
HHS Policy for Electronic Records Management

September 15, 2005

HHS-OCIO-2005-0001

1. Purpose

This document establishes the policy for electronic records management within the Department of Health and Human Services (HHS) in standard policy format. The Policy applies to all HHS personnel, contractors, interns and visitors that have access to HHS facilities or HHS information. It is developed to implement requirements to establish objectives, responsibilities, standards, guidelines and instructions specific to electronic records management such as records creation, maintenance, adequate documentation and proper records disposition. It is intended to protect HHS resources and data from unauthorized use and disclosure and from inappropriate records disposition, to improve incident response for records management violations, and to mitigate any indiscretions.

This policy supersedes HHSIRM Circular #22, Electronic Records Management, dated January 19, 1993. It converts the content from “Circular format” to OCIO Policy format while updating the responsibility and roles sections to incorporate the influence that Enterprise Architecture and security have on Electronic Records Management, per a meeting between HHS CIO staff and the National Archives and Records Administration on March 23, 2005.

2. Background

The heads of Federal agencies are responsible for making and preserving records, including electronic records, containing adequate documentation of the organization, functions, policies, decisions, procedures and essential transactions of the agency. The records should be designed to furnish information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities. (See 44 U.S.C. 3101). Each Federal agency is required to establish an active and continuing records management program, and is responsible for submitting records disposition schedules to the Archivist of the United States for approval. (No record may be destroyed without the authorization of the Archivist. Unauthorized destruction of records can result in criminal penalties [18 U.S.C. 2071].)

Failure to create and/or dispose of Federal records is not the only concern for HHS. We also must assure that our records are properly maintained, which includes their protection from improper exposure. This policy serves as the foundation for a comprehensive risk mitigation strategy, best practice documents and, where applicable, more granular Agency-specific policy.

The National Archives and Records Administration Act of 1984 (Public Law 98-497, 44 United States Code [U.S.C.] Chapter 29), amended the records management statutes to divide records management responsibilities between the National Archives and Records Administration (NARA) and the General Services Administration (GSA). Under the Act, NARA is responsible for adequacy of documentation and records disposition, as stated in 36 CFR Chapter XII, Subchapter B, which prescribes policies for records management programs relating to records creation and maintenance, adequate documentation and proper records disposition, and especially Part 1234, “Electronic Records Management,” which provides specific guidance for electronic records; and GSA is responsible for economy and efficiency in records management. Federal agency records management programs must comply with regulations promulgated by both NARA and GSA, as stated in the Federal Information Resources Management Regulation (FIRMR), Subchapter B, §201-9, “Creation, Maintenance, and Use of Records,” and FIRMR Bulletin B-1, “Electronic Records Management,” which provides specific guidance for electronic records. (Note the FIRMR Bulletin B-1 is essentially the same as 36 CFR Chapter XII, Subchapter B, Part 1234).

Further guidance is contained in GSA and NARA bulletins, handbooks and other publications, as well as their websites.

3. Scope

This document establishes the Policy for electronic records management implemented within Health and Human Services (HHS). This Policy applies to all Department Operating Divisions, including the Office of the Secretary, and organizations conducting business for and on behalf of the Department, whether owned and operated by HHS, or operated on behalf of HHS, through contractual relationships and/or service level agreements when using HHS IT resources. It applies to all HHS personnel, contractors and visitors who have access to HHS supported facilities or HHS information.

Within this policy the term Operating Division (OPDIV) includes the Inspector General, as well as the Office of the Secretary as a combined, single entity. The Office of the Secretary includes the Offices of the Regional Directors and, for “Information Resources Management (IRM)” purposes, the Administration on Aging.

Agency officials shall apply this policy to contractor personnel, interns and other non-government employees through incorporation by reference in contracts, service level agreements (SLA) or memoranda of understanding (MOU) as conditions for using Government provided IT resources.

Agencies shall use this Policy or may create a more restrictive OPDIV policy, but not one that is less restrictive, comprehensive or compliant with the Department, GSA and NARA requirements.

4. Policy

OPDIVs shall develop and implement a program, integrated with their records and information resources management programs, for the management of all records created, received, maintained, used, or stored on electronic media. This program shall be in accordance with 36 CFR Chapter XII, Part 1234, FIRMR Bulletin B-1, and HHS OCIO “Records Management.”

OPDIVs shall consider all electronic record keeping requirements when determining information needs and requirements for Federal Information Processing (FIP) resources. (See FIRMR Part 201-7, “Planning,” and FIRMR Subpart 201-20.1, “Requirements Analysis.”) The design of OPDIV electronic records systems shall incorporate the requirements for the creation, maintenance and use, retention and disposition of records.

4.1 OPDIVs shall schedule all OPDIV electronic records for disposition.

4.2 OPDIVs shall use the mandatory NARA General Records Schedules (GRS), particularly GRS 20, “Electronic Records,” GRS 23, “Records Common to Most Offices Within Agencies,” and GRS 24, “Information Technology Operations and Management Records,” as applicable, and to the greatest extent possible, to schedule the disposition of their electronic records and related documentation and indexes. The GRS covers only disposable (temporary) records. GRS 23 covers word processing files, certain administrative databases, and electronic spreadsheets. (See http://www.archives.gov/records-mgmt/ardor/records-schedules.html for current GRS).

4.3 OPDIVs shall develop proposed records disposition schedules for electronic records created or received which are not covered by the GRS or which have not previously been scheduled for disposition, in accordance with the policy and procedures specified in HHSIRM, “Records Management,” except that the responsible official shall be the OPDIV Electronic Records Management Officer (in instances where the responsibility for records management has been assigned to one person in the OPDIV and the responsibility for electronic records management has been assigned to another person).

