(a) The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information. These formal policies and procedures must address:
(1) Paper records, including:
(i) Transferring and removing such records;
(ii) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable;
(iii) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;
(iv) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and
(v) Rendering patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).
(2) Electronic records, including:
(i) Creating, receiving, maintaining, and transmitting such records;
(ii) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;
(iii) Using and accessing electronic records or other electronic media containing patient identifying information; and
(iv) Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).
(b) [Reserved]