Tiered e-Archives for Patient Records and Electronic Mail
How long should an enterprise retain e-data? What's a smart policy on e-record destruction? Hear how East Carolina University answered the questions for e-mail, medical records and security videos.
The institution retains those three classes of data in a dedicated archival system (more than just normal production records and backup).
East Carolina retains e-mail of top school administrators seven years, then purges it. In my experience, seven years is the traditionally-recognized period for responsible retention of important financial records.
East Carolina elected to retain e-mail of faculty and staff for three years.
It archives security video (very voluminous) 30 days.
The university saves patient records until 20 years after patient's death.
To reduce costs, the university retains archives in tiers. Newer or higher-priority archives are in higher-performance "primary" storage, whereas older archives are relegated to slower storage, outside the network backup program.
On the topic of tiers, I’ll go one step further than what I read about East Carolina U. I envision another, even lower and less expensive tier, where archives are retained and organized but not accessible by fully-automated means.
From the perspective of e-discovery theory, a rationale for tiered storage is this: E-discovery law is most intolerant when records are destroyed too early. In the e-records world, too-early destruction is the most common type of "spoliation" or "obstruction of justice". E-discovery law is also intolerant (but maybe a bit less so) when a litigant possesses records, but she doesn’t know it and can’t find them.
Finally, e-discovery law seems to be more tolerant when a litigant possesses records, knows she possesses them, knows more or less where they are, but just can't get to them very easily. When this is the case in a lawsuit, a litigant is much less likely to be charged with spoliation. Instead, the plaintiff and defendant are prone to go before the judge and argue about the extent to which the dusty old e-archives are important and about who should pay for how much of the cost of retrieving them.
-–Benjamin Wright
Mr. Wright is an advisor to Messaging Architects, thought leader in e-record archival.
Patient Records are retained under the retention policy for 20 after death. How do they know when a x-patient dies. As far as I can tell only if they happen to die at that location. Apparently, all their patients die after treatment. Think I would ask for a second opinion.
Unless you have access to all death notification throughout the world and match them against your database it is impossible for the location to destroy the records using a 20 year after death retention.
Posted by: R W Dalton, CRM | September 19, 2008 at 08:05 PM
Since East Carolina is no doubt a public institution I wonder if their email retention policy complies with state records retention schedule for universities?
http://www.records.ncdcr.gov/schedules/unc_system_general_schedule.pdf
if one takes a look at the above they will see that emails are discussed but they are not listed as an individual item on the schedule. but I'm not surprised because as any professional records manager knows retention is determined by content and not media. Email is a transport method.
this same schedule provides various retention periods for videotapes depending upon what type of videos they are.
finally lets not use the term "archival" to describe a storage system. Archival has a specific meaning in the records and information management profession. It means primarily that the item primarily has a historical value to the institution.
Posted by: pak152 | September 22, 2008 at 10:06 PM
pak152: Thank you for your comment. You said: "retention is determined by content and not media. Email is a transport method." The content-determined standard for records retention does not seem to work for e-mail. E-mail is so voluminous, and it mixes so many kinds of content, that it is impratical to set a content-based retention period for it. The seemingly smarter approach is to retain all e-mail of decision-makers a good long time, like 7 years (and motivate them to take their personal e-correspondence to a personal account, such as at yahoo or hotmail). What do you (and others) think? --Ben
Posted by: Benjamin Wright | September 22, 2008 at 10:35 PM
In addition to agreeing with pak152's comments about e-mail not being a records series of its own, I will note that the "archival" (your use not mine) technologists where he and I work are now beginning to understand that "archiving" and disposition (disposal/destruction as well as LTDP) are not separate animals, and that with a little effort the retention rules pursuant to legal, regulatory, and valid business requirements can be applied to the "archived" records.
Seven years may be the limit to many financial obligations, but considering patients records are death +20 years, I can surely imagine some e-mails having longer than 7 years retention needs based on their subject matter.
