Record Management & Retention Policy

Size: px

Start display at page:

Download "Record Management & Retention Policy"

Kerry Weaver
6 years ago
Views:

POLICY TYPE: Corporate Divisional EFFECTIVE DATE: INITIAL APPROVAL DATE: NEXT REVIEW DATE: POLICY NUMBER: May 15, 2010 May - 2010 March 2015 REVISION APPROVAL DATE: 5/10, 3/11, 5/12, 9/13, 4/14,

1 POLICY TYPE: Corporate Divisional EFFECTIVE DATE: INITIAL APPROVAL DATE: NEXT REVIEW DATE: POLICY NUMBER: May 15, 2010 May March 2015 REVISION APPROVAL DATE: 5/10, 3/11, 5/12, 9/13, 4/14, 11/14 APPLIES TO PRODUCT TYPE: Medi-Cal Medicare CCI 1 of 5 POLICY APPLIES TO: SUBJECT: All Division Departments Record Management & Retention Policy Policy: This policy is consistent with Community Health Group s ( CHG ) legal requirements and sound business practices, it is the policy of CHG and its subsidiaries (the Company ) to retain and manage its business, member records (as defined below) in accordance with uniform guidelines, practices, and procedures. All Company employees and other personnel ( Personnel ) shall manage and protect Company Records and maintain Company Records in accordance with this Records Management and Retention Policy (the Policy ) and the Records Retention Schedule (the Retention Schedule or Schedule ) attached hereto as Exhibit A. Purpose: It is the intent of this Policy to insure that all Records necessary for business and legal reasons will be retained for a period of time that will reasonably assure their availability when needed, but for no period of time longer than reasonably necessary. All Records required to be retained to document the Company s legal compliance, or otherwise required by law, rule or regulation to be retained, shall be retained for no less than the periods required by law. with this Policy will also assist the Company in complying with court rules and orders during litigation, such as the Federal Rules of Civil Procedure and similar rules applicable in state court litigation. All Records required to be retained due to pending or threatened litigation or investigation shall be retained for so long as the litigation or investigation is active. The Retention Schedule establishes the Record categories covered by this Policy and the retention period for each category. To the extent that a Record is included in more than one category, the longer retention period shall apply. Definitions: Active Record means a Record that is regularly referenced or required for current uses. A Record is considered Active if it meets at least one of the following criteria: 1. There is a regulatory or statutory requirement to keep a Record; 2. It would be advantageous to the Company to be able to access a Record quickly; 3. A Record will be needed for reference at a specific time in the future; or 4. The custodian of the Record makes the determination that a Record may be retained as an Active Record. Electronically Stored Information or ESI means any and all electronic Records, including without limitation s, computer files, database records, voice mail messages, and all other Records, files and other information stored in electronic or digital format. Inactive Record means a Record that is no longer needed for current business. Inactive Records need not be readily available but still must be retained for legal, fiscal, operational or historical purposes. Inactive Records may be archived at a remote location(s).

