Best Practices for creating a comprehensive healthcare data retention plan
One of the more difficult aspects of maintaining HIPAA compliance is making sure that data is being properly retained and protected.
The first step in establishing a data retention plan is to inventory the types of data that might need to be retained. In healthcare organizations this typically includes electronic health records, Picture Archiving and Communication System (PACS) data, and email messages, but the list is far from comprehensive. Depending on the nature of the healthcare organization there may be other data types that must be retained as well.
The next step that should generally be taken is to determine your retention obligations for each data type. Although it might at first seem that the retention requirements should be made abundantly clear within the HIPAA regulations, determining your data retention obligations is actually more complex. On top of the HIPAA requirements, states and localities impose additional data retention mandates. Furthermore, these mandates often differ depending on whether a patient is an adult or a child.
Determining the retention requirements will likely be an exhaustive process, because specific business functions often change what applies. For example, healthcare organizations that also take part in clinical trials for new drugs are usually (depending on the circumstances) required to retain email messages and data related to the drug testing for a longer period than would otherwise be required for routine healthcare data.
Although it is no small feat, a good understanding of the healthcare industry should help you determine exactly what data needs to be retained and for how long. It is then up to the organization's IT staff to develop and implement a plan for complying with those mandates, and there are several things IT staff can do to make that easier.
One of the most critical aspects of complying with data retention requirements is that of employee training. Employees in healthcare organizations need to know exactly what is expected of them with regard to the proper handling of data. From a legal perspective it is beneficial to implement a formalized program to educate employees on data retention and other aspects of HIPAA compliance. Each employee’s participation in this program should be documented, and the employee should be required to sign a statement indicating that they have been through the training program and understand the requirements for handling data.
Use security mechanisms to steer data retention
Experience has shown that even when a healthcare organization trains employees on how data should be handled, some employees will inevitably break the rules, whether intentionally or by accident. You can reduce the chances of this happening by using security policies to prevent the mishandling of data. For example, suppose your organization requires employees to save patient data to a specific encrypted server volume where it is secured and backed up. In that situation you would not want employees saving patient data to the hard drives of their PCs. To prevent this, you might use security policies to block users from saving data to local hard drives, and then use server backup services that encrypt the data and send it to secure offsite locations. Pair such controls with monitoring so that violations are detected rather than assumed to be blocked. That is just one example of how security mechanisms can ensure that data is handled in the proper manner.
Automate data retention whenever possible
Security mechanisms can be used to prevent users from storing data improperly, but security alone will not ensure compliance with retention policies. Because employees cannot always be counted on to properly retain data, you should develop and implement appropriate retention policies and processes to keep your health information in compliance.
Remember that retention is only half the battle
As you develop retention policies, it is important to remember that retention is only one aspect of the overall data lifecycle management. Another important aspect of lifecycle management is to purge data that the organization is no longer required to retain.
While retaining data "forever" may be commonplace, data kept past its retention period is still discoverable and can be used against your organization in litigation or under subpoena. From a legal perspective it is best not to keep data beyond its retention period. The one exception is a legal hold: records subject to a hold must be exempted from the purge process until the hold is lifted, regardless of the schedule.
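The two preceding sections (automating retention, and purging what is no longer required) can be combined into one retention-schedule engine. The following is an added example, not code from the original article or from Iron Mountain; the data types, the retention periods, the age of majority and the extended clinical-trial period are all assumed placeholder values, since the real figures must come from a legal review of HIPAA plus the applicable state and local mandates. It shows the adult-versus-minor distinction, the longer clinical-trial period, and the legal-hold exemption that must block a purge.

```python
from dataclasses import dataclass
from datetime import date

# Retention schedule: data type -> years to keep after record creation for
# adults, and years to keep after the patient reaches majority for minors.
# These figures are ASSUMED placeholders for the example, not legal guidance.
SCHEDULE = {
    "ehr":   {"adult_years": 6, "minor_years_after_majority": 6},
    "pacs":  {"adult_years": 7, "minor_years_after_majority": 7},
    "email": {"adult_years": 6, "minor_years_after_majority": 6},
}
AGE_OF_MAJORITY = 18   # assumed; varies by jurisdiction
TRIAL_YEARS = 15       # assumed extended period for clinical-trial data


@dataclass
class Record:
    record_id: str
    data_type: str
    created: date
    patient_dob: date
    legal_hold: bool = False       # litigation/subpoena hold overrides the schedule
    clinical_trial: bool = False   # subject to the longer trial retention period


def add_years(d: date, years: int) -> date:
    """Add calendar years; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record) -> date:
    """Earliest date on which the record may be purged under the schedule."""
    # An unclassified data type raises KeyError: refuse to guess a period.
    rule = SCHEDULE[rec.data_type]
    adult_end = add_years(rec.created, rule["adult_years"])
    majority = add_years(rec.patient_dob, AGE_OF_MAJORITY)
    end = adult_end
    if rec.created < majority:
        # Record created while the patient was a minor: the clock runs
        # from the date of majority, never shorter than the adult period.
        end = max(adult_end, add_years(majority, rule["minor_years_after_majority"]))
    if rec.clinical_trial:
        end = max(end, add_years(rec.created, TRIAL_YEARS))
    return end


def disposition(rec: Record, today: date) -> str:
    """'hold' (never purge), 'purge' (past retention) or 'retain'."""
    if rec.legal_hold:
        return "hold"
    return "purge" if today >= retention_end(rec) else "retain"


def run_schedule(records, today: date) -> dict:
    """Map record id -> disposition; feed 'purge' entries to the deletion job
    and write every decision to an audit log (logging omitted here)."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample records (not real patient data).
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("R1", "ehr",   date(2015, 3, 1),  date(1970, 5, 10)),                      # adult, expired
    Record("R2", "ehr",   date(2015, 3, 1),  date(2010, 5, 10)),                      # minor, still held
    Record("R3", "pacs",  date(2010, 1, 15), date(1980, 1, 1), legal_hold=True),      # expired but on hold
    Record("R4", "email", date(2016, 1, 1),  date(1980, 1, 1), clinical_trial=True),  # trial extension
]


def sample_dispositions() -> dict:
    return run_schedule(SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    for rid, action in sample_dispositions().items():
        print(rid, action)
```

The purge job should consume only the "purge" entries and record every decision, including the holds, in an audit trail, so the organization can show later that each deletion followed the schedule rather than someone's judgement.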
Outsourcing provides expertise
Complying with regulatory mandates tends to be a major challenge for IT professionals. IT pros tend to have a technical background and may not have the legal or healthcare background needed to interpret regulations as complex as those governing data retention. Additionally, today's healthcare organizations continually grapple with which records to keep and which to destroy. Considering litigation risks, discovery costs and storage requirements, it seems natural for organizations to want to store everything forever. However, without an effective records management system, data retrieval becomes challenging at best, and not being able to find critical information when it is needed can have serious consequences for an organization.
However, there are solutions to ensure that an organization’s compliance initiatives are not misguided. Selecting a partner who understands your data lifecycle needs and requirements is important in this initiative to assist your organization in decreasing risks and minimizing costs. Iron Mountain understands the risks and benefits of establishing a consistent, defensible records management program and can help you avoid numerous potential pitfalls. The information management leader provides a custom approach for a comprehensive records management program which includes a solid, detailed records retention schedule supported by federal and state legal requirements to reduce storage costs, increase efficiencies and improve an organization’s reputation as a leader in the industry.
As a world leader in information management services, Iron Mountain offers a wide variety of healthcare related data retention services ranging from medical image archiving to storing physical records such as patient files, and X-rays. From strategy to solution deployment, Iron Mountain can help you tackle backup, recovery and archiving requirements by deploying high-impact tape and cloud technologies for healthcare IT management best practices.
Take a look at Iron Mountain’s Healthcare Solutions and find out how we have the experience necessary to help your healthcare organization determine applicable data retention requirements and to develop and implement a plan of action that will result in proven success.
Do you have more questions about your current Health Information and Management strategy? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s consulting services team. You’ll be connected with a knowledgeable product and services specialist who can address your information management challenges.