Is your RIM policy up to date? Are you sure?

Over the past decade and a half, mountains of government regulations have arisen, fundamentally changing the compliance landscape and multiplying the duties of busy records managers – making it essential for an organization to properly manage its records and information management policy.

What is a RIM Policy?

A RIM (Records & Information Management) Policy is the internal guidelines that establish your information management program. RIM policy programs detail record retention schedules and regulatory compliance with the common information governance frameworks including:

  • HIPAA
  • FACTA
  • FERPA
  • GDPR
  • SOX
  • GLBA
  • FASB

RIM compliance is a deep topic, but we’ve done our best to simplify the RIM policy process and make everything easy to understand. Let’s get to it!

The Rules of RIM Compliance

In the U.S., the 9-11 event and the corruption scandals at companies like Enron led to stricter laws designed to prevent money laundering and fraud in the early 2000s, including the Sarbanes-Oxley Act. After the financial crisis of 2007-2009, the Dodd-Frank Act further tightened restrictions to prevent bribery and other problems, though there is now a movement to roll some of the legislation back.

As organizations increasingly began storing sensitive customer and employee information online, governments responded to privacy concerns with laws like HIPAA in the U.S. and the GDPR in Europe.

To reach RIM compliance, organizations have had to make sweeping changes to their recordkeeping and governance policies. And as any records manager today knows, change is never a once-and-done affair. Laws continue to evolve, often following in the footsteps of rapidly changing technology. It’s tough to keep up, and RIM policy penalties for noncompliance are severe.

Here’s a brief overview of some of the recordkeeping aspects of recent legislation and accounting RIM compliance rules that you need to be aware of.

HIPAA and HITECH

The Health Insurance Portability and Accountability Act (HIPAA) was passed to ensure the confidentiality, integrity, and availability of protected health information (PHI). The Health Information Technology for Economic and Clinical Health (HITECH tightened HIPPA rules and increased penalties for violations by 6,000 percent.

Who is affected: Healthcare organizations and companies who provide services to them.

RIM policy requirements: Physical and electronic safeguards. Federal and state retention requirements. Old documents must be shredded. An act as simple as an employee tossing a piece of paper in the trash can could result in a fine.

Penalties: Anywhere from $100 to $50,000 per violation, and up to $1,5 million per category/year.  

FACTA

The Fair and Accurate Credit Transaction Act (FACTA) was designed to reduce consumer fraud and identity theft.

Who is affected: Any companies that use consumer credit reports.

RIM policy requirements: Document destruction that prevents files from being reconstructed, including burning, pulverizing, or shredding. Digital data must also be erased.

Penalties: Federal fine of up to $2,500 per violation. States may also impose fines of up to $1,000 per violation.

FERPA

The Family Educational Rights and Privacy Act (FERPA) was passed in 1974, long before computers existed, to protect the privacy of student records and allow parents to review them. Today, it also gives parents and adult students the right to opt out of sharing their information with third parties.

Who is affected: Schools that receive federal funds.

RIM policy requirements: Requires schools to set and enforce their policies.  FERPA does not dictate the method or duration of the record storage and destruction. Watch for updates; some organizations are pushing for fines.

Penalties: Withdrawal or termination of federal funding.

GDPR

The European Union’s massive new General Data Protection Regulation, which came into effect in May, gives EU citizens rights to control how data about them is collected and used. People must consent to data collection and can request copies of the information organizations collect. In some cases, they can have their data deleted. The law also has provisions for reporting a data breach.

Who is affected: Any organization that processes the personal data of EU citizens. If EU customers land on your website and you collect their information, the law applies to you.

RIM policy requirements: Familiarize yourself with the new law and develop a governance policy. Watch for possible adaptations in the U.S. and elsewhere, such as California’s new Consumer Privacy Act.

Penalties: The EU has said it will go easy on organizations for the first year, but it is allowed to impose fines of up to 20 million Euros or 4 percent of annual revenue.

SOX

The Sarbanes-Oxley Act was passed in the wake of scandals at Enron, Tyco, and WorldCom to prevent corporate fraud and accounting errors.

Who is affected: Publicly traded companies and accounting firms.

RIM policy requirements: SOX makes it a federal crime to destroy or tamper with corporate accounting records. All financial policies, procedures, and records must be available for review by auditors with little notice. Included in the scope of document review are electronic records, including web pages, emails, voicemails, and recorded calls.

Penalties: $5 million or more in fines and 20 years in prison  

GLBA

The Gramm–Leach–Bliley Act requires financial institutions to design safeguards to protect consumer information. They must be transparent about the information they are collecting.

Who is affected: Any company that offers consumers loans, investment advice, or insurance.

RIM policy requirements: Must provide all new customers with a privacy notice. The notice must be re-approved annually. Must be able to describe in detail the steps you take to protect customer information.

Penalties: Up to $100,000 per violation and five years in prison.

New FASB Accounting Standards

The Financial Accounting Standards Board (FASB), which administers GAAP rules, has issued four new standards that are taking effect gradually over the next few years. GAAP rules are not laws and do not carry enforcement penalties. But they are necessary for credibility, and most companies treat them like laws. These are major changes that call for new disclosures and reporting requirements. Here’s a summary with links to the rules:

Not-for-profit standard

Who is affected: charities, foundations, colleges and universities, health care providers, religious organizations, trade associations, cultural institutions.

Deadline: already in effect for annual financial statements. For interim statements, must start by December 15, 2018.

RIM policy requirements: New disclosures, including a narrative explanation of policies for managing funds and a quantification of liquid assets. A more detailed accounting of expenses.

Revenue recognition standard

Who is affected: Almost all companies, public and private.

Deadline: Already in effect for public companies. Private companies must start implementing on December 15, 2018.

RIM policy requirements: Additional revenue disclosures, including documenting contract specifications about the timing, amount, and type of deliverables. Changes to the timing of revenue recognition.

Lease standard

Who is affected: Any company that leases assets, including real estate, airplanes, ships, or construction or manufacturing equipment.

Deadline: For annual statements and public company interim statements, December 15, 2018. For private company interim statements, December 15, 2020.

RIM policy requirements: Additional disclosures about the amount, timing, and uncertainty of cash flows. Disclosure of contract terms such as variable payments and renewal options.

Credit loss standard

Who is affected: Banks and finance companies.

Deadline: For public companies filing with the SEC, December 15, 2019. For public companies not filing with the SEC, December 15, 2020. For private companies, December 15, 2020, for annual statements and December 15, 2021, for interim statements.

RIM policy requirements: Changes the method of reporting credit losses from “incurred loss” model to “probable loss” model.

In a world awash with new regulations and constant updates, records managers must establish a solid records and information management policy. Some state and federal laws overlap, so you should map out all the regulations to address redundancy. And don’t be afraid to get outside help when you need it. It will cost your company a lot less than paying a fine.

More RIM Policy Resources

Shaun Stevens has over twenty years of experience in the records management industry, focused on business development, marketing and operations. He serves as the leader of national accounts for Access.