COMPLIANCE & REGULATIONS

BY INDUSTRY

An important driver for archiving email is regulatory compliance. All industries face some level of regulatory requirements which demand retention and production of business records. Some industries, such as the financial industry, healthcare, education and energy, face strict and sometimes onerous regulations.

Electronically Stored Information (ESI) communications within the financial securities industry must comply with Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) requirements. The regulations include retention of emails, instant messages and social media posts.

The healthcare industry is heavily regulated and organizations must comply with various US government rules focused on retaining patient records. Public education faces many State and local regulations regarding email communications and retention policies. Energy companies must comply with retention obligations imposed by the Federal Energy Regulatory Commission.

Even “non-regulated” industries, such as retail, transportation and manufacturing, face some level of regulatory obligation to protect business records. Consequently, decision makers in all industries must consider regulatory compliance as a reason to implement a solid archiving solution.

Legal requirements vary by industry, with state and federal regulations mandating different levels of compliance for different types of organizations. Legal requirements change often and can vary from one region to another. While you should always confirm with your legal counsel before making any major decisions, there are some broad industry-specific rules and regulatory compliance statutes that should go into your planning. Some of these rules are outlined below.

Research & Intellectual Property

USPTO 37 CFR

There are no specified regulations, but best practice is patent term plus any extensions.

NSF Grant Policy NSF 02151 sect. 350a

All records and supporting documentation relating to a NSF grant must be kept for 3 years after the award period, report submission or end of related proceedings.

FDA (GCP/GLP) 21 CFR 58.195 21 CFR 312.57,62 21 CFR 812.140

Records relating to FDA-controlled research must be kept for 2-5 years.

EPA (GCP/GLP) 21 CFR 160.195

Records relating to EPA-controlled research must be kept for 2-5 years.

OMB-A110.53 2CFR 215

Research data must be kept for 3 years after research or audit is completed, whichever is later.

rch NIH, USDA, PHS

Animal Research Records must be kept for 3 years after end of activity.

Local Policies based on NIH, EPA GLP, FDA GLP, FDA GCP et al

Records associated with contract or grant-funded research must generally be kept for 3-5 years.

Business

DOL (OSHA) 29 CFR 1910.1020

Data relating to employee exposure or safety records must be retained for 30 years.

DOL (WPPDA) 20 CFR 10.410

Reports under the Welfare and Pensions Plan Disclosure Act must be kept for 5 years.

DOL (FLSA) 29 CFR 516.6

Basic business records must be retained for 2 years.

DOL (FLSA) 29 CFR 516.5

Payroll records, contracts or collective bargaining agreements, and other information must be kept for 3 years.

EEOC (ADA et al) 29 CFR 1602.14,21,28,40,49

Employment records must be kept for 1-2 years.

Education

DOEd 34 CFR 74.53 34 CFR 80.42

Records of education grants and other financial awards must be kept for 3 years after submission of final report.

DOEd (FERPA) 34 CFR 99.32

Data relating to FERPA transactions must be kept as long as the student record is maintained.

State Law Requirements

Some state laws require educational records to be kept for a set period of time.

Healthcare

DHHS (Medicare) 42 CFR 482.24,26,52

Medical records must be kept for 5 years after the last entry or change unless required to be retained longer by state law.

The Health Insurance Portability and Accountability Act (HIPAA)

Retain and protect patient information for 6 years or 2 years after patient passing.

Finance

SEC Rule 203(b)(3)-2

No less than 5 years.

Gramm-Leach-Bliley Act (GLBA)

Ensure confidentiality of customer financial information.

IRS (IRC/FICA) 26 CFR 31.6001

Retain relevant data for 4 years after tax due date or date paid, whichever is later. Data related to a claim must be kept for 4 years after the filing date.

Sarbanes-Oxley (SOX) section 802

Retain relevant data for no less than 7 years.

Investment Advisers Act SEC Rule 204-2

Relevant data must be kept for no less than 5 years.