No File Left Behind: Practical Tips on Electronic Records Management
Issue Index | Related Articles
What three things do Martha Stewart, Frank Quattrone and Arthur Andersen have in common? All three built successful corporations whose reputation was later marred in obstruction-of-justice cases relating to the mishandling of electronic records. And in all three cases, it was discovered too late that not having a systematic practice process for electronic records management was most certainly "Not a good thing!"
Cases like these highlight the risks that all types of companies, including medical practices (and their physicians and managers), face when key business documents are not properly preserved. They also graphically illustrate how important it is for health care to develop and enforce effective records management systems, especially as those systems relate to electronic records. That is because every company has a duty to preserve all paper and electronic data (including, but not limited to, e-mails and computerized business and medical documents) that may be relevant to governmental investigations and pending and "reasonably foreseeable" litigation.1 Failure to do so can result in potentially ruinous spoliation of evidence claims or, as noted above, obstruction of justice charges. Indeed, a wave of civil and criminal sanctions has caught corporate America in its undercurrent. And there’s a perfect storm brewing of billions of individual electronic records without any means to manage them.
The stark reality, however, is that most medical practice’s e-records retention policies, practices and processes are either woefully inadequate or completely nonexistent. E-mail and other individual electronic data have become the lifeblood of many medical practices’ communications. Unfortunately, however, most companies’ records managers (and IT department, if there is one) are simply not currently up to the task of managing this geometric proliferation of e-records.
For example, a 2004 study conducted by Cohasset & Associates, a consulting firm specializing in document-based information management, found that more than 59 percent of companies don’t have any formal e-mail retention policy and more than 47 percent don’t include electronic records in their retention schedules at all. In the zeal to cut costs, companies’ trusty paper-record file clerks have been eliminated, but no one has been brought in to handle the mushrooming growth of electronic records. As a result, a records management vacuum has been created and employees have become their own de facto electronic records manager. Given all of this, it is no wonder that the cases cited above occurred.
What’s more, the recent e-discovery sanctions levied in Zubulake and United States v. Philip Morris2 have corporate America drowning in a sea of competing interests. On the one hand, companies are now clearly "on notice" of their electronic records retention obligations, according to Judge Shira A. Scheindlin, judge of the United States District Court for the Southern District of New York in the Zubulake case. On the other hand, no "one-button" solution exists to meet this challenge. And experts say we are several years away from technology that seamlessly integrates records retention and e-discovery functions.
So what practices are likely to get you in trouble? The following document-retention practices (or lack thereof) have the potential for bringing about obstruction of justice or spoliation claims.
- Document destruction in the absence of a document-retention policy. Destruction of documents on an ad hoc basis without any policy or plan is a bad idea. If no plan is in place, it is easy for an investigator or judge to view such action as destruction of evidence. A good document-retention program can help keep your practice from getting caught in a difficult position.
- "Unreasonable" document-retention policies. The 6th Circuit stated that some document-retention policies could be so unreasonable as to constitute misconduct. The court determined that a one-week retention period would constitute misconduct, but concluded (without explanation) that a seven-year document retention period could not.3 The 8th Circuit took a slightly different approach, finding that a document-retention policy must be: (1) instituted in good faith and (2) reasonable "considering the facts and circumstances surrounding the relevant documents."
What does this mean for the medical practice? At a minimum, the practice must maintain paper and electronic records in compliance with all relevant mandated and/or strongly recommended retention periods. [While a discussion of mandated retention periods is beyond the scope of this article, every practice should consult with its attorney to make sure its document-retention program fully complies with applicable legal requirements.] The practice must also consider what types of documents it creates and receives, giving careful consideration to how those documents impact the efficient, cost-effective operation of the business. On the “reasonableness” scale, the more thoughtful consideration that is given to the creation of a document-retention plan, the more likely it is that a court would find the plan to be reasonable.
