HEALHEAR
Effective Date: May 12, 2025
Last Reviewed: June 19, 2025
1. Purpose
This policy establishes HealHear’s practices for retaining and destroying organizational documents—electronic and hard-copy—to ensure compliance with legal, regulatory, and mission‑related requirements while protecting personal information and enabling transparent governance.
2. Scope
Applies to all HealHear records, including board minutes, financials, donor data, HIPAA-related documentation, AI-development files, volunteer and employee records, contracts, and communications (emails, Slack, etc.).
3. Roles & Responsibilities
* Records Management Officer (RMO): Administers the policy, oversees retention schedules, ensures secure disposal.
* Legal & Compliance Advisor: Reviews retention schedules and destruction protocols.
* Department Heads: Identify records for retention/destruction and notify RMO.
4. Retention Schedule
| Record Type | Retention Period | Notes |
| --- | --- | --- |
| Articles, bylaws, charters, IRS determination | Permanent | Maintained indefinitely. |
| Board/committee minutes, policies, resolutions | Permanent | Reflect key governance actions. |
| IRS Forms: 1023, 990, tax returns | Permanent | Required for audit/history. |
| Financial records: general ledger, financial statements | | for continuity and audit history. |
| Bank statements, invoicing, canceled checks | 7 years | Standard IRS and CPA recommendation. |
| Grant and donor records (acknowledgments, DAFs) | 7 years | Support audits and donor relations. |
| Contracts, leases, agreements | 7 years post‑expiration | Plus any warranty or statute-of-limitations period. |
| Employment/volunteer records | 7 years after end of activity | Includes applications, reviews. |
| HIPAA‑related documentation (policies, logs) | 6 years from creation or update | Conforms to HIPAA privacy/security rules. |
| AI‑development, intellectual properties | Retain in alignment with trade‑secret/IP policies. | |
| System logs, access/audit logs | Minimum 6 years | Supports security reviews and HIPAA compliance. |
| Website, cookie, privacy policy versions | 6 years after superseded | Maintain prior versions for accountability. |
| IT backups | According to above retention standards | Ensure consistent destruction when originals are purged. |
5. Legal Holds
Upon litigation, audit, or government investigation, the RMO immediately suspends any scheduled disposal of relevant records until the hold is officially released.
6. Storage & Security
* Physical records: Stored in locked, fire-safe, water-resistant cabinets.
* Electronic records: Encrypted, access-controlled, and backed up securely.
* Backups: Retained in alignment with retention schedule; securely erased when obsolete.
7. Destruction Procedures
When retention periods expire (and no legal hold exists):
* Paper: Shred or pulp to incomprehensibility.
* Digital: Permanently delete or securely overwrite (per NIST/HHS guidance).
* Media: Physical devices fully destroyed if containing sensitive data.
All destruction actions must be logged, recording date, type of records, method, and responsible party.
8. Policy Review
This policy is reviewed biennially by the RMO and Legal/Compliance Advisor. Any revisions are approved by the Board of Directors.
9. Transparency & Access
HealHear publishes this policy on its website. Upon request, certified copies of financial and governance records are available—subject to donor privacy protections and applicable laws.
10. Compliance
All board members, staff, and volunteers must comply with this policy. Any suspected non‑compliance should be reported to the RMO or Board Chair. The Board may authorize disciplinary or legal action against violators.
For questions or record requests, please contact:
HealHear Corporation
120 E 3rd St, #232
Front Royal, VA 22630
Email: Admin@healhear.com
HealHear
A 501(c)(3) Nonprofit corporation EIN: 33-4300949