Record Retention, Disposal and Data Security Policy

To maintain files for an appropriate period of time on all residents/fellows who were trained in an accredited residency/fellowship training program. This policy refers only to records that have a legal, operational or historic value.

Documents maintained, stored and destroyed by the Office of Graduate Medical Education. Programs may not store any of these documents listed in Table 1 with the exception of the Final Summative Evaluation.

The training program is responsible for recording, maintaining, storing and destruction of the following documents as applicable.

The entire file should be kept for residents/fellows who do not complete the program or who are not recommended for board certification. In addition, in the event of a litigation hold, no files may be destroyed regardless of the disposal schedule until notification has been received that the case has been resolved.

Each training program should identify a staff member to serve as a Data Steward who will take responsibility for the storage, management and disposition of appropriate documentation related to training residents and fellows.

In order to prevent a potential breach of protected or confidential information, it is recommended that the minimum retention period guidelines be followed for each type of document that is stored. This will greatly reduce UB’s vulnerability and liability in the event of a loss of information.

The preferred method of disposing of paper documentation is shredding. Do not recycle any documents containing sensitive or protected information.

Electronic deletion of data is more complicated. Hard drives/networks must be “sanitized”. This will require assistance and support from your Information Technology department. A simple “delete” process done at your workstation does not suffice to permanently delete electronic data. Be aware that backup copies of the data may also be stored and will need to be addressed. Program staff may not delete any electronic data from MedHub or alternate residency management systems.

Maintain a Record Disposal Document to record the date of disposal, description of the records identified and method of destruction. If sending paper records for shredding, a confirmation from the vendor is required that destruction of the records has been completed.

Working offsite on mobile devices such as laptops, tablets and smart phones is commonplace. However, sensitive data may only be accessed on UB-approved mobile devices via secure VPN connection and within the remote desktop application. As a general rule, you are not permitted to download category 1 or category 2 data to your personal mobile devices.

• Do not fax sensitive data. Most fax transmission lines are internet-based and are not hard-wired telephone lines and therefore, are not HIPAA-compliant;
• If you are using a flash drive to transfer highly sensitive or confidential information, it must be encrypted; 
• Encrypt all laptops that are used off site; 
• Lock your workstation when you walk away from your desk; 
• Keep documents containing sensitive information in locked drawers/ file cabinets; 
• Power down your workstation at the end of the day; 
• Delete data from your Downloads Folder on a frequent basis ( this can be set automatically in your computer's settings); 
• Be aware or "shoulder surfers" who may be sitting behind or next to you and may be able to view sensitive data;
• Formally review the information that is collected in your systems and who has access to it at least on an annual basis, more frequently, if possible. Make a note of the review in the event you are asked to provide documentation of the review; 
• In addition to the UB policies listed below and this resource, familiarize yourself with data security procedures for your hospital or office location and steps to take in the event of a data breach.

• Protection of University Data Policy
• Data Access Procedure
• UB Minimum Security Standards for Desktops, Laptops, Mobile and other Endpoint Devices
• University at Buffalo Record Retention and Disposition Policy
• SUNY Record Retention and Disposition Policy

All verification of training or malpractice coverage requests must be submitted electronically with a signed release. No requests are accepted by phone, fax or email.

• Payroll verification (for credit card applications, mortgage applications, changing the number of tax deductions on W-4 forms, and amount being deducted from paycheck for incorrect insurance.
• Direct deposit issues.

Contact your residency program director's office for:

• Verification of procedure credentialing status.
• Residency verifications which require information on the resident’s character, ability, clinical performance, etc.
• Applications to the program – vacancies in program.

Contact the Federation of State Medical Boards for training verification in the following programs:

• Family Medicine – Niagara Falls Memorial
• Thoracic Surgery
• Physical Rehabilitation and Medicine
• Rheumatology
• Pediatric GI
• Geriatric Psychiatry
• Dermatology

Established:  2004
GMEC Approved Date: September 21, 2021