KOM Networks - Data Retention Compliance
 

Using KOMworx to meet Data Retention Compliance Requirements

A growing number of industries are finding themselves burdened with long-term retention and access regulations covering a growing number of business records. This has been true in the financial world for many years, but with the recent addition of email retention to the SEC requirements, there is now a consensus that instant messaging will soon be added. Five major Wall Street firms were fined by the SEC in December 2002 for compliance failure, signaling its seriousness about this issue.

The healthcare industry already adheres to the 30-year retention of patient records under DICOM regulations, and now they find themselves having to also comply with new requirements from the Health Insurance Portability and Accountability Act (HIPAA).

Other industries, including pharmaceuticals and life sciences, and government agencies such as the EPA and the DOD, all have their respective records retention requirements. However, there are those, like the National Archives, who need to keep their files forever - but that's another problem that has been well documented. Whether an organization is bound by one or more of these regulations or none at all, it is just sound business practice to maintain some level of records management. This is the new pressing issue in IT, which has spawned a new cottage industry and new corporate-level titles such as Compliance Manager. Were you wondering where all of the Y2K consultants went?

KOM Networks has produced an extremely flexible tool, KOMworx Data Manager, which enables organizations to meet their compliance obligations while ensuring business continuity.

KOMworx Data Manager incorporates many cost-effective storage management features that justify its purchase and implementation. But at its core, KOMworx Data Manager is an automated policy-based file lifecycle manager. Once an organization formulates its records retention and access policies, for both the business and compliance aspects, and incorporates them into the system, it will run on auto-pilot and the potential for human error is almost completely eliminated.

KOMworx Data Manager stores data files on the most appropriate, most cost-effective resources within your storage infrastructure, at every point during the file's lifecycle. These resources can include direct-attached hard disk (DAS), network-attached storage (NAS), storage area networks (SAN) and near-line archival systems such as optical disk and DVD jukeboxes. As the value and/or access requirements of a file change over time, it is automatically moved from one storage class to another, based on the policies set up by the organization. This can, and should, include eventual storage on the medium that best meets the requirements of your particular compliance obligations.

Of course, compliance with records retention mandates is not a core function of most organizations. Records are the lifeblood of many companies, and they cannot be stored into a long-term archive just to accommodate the needs of compliance officers. KOMworx provides the platform for satisfying both the needs of the business as well as addressing compliance policies. Take, for example, a hospital:

  • When a new patient is treated, a new Patient Record is created and stored in the "Patient Records" directory of the KOMworx Data Manager Virtual Volume. The lifecycle policy associated with this directory says to store this new record on primary hard disk storage to allow fast access during the billing and insurance cycle, and to provide for backup and disaster recovery copies to be made. But after 60 days, the record is automatically migrated to a near-line archival device such as an optical disk jukebox that can reliably store the record for the 30 years mandated by government regulations.

  • But accessing this record from the optical jukebox when a patient is re-admitted to the hospital is not advisable. Optical jukeboxes are not very fast, and the time it takes to retrieve a record can be quite long if there are a lot of simultaneous requests being made to the jukebox. This could have serious consequences. But KOMworx Data Manager provides the solution.

  • Each night, the hospital admissions staff will copy, or pre-fetch, the records of patients scheduled for the next day into the "Current In-Patient" directory, which is still within the KOMworx Data Manager Virtual Volume. The original record stays in the jukebox, and the hospital staff uses the new copy during the patient's stay. The lifecycle policy of the Current In-Patient directory says to always keep the record on high-speed, redundant (mirrored) storage media.

  • When the patient is discharged, the updated record is copied back to the Patient Records directory, where it again spends 60 days on primary storage while billing is completed, and is then migrated back to the jukebox. If write-once (WORM) media is used in the jukebox, then an audit trail of the changes to the record over time will be available. If not, the new version of the record overwrites the old version, unless the file name is changed during the process. The copy in the Current In-Patient directory is deleted once all other out-processing is completed.

The End of the Life Cycle

There is a point in every record's life when it loses its value to the organization. Typically, this is the day after the applicable regulations say it needs to be retained, whether that is 2, 3, 5, 7, 15 or 30 years. But if you have kept it for that long, why worry about what to do with it when that day comes? Because in most cases, on that very day, the record will cease being an asset to the organization and become a liability. Old records are usually used to prove product design problems, harassment or bias claims, cover-ups, and other illegal or embarrassing activities. You will recall the court proceedings that Enron, Microsoft and a host of other companies had to endure recently to see the reality of this.

Companies should have a well-documented and well-managed records deletion policy to protect themselves. If the policy says, for example, to delete all emails after one year, and you can prove your adherence to that policy, then your company cannot be held in contempt for not producing those records during discovery.

KOMworx has a feature within the Virtual Volume that enables organizations to meet this important requirement. By creating a "Records Deletion" storage repository, files can be moved at a prescribed point in the file's lifetime (e.g. seven years after last modification). This is comparable to the Recycle Bin found in Windows operating systems. Once records are moved into this repository, responsible individuals could review them and make the ultimate decision to delete the file from the system. Of course, you should also ensure that any backup and/or disaster recovery copies are also manually destroyed as part of this process.

If you would like more information on how KOMworx Data Manager can help you meet the challenges of records retention compliance, please contact our sales or marketing staff.

 
© 2008 KOM Networks