Compliance is a fulltime job: No industry immune from regulation

From the U.S. Department of Transportation’s rules for long-distance truckers, to the FDA’s scrutiny of every document associated with a new drug filing, compliance issues play a major role in how records are stored and documents are managed across a regulated enterprise.

Multiple agencies-ranging from the SEC’s oversight of financial services to the FCC’s guidelines for telcos or the USDA’s look at beef-mandate strict record-keeping practices. Petrochemical, pharmaceutical and manufacturing industries are further governed by the Occupational Safety Hazards Administration (OSHA) and the Environmental Protection Agency (EPA), which each regulate how (and for how long) records should be kept. In fact, several regulatory bodies, such as the EPA (www.epa.gov/recmgmt), host Web sites expressly outlining records management policies.

Compliance is crucial in a pharmaceutical environment where the FDA can walk in unannounced to a firm’s drug production plant and ask for the documented policies relating to production processes or retention guidelines. If they cannot be produced or the process doesn’t live up to the policy, the plant can be shut down.

Besides federal and state regulatory agencies, if the organization has ISO registration, the certifying body, like the British Standards Institute, can conduct on-site audits of ISO-registered clients. Part of the audit addresses retention, preservation and access documented processes. If the documentation is found lacking, the firm’s ISO registration could be withdrawn. Demonstrated compliance means well-documented procedures, audit of employee or system adherence to procedures, and consistency in application through non-announced inspections by governing bodies.

While compliance issues are faced across all industries, the insurance, medical, financial, transportation and legal markets are particularly affected by regulatory issues. It’s no longer enough for those organizations to simply manage their documents; the process by which the records are handled and stored also comes under scrutiny.

Compliance is subject to a myriad of sometimes conflicting guidelines imposed by not only national governments but by state, regional and independent economic groups. Elva Ellen Hubbard, an analyst with the Delphi Group (www.delphigroup.com), points out that an insurance company doing business in 50 states must have its products approved for sale in each state.

"Each state has different sets of regulations that can vary greatly," Hubbard said. "Additionally, the insurance company must keep track of the certification status of each agent’s license by state and class or product."

Similarly, the telecommunications industry is subject to both federal and state regulations. Walter Haug, a senior consultant with Network Engineering Consultants (www.networkeng.com), represents telecommunications clients before regulatory bodies. Discussing the handling of electronic documents, Haug said, "It’s monumental; there’s jurisdiction in every state-each with its own tariff requirements. However, there are inconsistencies between jurisdictions. Different states have different software requirements. Some mandate electronic filing, while others don’t."

As electronic records become more widely accepted, regulations governing their handling and legality are being adapted. Document retention policies apply to electronic as well as paper-based records. The trick is being able to apply those rules consistently. EDMS-based systems must be programmed to ensure imaged data and source paper documents are preserved for the varying retention requirements as specified for each document type. Also IT systems and databases must preserve financial data and associated legacy systems in the event of financial audits.

"In the regulatory arena, you get a lot of ideas that don’t get captured and shared," said Haug. "To keep track of the documents and convert what isn’t electronic to electronic is a major undertaking. If you want to disperse the knowledge, it’s got to be available quickly."

Thus, planning a document and records management system that meets compliance requirements involves a structured approach involving a number of technologies. Document management, search and retrieval and capture vendors recognize that market, and are increasingly positioning products for compliance.

For an organization that is highly regulated, the challenge is to demonstrate consistent retention and preservation compliance when faced with the creation and storage of paper, magnetic, optical and microfilmed documents. Combined with statutory and transactional data and documents are E-mail, voice mail and Web data, which are considered corporate documents and may be produced for a regulatory or legal request.

The legality of electronic documents and records has become a critical issue. Consulting firms such as Cohasset Associates (www.cohasset.com) are working to establish consistent standards of acceptance. Similarly, the Association for Information and Image Management (AIIM, www. aiim.org) has published its own guidelines in "Performance Guideline for the Legal Acceptance of Records Produced by Information Technology Systems."

Legal experts such as Brad Hulbert, a partner with the law firm McDonnell Boehnen Hulbert & Berghoff (www.mbhb.com), stress the importance of recognizing electronic documents and E-mail as part of the corporate records base. Even E-mail messages should be governed by the same document handling procedures of more structured records (see story, left).

"A computer database of E-mail is as much a record as a paper copy, except it is even more important to me (in a trial) because it’s a little more credible," said Hulbert. "A juror tends to think, ÔOh, since it came out of the computer, it must be right.’"

"Make compliance with regulations part of everyday operating procedure-the first task of the job," advises Dakota Software’s (www.dakotasoft.com) Arlene Davidson. "Putting the safety harness on before climbing the scaffolding becomes the first task of the welder, for example, not the actual welding."

So, what happens if an organization fails to comply with regulations? According to Davidson, "As long as the non-compliance area is identified and a good faith effort is made to comply, the regulators will work with you before enforcing any criminal proceedings."