• Exclusion Individuals or Entities
• Fair Market Value Policy
• Focused Arrangement Database Policy and Procedure
• Fraud, Waste and Abuse Protection and Federal Deficit Reduction Act of 2005 Policy
• General Statement on Agreements with Referral Sources Policy
• Identity Theft Prevention Program - Red Flag Rules
• Professional Courtesies for Health Services Policy
• Professional Services Policy
• Responding to Suspected Violations of the Stark Law That Do Not Implicate the Anti- Kickback Statute
• Responding to Suspected Violations of the Anti-Kickback Statute or for Stark Law Violations that Potentially Implicate the Anti-Kickback Statute
• Whistleblower (Reporting Compliance and Ethics Concerns)

• Access of Individuals to Protected Health Information (PHI)
• Accounting of Disclosures of Health Information
• Disclosures of Personally Identifiable Health Information to Business Associates
• Fax Machine Transmittal of Confidential, Sensitive or Protected Health Information (PHI)
• Uses and Disclosures of Protected Health Information: With and Without Authorization
• Protection of Sensitive Electronic Information
• Request for Restriction of Uses and Disclosures of Protected Health Information
• Requests for Amendment of Protected Health Information
• Standards for Privacy of Individually Identifiable Health Information
• Workstation Use and Security Policy

I. PURPOSE

1. Policy Statement

Rowan University recognizes that the efficient management of its records, regardless of their form or medium, is essential to support its core functions, to comply with its legal and regulatory obligations, and to contribute to the effective overall management of the institution. The University further recognizes that proper methods of records disposal and the determination of what records should be stored in the Rowan-Virtua SOM Archives for permanent preservation is an important responsibility. This document provides the policy framework through which to meet this responsibility.

To establish the University policy for the administration of the Records Management Program and to develop procedures for the creation, use, retention, storage, and destruction of the University’s records to ensure sound records management practices and comply with all applicable State and Federal retention laws and regulations and in accordance with N.J.S.A. Title 47, Public Records, the Department of State, Division of Archives and Records Management (DARM), and N.J.A.C. 15:3 et seq.

2. Reason for This Policy

• To promote efficient administration and management of the records of the University.
• To provide guidance on the maintenance, retention, storage and disposition of official records based on their fiscal, legal, administrative, and historical value to the University.
• To reduce and/or prevent unnecessary legal and fiscal responsibility caused by retaining the University records longer than the retention schedules authorizes or by premature disposal of the University records.

3. Who Should Read This Policy

All members of the the University community

4. Related Documents and Links

The University Records Management Program (includes Records Retention Schedules)

• Processing Division of Archives and Records Management (DARM) forms:
  • NJ Request and Authorization Form Records Disposal Form
  • Artemis Records Retention & Disposition Management System (Help Manual)
• Identity Theft Compliance Policy
• Draft Information Security Classification Policy
• Minimum Security Standards for Networked Devices
• NIST Special Publication 800-88, Guidelines for Media Sanitization 

II. ACCOUNTABILITY

Under the direction of the President, the Provost and Executive Vice Chancellor for Academic Affairs, Deans and department administrators shall ensure compliance with this policy.

III. APPLICABILITY

This policy applies to all public records created or received at the University units.

IV. DEFINITIONS

A. Definition of a Record
The University records are defined as any and all data or information in a fixed form and in any format that is created or received in the course of institutional activity and retained as evidence of that activity for future reference. Records include all textual or printed materials including, but not limited to, papers, manuscripts, correspondence, books, maps, drawings, plans; microfilm, photographs, sound and moving image recordings, electronic data and/or machine readable data on all mediums or other documentary materials regardless of physical form and characteristics.

B. Vital Records
Some University records are “essential”; meaning that their loss would jeopardize the rights and privileges of the University. Vital records include records whose legal status and informational value to the University is so great, and the consequences of loss are so severe, that special protection is justified in order to reduce the risk of loss. The following records are considered to be essential:

• Records containing information required to re-establish or continue in the event of a disaster
• Records containing unique and irreplaceable information necessary to recreate the university’s legal and financial position
• Records that preserve the rights of the organization and its employees, students, and other constituent groups

C. Electronic Records
Electronic records consist of information captured through electronic means, and which may or may not have a paper record to back them up. Electronic records are data or information that has been captured and fixed for storage and manipulation in an automated system and requires the use of the system to render it intelligible by a person. "Electronic records" can encompass both analog and digital information formats and most often refers to records created in electronic format (born digital) but is sometimes used to describe scans of records from other formats. Examples of electronic records include, but are not limited to, email, text messages, PDFs, word processing documents, digital photographs, sound recordings, moving images, formatted data, spreadsheets, databases, and records existing in a university computing cloud such as emails, instant message conversations, calendars, videos, blogs, etc.

