The Tayo Clinic

Document Retention & Destruction Policy

Board-Approved on 3/17/2025

---

1. Purpose & Scope

This Document Retention & Destruction Policy (“Policy”) ensures that The Tayo Clinic, Inc. (“the Clinic”) maintains and discards records in a manner consistent with:

• Legal requirements (including HIPAA for patient/telehealth data)
• Best nonprofit governance practices
• IRS 501(c)(3) standards

This Policy applies to all records (physical and electronic) created, received, or maintained by the Clinic, including but not limited to:

• Organizational documents (Articles, Bylaws, board minutes)
• Financial records (tax filings, donations, invoices, grants)
• Human resources (personnel files, volunteer records)
• Patient/telehealth data (EMRs)
• Legal documents (contracts, insurance)
• Electronic communications (email, cloud data)

2. Oversight & Acknowledgment

Executive Director’s Role: Oversees compliance with this Policy, ensuring all staff and volunteers understand and follow the guidelines.

Staff Acknowledgment: Employees and key volunteers must sign an acknowledgment confirming they understand and will comply.

Board Approval & Review: This Policy must be approved by the Board and reviewed at least every 2 years or as needed.

3. Retention Schedules

General Rule: If multiple laws apply, the longer retention period governs.

A. Permanent Records

• Articles of Incorporation & Amendments
• Bylaws & Amendments
• Board Minutes & Resolutions
• IRS Determination Letter
• Annual Audited Financial Statements
• Major Legal Documents (patents, trademarks)

B. Financial & Tax Records

• Tax Returns (Form 990): 7 years
• Auditor Reports: Permanent or 7 years if draft
• Bank Statements, Invoices, Receipts: 7 years
• Grant Records: 7 years post-grant
• Check Registers: 7 years

C. Human Resources

• Personnel Files: 7 years after employment ends
• Volunteer Records: 3 years after service
• Payroll, Time Sheets: 7 years
• I-9 Forms: 3 years after hire or 1 year after termination

D. Legal & Contracts

• Contracts & Leases: 7 years after expiration
• Insurance Policies: 7 years post-expiration
• Legal Correspondence: 7+ years or as advised

E. Patient / Telehealth Records (HIPAA)

• EMRs: Minimum 7 years from last patient encounter
• HIPAA Privacy Notices: 6–7 years

F. Electronic Communications

• Emails follow same retention as relevant category
• Non-essential emails may be deleted sooner

4. Storage & Security

• Physical: Stored in locked, restricted-access areas
• Electronic: Password-protected, backed up, and encrypted when appropriate
• HIPAA: EMRs secured in HIPAA-compliant systems

5. Destruction Procedure

• Records past their retention period should be securely destroyed unless on legal hold
• Physical: Cross-cut shredder or incineration
• Electronic: Use NIST-compliant deletion (e.g., data wiping, shredding devices)
• Approval: Destruction of large/sensitive volumes requires ED approval

6. Legal Holds & Exceptions

• All relevant records must be preserved if litigation or investigations are pending
• External requirements (e.g., funders) override this Policy when stricter

7. Other Policies & References

• Conflict of Interest Policy: Follow board minutes retention rules
• HIPAA: All PHI must be handled in line with HIPAA retention and security standards

8. Compliance & Enforcement

• The Executive Director ensures compliance
• Violations may result in disciplinary action
• Training may be provided to relevant staff

9. Policy Approval & Review

This Policy was approved by the Board of Directors on 3/17/2025. The Board will review it at least every 2 years, or more frequently as needed to reflect changes in law or operations.