meeting or video conference. Moreover, there are some people who prefer to maintain handwritten notes reflecting daily “to-do” lists or jot down comments made during a meeting.
With the increase of employee remote work-from-home options, paper records that once would have been found solely in a business office or at a cubicle now may only be located at an employee’s home office or in a residential basement storage area. Those records, however, very well can be equally subject to company document retention policies, and both the employee and that person’s supervisor(s) need to be aware of those obligations.
This is especially important if the person is terminated or otherwise leaves the employment. His or her paper records well may need to be gathered and retained somewhere other than the person’s home.
9. Personal Cell Phones Can Be Subject to Retention Policies
Many people regularly use their personal cell/mobile phones – i.e., the ones that they personally pay for – for business purposes. This is particularly true in terms of texting and taking of photos – and this is true even when the enterprise’s document creation and retention policies specifically instruct that personal mobile devices should not be used for business purposes.
People more and more find that texting is too easy and too ubiquitous to avoid, and despite an official policy, they wind up communicating via text for business purposes. Likewise, photos of, for example, whiteboard meeting notes, or even pictures of a patient or an insurance card, are business records and subject to retention obligations.
Unfortunately, employees are often shocked when they are informed that for purposes of ongoing litigation or a government investigation or even a departmental audit, information stored on their personal cell phone will need to be collected. Depending on the type of phone, remote collection may be possible (typically for Apple iPhones), but for other types of phones using an Android system, it is much more likely that the physical phone will need to be taken for some hours (or even a day) in order to collect the data.
The collection process also is not limited to a discrete set of texts or photographs. Rather, to forensically capture the specific texts or photos, etc., all of the phone’s data must be collected – a reality that raises the privacy hackles of employees who find themselves in this situation.
In short, the use of personal cell phones for business purposes is fraught with complexities and should be discouraged as much as possible.
10. Ephemeral Messaging Is Not Immune to Retention Requirements
A “next gen” issue arises when retention needs meet ephemeral messaging – such as communications conducted in-house via “Slack” or “Teams” messaging, etc., or programs such as WhatsApp or self-erasing messaging systems.
Some employees regard such communications as “casual” and as if they are not somehow part of the official records of their employment activities. Others use these avenues believing they can perform an end-run around the enterprise’s retention policies.
The truth, however, is that if the communication is discussing a business topic, it absolutely can be subject to retention obligations and the end-run needs to be thwarted.
Employees need to be instructed that these “alternative” communications methods are not outside of their retention obligations, and that they are expected to avoid using these channels except for truly the most casual and non-substantive purposes – and the IT department must understand that retention requirements can extend to these convenience communication options.