12-35-105-870 Paper and electronic records management policy

A. The provider shall implement a written records management policy that describes confidentiality, accessibility, security, and retention of paper and electronic records pertaining to individuals, including:

1. Access and limitation of access, duplication, or dissemination of individual information to persons who are authorized to access such information according to federal and state laws;

2. Storage, processing, and handling of active and closed records;

3. Storage, processing, and handling of electronic records;

4. Security measures that protect records from loss, unauthorized alteration, inadvertent or unauthorized access, disclosure of information, and transportation of records between service sites;

5. Strategies for service continuity and record recovery from interruptions that result from disasters or emergencies including contingency plans, electronic or manual back-up systems, and data retrieval systems;

6. Designation of the person responsible for records management; and

7. Disposition of records in the event that the service ceases operation. If the disposition of records involves a transfer to another provider, the provider shall have a written agreement with that provider.

B. The records management policy shall be consistent with applicable state and federal laws and regulations including:

1. Section 32.1-127.1:03 of the Code of Virginia;

2. 42 USC § 290dd;

3. 42 CFR Part 2; and

4. The Health Insurance Portability and Accountability Act (Public Law 104-191) and implementing regulations (45 CFR Parts 160, 162, and 164).