COMPLIANCE & REGULATIONS BY INDUSTRY
An important driver for archiving email is regulatory compliance. All industries face some level of regulatory requirements which demand retention and production of business records. Some industries, such as the financial industry, healthcare, education and energy, face strict and sometimes onerous regulations.
Electronically Stored Information (ESI) communications within the financial securities industry must comply with Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) requirements. The regulations include retention of emails, instant messages and social media posts.
The healthcare industry is heavily regulated and organizations must comply with various US government rules focused on retaining patient records. Public education faces many State and local regulations regarding email communications and retention policies. Energy companies must comply with retention obligations imposed by the Federal Energy Regulatory Commission.
Even “non-regulated” industries, such as retail, transportation and manufacturing, also face some level of regulatory obligation to protect business records. Consequently, decision makers in all industries must consider regulatory compliance as a reason to implement a solid archiving solution.
Legal requirements vary by industry, with state and federal regulations mandating different levels of compliance for different types of organizations. Legal requirements change often and can vary from one region to another. While you should always confirm with your legal counsel before making any major decisions, there are some broad industry-specific rules and regulatory compliance statutes that should go into your planning. Some of these rules are outlined below.
Research & Intellectual Property

| Category | Regulation | Retention requirement |
|---|---|---|
| Patents | USPTO 37 CFR | There are no specified regulations, but best practice is the patent term plus any extensions. |
| National Science Foundation Grant Research | NSF Grant Policy NSF 02151 sect. 350a | All records and supporting documentation relating to an NSF grant must be kept for 3 years after the award period, report submission or end of related proceedings. |
| Biology Research | FDA (GCP/GLP) 21 CFR 58.195; 21 CFR 312.57, 62; 21 CFR 812.140 | Records relating to FDA-controlled research must be kept for 2-5 years. |
| Environmental Research | EPA (GCP/GLP) 21 CFR 160.195 | Records relating to EPA-controlled research must be kept for 2-5 years. |
| Research Data | OMB-A110.53; 2 CFR 215 | Research data must be kept for 3 years after the research or audit is completed, whichever is later. |
| Animal Research | NIH, USDA, PHS | Animal research records must be kept for 3 years after the end of the activity. |
| Contract or Grant Funded Research | Local policies based on NIH, EPA GLP, FDA GLP, FDA GCP et al. | Records associated with contract or grant-funded research must generally be kept for 3-5 years. |
Business

| Category | Regulation | Retention requirement |
|---|---|---|
| Safety Records | DOL (OSHA) 29 CFR 1910.1020 | Data relating to employee exposure or safety records must be retained for 30 years. |
| Welfare and Pension Records | DOL (WPPDA) 20 CFR 10.410 | Reports under the Welfare and Pension Plans Disclosure Act must be kept for 5 years. |
| Business Records | DOL (FLSA) 29 CFR 516.6 | Basic business records must be retained for 2 years. |
| Records | DOL (FLSA) 29 CFR 516.5 | Payroll records, contracts or collective bargaining agreements, and other information must be kept for 3 years. |
| Employment | EEOC (ADA et al.) 29 CFR 1602.14, 21, 28, 40, 49 | Employment records must be kept for 1-2 years. |
Education

| Category | Regulation | Retention requirement |
|---|---|---|
| Financial Aid | DOEd 34 CFR 74.53; 34 CFR 80.42 | Records of education grants and other financial awards must be kept for 3 years after submission of the final report. |
| Education Records | DOEd (FERPA) 34 CFR 99.32 | Data relating to FERPA transactions must be kept as long as the student record is maintained. |
| Education Records | State law requirements | Some state laws require educational records to be kept for a set period of time. |
Healthcare

| Category | Regulation | Retention requirement |
|---|---|---|
| Medical Records | DHHS (Medicare) 42 CFR 482.24, 26, 52 | Medical records must be kept for 5 years after the last entry or change, unless state law requires longer retention. |
| Hospitals | The Health Insurance Portability and Accountability Act (HIPAA) | Retain and protect patient information for 6 years, or 2 years after the patient's passing. |
| Health Insurance | The Health Insurance Portability and Accountability Act (HIPAA) | Retain and protect patient information for 6 years, or 2 years after the patient's passing. |
Finance

| Category | Regulation | Retention requirement |
|---|---|---|
| Hedge Fund | SEC Rule 203(b)(3)-2 | No less than 5 years. |
| Bank | Gramm-Leach-Bliley Act (GLBA) | Ensure confidentiality of customer financial information. |
| Internal Auditor | IRS (IRC/FICA) 26 CFR 31.6001 | Retain relevant data for 4 years after the tax due date or the date paid, whichever is later. Data related to a claim must be kept for 4 years after the filing date. |
| Internal Auditor | Sarbanes-Oxley (SOX) section 802 | Retain relevant data for no less than 7 years. |
| Registered Investment Advisor | Investment Advisers Act, SEC Rule 204-2 | Relevant data must be kept for no less than 5 years. |