- Neglect, abandonment or departures from sound document-retention program. Failure to enforce polices or changing policies at critical junctures can cause serious problems if your practice ever faces an obstruction of justice charge. Once a program is in place, it is essential for a practice to stick to the program. Any departure could be seen by the court (of law and public opinion) as an attempt to destroy evidence.
- Failure to have effective "circuit breaker" policies and controls in place. A manager must be able to immediately exclude from the normal destruction cycle those documents that become implicated by actual or anticipated need, for instance through a lawsuit, investigation or threatened litigation. Consequences of destroying potentially relevant documents, even if done under an otherwise reasonable protocol, can be severe.
- Failure to accord electronic documents adequate protections. It is easy to overlook e-mail and other electronic documents, but it is important to adequately protect them. Remember that even e-mail and other electronic documents (don’t forget about archived data and data retained for disaster-recovery purposes) concerning a decision, investigation, problem, resolution or other "material" facts should be retained for the applicable retention period assigned to the category of document under the document-retention program. This could be difficult if employment changes occur. For example, consider how the company will retrieve and retain data stored on the departing employee’s leased or personal computer. It is important for a practice to think ahead regarding these issues, because once a hold is necessary, the practice must ensure that both paper and electronic documents are retained.4
So, what should a medical practice do? Where does it start in unraveling this complex puzzle of legal, IT, records retention and compliance challenges? Here is a list of practical steps practices you can follow when approaching this task.5
- Stop the bleeding. If your practice is hemorrhaging e-records that need to be preserved due to legislation, regulation or litigation, triage your efforts by focusing first on a practice-wide, records-hold notice process. This will help cure exposure to civil sanctions for spoliation or criminal sanctions for obstruction of justice.
- Get your house in order. Create or revisit your records-retention policies. As soon as possible, review existing records-retention policies to ensure they adequately consider electronic records, including e-mail and other electronically stored information.
- Appoint a leader. Identify a practice-wide, records-retention compliance officer. Compliance officers are uniquely suited for this role. This person needs to be responsible and accountable for communication, coordination and monitoring compliance with records retention and hold notice requirements for both print and electronic records. This person needs to have sufficient IT knowledge and awareness to ensure due diligence with respect to identifying and retaining pertinent electronic records.
- Remember where problems start. E-mails are interesting because while they are seemingly deleted easily, they are also everywhere. Even when e-mails have been deleted from one computer, they may remain in others. Additionally, savvy computer people can often retrieve old e-mails that were supposedly deleted.
Unfortunately, employees often do not understand the significance of what they put in an e-mail. Employees put in writing thoughts and comments that they would never put in a formal memo or letter. This can be a problem when analyzed years later during an investigation. Train your employees on proper use of e-mail. Make sure they understand the significance of what they send. Remind them that what they write now could eventually be read by strangers later.
- Communicate. Train your employees, using every reasonable means at your disposal, about their records-retention obligations — particularly hold notices. For example, consider using e-mail notices, printed notices, intranet postings and computer-based training in this effort. Draw upon any internal marketing or training resources for support. This will help you to avoid the "What we’ve got here is a failure to communicate" critical error that Judge Scheindlin noted in Zubulake.
- Coordinate. Ensure that the practice understands and can execute on records hold notice directives with respect to any hard copy or electronic information in the cross-hairs, including some or all of the following: e-mail, voicemail, instant messaging, removable media (diskettes, removable hard drives, USB tokens, CD-ROM, DVD, etc.) databases, back-up tapes, historical data, archive data, Web-based data and third-party data.
- Know thyself. Take the time and devote the resources necessary to understand the current print and electronic records landscape at the practice. This may require hardware, software and system inventories that do not currently exist or that are out-of-date. It may require developing maps of your network connectivity and infrastructure. It may require identifying historical, archive, disaster recovery, current online, offline and other locations of pertinent electronic information. As necessary, interview the data owners to identify individually stored electronic information that may be pertinent.
