U.S. Code of Federal Regulations

Regulations most recently checked for updates: Nov 05, 2024

§ 2.19 - Disposition of records by discontinued programs.

(a) General. If a part 2 program discontinues operations or is taken over or acquired by another program, it must remove patient identifying information from its records or destroy its records, including sanitizing any associated hard copy or electronic media, to render the patient identifying information non-retrievable in a manner consistent with the policies and procedures established under § 2.16, unless:

(1) The patient who is the subject of the records gives written consent (meeting the requirements of § 2.31) to a transfer of the records to the acquiring program or to any other program designated in the consent (the manner of obtaining this consent must minimize the likelihood of a disclosure of patient identifying information to a third party);

(2) There is a legal requirement that the records be kept for a period specified by law which does not expire until after the discontinuation or acquisition of the part 2 program; or

(3) The part 2 program is transferred, retroceded, or reassumed pursuant to the Indian Self-Determination and Education Assistance Act (ISDEAA), 25 U.S.C. 5301 et seq., and its implementing regulations in 25 CFR part 900.

(b) Special procedure where retention period required by law. If paragraph (a)(2) of this section applies:

(1) Records in non-electronic (e.g., paper) form must be:

(i) Sealed in envelopes or other containers labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date]”.

(A) All hard copy media from which the paper records were produced, such as printer and facsimile ribbons, drums, etc., must be sanitized to render the data non-retrievable.

(B) [Reserved]

(ii) Held under the restrictions of the regulations in this part by a responsible person who must, as soon as practicable after the end of the required retention period specified on the label, destroy the records and sanitize any associated hard copy media to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16.

(2) All of the following requirements apply to records in electronic form:

(i) Records must be:

(A) Transferred to a portable electronic device with implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key; or

(B) Transferred, along with a backup copy, to separate electronic media, so that both the records and the backup copy have implemented encryption to encrypt the data at rest so that there is a low probability of assigning meaning without the use of a confidential process or key and implemented access controls for the confidential process or key.

(ii) Within one year of the discontinuation or acquisition of the program, all electronic media on which the patient records or patient identifying information resided prior to being transferred to the device specified in paragraph (b)(2)(i)(A) of this section or the original and backup electronic media specified in paragraph (b)(2)(i)(B) of this section, including email and other electronic communications, must be sanitized to render the patient identifying information non-retrievable in a manner consistent with the discontinued program's or acquiring program's policies and procedures established under § 2.16.

(iii) The portable electronic device or the original and backup electronic media must be:

(A) Sealed in a container along with any equipment needed to read or access the information, and labeled as follows: “Records of [insert name of program] required to be maintained under [insert citation to statute, regulation, court order or other legal authority requiring that records be kept] until a date not later than [insert appropriate date];” and

(B) Held under the restrictions of the regulations in this part by a responsible person who must store the container in a manner that will protect the information (e.g., climate-controlled environment).

(iv) The responsible person must be included on the access control list and be provided a means for decrypting the data. The responsible person must store the decryption tools on a device or at a location separate from the data they are used to encrypt or decrypt.

(v) As soon as practicable after the end of the required retention period specified on the label, the portable electronic device or the original and backup electronic media must be sanitized to render the patient identifying information non-retrievable consistent with the policies established under § 2.16.

[82 FR 6115, Jan. 18, 2017, as amended at 89 FR 12622, Feb. 16, 2024]