|
Increasing legislative, regulatory, and litigation-related demands require effective means to identify, retain, and access digital and paper archives. Yet many organizations have no policies in place for retaining, managing, and purging documents. This paper looks at some of the basic components of a document strategy?retention, management, and destruction?and highlights some of the current compliance drivers that make it all necessary.
Today, organizations of all sizes and in all industries are faced with a rapidly growing amount of paper and electronic documents.
Digital and paper archives are growing exponentially, for instance:
Digital hard disk storage has grown 85 percent a year over the last eight years (How Much Information, UC Berkeley SIMS). 2.7 billion new sheets of paper are filed into folders every day (ATG & Rheinner, Reuters).
Increasing legislative, regulatory, and litigation-related demands require effective means to identify, retain, and access this data. Yet many organizations have no policies in place for retaining, managing, and purging documents.
This paper looks at some of the basic components of a document strategy?retention, management, and destruction?and highlights some of the current compliance drivers that make it all necessary.
Compliance Drivers for Change
Companies are just getting started with implementing compliance initiatives. A recent AIIM report shows that 56 percent of the surveyed organizations either had not yet begun compliance initiatives or are in the early stages of implementing policies around data retention and compliance. Additionally, many of these companies have not defined a clear approach to the issue (AIIM Industry Watch Survey 2006).
The following are just a few of the legislative and regulatory mandates that illustrate the importance of effective policies for document retention/access, management, and destruction.
FDA Rule: Electronic Records, Electronic Signatures
The US Food and Drug Administration (FDA) introduced 21 CFR part 11, titled "Electronic Records; Electronic Signatures," in 1997. The rule determines the requirements of computerized systems that must be fulfilled in order to permit electronic signatures and electronic records in lieu of traditional, paper-based records and hand-written signatures.
Many industries are subject to FDA regulations. For example, the biotechnology, pharmaceutical, personal care, medical devices, food, and beverage industries are required to document and acknowledge conditions and events at several points during the manufacturing process to ensure that exact manufacturing procedures are followed. A searchable record archive can enable organizations to quickly and easily retrieve the documentation necessary to prove that proper steps were followed in the manufacturing process.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), mandated the Department of Health and Human Services to publish new rules to ensure: Standardization of electronic patient information Unique health identifiers for individuals, employ ers, health plans, and healthcare providers Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future HIPAA affects virtually all healthcare providers, health plans, public health authorities, healthcare clearinghouses, life insurers, and selfensured employers, and calls for severe civil and criminal penalties for noncompliance:
Fines up to $25,000 for multiple violations
Fines up to $250,000 and/ or imprisonment for the misuse of information
The final Security Rule was published in 2003 and required most healthcare entities to implement record archiving by April 21, 2005.
International Privacy Regulations The United Kingdom's Data Protection Act and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) are two on the growing list of privacy laws that organizations must be aware of when doing business abroad. Regulations relate to appropriate use of personally identifiable information, and include requirements for its management and destruction.
Data Protection Act Principle 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
PIPEDA 4.5 Principle 5 ? Limiting Use, Disclosure, and Retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
PIPEDA 4.5.2. Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods.
|
