42 CFR § 2.16 - Security for records and notification of breaches.

§ 2.16 Security for records and notification of breaches.

(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information.

(1) Requirements for formal policies and procedures. These policies and procedures must address all of the following:

(i) Paper records, including:

(A) Transferring and removing such records;

(B) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable;

(C) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;

(D) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and

(E) Rendering patient identifying information de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a particular patient.

(ii) Electronic records, including:

(A) Creating, receiving, maintaining, and transmitting such records;

(B) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;

(C) Using and accessing electronic records or other electronic media containing patient identifying information; and

(D) Rendering the patient identifying information de-identified in accordance with the requirements of 45 CFR 164.514(b) such that there is no reasonable basis to believe that the information can be used to identify a patient.

(2) Exception for certain lawful holders. Family, friends, and other informal caregivers who are lawful holders as defined in this part are not required to comply with paragraph (a) of this section.

(b) The provisions of 45 CFR part 160 and subpart D of 45 CFR part 164 shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a covered entity with respect to breaches of unsecured protected health information.

[89 FR 12622, Feb. 16, 2024]