How to Handle Document Retention & Destruction

Responding to and Defending Government Investigations: What to do When the Government “Knocks” On Your Door
Under Attack: Ransomware Threats, Prevention Tips, and Response Strategy for Health Care Providers

1st Talk Compliance features guest Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, P.L.L.C., Houston, TX, on the topic of “HIPAA and Beyond: Documentation Retention & Legal Holds.” Rachel joins our host, Catherine Short to review a multitude of laws, including HIPAA, requires certain types of documents be kept for a certain period of time. How does document retention play out for public companies subject to SOX and what should companies do in the event of a legal hold or a preservation request? This presentation addresses laws that are relevant to healthcare industry participants, as well as compliance suggestions, and steps to take when either a legal hold or a preservation request arrives.

 Catherine Short:  0:00

Welcome and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality, complimentary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook, or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel. On today’s episode, we are speaking with Rachel V. Rose JD MBA, a principal with Rachel V. Rose Attorney at Law PLLC in Houston, Texas, on the topic of HIPAA and beyond: document retention and legal holds.

A multitude of laws including HIPAA requires certain types of documents to be kept for a certain period of time. How does document retention play out for public companies subject to SOX and what companies do in the event of illegal hold or preservation request. This presentation addresses laws that are relevant to healthcare industry participants, as well as compliance suggestions and steps to take when either a legal hold or preservation request arrives.

Before we begin, I would like to mention at First Healthcare Compliance we strive to serve as a trusted resource for compliance professionals and every month we celebrate their hard work and dedication with our compliance Super Ninja recognition. For this episode, we’re spotlighting Super Ninja Julie Garcia, Business Office Manager at Coastal Vascular Center. Julie says “Coastal Vascular Center has three office locations, and yet the whole group works as a team, they respond well to the compliance updates and changes. I’m fortunate to have such a close knit and caring group of professionals to work with every day”. Congratulations Julie, our team is honored to have the privilege of working with you.

So hello, Rachel, thank you so much for joining me today on 1st Talk Compliance.


Rachel V. Rose:  2:18

Hi, Catherine, thank you for having me today, as part of First Talk Compliance. I think the issue that we’re going to be addressing is timely and important.


Catherine Short:  2:29

Thank you. I do too. So my first question has to do with electronic media and also all other forms of documents. My question is, do PNPs apply only to electronic media or all forms of documents? And so could you explain to our audience first what PNP is, what does that mean? And then tell us about electronic media versus paper and any other form?


Rachel V. Rose:  2:57

First and foremost, PNP simply means policies and procedures. For those of you who have been in the healthcare industry for quite some time, you’re very familiar with the requirements under HIPAA, that policies and procedures are required in order to address a variety of different items which are present both within the HIPAA Privacy Rule, which was initially published in the Federal Register in December of 2000, as well as the Security Rule, which was published in the Federal Register in February of 2003, and became effective in 2005. So if we think about protected health information in general, there are two primary forms of protected health information there is PHI, which is stated in the HIPAA Privacy Rule, and is inclusive of all written paper, oral and electronic forms of PHI. By way of contrast, the security rule, specifically addresses electronic PHI, or ePHI. So examples of ePHI include not only emails and cloud types of storage, but also VPNs and voice over processing, which is a tool that is utilized by many organizations today.

Along those lines, Catherine in terms of PNPs and what needs to be addressed, it’s imperative to parse out the Privacy Rule from the Security Rule. Whenever you start looking at your document retention and destruction items, first, identify what types of PHI need to be retained and for what periods of time. A second prong of that is to look at how documents are being retained in electronic, if they are paper are they kept in a locked file cabinet in a separate room? All of those are included in policies and procedures. Now, when you get to the document destruction, they can shred those and it should be shredded automatically just people walk over and they put those documents in the shredding bin. From there, the third party comes and picks it up, they unlock the block and they release the documents into a huge typically a mobile shredding device from there a certificate is given and that’s important in terms of making sure that your organization is compliant. Oftentimes, a certificate is emailed and it allows an organization to easily file those into a sub folder and keep a record of the type of shred that was produced. And that’s important, the PHI cannot be pieced back together and that’s why the confetti shredder is important. Now for electronic protected health information, how you delete that is going to be a discussion between you and your IT provider in terms of the software that you need to use and the schedule that can be set up a term of destruction, a server or a laptop, or other types of information, it needs to be completely sanitized, or destroyed.  I always refer my clients to NIST, and to make sure that they are adhering to the appropriate guidelines, as well as making sure that the data is completely deleted so that you don’t have a situation for example, and this actually was a HIPAA violation, where a Xerox copier was returned, but it had not been sanitized. So just like the paper shredding, companies give a certificate of shredding, so should it third party give a certificate that the data has been sanitized completely, and then you file that certificate away.


