Reduce Medical Record Risk through a RIM Program

Reduce Medical Record Risk through a RIM Program

Effectively manage records by supporting compliance, audits, and litigation preparedness.

As custodians of patient records, providers are ethically obligated to manage records responsibly, and are bound to do so by federal laws such as HIPAA. Providers are also obligated to manage their own business records in accordance with state and federal regulations. Despite these requirements, your organization may not have a defined, systematic process for effectively managing patient records because existing systems were not initially configured to track lifecycle, retention, and security.

To be compliant (and to report compliance), your organization must have a comprehensive, enterprise-wide records and information management (RIM) program in place that supports client services, governance, audit response, and litigation support for patients, as well as litigation preparedness for the organization itself.

Improve Your Organization with RIM

A RIM program provides structure to address business concerns, helps to avoid the risk of non-responsiveness during legal discovery, and demonstrates the practice’s lawfulness.

Litigation readiness – Organizations must maintain records that support business decisions, operations, and services for the length of time required by the regulating agencies, and as dictated by the statutes of limitations to bring a claim. A RIM program communicates these requirements clearly and concisely.

Awareness of communication and education – RIM will help your organization:

  • Write “for the record:” no jargon, abbreviations, or slang.
  • Write a business email: to the point, one subject per email.
  • Dispose of drafts properly: When the final document is approved, delete the drafts.
  • Consistently classify and label documents: no jargon, abbreviations, or slang.
  • Dispose of records and non-records: shred paper, delete and empty the recycle bin.

Built-in cost control:

  • Keeping records beyond the required time leaves your business open to discovery and high legal costs.
  • Paying for storage of (electronic or hardcopy) patient records beyond the obligation affects the bottom line.
  • Disposing of duplicates and convenience copies eliminates confusion about which is the “real” record (a favorite question of an auditor).
  • Being able to retrieve the right record quickly reduces the time the auditor will be on site.

Improved customer service – When you keep only the most current records, retrieval time to look up a reference takes seconds or minutes, instead of hours or days. This improves productivity.

Legal case law requires it – Safe Harbor is not available if you do not have a RIM program in place. Per a U.S. District Court ruling in Starbucks Corporation v. ADT Security Services, Inc., 2009, “Failure to adopt a compliant records retention and destruction protocol that permits cost effective access to relevant records and creates an audit trail subjects the non-compliant litigant to sanctions and constitutes spoliation.” Although this ruling came from a non-medical practice case, it pertains to any business that creates, maintains, and manages records either for internal use or as a custodian of someone else’s records.

Organizations are responsible for instructing their employees, contractors, and third-party vendors on how to manage their records. This, too, is part of a RIM program. Information governance, content management, disaster recovery plans, and knowledge management are related and fall under the “Say it. Do it. Prove it!” approach to reducing risk.

Build a RIM Program 

If your organization has not implemented an enterprise-wide records management system, the task of identifying employee-created records, and finding how and where they are stored, will be a challenge. To be ready for an audit or litigation, however, it must be done. If you waiting until your organization is audited or subpoenaed, you’ll suffer far worse. Courts have stated that if competitors in your industry have been sued, you may expect litigation in your company’s future. The same holds true for audits.

Creating a RIM program starts with a records and information policy statement that clearly explains how records are to be managed.

Next, take RIM inventory: It’s important to know what you have and how the records are used. During the inventory, gather information on why the record is created in the first place, so similar business functions can be subsequently grouped together. ARMA International® provides more detailed information about this process, including inventory forms.

After you get the RIM inventory results you can start grouping similar records. For instance, you might group together “correspondence,” “letters,” and “email.” Email is problematic because it is often used for topics unrelated to business. A clear statement about emails — how to write them, what is or is not a business-related record, etc. — should be part of your policy statement. Again, ARMA International® has good resources.

A retention schedule follows RIM inventory. A good retention schedule will meet legal requirements, operational requirements, and historical value when determining how long a record should be kept. The minimum time a record needs to be kept is the legal requirement. It’s OK to keep records longer if that is the policy stated in the retention schedule. “Just in case” is not a valid operational reason to keep something longer than the legal requirement. It’s also better to use “life of the legal entity (LOE)” instead of “permanent,” for records that need to be kept that long. “Permanent” causes issues when businesses are dissolved or go bankrupt; avoid them by using “LOE” in your schedule.

The retention schedule can also explain how to dispose of records that have met their retention period. Any record with personal information should be either shredded or permanently deleted.

Note: Many software programs offer a recovery period of up to 48 hours after you delete a digital record from your system, allowing the record to be discoverable in an audit or litigation. Leave deletion of digital records to the information technology department. These folks know how to permanently delete electronic files. Consider an electronic records management (ERM) or electronic content management (ECM) to maintain metadata about the record or information with a status of destroyed per schedule. (Important for audits and litigation!)

Factor at Least Six Months to Implement

A policy statement with related procedures may take as long as six months, by the time everyone agrees on them. Allot seven to eight hours per employee to inventory the records each creates, three to six months to research retention periods (operational being the longest) to create the schedule, and three months to source and implement an ERM/ECM application. Review and update the inventory and schedule every 12 to 18 months, and refresh training on the RIM program every 12 to 18 months.


ARMA International®:

Documentum by EMC:

OnBase by Hyland®:

PaperVision® Enterprise by Digitech:

FileBound by Upland:



HP Records Manager:


Cheryl Ahrens Young, CIP, APMD, CDIA+, CTT+, ecmP, ermM, has been employed over the last 30 years as trainer, records manager, image capture analyst, contracts manager, and project manager with specific expertise in RIM projects. Young is pursuing an Information Governance Professional (IGP) designation. She earned a Bachelor of Arts in Psychology from the University of California, Riverside, and has taken graduate level courses in Business Administration, Information Systems at California Polytechnic State University, Pomona. Young is the senior project manager at Western Integrated Systems for RIM projects. She is past chair for the ARMA International 2004 Conference and past Pacific Region Manager. Young is vice president of ARMA’s Orange County, Calif., chapter and is a member of the Project Management Institute, AIIM and IOFM.


Leave a Reply

Your email address will not be published. Required fields are marked *