New regulations and challenges are making businesses reevaluate their records management programs. From the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Gramm-Leach-Bliley (GLB) Act to the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and Sarbanes-Oxley (SOX), companies in all industries must be compliant and protect their information. If not, they may face fines and possible criminal charges.
Determining what a company needs to do in order to comply with all these rules and regulations can be a difficult undertaking. For example, FACTA details how businesses must dispose of information in consumer reports and records but only provides recommendations on what proper disposal involves. Meanwhile, SOX requires accounting firms to keep audit work papers for seven years and imposes penalties if a business inappropriately destroys its records.
Developing a Compliant Records Management Program
When developing a compliant program, one of the critical decisions to make is whether to rely on internal resources or to utilize the services of a records management provider. This decision is made easier when considering the costs involved. When handled in-house, managers spend an average of four weeks each year searching for or waiting on misfiled, mislabeled, untracked or lost information. Office workers can waste up to two hours a day looking for misplaced paperwork. Large organizations also lose a document every 12 seconds while the average cost of recreating a one-page document is $180.
Along with the decision on how to store records, other key areas that need to be considered in order for the program to be successful are:
- Development of a records retention policy
- Indexing and archiving of records
- Certified destruction of records
- Offsite storage of backup data
Determining a Retention Policy for Business Records Storage
The retention policy dictates how long a record should be stored before it is destroyed. To develop an effective policy, the company must first have a thorough understanding of its record types. Research must be conducted to determine what compliance rules at the federal, state, and local levels need to be followed based on these record types. Whether dealing with electronic files or hard copies, the company has to be able to account for this information in order to be compliant. Following compliance guidelines as well as the needs of the department will help determine how long these records must be kept before they can be destroyed.
The next important step is to properly index the records and then store them in a secure location. A records management provider will be able to store these records utilizing barcode tracking, system-driven workflows, and sophisticated systems. This approach protects your records while keeping them easily accessible. If a company needs to find a specific document, it can be located immediately using the index and barcode information. Storing records in-house would require a significant investment in this type of technology; otherwise, the company would run the risk of not being able to find the documents.
Once a record reaches the end of its lifecycle based on the retention policy, the company should ensure its proper destruction. The FTC considers proper destruction to include burning, pulverizing, or shredding the information so that it is unreadable and can’t be reassembled. If using a records destruction vendor for this process, a company should require a written report and authentication of records that are ready for destruction, prior written approval, final verification, certified shredding, and the creation of a Certificate of Destruction as proof of compliance.
Offsite Data Storage Is Critical
Storing backup media in an offsite location is another key area of the records management program. By keeping the data offsite, a company is able to reduce risks should disaster strike. After all, it doesn’t matter to the government why a company can’t produce a file. Just like with hard copy records storage, media should be affixed with barcodes in order to quickly track the location of files. The offsite location should also include a temperature- and humidity-controlled environment combined with cutting-edge security systems to ensure the safe storage of data.
Since many of the steps involved in the compliance process are typically not part of a company’s core business, it makes sense to utilize the services of records management providers. These providers have the experience to help companies develop a program that is both compliant and meets all of their business needs. And by taking advantage of economies of scale, these providers usually cost significantly less than if a company handled all the steps involved in records management internally.