Document #: HHS-OCIO-PIM-2020-06-004 Appendix A: Procedures Appendix B: Standards Appendix C: Guidance Appendix D: Forms and Templates Glossary and Acronyms This U.S. Department of Health and Human Services (HHS) Policy for Records
Management, herein referred to as Policy, updates and supersedes the previous version (HHS-OCIO-2016-0004-002, dated June 22, 2016). The purpose of this Policy is to establish the principles, responsibilities, and requirements for managing HHS records. This Policy provides the framework for records management program guidance and operating procedures. This Policy does not address the supplemental preservation requirements
for records associated with litigation, investigations, and audit matters. The Federal Records Act of 1950 (The Act) defines a record as: All recorded information, regardless of form or characteristics, made or received by a federal agency under federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies,
decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them, excluding library and museum material made or acquired and preserved solely for reference or exhibition purposes; or duplicate copies of records preserved only for convenience. 44 U.S.C. § 3301(a)(1)(A)-(B)
(2008).1 The Act requires all federal agencies to create and preserve records that document the agency’s organization, function, policies, decisions,
procedures, and transactions. These records must be managed in accordance with subchapter B, chapter XII, of Title 36, Code of Federal Regulations (CFR) and chapters 29, 31, 33, and 35 of Title 44, United States Code (U.S.C.). The Act calls for agencies to establish a records management program consisting of policies, procedures, and activities to manage recorded information. The Presidential and Federal Records Act Amendments of 2014 modernize records management by requiring the transfer of
records from federal agencies to the National Archives and Records Administration (NARA) in digital or electronic form to the greatest extent possible. Records are managed using the three phases of the records lifecycle: Effective and efficient management of records provides the information foundation for decision-making
at all levels, mission planning and operations, personnel services, legal inquiries, business continuity, and preservation of U.S. history. This Policy applies to all HHS components, as well as organizations conducting business for or on behalf of HHS through contractual, grant-making, or other relationships. HHS Operating Divisions (OpDivs) and Staff Divisions (StaffDivs) must adopt and implement this Policy, or may create a more restrictive
policy, but not one that is less restrictive or less comprehensive than this Policy. This Policy does not supersede any other applicable law or higher-level agency directive or policy guidance. This Policy also applies to HHS employees, contractor personnel, grant recipients, interns, and other non-government persons supporting HHS. All organizations collecting or maintaining information or using or operating information systems on behalf of the Department
are also subject to the stipulations of this Policy. Compliance with this Policy must be incorporated into applicable contract, grant, or memoranda of agreement language under separate cover, as
appropriate.2 Authorities include: In order to maintain all HHS records in accordance with applicable statutory and regulatory requirements, each OpDiv and StaffDiv is required to establish and maintain a records management program meeting the following minimum requirements: Records management is the planning,
controlling, directing, organizing, training, promoting, and other managerial activities related to the creation, maintenance and use, and disposition of records, carried out in such a way as to achieve adequate and proper documentation of Federal policies and transactions and effective and economical management of agency operations. (44 U.S.C. §
2901(2)).3 6.1.1. Electronic Records Management System (ERMS) ERMS, often referred to as a records management application (RMA), is an electronic management system in which any agency records, regardless of format (paper, electronic, microform, etc.), are collected, organized, and categorized to facilitate their preservation, retrieval, use, and disposition. An ERMS:
6.1.2. Agency’s responsibility working with contractors An OpDiv and StaffDiv maintains responsibility for managing its records whether they reside in a contracted environment or under agency physical custody (see 36 CFR Part 1222.32 (b)).4 When working with a contractor, a Contracting Officer must include a records management clause in any contract or similar agreement. At minimum, a records management clause ensures that the Federal agency and the contractor are aware of their statutory records management responsibilities. (NARA Guidance on Records Management for Contracts)5 A template of a general records management clause for use in contracts or similar agreements can be found in Appendix D. 6.1.3. NARA-Approved records schedule 6.1.3.1. Records schedules must be in place for all HHS records. Approval of the schedules must be obtained from NARA in accordance with Subchapter B, chapter XII of Title 36, Code of Federal Regulations. HHS records must be listed and described in an approved records schedule, and must be disposed of only as authorized by that schedule. HHS OpDivs and StaffDivs must update their records schedules when there are program changes that will result in the establishment of new types of records and the transfer or termination of records, or an increase or decrease in the retention time of the records. (36 CFR 1224.10(c))6 6.1.4. File plans 6.1.4.1. Each HHS OpDiv and StaffDiv must maintain a centralized file plan that includes the title and description of its records, including electronic media. Each HHS OpDiv and StaffDiv must standardize file arrangement systems, filing procedures, and filing techniques of records. File plans must be designed to enhance the current use of the files, the preservation of archival records, and the prompt and systematic disposition of permanent and temporary records according to the appropriate records schedule. 6.2 Records MaintenanceOpDivs and StaffDivs must implement a records maintenance program so that complete records are filed or otherwise identified and preserved; records can be readily found when needed; and permanent and temporary records are physically segregated from each other; or for electronic records, are segregated. (36 CFR 1222.34)7