D. Archival Records
Archival records are defined as any and all data or information in a fixed form and in any format that is created or received in the course of institutional activity and are permanently retained because of their enduring informational, evidential, and historical value.

E. Active Record
An active record is the University record that is currently being used during the ordinary course of the University business.

F. Inactive Record
An inactive record is the University record that is no longer being used in the ordinary course of the University business, but must still be retained until the end of its Records Retention Schedule.

G. Expired Record
An expired record is the University record that is no longer being used in the ordinary course of the University business when such record has fulfilled its retention requirement in accordance with the Records Retention Schedule and does not need to be permanently retained. A record cannot be considered “expired” if it is currently subject to a “Litigation Hold Notice.”

H. Office of Record
The Office of Record is the designated division, department, unit or individual, as identified in the Records Retention Schedule, responsible for both the retention and timely destruction of the University records in accordance with this policy.

I. Retention Schedule
The Records Retention Schedule provides a list of official records for each major administrative department in the University and prescribes the periods of authorized retention. The schedule may be revised periodically to include a newly created record series, to change retention periods, or to address records that are no longer useful or that are obsolete. A University record, regardless of the format in which it is created, must be retained for designated periods of time and may only be disposed of in accordance with approved retention and disposition schedules. Once a the University record has satisfied its retention period, the retention schedule will dictate the document’s ultimate disposition (i.e., authorized destruction, retention extension or transfer to the the University Archives).

J. Protected Health Information (PHI):
Protected health information means individually identifiable health information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual and identifies or could reasonably be used to identify the individual. According to N.J. Administrative Code 13:35-6.5(b) (2008) states that PHI held by Physican Offices must be retain for seven (7) years from the date of the last entry.

• Except as provided paragraph two (2) of this definition that is: a) transmitted by electronic media; b) maintained in electronic media; or c) transmitted or maintained in any other form or medium
• Protected health information excludes individually identifiable health information in: a) education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; b) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and c) Employment records held by a covered entity in its role as an employer.

K. “Government Entity” - any officer, commission, agency or authority of the State or of any political subdivision thereof, including subordinate boards thereof.

L. “Public Record” - A public record means any paper, written or printed book, document or drawing, map or plan, photograph, microfilm, sound-recording or similar device, or any copy thereof which has been;

1. made or is required by law to be received for filing, indexing, or reproducing by a government entity in the course of entity business, or received and/or retained by a government entity in the course of entity operations.

2. Records scanned and stored under the State of New Jersey, State Records Committee scanning certification are subject to this policy. Records kept in the library special collections are subject to this policy. Records access guidelines outlined in the Federal laws listed below supersede this policy and other State policies:

Health Insurance Portability and Accountability Act (HIPAA)

Family Educational Rights and Privacy Act (FERPA),

M. “Nonrecord Material” - Material that is not included in the definition of a public record. Examples of nonrecord material include; rough notes used to collect or compile data after the data has been included in a record; answer pads for a telephone or other informal notes; stenographers' notes after the information contained therein has been transcribed; non-University brochures, newsletters, magazines and newspapers, except those portions of newspapers retained as evidence of publication; personal notes which are not prepared for transacting the University or government business; materials pertaining solely to an individual's private affairs; extra copies and duplicates, the use of which is temporary; information notes that do not represent significant basic steps in the preparation of the public record copies; unofficial copies of documents kept only for convenience or reference; extra identical copies of a public record; stocks of printed or reproduced documents kept for supply purposes where file copies have been retained for record purposes; unused forms; blank forms; and other material of similar nature. Whenever doubt arises whether certain papers are nonrecord materials, it should be presumed that they are records. Material that is not included in the definition of a public record may be disposed of at the discretion of the custodian or the creator of the document, as applicable, subject to any other University policy.

N. “Cubic Feet of Destroyed Records” - The New Jersey Department of State, DARM defines 1 cubic foot as the size of a box of copier paper, and a file draw of records will equal 2 cubic feet.

RECORDS MANAGEMENT

I. INTRODUCTION

Records management is the systematic control of recorded information from creation or receipt, through processing and use, until final disposition. Final disposition will be through destruction or transfer into the the Archives. Proper records management satisfies compliance with laws and regulations, and ensures that historically significant records are properly preserved.

This policy provides direction on records management to ensure that the University complies with federal, state, and other regulatory guidelines. Therefore, the University faculty and staff shall:
• Retain records according to established Records Retention Schedules
• Maintain active and inactive records in appropriate storage equipment and locations
• Preserve records of historical significance
• Protect sensitive information using secure methods of recordkeeping and disposal
• Identify and protect vital records
• Discard (in an approved manner) records that are no longer required

No employee has, by virtue of his/her position, any personal or property right to official records even though he/she may have helped develop or compile them. The unlawful destruction, removal from files, and personal use of official the University records is strictly prohibited.