2 2 of 5 Record: A Record means a document, file or record created, received or obtained by any Company Personnel while acting within the course and scope of his or her employment pertaining to Company business or operations by any means upon any tangible thing including, but not limited to, paper files, documents and records, computer records, electronic mail ( ), voice mail messages, handwritings, photographs, photocopies, or facsimile, regardless of the manner in which the record has been stored. Specific categories and types of Records are contained in the Retention Schedule. Litigation Hold: The retention periods set forth in the Retention Schedule shall be suspended ( Legal Hold ) when in the judgment of the Company s General Counsel, a Record or group of Records relate or may relate to an actual, threatened or reasonably foreseeable legal claim, investigation or other legal proceeding ( Legal Proceedings ) A sample Confidential Legal Hold Memorandum is attached hereto as Exhibit B. The Legal Hold requires preservation of Records relating to the Legal Proceeding. Company s General Counsel will determine and identify what Company Records are required to be placed under a Legal Hold. If Company Records are held by outside counsel or third party contractor, Company s General Counsel will notify outside counsel or the third party contractor, as applicable. Employees who become aware of actual or potential Legal Proceedings prior to receiving a Legal Hold notification shall (a) retain and preserve all records which relate or may relate to the Legal Proceeding and (b) immediately notify an appropriate manager or the Company s General Counsel. The General Counsel shall notify responsible Company Personnel if a Legal Hold is placed on Records for which such Personnel are responsible. Personnel so notified shall then locate and preserve all the applicable Records relevant to the Legal Hold. If there are questions as to whether a particular record is covered under a Legal Hold, Personnel shall protect the document until he or she has checked with the General Counsel with respect to the applicability and interpretation of the Legal Hold. A Legal Hold remains effective until it is released in writing by the Company s General Counsel. Once released, the affected Records shall be returned to their prior location and shall thereafter be subject to the handling procedures of this Policy and to the relevant provisions of the Retention Schedule. Generally, the definition of Record, this Policy applies to paper, electronic records and other ESI, including computer created / generated records and . This Section of the Policy provides a general description and overview of the Company s ESI storage and retention systems and policies. More detailed and technical information may be obtained through the Company s IT Department. communications are records, and shall be created, retained and destroyed in accordance with the Company s Policy. The Policy shall contain procedures to ensure s that constitute records of the Company (as opposed to informal communications not requiring retention) are migrated to the Company s ESI management system, or otherwise retained, in a manner to avoid destruction of Company records which originate in format. Storage of ESI: , computer files and other ESI must be stored in accordance with permitted storage locations or as otherwise authorized by the Company. Laptops: In addition to the requirements above, all employees with Company issued laptops shall protect and safeguard such laptops and related peripherals and equipments. Refer to Hardware, Software and Network Security Policy # 4102 for more information pertaining to the use of laptops, encryption and transferring files to network. Employees shall immediately notify the appropriate supervisor or manager of any known or suspected damage to, loss, theft, or unauthorized access of any Company laptop.

3 3 of 5 STORAGE, ACCESSIBILITY AND RETRIEVAL Confidentiality and Security: Certain Records of the Company are confidential, such as member protected health information (PHI), non-public financial information, business plans, employee medical and health information, third party financial information (credit applications, credit card information, etc.), credit reports, and attorney-client communications (all collectively referred to as Confidential Information ). All employees shall keep Confidential Information strictly confidential and not disclose Confidential Information to any person outside the Company without written approval of an authorized supervisor or manager. Employees shall disclose Confidential Information to other employees of the Company only if the recipient employee has a need to know the information. The Company will employ commercially reasonable measures and safeguards to maintain the security of all Records, including appropriate administrative and technological safeguards with respect to all electronically stored information. Employees shall immediately report any actual, threatened or suspected breaches in confidentiality or security of the Company s Records to an appropriate supervisor or manager. Format and Accessibility: The format of the Records to be retained may vary, e.g., hard copy original, photocopy, facsimile, microfilm, microfiche, computer file, , computerized image. Active Records should be readily accessible by the Company. Inactive Records do not need to be readily accessible, but must be stored in a system and in a format that permit identification and retrieval if necessary. Reproducibility of Electronic Records: All ESI should be maintained in a manner and utilize technology that provides the ability to print a paper copy of the ESI. Scanned and/or electronic images are a replacement of the original document; as long as the scanned copy is in a format that cannot be altered or over-written after it has been made. Scanned images of paper Records should utilize technology that creates an exact or near exact facsimile or copy of the paper Record. The Scanned images must be reviewed to confirm that it is an exact copy of the original document before records are destroyed. The technology utilized for storage of ESI shall also permit the efficient migration to new formats as technology advances so that the ESI will continue to be accessible and readable for as long as the Record is required to be retained. Removal / Retrieval: Procedures shall be implemented that identify the location or destination of Records leaving the storage facility or that is removed from their designated storage location within the facility. The procedure shall require the completion of a removal form identifying the individual taking possession of the Records (including verified, current contact information for that individual), the date the Records were removed, the purpose of their removal, the place to which the records will be moved, and the expected date the Records will be returned. Records retention personnel should monitor the return of the records as indicated by the form. HEALTH PLAN RECORD RETENTION REQUIREMENTS As a licensed health plan, CHG is subject to regulatory and contractual requirements: Knox-Keene Act/DMHC Requirements Pursuant to Title 28, Section CHG must comply with the following regarding all records required by the Knox-Keene Act and the Title 28 regulations there under:

4 4 of 5 Preserve records for a minimum of five years. Preserve records at an easily accessible place at the CHG office for a minimum of two years. Following that two-year period, records may be maintained at a secured warehouse for the remainder of the five-year retention requirement, however, the records must be stored in such a manner so that they may be made available to the Director of DHCS within five days after CHG receives a request for records. Medi-Cal/DHCS CONTRACT Requirements - applicable to all records related to our Medi-Cal line of business must be kept at a minimum of five years from the end of the Fiscal Year in which the contract expires or is terminated, or from the date we are duly notified since the last audit by DHCS or whichever is later. (Five years after the end of the State fiscal year would be June 30, 2016.) Healthy Families/MRMIB Contract Requirements, applicable to all records related to our Healthy Families line of business. MRMIB requires a minimum of three years record retention; however, CHG will adopt Title 28 regulations requiring a record retention period of five years. DESTRUCTION OF RECORDS Generally: It is the intent of this Policy that Records shall be destroyed with reasonable promptness upon the expiration of the applicable retention period provided; however, Records subject to a Legal Hold must be retained in accordance with the Legal Hold procedures and instructions. Assigned Personnel shall carry out the destruction as soon as is reasonably practicable follow the expiration of the retention period provided that the Records in question are not subject to a Legal Hold. Any Records so retained shall be destroyed when there no longer exists any valid reason for their continued retention. Destruction methods should be used that ensure the Records, whether paper or electronic, are not capable of being reconstructed. Personnel carrying out the destruction shall maintain a record of the destruction. Confidential Records / Personal Information: Special care and attention should be given to the destruction of Confidential Information, including without limitation, and or other sensitive records which could cause loss or damage to the Company in the event of unauthorized disclosure. Certain laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB), contain requirements and guidelines for the destruction of personally identifiable information and other confidential or sensitive information. The mode of disposal or destruction of all Confidential Information shall safeguard the confidentiality of the Records, be reasonable and appropriate to prevent the unauthorized access to or use of Confidential Information, and shall render them no longer recognizable as Company Records. The following practices comply with this Policy: 1. Shred papers containing Confidential Information so that the information cannot be read or reconstructed; 2. Destroy or erase electronic files or media containing Confidential Information so that the information cannot be read or reconstructed; 3. Conduct due diligence and hire a document destruction contractor to dispose of material containing Confidential Information consistent with this Policy and applicable law. Due diligence could include: a. Reviewing an independent audit of a disposal company s operations and/or its compliance with this Policy and applicable law;

5 5 of 5 b. Obtaining information about the disposal company from several references; c. Requiring that the disposal company be certified by a recognized trade association; d. Contractually requiring the disposal company to comply with all applicable disposal and destruction laws and regulations; and e. Reviewing and evaluating the disposal company s information security policies or procedures. Policy Status: Signed (Signature on File) Active Draft Policy in Development References 1. Health Insurance Portability and Accountability Act (HIPAA) Privacy & Security Rule, 45 CFR California Medical Information Act, California Civil Code Section 56 et seq. 2. California Code of Regulations, Title 28, Section Business Records Exception, Federal Evidence 803(6) 4. California Hospital Association Records Retention Guide CFR (d)(2)(iii), (d) 6. Medi-Cal Managed Care Plan Contract, Exhibit E, Attachment 2 Approved By: Signature: Department Head: Officer Date: Signature: Division Chief: Chief Executive Officer Date:

NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE

NATIONAL RECOVERY AGENCY COMPLIANCE INFORMATION GRAMM-LEACH-BLILEY SAFEGUARD RULE As many of you know, Gramm-Leach-Bliley requires "financial institutions" to establish and implement a Safeguard Rule Compliance