6.2.1. Electronic Recordkeeping System (ERKS) 6.2.1.1. Electronic recordkeeping system (ERKS) is an electronic system that captures, organizes, and categorizes records to facilitate their preservation, retrieval, use, and disposition (36 CFR 1220.18)8 This system must:
An ERKS may be either a distinct system designed specifically to provide recordkeeping functionality, or it may be a module within, or a part of, another system (such as an application system or an electronic document management system). 6.2.2. Universal ERM requirements 6.2.2.1 Universal ERM requirements identify high level business needs for managing electronic records. They are baseline ERM program requirements derived from existing NARA regulations, policy, and guidance. ERM requirements are a starting point for OpDivs and StaffDivs to use when developing recordkeeping and record management system requirements. These requirements contain six sections based on the lifecycle of electronic records management:
6.2.3. Cloud services 6.2.3.1. Cloud services refer to federal records that reside in a cloud environment hosted by a third party service provider. HHS OpDivs and StaffDivs must create standards and policies for managing records created, used, or stored in cloud computing environments:
6.3 Essential Records6.3.1. Each OpDiv and StaffDiv is responsible for establishing, in consultation with continuity of operations (COOP) points of contact, an Essential Records program to select and safeguard records that would be required to ensure continuity of essential functions during and following a national disaster. 6.4 Social Media RecordsThe use of social media and instant messaging may create federal records that must be captured and managed in compliance with federal records management laws, regulations, and policies. OpDivs and StaffDivs must identify these federal records and determine how they will be managed. If the OpDiv and StaffDiv has identified social media content as federal records, they must determine whether an existing disposition authority applies, including the General Records Schedule (GRS). If an existing authority does not cover the content, a new schedule must be developed. OpDivs and StaffDivs should develop new records schedules if social media and instant messaging users enhance the content by adding comments, metadata or other information that becomes part of the complete record. (NARA Bulletin 2014-02: Guidance on Managing Social Media Records (2014)) 6.5 Text Messaging RecordsThe use of text messaging may create federal records that must be captured and managed in compliance with federal records management laws, regulations, and policies. OpDivs and StaffDivs must identify these federal records and determine how they will be managed. If the OpDiv and StaffDiv has identified text messaging content as federal records, it must determine whether an existing disposition authority applies, including the General Records Schedule (GRS). If an existing authority does not cover the content, a new schedule must be developed. OpDivs and StaffDivs should develop new records schedules if text messaging users enhance the content by adding comments, metadata or other information that becomes part of the complete record. (NARA Bulletin 2015-02: Guidance on Managing Electronic Messages (2015)) 6.6 Control and Custody of RecordsAgency records are the property of the federal government, not the property of individual employees, and must not be removed from the Department without proper authority. Chain of custody refers to the chronological documentation or paper trail, showing custody, control, transfer, and disposition of federal records for departing or transferring employees. (44 U.S.C. Chapter 31)10 All departing employees must:
All supervisors or appropriate officials must:
6.7 Unlawful or Accidental Removal or Destruction of RecordsOfficial records must be protected against loss, unauthorized destruction or alteration, and illegal removal from HHS in order to ensure adequate documentation of organization, functions, policies, decisions, procedures, and essential business transactions. The unauthorized removal, concealment, falsification, mutilation, and/or disposition of official records is prohibited by law and is subject to penalty. The penalties for the unlawful or accidental removal, defacing, alteration, or destruction of federal records or the attempt to do so, include a fine, imprisonment, or both. (18 U.S.C. §§ 641 and 2071)11 6.8 Formal EvaluationsOpDivs and StaffDivs will conduct a formal evaluation on two of their records management programs annually. The goal of the evaluations is to measure the effectiveness of records management programs and practices and to ensure that they comply with NARA regulations. Formal evaluations are intended to provide agencies with information they may use to measure compliance and target resources within areas requiring improvement. 6.9 TrainingEach HHS OpDiv and StaffDiv must provide records management training to all staff to ensure they are aware of their responsibilities to maintain and safeguard department records, including the obligations under this Policy. (OMB/NARA Directive M-19-21, Transition to Electronic Records)12