II. LOCAL UNIT’S RESPONSIBILITIES

It is the responsibility of each local unit (department, division, area, etc.) to identify a records management liaison who shall be responsible for ensuring the storage of active records in an appropriate manner which is consistent with this policy. Responsibilities of the local unit include, but are not limited to the following:

1. The University records, both paper and electronic, must be properly maintained during their retention period. In-house maintenance of records should ensure proper accessibility, security, and protection.

2. Identify an authorized location for storing the University records within the unit’s custody. Questions regarding proper storage and identifying authorized locations should be directed to the Records Management Program.

3. All the University employees must ensure that information in confidential or privacy-protected records is protected from unauthorized disclosure through the ultimate disposition of these records. As a normal matter of conducting business, destruction of confidential or privacy- protected records will be done by shredding or pulping. "Deletion" of confidential or privacy-protected information in computer files or other electronic storage media is not acceptable. Electronic records must be "wiped" clean or the storage media physically destroyed. These methods of destruction are specified in the retention schedules so that records may not be viewed or used by unauthorized persons after they are disposed.

4. Many records can be legally destroyed at the end of their active lives, if there are no audit, legal, fiscal, regulatory or historical reasons for the preservation of the records. Those University records designated for destruction (after fulfilling their retention requirement) must be disposed of in an appropriate method. Records containing confidential information should be destroyed by pulping, shredding, or incineration. In accordance with HIPAA regulations, the destruction/disposal of all PHI will be accomplished by shredding, incineration or another comparable fashion that ensures that the PHI cannot be recovered or reconstructed.

5. In the case of electronic records, complete and proper deleting and purging should be performed.

6. Email messages and other electronic business records are considered the University records and are subject to the same retention requirements as that which govern the management of paper records.

For assistance in determining how to dispose of the University records and/or to identify appropriate storage locations, local units should contact the Records Management Program.

III. RECORDS MANAGEMENT OFFICE RESPONSIBILITIES

The University’s Records Management Office, provides resources and information on the creation, management, transfer and/or disposition of all official the University records. As a continuing management function, the University’s Records Management Coordinator shall provide for the retention of the University records through the period of their value or legal requirement and for their systematic disposition. 

Inactive records may be stored in the University Records Management Center, which offers departments a centralized storage facility where inactive records may be stored, retrieved, and disposed of once the Records Retention Schedule has expired. Exceptions may be granted with the written approval of either the Provost and Executive Vice Chancellor for Academic Affairs or Senior Vice President for Finance and Administration. Records in the Records Management Center remain under the authority of the depositing department, and may be retrieved by that department upon request. Records stored in the Records Management Center may not be used for research except by the depositing department, or with the written permission of the depositing department, or as otherwise determined by an authorized official. Records may also be retrieved in accordance with all relevant legal or fiscal requirements of the University.

The services of the Records Management Office are available to all university units. The Records Management Office will:

1. Develop Records Retention Schedules in conjunction with departmental staff and monitor the maintenance of and compliance with those schedules.

2. Assist with inventorying departmental active records and analyzing active departmental record-keeping systems.

3. Manage and operate the Records Management Center, retrieving records upon the request of the depositing department or authorized personnel.

4. Arrange for the appropriate disposal of records stored in the Records Management Center, according to the Records Retention schedules.

5. Assist in the preparation for and protection of the University records in the event of a disaster.

6. Provide departmental consultations and campus-wide workshops to better educate the University community in proper records management principals.

IV. AUDIT

Adherence to proper records storage and to the appropriate Records Retention Schedules is subject to audit by the Internal Audit Department.

V. POLICY

A. The University will create and maintain complete and accurate records. These records will be managed in an orderly manner that facilitates timely retrieval when necessary. Records stored off site must be stored at a University approved facility.

B. The President, Central Administration, and the Dean of each school will appoint a Records Liaison. The Records Liaison will assist the the University's Custodian of Records in implementing the Records Management policy, and will oversee the implementation and maintenance of the policy within the University.

C. Records will be retained and destroyed in accordance with all appropriate State and Federal laws and regulations and this policy, including the records retention schedules issued by DARM.

D. Upon satisfaction of the required period of retention, public records may be destroyed only with prior written authorization from DARM.

E. The University units must obtain and retain a completed Request and Authorization for Records Disposal form, approved by DARM, prior to the destruction of public records. The form must be completed and signed by the school, or unit’s Record Liaison, and the the University's Records Custodian to implement this policy, prior to submitting the form to DARM.