- Ensure compliance. Ask employees to sign an acknowledgment of the practice’s records-retention requirements, take a random sampling of records-retention activities and develop a process for remediation of any variances, in order to establish a positive record of corporate compliance. Reasonableness, not perfection, is the standard. But, without a process to ensure compliance, it is difficult to carry your burden of persuasion on this element with the court or governmental agency that will be evaluating your conduct.
- Make lemonade from lemons. Approach records retention as an opportunity, not just an obstacle. Consider electronic records management systems that can help streamline electronic records retention and IT functions that can eliminate unnecessary duplication of efforts and reduce the cost of handling electronic records throughout the entire information life cycle. An often-overlooked benefit includes the potential use of such systems as knowledge management assets to preserve the institutional knowledge of the practice.
- Guidelines for an effective document-retention program:
- Policies should not be motivated by litigation or to eliminate adverse evidence.
- Focus should be on business needs, such as eliminating unnecessary and duplicative documents, and having efficient access to business documents.
- Retain records of development and implementation. Demonstrate business justification and motivation for policies.
- Policies should be all-inclusive, with clearly defined schedules for retaining various types of documents, including hard copies and electronic data.
- Include "cyber policies"; make sure employees understand they have "no privacy rights" with e-mail, Internet, intranet, etc.
- Provide and instruct tripping the "circuit breaker," designate a position with responsibility for the "circuit breaker." This person should be at the top of the reporting system regarding investigations and other proceedings involving the practice and others in the industry.
- Include standard, uniform instructions on when and how documents should be destroyed.
- Monitor to ensure strict and consistent adherence to policies. For example, have periodic reminders to all employees reminding them to comply with the policies, as well as mandatory training and information sessions.
- Periodically review, audit and revise the procedures.
Following these steps can help your practice manage all of its records cost-effectively, while also reducing the risk of non-compliance with its legal and business requirements. Keep in mind also that, as electronic records management technology improves, the "best practices" bar is raised for what is deemed "reasonable" in terms of practice conduct in this area.
In this information age, businesses will do well to focus their efforts on what might be called the "Zen of Zubulake" — communication, coordination and compliance. Companies that are proactive and innovative stand the best chance of calming the stormy seas of civil and criminal sanctions relating to electronic records retention.
Issue Index | Related Articles
* * *
About the author: Carol Poindexter is a partner in the Shook, Hardy & Bacon National Health Law Group. She is also a member of the firm’s White Collar Group. Carol's health law practice focuses on the areas of health care regulatory compliance counseling, including: federal and state health care, fraud enforcement, defense and investigative assistance; corporate integrity agreements; internal investigations and due diligence; and Health Insurance Portability and Accountability Act privacy and security compliance.
- Zubulake v. UBS Warburg LLC, 2004 U.S. Dist. LEXIS 13574 (S.D.N.Y. July 20, 2004) (Zubulake V).
- United States v. Philip Morris USA Inc., 2004 WL 1627252 (D.D.C. July, 21, 2004)
- Jordan v. Paccar, Inc., No. 95-3478, 1996 U.S. App. LEXIS 25358 at *28 (6th Cir. Sept. 17, 1996).
- See, e.g., Procter & Gamble Company v. Haugen, 179 F.R.D. 622, 632 (D. Utah 1998) (finding that "P&G’s failure to search or preserve e-mail communications of the five individuals that P&G had itself identified as having relevant information constitutes a sanctionable breach of P&G’s discovery duties," the court awarded Amway $10,000 for bad-faith destruction of e-mail records); see also, Illinois Tool Works, Inc. v. Metro Mark Products, Ltd., 43 F.Supp. 2d 951, 954 (N.D. Ill. 1999).
- A discussion of the potential implications of the HIPAA Privacy and Security regulations on the practice’s document retention plan is beyond the scope of this article. Each practice should seek guidance from competent counsel when crafting or updating its record retention policies and procedures.