6.9.1. All contract employees who have access to (1) HHS federal information or a federal information system or (2) personally identifiable information, must complete the applicable OpDiv and StaffDiv Records Management training before performing any work under their contract. Thereafter, the employees must complete annual Records Management training throughout the life of the contract. The contractor must also ensure subcontractor compliance with this training requirement. 7. Roles and Responsibilities7.1 HHS SecretaryThe responsibilities of the HHS Secretary include, but are not limited to, the following:
7.2 HHS Assistant Secretary for Administration (ASA)The responsibilities of the HHS Assistant Secretary for Administration (ASA) include, but are not limited to, the following:
7.3 HHS Chief Information Office (CIO)The responsibilities of the HHS CIO include, but are not limited to, the following:
7.4 Agency Records Management Officer (ARO)The responsibilities of the HHS ARO include, but are not limited to, the following:
7.5 OpDiv Chief Information Officers (CIOs)The responsibilities of the OpDiv Chief Information Officers (CIOs) or OpDiv designated authority include, but are not limited to, the following:
7.6 HHS Chief Information Security Officer (CISO)The responsibilities of the HHS Chief Information Security Officer (CISO) include, but are not limited to, the following:
7.7 OpDiv Chief Information Security Officers (CISOs)The responsibilities of the OpDiv Chief Information Security Officers (CISOs) include, but are not limited to, the following:
7.8 OpDiv Records Management Officers (ROs)The responsibilities of the OpDiv Records Management Officers (ROs) include, but are not limited to, the following:
7.9 OpDiv and StaffDiv Records Managers (RMs) and Records Liaisons (RLs)The responsibilities of the OpDiv and StaffDiv Records Managers (RMs) and Record Liaisons (RLs) include, but are not limited to, the following:
7.10 OpDiv and StaffDiv Records Custodians (RCs)The responsibilities of the OpDiv and StaffDiv Records Custodians (RCs) include, but are not limited to, the following:
7.11 Managers and SupervisorsThe responsibilities of Managers and Supervisors include, but are not limited to, the following:
7.12 Contracting Officers (COs) and Contracting Officer Representatives (CORs)The responsibilities of Contracting Officers and Contracting Officer Representatives include, but are not limited to, the following:
7.13 HHS Employees, Contractors, Interns, and FellowsThe responsibilities of all HHS employees, contractors, interns, and fellows include, but are not limited to, the following:
7.14 Freedom of Information Act (FOIA) Official:The responsibilities of the Freedom of Information Act (FOIA) Official include, but are not limited to, the following:
7.15 Office of the General Counsel (OGC)The responsibilities of the Office of the General Counsel (OGC) include, but are not limited to, the following:
7.16 Office of Inspector General (OIG)The responsibilities of the Office of Inspector General (OIG) include, but are not limited to, the following:
7.17 IT Infrastructure and Operations and System ManagersThe responsibilities of IT Infrastructure and Operations and System Managers include, but are not limited to, the following:
8. Information and AssistanceHHS Privacy Information Management (PIM) is responsible for the development and management of this Policy. Questions, comments, suggestions, and requests for information about this Policy should be directed to . 9. Effective Date and ImplementationThe effective date of this Policy is the date on which the policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date. The HHS CIO has the authority to grant a one (1) year extension of this Policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO. 10. Approval/S/ Jose Arrieta, Chief Information Officer (CIO) May 28, 2020 11. Concurrence/S/ Scott W. Rowell, Assistant Secretary for Administration (ASA) June 12, 2020 Appendix A: ProceduresPlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library. No additional procedural steps are required to implement this policy. Appendix B: StandardsPlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library. No additional standards are required to implement this policy. Appendix C: GuidancePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library. No additional guidance is required to implement this policy. Appendix D: Forms and TemplatesPlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library. The following template is associated with the Policy:
Glossary and AcronymsDefinitions:This includes, but is not limited to, magnetic media, such as tapes and disks, and optical disks. Unless otherwise noted, these requirements apply to all electronic records systems, whether on microcomputers, minicomputers, or mainframe computers, regardless of storage media, in the network or stand-alone configurations.
Acronyms
Content created by Office of the Chief Information Officer (OCIO) Which of the following should the administrative medical assistant be able to do?Scheduling appointments. Interviewing patients for case histories and key information prior to appointments. Compiling medical records and charts. Processing insurance payments.
Which of the following should a medical administrative assistant consult to find the proper method of scheduling an appointment for a particular office?Which should a medical administrative assistant consult to find the proper method of scheduling an appointment for a particular office? Practice policy manual. Each practice desihnates its preferred scheduling procedures in a policy and procedure manual.
Which of the following actions is appropriate for the CMAA to take when processing incoming mail?Which of the following actions is appropriate for a medical administrative assistant to take when processing incoming mail? Shred unwanted mail. A patient who has Medicare insurance is covered for both inpatient and outpatient services under the same part of Medicare.
At which of the following times should the medical administrative assistant pull a patients daily chart?CMAA test review. |