Data Retention & Secure Destruction

Assessment for records management, data retention policies, and secure destruction procedures for regulated industries

HealthcareResearchBiotechPharmaAll minutes18 questions

1. Retention Policies

Are data retention schedules documented for all record types (clinical, research, business)?*

Retention schedule: Medical records (6-10 years per state), research (IRB approval +3 years), GMP (batch records lifetime of product +1 year)

Do retention policies comply with longest applicable requirement (HIPAA, FDA, state law)?*

Longest requirement applies: HIPAA 6 years, FDA GMP lifetime +1 year, clinical trial records 2 years after NDA/BLA, state laws vary

Are retention schedules reviewed annually and updated for regulatory changes?*

Policy review: Annual assessment of retention requirements, update for new regulations, train staff on changes

2. Electronic Records Management

Are electronic records stored in 21 CFR Part 11 compliant systems with audit trails?*

Part 11: Audit trails (who, what, when), version control, electronic signatures, prevent unauthorized changes

Are electronic records backed up regularly with offsite/cloud redundancy?*

Backup strategy: Daily incremental, weekly full, offsite storage, test restoration quarterly, encryption at rest/transit

Is electronic data migrated when systems are upgraded or decommissioned?*

Data migration: Maintain accessibility and integrity during system changes, validation of migrated data, legacy system archives

3. Physical Records Storage

Are physical records stored in secure, access-controlled, environmentally appropriate facilities?*

Storage conditions: Climate control, fire suppression, water protection, pest control, access logs

Is offsite records storage used with documented chain of custody and retrieval procedures?*

Offsite storage: Contracted facility, retrieval request process, inventory management, business associate agreement (HIPAA)

Are records inventories maintained with retention dates and destruction schedules?*

Inventory: Record location, retention period, destruction date, responsible party, periodic reconciliation

4. Secure Destruction Procedures

Are records destruction methods NIST SP 800-88 compliant (shredding, degaussing, cryptographic erasure)?*

Destruction methods: Cross-cut shredding (paper), degaussing/physical destruction (magnetic media), crypto-erase (SSD), incineration

Are Certificates of Destruction obtained from vendors with tracking of destroyed records?*

COD: Date, method, serial numbers/inventory list, vendor signature, retain for audit trail

Is destruction reviewed and approved by designated official before execution?*

Destruction approval: Records manager or compliance officer approval, verify retention period met, no litigation hold

5. Audit & Compliance

Are records management audits conducted annually to verify retention and destruction compliance?*

Audit scope: Random sample review, destruction logs verification, policy compliance, access control testing

Are staff trained annually on records retention, destruction, and data privacy requirements?*

Training: Retention schedules, destruction procedures, privacy laws, penalties for violations, incident reporting

Are records management violations reported and investigated with corrective action?*

Violations: Premature destruction, retention beyond schedule, unsecured disposal; investigate, report, prevent recurrence

6. Litigation Hold

Is litigation hold process documented with procedures to suspend destruction?*

Litigation hold: Legal notice triggers immediate halt to destruction, identify relevant records, preserve electronically and physically

Are custodians notified immediately of litigation holds with acknowledgment required?*

Hold notification: Email to all record custodians, acknowledge receipt, periodic reminders, training on obligations

Are litigation hold releases documented when legal matter concludes?*

Hold release: Legal counsel authorizes release, notify custodians, resume normal retention schedules, document release date

Please answer all required questions to see your results