F. Destruction/disposal of records with protected health information, personal financial or other personal identifying information, intellectual or other proprietary rights shall be accomplished by shredding, incineration or other comparable fashion ensuring that the record cannot be recovered or reconstructed. The disposition of such destruction must be documented on the Request and Authorization for Records Disposal form.

G. Email may be a public record and must be retained in compliance with all applicable State and Federal retention laws and regulations and in accordance with N.J.S.A., Title 47, Public Records, DARM, and N.J.A.C. 15:3 et seq.

H. Electronic records, including but not limited to electronic medical, human resources, and student records, shall be created using the University standard software. Mainframes, servers, Personal Computers (PCs), and other devices containing the electronic files must adhere to the University standards and procedures for data security, business continuity, and disaster recovery. All other the University procedures, timelines, and requirements for records management and retention shall apply to electronic records.

I. Microfilming and Imaging projects must be certified by DARM in accordance with state regulations NJAC 15:3 and annually renewed.

J. The Vice President of Information Systems and Technology shall be responsible for ensuring that the State of New Jersey State Records Committee Public Records Image Processing System Certificate of Compliance is current.

K. Records which contain confidential and/or proprietary information will be maintained in a secure environment with authorized access, protection against damage or destruction by fire, smoke, water or other means, and meet all State and Federal requirements.

L. All public records are the property of the University and no employee has any personal or property right to such records regardless of his or her position or authorship.

M. The unauthorized destruction, removal, or use of the University records is prohibited.

N. The falsification or inappropriate alteration of any public record is prohibited.

O. The University Office of Compliance will be responsible for performing periodic reviews of selected units and departments of the University to ensure compliance with this policy. These reviews must occur no less frequently than on an annual basis.

P. The President & Chief Compliance Officer, through the Director of Ethics Programs, will develop and provide general training to the the University workforce regarding record management policy, procedures and regulatory requirements.

VI. REFERENCES

A. State of New Jersey State Records Committee Certificate of Compliance No. 04071501-NM

B. N.J.S.A. Title 47, Public Records

C. N.J.A.C. 15:3 et seq.

D. State of New Jersey State General Records Retention Schedule

E. State of New Jersey Four Year College Record Retention Schedule

F. State of New Jersey Health Care Facilities Retention Schedule

G. HIPAA

H. FERPA

I. Access to the University Records

J. Records Retention and Disposition Management System

K. Request and Authorization For Records Disposal Form 

L. Records Retention & Disposition

VII. EXHIBITS

A. State of New Jersey Records Committee Certificate of Compliance No.

Rowan University strives to conduct its operations in an ethical, lawful and responsible manner. Each employee is expected to adhere to this standard whenever he or she acts on behalf of the University.

The University Compliance Program has been established to define and govern the conduct expected of employees, to provide guidance on resolving questions related to business conduct and ethical issues, and to establish a mechanism by which employees can report possible violations.

Listed below are certain activities which are strictly prohibited. Staff members who engage in these or other prohibited activities may be disciplined and may be subject to termination even for the first offense, depending on the seriousness and intensity of the violation. This list is not intended to cover every possible situation that may arise, but is designed to give you a basic understanding of common types of unacceptable conduct or performance.

• Failure to adhere to the University's Code of Conduct.
• Failure to adhere to the University or its units policies and procedures.
• Failure to satisfy mandatory compliance training requirements.
• Failure to cooperate with internal attorneys, auditors and compliance officer during investigations and audits.
• Using and disclosing patient information in violation of the privacy rights of our patients as provided by state and/or federal laws and regulations (ex: HIPAA), and/or RowanSOM or its unit's policies and procedures.
• Engaging in unauthorized access to patient information or using authorized access to such information in an unauthorized manner or in violation of the University or its units policies and procedures.
• Failure to report possible violations of law or ethical standards.
• Failure to abide by the University's Conflict of Interest Policy.
• Failure to comply with Antitrust laws.
• Failure to comply with Anti-kickback/anti-referral laws.
• Failure to comply with EMTALA regulations.
• Failure to properly handle and dispose of hazardous materials and wastes; i.e. chemical, biological, and radioactive.
• Failure to comply with the proper distribution and handling of pharmaceutical products; including, but not limited to, prescription drugs, controlled substances, hypodermic needles and drug samples.
• Failure to follow policies and procedures that ensure that research grants and their implementation are consistent with federal, state, local, and the University's rules and regulations.
• Participating in concealing improper discharge or disposal of hazardous materials or pollutants.
• Failure to comply with all safety instructions and procedures which are established to prevent safety and health hazards.
• Retaliating in any form against an individual who in good faith reports a suspected violation of policy and/or law.
• Engaging in any type of scientific misconduct.
• Failure to adhere to all Medicare and Medicaid laws and regulations.
• Failure to abide by all applicable laws and regulations