Home
gpo.gov
govinfo.gov

e-CFR Navigation Aids

Browse

Simple Search

Advanced Search

 — Boolean

 — Proximity

 

Search History

Search Tips

Corrections

Latest Updates

User Info

FAQs

Agency List

Incorporation By Reference

eCFR logo

Related Resources

Electronic Code of Federal Regulations

We invite you to try out our new beta eCFR site at https://ecfr.federalregister.gov. We have made big changes to make the eCFR easier to use. Be sure to leave feedback using the Feedback button on the bottom right of each page!

e-CFR data is current as of November 30, 2020

Title 42Chapter ISubchapter APart 2Subpart B → §2.16


Title 42: Public Health
PART 2—CONFIDENTIALITY OF SUBSTANCE USE DISORDER PATIENT RECORDS
Subpart B—General Provisions


§2.16   Security for records.

(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These formal policies and procedures must address:

(1) Paper records, including:

(i) Transferring and removing such records;

(ii) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable;

(iii) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;

(iv) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and

(v) Rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).

(2) Electronic records, including:

(i) Creating, receiving, maintaining, and transmitting such records;

(ii) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;

(iii) Using and accessing electronic records or other electronic media containing patient identifying information; and

(iv) Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).

(b) [Reserved]

Need assistance?