← Back to Playbook

OPS-SOP-035 — Document Version Control & Retention Policy

Document IDOPS-SOP-035	Version1.0	Effective Date[TBD — upon adoption]	Next ReviewAnnually	OwnerOperations
Prepared ByOperations

1. Purpose

This SOP defines how Unity Care Solutions manages the versioning, storage, access, and retention of all operational, legal, compliance, and plan documents. It ensures that the right version of every document is always available, prior versions are preserved for audit purposes, and records are retained for the periods required by ERISA, HIPAA, IRS, and DOL regulations.

Key principle: Every document that governs the plan, affects member rights, or records a financial transaction must be version-controlled and retained. A DOL audit can request records going back 6 years. "We lost it" is not an acceptable answer.

2. Document Categories

Category	Examples	Retention
Plan Documents	SPD, SBC, SMM, Plan Amendments, Trust Agreement, Captive Cell Agreements	6 years after plan year; retain while plan active
ERISA Filings	Form 5500, PCORI, RxDC, CAA gag attestation, ACA 1094-C/1095-C	6 years from filing date
Claims Records	Allied claims registers, stop-loss reimbursement requests, dispute logs	6 years from claim date
Contracts & Vendor Agreements	Allied ASA, ProAct CIF, SRS agreement, HLRA treaty, BAAs, LOIs	6 years after termination
Financial Records	Invoices, payment approvals, GL postings, trust bank statements, payment tracker	7 years (IRS standard)
Compliance Records	MHPAEA analysis, regulatory change log, breach records, notice distribution logs	6 years minimum; MHPAEA: retain while plan active
Participant Notices	SPD distribution confirmations, COBRA notices, CHIP notices, exchange notices	6 years
Operational SOPs	All OPS-SOP-XXX documents; process maps (META-001, SUB-001–009)	Current version active; prior versions retained 6 years
PHI / Claims Data	Member census, Gradient AI reports, actuarial reports with member data	6 years; HIPAA minimum 6 years from creation or last effective date
Meeting Records	Board/trustee meeting notes, key decision memos, actuarial working sessions	6 years

3. Version Control — Operational SOPs & Plan Documents

All SOPs and plan documents are version-controlled in the Unity Operations Playbook GitHub repository (github.com/Ajamesadams/unity-playbook). Version numbering: Major.Minor (e.g., v1.0, v1.1, v2.0).

Minor version (x.1, x.2): Correction, clarification, TBD filled in — no material change to process or member rights
Major version (2.0, 3.0): Material change to process, plan design, or compliance requirement

Every version change requires:

CHANGELOG.html updated with plain-English description of what changed and why
Git commit with descriptive message including document ID and version number
For major versions: Legal Counsel review before commit; GitHub Issue opened via SOP Approval Request template
Effective date updated in document header

GitHub = the system of record for all SOP versions. Git commit history is the audit trail. Every version is preserved permanently. DOL auditors can be pointed to a specific commit or tag.

4. Document Storage Locations

Document Type	Primary Storage	Notes
Operational SOPs & process maps	GitHub: github.com/Ajamesadams/unity-playbook	Public read-only site at ajamesadams.github.io/unity-playbook
Executed contracts & vendor agreements	[TBD — secure file storage]	Separate from GitHub; access restricted to Operations + Legal
ERISA filings (Form 5500, etc.)	[TBD — secure file storage]	Copies also held by Legal Counsel (Dickinson Wright)
PHI / claims data	[TBD — PHI-secure system, confirmed with IT/Legal]	HIPAA-compliant storage required; access log maintained
Financial records / invoices	Acumatica (GL system) + [TBD — document management]	Payment request forms scanned and filed with invoice
Participant notice distribution records	[TBD — secure file storage]	Date, method, and recipient list required for each distribution
BAA registry	OPS-SOP-033 registry; physical executed copies in secure storage	Confirm all BAAs current annually

⚠ TBD: Secure file storage system — confirm with IT/Legal Counsel. Options: SharePoint, encrypted cloud storage, or document management system. Must support access controls and retention enforcement.

5. Access Controls

Document Type	Access Level
Operational SOPs (non-PHI)	Read: Eric Gregory, Brooke (Compliance), Dr. Greg, Operations — via GitHub site. Write: Operations only (via git).
Executed contracts	Operations + Legal Counsel + Primary Approver. No external sharing without Legal Counsel review.
PHI / claims data	Minimum necessary standard (see OPS-SOP-032). Operations, Finance (minimum necessary), Legal Counsel (under BAA).
Financial records	Finance + Operations + Primary Approver. External auditors as needed under NDA.
ERISA filings	Legal Counsel + Operations + Primary Approver. Available to plan participants on request (Form 5500, SAR).

6. Annual Document Review

Every January, Operations conducts an annual document review:

Review all SOPs — flag any requiring update based on regulatory changes (see OPS-SOP-022) or operational changes
Confirm all plan documents reflect current plan design and entity structure
Confirm all executed contracts are current and not expired
Review BAA registry — confirm all BAAs executed and current
Purge documents that have exceeded their retention period per the schedule in Section 2
Update CHANGELOG and commit any document revisions

Retention purge rule: Before destroying any record, confirm with Legal Counsel that no pending litigation, audit, or regulatory matter requires retention beyond the standard period. When in doubt, retain.

7. References

OPS-SOP-032 — PHI Access Controls & Redaction Protocol
OPS-SOP-033 — BAA Registry & Breach Response
OPS-SOP-034 — Approval Authority Matrix
OPS-SOP-022 — Regulatory Change Monitoring
ERISA §107 (record retention); HIPAA 45 CFR §164.530(j); IRS Rev. Proc. 98-25