Catherine Short: 7:35

Often companies, of course lease these copiers from places such as Xerox or, or other companies like that. So does the company itself like the law firm or the the hospital or whatever, do they have to sanitize the copiers themselves? Or they have it with the third party?


Rachel V. Rose:  7:55

That’s an excellent question, Catherine and it comes down to two documents. The first document is the Business Associate Agreement, which as many people know in one section of that it will define how the information is to be returned or destroyed. Another part of that should be in the services agreement contract. If it’s in the services agreement contract that the physician’s office, for example, is responsible for wiping the drive on that, then that’s something that they would be responsible for. If they’re not, then they need to get assurances to make sure that that is being done. The process for that is taking it to the secure bin in the office dropping it in there and then the third party, which we’ve contracted with, and then you insert the third party in the contract, contact information comes up, picks it up and gives us a certificate. The last part of that procedure would be the certificates are filed with whoever gets those certificates. It could be IT, it could be HR, it could be your HIPAA compliance person. So the same thing should happen for electronic media. And if you’re unsure of the vendor, then just put that you will contact your IT person and or an attorney in order to ascertain an appropriate third party to wipe the median clean.


Catherine Short:  9:36

Okay. My next question has to do with spoliation. First, what is spoliation? And then what is the best way to avoid spoliation?


Rachel V. Rose:  9:48

That’s an excellent question. Spoliation basically is the destruction of evidence. Spoliation can be intentional or non intentional. In fact, there are two states and one territory, Illinois, Florida and the District of Columbia, which actually recognize a tort for negligence spoliation of evidence. Now spoliation of evidence may occur prior to a case commencing, it can occur during a legal proceeding. A couple of items to note there are that courts have the authority to sanction both the lawyers and their counsel for spoliation of evidence. If we harken back to 2002, with the Enron and WorldCom type cases and scandals, that led to the passage of the Sarbanes-Oxley Act, also known as SOX, and abbreviated as S O X. Section 802 of Sox was implemented for auditors, accounting firms and publicly traded companies primarily to prevent the destruction and or alteration of evidence. That same concept applies with spoliation. How can it happen, and what are the best ways to avoid it from happening? Your first line of defense is training your workforce. Your second line of defense is having adequate policies and procedures on retention and destruction of various types of information. The last policy and procedure which is critical is what’s known as a legal hold policy. With that, you should have a template that is already available and you would insert the date of the request of the legal hold or anticipated litigation, and then if you’ve received a subpoena or another form of a litigation hold, such as a preservation letter from a government agency, things of that nature, you need to document exactly what was asked of you to set aside and then you set it aside in an appropriate secure manner and make sure that nobody touches it. It should serve as a check and a balance so that one person completes the checklist, another person makes sure that all the information is gathered, and then lastly, someone rechecks the work of the person who is gathering that information.


Catherine Short:12:44

Okay. What are technical, physical and Administrative Safeguards that are the most relevant to protecting PHI and sensitive PII in relation to retention and deletion of this material?


Rachel V. Rose:  13:04

That’s an excellent question. As we know, cyber security is a focal point of all facets of our government. After the federal courts were attacked as a result of the solar winds attack, the Administrative Office of the Courts set out a statement and all of the individual courts issued requirements that needed to be followed. In light of that, we have the White House issuing an executive order in May of 2021, indicating a need for increased collaboration between the public and private sectors in order to make the overall cyber environment secure.  That came really in the wake of the Colonial Pipeline, cyber attack. Then we have various laws being considered and passed both at the state and the federal level. So it’s A, a focus; B, with the rise of ransomware attacks in the sophistication of cyber criminals, this is only going to become more and more important, and that’s why your policies and procedures related to retention and deletion as well as the business continuity and disaster recovery plans are vital. That’s because those technical, administrative and physical safeguards are a key component to ensuring that organizations are keeping backups that are not accessible by the same method of attack. It also ensures that in the event in original is lost, that a legal backup or legal copy can be reproduced to a court, to a government agency, or another type of legal proceeding. An example of a technical safeguard, which is relevant to document retention and deletion would be making sure that you have identified an appropriate vendor for the sanitization of media, such as the copiers that we mentioned earlier or laptops, and making sure that you get a certificate. Lastly, in terms of physical safeguards, keeping information in a secure area, so if everything’s housed on your servers or in a data center, look for two factor identification in order for people to access that item, as well as keeping a log as to when that room was accessed.


