july 2005 electronic records management. why have an e-records management program? compliance with...
Post on 20-Dec-2015
215 views
TRANSCRIPT
![Page 1: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/1.jpg)
July 2005
Electronic RecordsElectronic RecordsManagementManagement
![Page 2: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/2.jpg)
Why have an e-records Why have an e-records management program?management program?
• Compliance with federal, state or local regulations– HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley,
FACTA, FERPA, CFR, IRS
• Control over “rogue” systems• Support mission-critical decisions• Reduce low-quality decisions• Improve system performance• Reduce risk and potential for liability
![Page 3: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/3.jpg)
• Legal status of e-records as records– Burst.com v. Microsoft– Zubulake v. UBS Warburg LLC
• Value to organization for administrative, historical, evidential or longitudinal purposes
• Ease of manipulation and mishandling
![Page 4: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/4.jpg)
Program Elements:Program Elements:
• Planning
• Policy development, implementation and compliance
• Technology as “de-incentivizer”
• The User: behavior, demands and perceptions
![Page 5: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/5.jpg)
Planning...Planning...
![Page 6: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/6.jpg)
“The primary benefit of not planning is that failure will come as a complete surprise rather than being preceded by a period of worry and depression.”
--Harold Kerzner
![Page 7: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/7.jpg)
When should planning occur?When should planning occur?
• Before e-systems are built
• When other planning initiatives are taking place
• When identifying objectives for programs
![Page 8: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/8.jpg)
Who should participate?Who should participate?
• Important players– Users– IT administrators– Decision-makers / resource allocators– Records managers
• Cross-functional team if system is to be implemented organization-wide
![Page 9: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/9.jpg)
What should planning cover?What should planning cover?
OBSTACLE:• Funding source• Size of project/program• Who does the work?• Software solutions• Is validation required?
MILESTONE:
Justification
Scope
Project team
Selection
Security protocols & procedures
![Page 10: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/10.jpg)
What should planning cover?What should planning cover?
• User training• When will system/ program go live?
• Ongoing system/program management?
• How will e-files be managed?
Training program
Implementation
Change control
Retention and disposition
![Page 11: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/11.jpg)
Planning—JustificationPlanning—Justification
• Prepare business case:– Align with other organizational goals for
managing records– Provide cost / benefit data– Provide realistic timeline for program
implementation– Enumerate the risks and potential costs of not
having the program– Be able to back up your request with data
![Page 12: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/12.jpg)
Planning—ScopePlanning—Scope
• Define the scope of the e-records management program– Individuals, departments, entire organization?
– Email, desktop, intranet / extranet, websites
– Instant messaging
• Define documentation tools for amending the program
![Page 13: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/13.jpg)
Planning—Project teamPlanning—Project team
• Must be accountable for planning and developing the program
• Should be cross-functional– Executive—solves monetary concerns
– Project manager—leads team, tracks budget, reports to executive
– IT analyst—provides technical expertise and necessary system support
– Functional area representatives (users)
![Page 14: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/14.jpg)
Planning—SelectionPlanning—Selection
• Will software be used to manage e-records?– Research vendors– Requests for information– Define functional requirements– Vendor demos using large data sets– Select application
![Page 15: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/15.jpg)
Planning—ValidationPlanning—Validation
• Depending on your environment, you may need to validate that e-records have not been tampered with and are authentic
• Plan for these validation and security needs early on
![Page 16: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/16.jpg)
Planning—TrainingPlanning—Training
• How will users be trained in e-records management?
• Will training include management of records in original, digital form?
![Page 17: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/17.jpg)
Planning—ImplementationPlanning—Implementation
• How will the e-records management program be phased in?– Incrementally– Organization-wide– By site
• Who is on call to answer questions?
• Anticipate resistance to new system
![Page 18: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/18.jpg)
Planning—Change ControlPlanning—Change Control
• How will changes in retention requirements of e-records be handled?
• Are requests for changes formal or informal, and what sort of approval process must they go through?
• How are changes to the program documented?
![Page 19: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/19.jpg)
Planning—Retention and dispositionPlanning—Retention and disposition
• Retention and disposition is affected by:– Corporate policy– IT infrastructure and management
• E-records management program must attempt to overcome the “retain forever” mentality
![Page 20: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/20.jpg)
“We currently have no guidelines on retention of records since we do not purge them. We have experienced unusual requests over the years to reconstruct statistics from work order data going back a number of years. It is best that when your Director asks for something that you don't have to say we deleted those records last week. We might be interested in a more formalized archiving system, but probably not purging the records. The only reason I could see for even archiving records would be if system performance deteriorates, or the number of records created some inefficiency in an application process.”
![Page 21: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/21.jpg)
The Planning Obstacle...The Planning Obstacle...
• Going through these steps requires time and financial investment.
• To succeed, e-records management must remain a top priority, or resources shift to other projects leaving the planning phase incomplete.
![Page 22: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/22.jpg)
Policy Development...Policy Development...
![Page 23: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/23.jpg)
• Statement of purpose clarifies the reason for the policy
• Scope clarifies record types included—should be exhaustive
• Aids in consistency and reducing variation
Do records-related policies and Do records-related policies and definitions include electronic definitions include electronic records?records?
![Page 24: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/24.jpg)
• User discretion
• Inconsistent application
• Arbitrary / subjective retention and disposition decisions
Having no policy is a “policy”Having no policy is a “policy”
![Page 25: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/25.jpg)
“Employees with limited perspectives on management and legal issues should not be relied upon to make decisions that could affect the entire business.”