In the US (SSA) there is a government website where you can enter a person's SSN and see get death verifications. Not sure if institutions such as hospitals search this database at intervals to determine disposal triggers for x-patient records.
Posted by: TXC, CRM | September 23, 2008 at 12:27 PM
Mr. Wright asserts:
"The content-determined standard for records retention does not seem to work for e-mail. E-mail is so voluminous, and it mixes so many kinds of content, that it is impratical to set a content-based retention period for it."
Unfortunately no matter how many times or how loud IT and others make this assertion, it will fall on deaf ears if used in conjunction with an organization that has an approved retention schedule in place for their records. If they have a policy for retention of records and a definition of what constitutes a record, then it applies to e-mail and all other forms of information within their organization. E-mail is NOT a "series", it is a method of conveyance.
If an organization has allowed e-mail to grow unchecked and hasn't established a policy of how to manage it, a knee-jerk decision to delete all e-mail older than X days or over an arbitrary volume WILL be viewed as selective destruction.
And as mentioned by others, a "E-mail archiving product" doesn't constitute an archive OR an electronic records management system, it's simply a repository used to manage copies of e-mail harvested at the server level.
The proper way to go about managing e-mail is to develop a policy that is consistent with existing records management policy that calls for non-record e-mail to be deleted within specified time frames and record e-mail to be managed along with other records for retention periods consistent with the approved schedule.
To go on shouting at the rain that there's too much of it to manage is ridiculous.
Larry Medina
RIM Professional
Posted by: Larry | September 23, 2008 at 02:44 PM
Mr. Medina and pak152: I am grateful to hear your thoughtful comments. I'd like to understand your perspective better. Mr. Medina speaks of a "policy that calls for non-record e-mail to be deleted within specified time frames and record e-mail to be managed along with other records for retention periods consistent with the approved schedule." Question: As a practical matter, how does a large enterprise distinguish between "record e-mail" and "non-record e-mail"? In other words, how does it segretate the two kinds of e-mail so that one can be retained and the other deleted? Further, I surmise that for "record e-mail" you envision various retention periods depending on e-mail content. By what practical means do you envision "record e-mail" be divided into the various retention periods? Do you expect e-mail users manually to examine each e-mail and decide whether it is a non-record e-mail, or it is a record e-mail that fits in category X, or Y or Z? Thank you. --Ben
Posted by: Benjamin Wright | September 23, 2008 at 03:45 PM
Ben-
Policy typically determines what constitutes a record- as a general rule, it's anything that documents a business decision or transaction, or provides instruction/guidance to others in a business context. I think one way to look at it is if an office manager/administrator is sorting though the postal mail on receipt, there may be POs, Contracts, Invoices, Correspondence, Data Requests, Invitations to a picnic, blind solicitations from vendors, magazines, trade journals, etc. Some of this is decided to constitute a business record, others are not. The non-records are typically recycled, or sent for a cursory review and then recycled, the balance (the records) are then "actioned" for lack of a better term.
And yes, you're right they all have differing retention periods, some based on a legal or regulatory requirements, some based on this plus any business needs that may exceed the required retention. And on a daily basis, businesses made these decisions routinely... on receipt.
One way some organizations are doing this involves establishing some rules that are "role based" depending on the threshold of responsibility or authority associated with the level and functional role an individual holds in an organization. IT STILL requires a decision be made of "record or non-record" based on the organization's definition, but the second decision can either be made based on a period assigned to ALL e-mail that the individual declares a record (and naturally, some would be kept too long, and hopefully very little would not be kept long enough) or there could be two options- one for CY plus 2 years, and one for CY plus 7 years, which may be the longest retention associated wit the role and function of the individual.
Over time, these periods could be "tweaked" and adjusted to be more appropriate, and if the resulting repository is checked for accuracy, a threshold could be set for X% after which the retention could be applied more 'automagically'
It's not ME that expects it, it's EVERY organization that should. The option is to save everything for the maximum retention, and depending on the industry you work in, that could be upwards of 25 years. Given that many studies show that 75-80% of all e-mail is non-record, imagine how much additional cost an organization would be exposed to if taking the easy way out and keeping everything... NOW, imagine the risk they'd be exposed to if they kept this much information and 80% of it posed an undue risk during a discovery action. The extra time to search though it alone would be ridiculous.