Catherine Short:16:01

If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality, complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Rachel V. Rose, JD, MBA, Principal with Rachel V. Rose Attorney at Law PLLC in Houston, Texas, on the topic of HIPAA and beyond: document retention and legal holds. Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media.

Rachel, what are key items to include in document preservation PNPs?


Rachel V. Rose:  16:54

So some key items to include in document preservation PNPs, or your legal hold policy are as follows. First and foremost, you want to have definitions so that your workforce understands exactly what a preservation is, or a legal hold is. Then you want to identify scenarios which a legal hold might be necessary to implement, such as anticipated litigation, it could be the result of a preservation request, typically in the form of a written letter from a government agency, it can be by court order, such as by a subpoena. So in all of these circumstances, you want to make sure that your workforce understands the potential seriousness of not complying with any of these requests. Along those lines, you want to then identify types of information, you need to identify who in the organization would implement or sound the alarm for that legal hold. It’s important to note that it’s really on a need to know basis, and by saying that, you don’t need to send out an alert or an email to everybody in an organization, it needs to be very specific to documents which may be under certain people’s control, and you need to alert them that they are not to delete anything. By the same token, larger entities or business associates or a third party, IT can begin to round up that information and set it aside, if you will, in a separate folder, or offline on a separate hard drive. From there, you want to make sure that you’re including a checklist and that will vary somewhat from organization to organization, or industry to industry. Lastly, you want to have a chain of custody letter to show when the initial information was compiled, where it was compiled to. Finally, it’s important to note that the individuals who are passing the information off will need to sign that chain of custody letter.


Catherine Short: 19:30

Okay, great. Rachel, what are the most effective ways to delete evidence legally and to destroy it in accordance with HIPAA?


Rachel V. Rose:  19:43

Well, first and foremost, you want to make sure that you’re not deleting anything that’s required to be preserved. If you know it’s to be preserved, then deleting evidence is just not acceptable in any way, shape or form and that can lead to spoliation, which we talked about earlier. In terms of regularly deleting certain types of documents or information, first and foremost, you need to look at the general laws and for HIPAA, you need to look at the state laws because federal HIPAA recommend six years, but the state laws are typically longer. And most states require a seven year retention period for PHI. However, if there are minors involved, typically organizations need to keep that until the person reaches 18, plus about two to four years.  We say that because that is the timeframe, and you need to check your state laws individually, for a statute of limitations of when certain lawsuits can be brought. So along those lines, you need to identify everything in your policies and procedures as to the who, what, when, where, why, and how, regarding how information that is not subject to any legal hold type of requirement may be appropriately destroyed on an ongoing basis. How you appropriately destroy that, again goes back to the requirements of NIST, the National Institute for Standards and Technology, and the HIPAA security rule or the Privacy Rule. If it is paper protected health information, use some form of a confetti cut shredder.


Catherine Short: 21:45

Okay, great advice. And speaking of I think we are just about out of time, but do you have any other advice or things that you wanted to mention to our audience, before we wrap up,


Rachel V. Rose:  21:59

I would just recommend approaching any HIPAA or document retention in terms of cultivating an overall culture of compliance. It’s important to appreciate that there are ramifications and consequences for not adhering to legal holds and in the event it comes about as a criminal proceeding, if you’re not retaining the documents that the United States Government or another government entity has asked you to preserve and retain, that could end up being a legal action against your organization for potential obstruction of justice. So it’s something to take very seriously. There can be sanctions or we know under HIPAA, people, and I mentioned the sanitization of the Xerox machine earlier but also, there was a truck full of medical records, and the entity was fined for not appropriately disposing of those and that occurred within the last four years. So paper is still around, and it’s important to adhere to the retention and destruction requirements for all forms.


Catherine Short:  23:18

Rachel, thank you for being on our program today and for going over this important information with us.


Rachel V. Rose:  23:25

Catherine, it’s my pleasure. Thank you for the thoughtful questions, and the follow up questions. I truly appreciate it and always enjoy collaborating with First Healthcare Compliance.


Catherine Short:  23:37

Thank you. Well, the pleasure is ours and I always enjoy speaking with you, Rachel, and thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the program’s page on and then your voice to the conversation on Twitter @1sthcc or #1sttalkcompliance. You can also email me at I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.





Related Posts