--Steven C. Burnett
![Page 26: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/26.jpg)
• Websites / blogs / wikis
• Email and instant messaging
• Unified messaging
• Versioning
• Imaging
• Computer forensics and “destruction”
• E-commerce
Are policies keeping pace withAre policies keeping pace with technologytechnology??
![Page 27: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/27.jpg)
• Depends on your environment
• Depends on “newness” of the policy and users’ familiarity with other records management principles
• When and how policies are applied can be critical…..
Will policies conflict or coincide with Will policies conflict or coincide with culture?culture?
![Page 28: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/28.jpg)
• “This is not something you get to decide. This is company policy. Do not archive your mail. Do not be foolish. 30 days.”
http://www.timesonline.co.uk/article/0,,2095-1367433,00.html
![Page 29: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/29.jpg)
The Policy Obstacle...The Policy Obstacle...
• Policies governing e-records management must be comprehensive, addressing as many formats as your organization handles.
• If not following the policies creates unnecessary risk for your organization, sanctions must be in place.
• The policy obstacle may change based on your environment.
![Page 30: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/30.jpg)
Technology…Technology…
![Page 31: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/31.jpg)
• “It costs you more to think about whether to delete something than simply to leave it on your computer.”
Tom Burt, Deputy General Counsel at Microsoft
http://www.businessweek.com/magazine/content/04_51/b3913099.htm
![Page 32: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/32.jpg)
IT and RecordsIT and Records• IT community is hard to convince that
records management and e-records preservation are important– Move toward systems capable of saving
everything
• Does technology sneak up on us? – It is planned, built, and installed BUT– If not planned people develop own solutions– Technology is the “go to” solution
![Page 33: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/33.jpg)
Different paradigmsDifferent paradigms
• Record series is not such a clear delineation with e-records unless consciously designed
• Filing / organizing becomes moot
![Page 34: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/34.jpg)
Are the technologically savvy allies or Are the technologically savvy allies or adversaries for e-records management?adversaries for e-records management?
• 10 years worth of data can be kept just as easily as 1 year’s worth
• Gmail (“Search, don’t sort” and “Don’t throw anything away”)
• Perceived irrelevance of records managers and archivists
![Page 35: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/35.jpg)
Storage is cheap…Storage is cheap…
• …but e-records management applications are not
• Creates over-abundance of electronic information– Digital landfills contain obsolete data,
irrelevant data– Overabundance increases risk of low-quality
decisions
![Page 36: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/36.jpg)
• Transport mechanism for business data– Example: email attachments
• Effect of technology on workflow– Duplication dilemma– Productivity
![Page 37: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/37.jpg)
RMA or EDMS?RMA or EDMS?
Not transparent
Turned on or off?
Expensive
![Page 38: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/38.jpg)
DatabasesDatabases:
TransactionalA/P or A/R
RegistrationsLibrary books
ReferenceLexisNexis
Retention informationImage banks
![Page 39: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/39.jpg)
DatabasesDatabases:
Research RichDurable Data
Relational
Longitudinal
![Page 40: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/40.jpg)
• Databases are powerful tools used to compile statistics or research data, or to track / find other types of records
• Typically can’t apply traditional records management principles to database records
![Page 41: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/41.jpg)
The Technology Obstacle…The Technology Obstacle…
• Acts as a “de-incentivizer” because it installs the ability to store vast amounts of data and e-records.
• There are fewer reasons to purge e-records once technology is in place.
• The behaviors affected by technology become part of the organization’s culture
![Page 42: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/42.jpg)
The User…The User…
![Page 43: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/43.jpg)
Some questions askedSome questions asked
• What criteria do you use to decide to keep and electronic document?
• To delete one?• Do you follow a schedule for
retaining/destroying files or records? • Do you ever weed files (e.g., word
processing documents) or folders from the hard drive?
![Page 44: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/44.jpg)
Retention criteria Retention criteria
• Keep– Anticipated use – 40%– Save everything – 40%
• Delete– No further use anticipated – 20%– Print then delete – 5%
![Page 45: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/45.jpg)
Follow a schedule?Follow a schedule?
• No – 63%
• Yes – 30%
![Page 46: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/46.jpg)
Weed files or folders?Weed files or folders?
• Yes -- 64%
• No – 33%
![Page 47: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/47.jpg)
So what needs to happen?So what needs to happen?
Planning:
• Ideally before e-systems are built
• As part of other planning initiatives
• Strategically (strategy drives structure)
• Planning requires data
![Page 48: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/48.jpg)
So what needs to happen?So what needs to happen?
Policy:
• Reduce user discretion
• Broadcast widely
• Provide justification for policy (legal or regulatory, efficiency, etc.)
![Page 49: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/49.jpg)
So what needs to happen?So what needs to happen?
Technology:• Recognize the behaviors it installs• It can reduce or eliminate incentive to
manage e-records• It will usually be part of the solution, not
the entire solution• Identify where technology fits in the entire
system
![Page 50: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/50.jpg)
So what needs to happen?So what needs to happen?
Users:• Identify users’ perceptions & behaviors
– Surveys
– Interviews
– Training, especially for new employees
– Take every opportunity to educate
– Understand how e-records are used and for what purposes before trying to develop your e-records management program
![Page 51: July 2005 Electronic Records Management. Why have an e-records management program? Compliance with federal, state or local regulations –HIPAA, Sarbanes-Oxley,](https://reader036.vdocument.in/reader036/viewer/2022062714/56649d4c5503460f94a29d1b/html5/thumbnails/51.jpg)
Obstacles:Obstacles:
• They exist
• They can be overcome
• They are created by users, the technologies we employ, inadequate planning, and poorly constructed policies