Larry
Posted by: Larry | September 23, 2008 at 05:04 PM
" As a practical matter, how does a large enterprise distinguish between "record e-mail" and "non-record e-mail"? "
The same way it handles the thousands of pieces of physical mail that arrives every day. Individuals open the envelopes (email) and read the content. Once they have read the message they determine where is the best place to file the item. What is the main topic of the item? If related to a contract you would file it with the contract.
If physical mail were handled the same way that IT proposes handling email then organizations would gather up all the physical and place it one large room with no rhyme or reason for filing. individuals would have to comb through all the mail to locate what they are seeking. But of course they are filed one way and that is chronologically since we must through out all mail after 3 years. Now we know that a letter can effectively serve as a contract or modify a contract. But since we don't file the letters any longer with the contract itself we will throw it out after 3 years, but 2 years later we're in litigation and that letter is key to our defense and we no longer have it. Gee what a shame.
Organizations need to provide better training to their employees on how to handle email, something they really don't do today.
There are email software products on the market that can capture emails based upon content and metadata. The problem is it takes time to develop the rules. IT finds it easier just to throw all emails into one giant bucket and hope that they don't have to find something
Peterk
Posted by: pak152 | September 23, 2008 at 07:11 PM
Larry and Peterk: Thank you for these valuable comments. We are discussing a very interesting and challenging subject. In order to give the topic the attention it deserves, I am peeling off a piece of it and starting a new post at http://legal-beagle.typepad.com/wrights_legal_beagle/2008/09/e-mail-instant-text-message-record-destruction.html. I'd be honored to hear what you or anyone else thinks. Readers are welcome to continue leaving comments on this thread, and they are welcome to leave comments under the new post. –Ben
Posted by: Benjamin Wright | September 24, 2008 at 02:38 PM
To whom this may concern:
I live in NYC, I would like to know if it is against the law to email Medical records? And, if it is can you tell me where I can find the information for my state.
Yours truly,
Posted by: Janice Brown | October 03, 2009 at 05:08 PM
Janice: Thank you for your inquiry. This blog is not the place for delivery of legal advice for specific situations. The answer to your question might depend on many specific facts. For example, my guess (without having researched the topic) is that no law forbids a patient from e-mailing her own patient record to someone else. On the other hand, some people might argue that it is unwise under HIPAA for a hospital to send a patient record via e-mail without encryption. --Ben
Posted by: Ben Wright | October 04, 2009 at 10:47 AM
I am a NYC public high school teacher. I was injured in school with malice intent by the secretary of our assistant principal. No one saw the incident, but there were teachers and students who saw me before and after the reported contusion (resulting to a concussion) within a 10 to 15 minute time frame. I went to our schools' nurse and noticed the redness in my nose, swelling of my right eye, and bruising and swelling of my right cheek. She gave me an ice pack. I reported the incident immediately to my supervisors. I was taken to my doctor's office by a fellow employee. The doctor immediately ordered that I go to the nearest hospital (Saint Vincent's) for further medical evaluation and treatment. I was then seen by a neurologist (NYU Hospital) and a pain management specialist (Hospital for Special Surgery.
I would like to request for a legal opinion if our assistant principal (his secretary was the one involved in the incident, and the continued verbal harassment- this time in the presence of others) to call my primary care doctor to change data in the submitted medical evaluation? He repeatedly requested (three times) that changes be made by my doctor in my medical record arguing that there was no incident of her secretary's pushing the door that resulted to my injuries. My doctor chose not to respond knowing that this is a federal violation of patient-doctor privilege and the Privacy Act.
Posted by: Joel Bernabe | June 16, 2010 at 11:52 PM