• Ineffective wireless encryption
  • Taped over door lock on data room
  • Inadequate passwords
  • Computers without adequate log-off
  • Disabled audit logging
  • Unencrypted email
  • Former employees with inappropriate network access

These vulnerabilities and many more (a total of 151) were found at seven large hospitals — including one in Missouri — by the Department of Health & Human Services. An analysis of two HHS reports [1] observed that, “... the effort to enable hospitals and doctors to share patient data electronically is being layered on a system that already has glaring privacy problems. ...” [2]

Although these vivid examples point to hospital systems, HIPAA applies equally to all “covered entities,” including, of course, physician practices. One could observe that non-hospital providers may be even more vulnerable to such lapses as they are less likely to have dedicated information technology staff, legal departments and formalized recordkeeping practices.

Good information management practices should apply not only to electronic health records, but also to everyday recordkeeping, backup and maintenance of email systems, MS-Office files and financial accounting systems. The good news is that HIPAA and HITECH privacy and security requirements, as well as the EHR incentive program (meaningful use), offer ideal starting points and incentives from which to develop an improved system of compliant information management, policy and practice.

Other Drivers for Improved Information Management

The consequences of poor information governance range from the potentially life-threatening inability to access current records, to risks associated with malpractice claims, compliance failures, and the financially burdensome requirements of document collection and review in litigation. Better information management mitigates these risks, which are often overlooked, especially in the rush to deploy EHR for clinical purposes.

The American Health Information Management Association notes that, “Information stewardship and data governance practices provide cohesive policies, processes and decision rights and responsibilities for effective health information management and maintenance.” [3] The benefits of such practices are pronounced. “Health systems that first streamline their paper storage and workflows for handling records not only establish the right framework for EHR, [but] they can also find as much as $1 million in savings to help fund their transition to electronic records. ...” [4]

The message is relatively simple: Better information management can improve financial performance, mitigate risk and help achieve the compliance requirements of HIPAA and HITECH. So, against what standard do we evaluate our current systems and practices?

Generally Accepted Recordkeeping Principles®

Best health information management practices dictate that Generally Accepted Recordkeeping Principles, similar to accounting’s GAAP guidance, be followed. According to the Association of Records Managers and Administrators, these elements are:

Accountability. An organization shall assign a senior executive who will oversee a recordkeeping program and delegate responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure auditability.

Transparency. The processes and activities of an organization’s recordkeeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.

Integrity. A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.

Protection. A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret or essential to business continuity.

Compliance. The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

Availability. An organization shall maintain records in a manner that ensures timely, efficient and accurate retrieval of needed information.

Retention. An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational and historical requirements.

Disposition. An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.

The manner in which these principles align with HIPAA and HITECH guidance is readily apparent, and turning the principles into strategies and actions is not especially difficult. However, it does require leadership, focused project management, time and sometimes technology, along with input from legal and records management professionals.

A key goal embodied in The Principles® is to get the right information to the right people at the right time. The tools to help a practice achieve that goal include: (1) a records management policy, (2) a records retention schedule and (3) documented processes for applying the records retention schedule to the reality of the practice.

Tools for Success

Records Management Policy. A records management policy should contain a general statement of responsibility for adhering to standards of conduct and business practice related to how records are created, used, maintained and disposed. It should also address policy rules regarding: the scope of information governed under the policy; responsibilities, ownership and management of records; rules for compliant disposal; and the impact of legal holds on record retention.

Records Retention Schedule. A practice’s records retention schedule should identify specific periods of time for which records must be retained. The schedule is based upon an inventory of functional record series and types (“buckets” of records that have similar uses or characteristics), and reflects both legally required retention periods and retention due to business needs. Developing a legally validated records retention schedule requires research of both state and federal laws, statutes and regulations, and is based on a records inventory and data map. Once drafted, it should be updated at least every two years to reflect changes, or as events dictate.

Records Management Processes. Processes to facilitate implementation of the records retention schedule may range from workflows to ensure HIPAA-compliant and secure transmission and storage of PHI and ePHI, to a legal hold process designed to identify and preserve information required by an investigation or litigation. Other processes might include: well-defined disaster recovery plans that minimize the duplication and retention of information; a periodic cleanup program; internal audits of access control; and plans for collection and disposition of information used or managed by former employees.
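To make the three tools concrete, the following is an added example (not from the original article, and not any vendor's product) of how a practice might apply a records retention schedule to a records inventory in code: each record belongs to a functional record series, the schedule assigns a retention period counted from a trigger date, records under legal hold are never disposed, a record series with no rule is retained and escalated rather than guessed at, and disposition is refused outright if the schedule itself has not been reviewed within two years. The record series names, retention periods, review date and sample records are all constructed placeholders; the actual periods must come from the legal research the article describes.

```python
"""Added example (not from the original article): apply a records retention
schedule to a records inventory and list what is eligible for disposition.
Record series names, retention periods and dates below are constructed
placeholders, not legal guidance; validate real periods against state and
federal requirements with counsel and records management professionals."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    series: str        # functional record series (a "bucket" of similar records)
    retain_years: int  # retention period, counted from the record's trigger date
    basis: str         # citation or business reason documented in the schedule


# Hypothetical schedule. Every period here is a placeholder.
SCHEDULE = {
    "billing-claims": RetentionRule("billing-claims", 7, "placeholder: legal"),
    "patient-correspondence": RetentionRule("patient-correspondence", 7, "placeholder: legal"),
    "email-general": RetentionRule("email-general", 1, "placeholder: business need"),
    "access-audit-logs": RetentionRule("access-audit-logs", 6, "placeholder: legal"),
}
SCHEDULE_REVIEWED_ON = date(2023, 9, 1)    # hypothetical date of the last schedule review
REVIEW_INTERVAL = timedelta(days=2 * 365)  # "updated at least every two years"


@dataclass(frozen=True)
class Record:
    record_id: str
    series: str
    trigger_date: date  # event retention counts from (account closed, last activity, ...)
    custodian: str      # role that "owns" the record, not an individual


def schedule_is_current(today: date, reviewed_on: date = SCHEDULE_REVIEWED_ON) -> bool:
    """A schedule past its review interval must not drive disposition."""
    return today - reviewed_on <= REVIEW_INTERVAL


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expires(record: Record, schedule=SCHEDULE) -> date:
    """First date on which the record's retention period has run out."""
    rule = schedule[record.series]
    return add_years(record.trigger_date, rule.retain_years)


def disposition_eligible(record: Record, today: date, holds: set, schedule=SCHEDULE):
    """Return (eligible, reason). Anything not positively eligible is retained."""
    if record.series not in schedule:
        return False, "no rule for series; retain and escalate to records manager"
    if record.record_id in holds:
        return False, "legal hold in effect"
    expiry = retention_expires(record, schedule)
    if today < expiry:
        return False, f"retain until {expiry.isoformat()}"
    return True, f"retention period ended {expiry.isoformat()}"


def plan_disposition(records, today: date, holds: set, schedule=SCHEDULE,
                     reviewed_on: date = SCHEDULE_REVIEWED_ON) -> list:
    """Record IDs eligible for secure disposition today; refuses if the schedule is stale."""
    if not schedule_is_current(today, reviewed_on):
        raise RuntimeError("retention schedule review is overdue; disposition suspended")
    return sorted(r.record_id for r in records
                  if disposition_eligible(r, today, holds, schedule)[0])


# Constructed sample inventory and legal hold list (placeholders).
TODAY = date(2024, 10, 1)
HOLDS = {"R-004"}  # record IDs preserved for an investigation or litigation
SAMPLE_RECORDS = [
    Record("R-001", "email-general", date(2021, 6, 15), "practice-administrator"),
    Record("R-002", "billing-claims", date(2020, 1, 31), "billing-manager"),
    Record("R-003", "email-general", date(2020, 2, 29), "practice-administrator"),
    Record("R-004", "email-general", date(2022, 3, 1), "practice-administrator"),
    Record("R-005", "legacy-scans", date(2010, 5, 5), "unknown"),  # no rule: retain
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.record_id, r.series, *disposition_eligible(r, TODAY, HOLDS))
    print("eligible for disposition today:", plan_disposition(SAMPLE_RECORDS, TODAY, HOLDS))
```

The design choices mirror the article's points: the default outcome is to retain, so a missing rule, an active hold or an unreviewed schedule all block disposition; the reason string gives the auditable justification the Accountability and Transparency principles call for; and the custodian field records a role rather than a person, which is what keeps the record manageable after an employee leaves.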

Getting Started

As with many things that are good for us, there can be a reluctance to initiate good information management practices. Personal convenience may yield to business needs, as it is increasingly impracticable to keep everything forever. Following are a number of focused actions to move a medical practice toward better information management.

  • Email etiquette and retention should be documented and enforced.
  • Information backup practices should be adjusted to function simply as a disaster recovery mechanism, not a long-term archive from which years-old data may be recovered.
  • An archive program should be developed whereby only record-worthy information is saved, and is saved in such a way that it may be easily disposed of when the retention period expires (absent a legal hold).
  • Generally Accepted Recordkeeping Principles® guidance should be applied. (See suggestions in the addendum, below.)
  • Who “owns” and manages records should be clarified.
  • Records should be available as appropriate, yet not accessible to those without proper authority.
  • The benefits of improved information management in terms of storage, effective retrieval and risk management should be considered.
  • A checklist for periodic self-audits of internal information management systems should be developed.
  • Technical, legal and records management professionals may be engaged to interpret and apply legal requirements to your specific circumstance.
  • The amount of information that is saved unnecessarily may be minimized by using an up-to-date records retention policy and a schedule.
  • An annual records “cleanup” day may be initiated.


To use a well-worn idiom, there’s no time like the present to get started on health information management initiatives. The problem will not get smaller: data volumes are projected to grow nearly 45-fold by 2020. [5] Implementing a records retention schedule in the next 12 months will help get medical practices on the right track to better information management.