42 CFR § 2.16 - Security for records.
(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These formal policies and procedures must address:
(1) Paper records, including:
(i) Transferring and removing such records;
(iii) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;
(iv) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and
(v) Rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).
(2) Electronic records, including:
(i) Creating, receiving, maintaining, and transmitting such records;
(iv) Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).