Most companies and medical facilities have voluminous amounts of stored paper and electronic files. That’s due in large part to industry-specific laws and regulations that require files and records be retained for a certain number of years before they can be shredded or otherwise disposed of.
For those in the healthcare industry, HIPAA and HIPAA-HITECH compliance rules must be followed for paper and electronic records respectively. And all industries that accept and store consumer credit information are expected to follow rules set out under FACTA, or the Fair and Accurate Credit Transactions Act of 2003, which requires organizations to take precautions to preserve privacy and prevent identity theft.
Different regulations have different timelines:
- HIPAA requires medical facilities to retain medical records for six years from the date of their creation or last use (whichever is later).
- The Alabama Board of Medical Examiners & Medical Licensure Commission of Alabama recommends retaining paper and electronic records for a minimum of 10 years.
Document management is the process of handling documents and files in such a way that the information they contain can be created, shared, organized, stored, and disposed of efficiently and appropriately. Adopting a comprehensive file management strategy enables your organization to avoid human error and non-compliance penalties.
The High Cost of File Management Non-Compliance
There are severe penalties for failing to comply with record retention and disposal rules and regulations.
The top five HIPAA violations are:
- Failure to perform an organization-wide risk analysis for confidentiality, integrity, and availability of protected health information, or PHI.
- Failure to enter into a HIPAA-compliance business associate agreement.
- Failure to safeguard PHI.
- Impermissible disclosure of PHI.
- Delayed breach notifications.
Because it’s impossible to prevent data breaches from ever happening, HIPAA compliance is about reducing breach risk to an appropriate and acceptable level. Failure to do so has come at a great cost to medical organizations of all types and sizes. The University of Rochester Medical Center paid $3 million in penalties for a case where an unencrypted flash drive and laptop computer were stolen. Sentara Hospitals paid $2.175 million to settle a claim for impermissible disclosure of PHI in a mailing. And Tennessee based Touchstone Medical Imaging reached a $3 million settlement for not protecting the PHI of more than 300,000 individuals.
Your own organization’s financial consequences for non-compliance depends on the level of negligence and the number of records potentially exposed by a breach. Fines may include:
- From $100 to $50,000 for violation of HIPAA attributed to ignorance.
- Penalties of $1,000 to $50,000 for violations that occur despite reasonable vigilance.
- Willful neglect penalties corrected within 30 days attract fines of between $10,000 and $50,000. Those not corrected within 30 days carry the maximum $50,000 fine.
FACTA penalties include:
- Civil liabilities of actual damages (which can be large if identity theft results) and statutory damages up to $1000 per affected customer.
- Class action damages, including punitive damages and attorneys fees, that can be in the millions or billions of dollars depending on the violation.
- Federal penalties up to $2,500 for each violation and state penalties up to $1,000 for each violation that affects a state’s residents.
To mitigate the risk of non-compliance penalties, it’s important to create and follow a file retention and destruction schedule that protects patients and customers from identity theft and other crimes.
File Management Best Practices
The goal of file management is to assist your organization in reducing compliance costs while helping it manage records more efficiently. With a file management program in place you’re able to easily balance your need to stay compliant with the laws and regulations for your industry. The goal should be to make your files and records retention and disposal more secure, more accessible, and cost-efficient.
One of the best ways to ensure compliance and prevent liability is to regularly schedule professional paper shredding and data disposal. This not only helps keep outdated records and files from accumulating but shows consistency in action and intent.
Many organizations find themselves overwhelmed with boxes and devices filled with obsolete yet sensitive patient and customer data. Attempting to dispose of these records in-house can be both time-consuming and risky. Partnering with a professional service to securely destroy media and paper documents ensures the job is done right and complies with all state and federal laws.
Don’t let your files become a liability. If you need to destroy paper-based or digital records, through May 15th, 2020 we're offering free labor to help insure proper and secure disposal of all customer, client, and patient records and files.