Don’t Let The Computer Eat The E-Mail: Electronic Document Preservation Under The Coming Sarbanes-Oxley Requirements
by Kenneth N. Rashbaum, Esq., Sedgwick, Detert, Moran & Arnold, LLP, New York, NY
The hospital’s chief compliance officer reclines in her chair, finally, as the digital readout on her desk clock flips to 9:30 p.m. She clears her mind of the latest jumble of acronyms which rule her professional life – JCAHO, HIPAA, EMTALA and CMS, among others – and reaches to power down her computer for the night. As her hand moves the mouse, she hears the telltale chime of a new e-mail. Shrugging, she clicks and opens it. It’s from the chief financial officer, asking her whether she has completed the policy to preserve e-mails concerning the hospital’s financial audit reports, pursuant to the Sarbanes-Oxley Act of 2002 or, as it’s not-so-affectionately known, “SOX.” She shakes her head, unable to handle yet another regulatory acronym which she knows will stand for many overtime hours, and writes back, “Which e-mails?” He answers, “That’s for you to figure out. Good night.”
While SOX, passed in the wake of the Enron and WorldCom debacles, covers corporations registered with the Securities and Exchange Commission (publicly traded corporations), New York Attorney General (and announced candidate for governor) Eliot Spitzer has stated his intention to apply SOX criteria to nonprofit organizations with annual revenues in excess of $250,000. Attorneys general in California, Massachusetts and Connecticut have followed suit, and some have singled out the healthcare industry. In addition, SOX is increasingly viewed as a set of “best practices” for nonprofit accounting, and, accordingly, nonprofit healthcare providers are increasingly adopting practices consistent with SOX to satisfy expected criteria from state health departments. Healthcare entities, then, will join the ranks of the puzzled in deciphering the intent of the SOX preservation requirements to save “audit papers” for seven years. True, the healthcare industry has plenty of experience in data and document preservation as a result of the dictates of HIPAA (which requires that protected health information be preserved for seven years) and state privacy laws, but SOX poses a new question: What exactly are the communications and documents that require preservation?
SOX comprises several document preservation requirements, some quite broadly drawn. For example, § 802 provides for criminal penalties for any person who “knowingly alters, destroys, mutilates, covers up or falsifies any record, document or tangible object with the intent to impede, obstruct or influence the administration or investigation of any matter within the jurisdiction of any federal department or agency or any bankruptcy proceeding.” “Department” is undoubtedly triggered by reimbursement from Medicare, and all too many hospitals have found themselves involved in bankruptcy proceedings. A parallel provision, § 1102, provides similar penalties for alteration, destruction or concealment of documents in an official proceeding. Indeed, some commentators have noted that SOX provides an easier vehicle for federal prosecutors to prove cases of obstruction of justice with regard to record loss or destruction. State prosecutors, as is their wont, will likely follow this example.
The term “document” is defined in SOX to include electronic communications.
Some of the most vexing provisions concern preservation of “audit papers,” which are defined as “work papers and other documents that form the basis of the audit and review, and memoranda, correspondence, communications and other documents (including electronic records).” The practical meaning of “electronic records” is not well-defined, and the SEC has yet to respond to requests for clarification. Commentators have therefore sounded an alarm with regard to the precise nature of “electronic communications” about audits which must be preserved.
If the entities specifically covered under SOX are perplexed as to which electronic documents should be preserved, nonprofit healthcare providers faced with application of those criteria, or a hybrid of SOX and state law, must contend with the proverbial “moving target” in their compliance initiatives.
Proactivity, then, would appear to be the best strategy, as follows:
1. Plan and execute a gap analysis of electronic records retention as though SOX criteria would be applied in full. Assume e-mails which discuss the substance of audits and audit reports (substance, not merely “When is that darned audit report ever going to get here?”) will be treated like the reports themselves, and provide for their preservation accordingly.
2. Review and, where necessary, revise current e-document and data preservation policies and procedures. This should be an interdisciplinary approach, with counsel leading the initiative utilizing input from workgroups comprising IT, HR, finance and representatives of front-line electronic data users. Make sure all policies and practices are in writing and updated as necessary. The time-honored adage taught to medical residents, “If you didn’t write it down, it didn’t happen,” applies with equal force to compliance.
3. Consider the use of outside counsel as initiative leaders to preserve privilege with regard to the gap analysis and measures taken as a result thereof.
4. Design and implement training and education for the new policies and practices. Monitor compliance regularly and document such monitoring.