The proposed requests for disposition shall be sent to the HHS Electronic Records Management Officer for concurrence and submission to NARA for approval.[1] Until a request for disposition is approved by NARA, the electronic records are unscheduled, and shall be maintained indefinitely, in accordance with 36 CFR Chapter XII, Subchapter B, §1222.50.

4.4 OPDIVs shall ensure that all employees creating or receiving electronic records are adequately trained in their keeping, and are reminded annually of OPDIV electronic record policies and the sanctions provided for the unlawful “alienation” (removal or destruction) of Federal records.

4.5 OPDIVs shall review their electronic records systems periodically for conformance to established Federal, HHS and internal OPDIV procedures, standards and policies.

4.6 OPDIVs shall establish procedures to:

4.6.1 coordinate guidelines among the managers[2] of the OPDIV’s information resources management programs, systems managers, and systems users to assure the integration of the management of electronic records with other records and other information resources management programs;

4.6.2 address electronic records management requirements before approving new electronic record systems or enhancements to existing systems;

4.6.3 ensure that individuals responsible for the implementation of the agency’s records management programs participate in the development of new or revised programs, processes, systems and procedures; in the “IRM” strategic planning process; and in the determination of information needs and Federal Information Processing (FIP) resources requirements. Records managers will ensure that records disposition is part of the architecture of any new program development or any updates/corrections or modifications to existing programs;

4.6.4 apply electronic records management guidelines to electronic records that are created or maintained by contractors;

4.6.5 develop disposition schedules for electronic records which include provisions for obtaining Department concurrence and NARA approval;

4.6.6 ensure the implementation of the approved disposition schedules for electronic records; and

4.6.7 apply 36 CFR Chapter XII, Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records,” and report unauthorized actions (destruction, damage, mutilations of any kind, etc.) to the Department head via the HHS Records Management Officer, in conformance with that Subchapter. §1228.102 provides the criminal penalties, and §1228.104 prescribes the reporting process.

5. Roles and Responsibilities

5.1 The Agency Head (Department)

The Agency Head is responsible for making and preserving records; establishing a continuing records management program; and submitting disposition schedules. See 44 U.S.C. 3101 and 18 U.S.C. 2071. Refer to HHS-OCIO Electronic Records Management Policy, 2. Background (HHS-OCIO-2005-000X.001, dated July XX, 2005). Also see Responsibilities under 36 CFR Chapter XII, Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records”, §1228.100.

5.2 The OPDIV Director/OPDIV CIO

The OPDIV Director or OPDIV CIO develops and implements OPDIV-wide policy for electronic records management in accordance with this policy, and other Department, GSA and NARA guidance and requirements. Also see 36 CFR Part 1234, Electronic Records Management, and Chapter XII, with special attention to Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records”, §1228.100.

5.3 The Department Enterprise Architect

The Department Enterprise Architect shall ensure that any and all systems development plans, schedules, work breakdown structures, business cases and OMB Exhibits 300, “Capital Asset Plan and Business Case Summary”, address records management provisions upfront in the planning and development stages of the lifecycle by establishing the requirement that an architectural records management layer be addressed as standard development.

5.4 The OPDIV Chief Information Security Officer (CISO)

The OPDIV CISO is responsible for ensuring the technical security of the OPDIV data records management. He/she is responsible for implementing this policy and providing the detailed monitoring and enforcement tools and procedures, as well as the requirements for incident reporting established under the Security Policy.

5.5 The Department Electronic Records Management Officer

The Department Electronic Records Management Officer is responsible for reviewing OPDIV-prepared records disposition schedules, submitting them to the Archivist for his/her approval, and circulating these proposed schedules to the appropriate Department officials for their review/comment/concurrence (i.e. Privacy/FOIA, OGC, etc.).

For each proposed records disposition schedule the Department Electronic Records Management Officer is responsible for certifying, by signing the SF 115, Request for Records Disposition Authority (“Signature of Agency Representative” block) to NARA (see 36 CFR 1228), that HHS has taken into account its needs for the records for the conduct of current business as well as the likelihood for potential future usage for legal, fiscal, and administrative purposes.

5.6 The OPDIV Electronic Records Management Officers

The OPDIVs are responsible for establishing the objectives, responsibilities, standards, guidelines and instructions for their electronic records management programs, in accordance with this policy and other Department, GSA and NARA guidelines and requirements.

For each proposed records schedule, the OPDIV Electronic Records Management Officer is responsible for certifying, by signing the SF 115 (in Block 4, “Name of Person with Whom to Confer”), to the HHS Electronic Records Management Officer that:

5.6.1 the OPDIV has taken into account its needs for the records for the conduct of current business as well as the likelihood for potential future usage for legal, fiscal and administrative purposes; and

5.6.2 adequate documentation (including the opinion of the Office of the General Counsel, as necessary) supporting the proposed disposition schedule is maintained in the appropriate OPDIV records management files.

6. Applicable Policies and Guidance

6.1 Laws

6.1.1 Federal Property and Administrative Services Act of 1949, as amended (40 U.S.C. 759 Section 111).

6.1.2 Federal Records Act of 1950, as amended (44 U.S.C. Chapter 21, Chapter 29, Chapter 31, Chapter 33).

6.1.3 National Archives and Records Administration Act of 1984 (Public Law 98-497, 44 U.S.C. Chapter 21).

6.1.4 Paperwork Reduction Act of 1980, as amended (44 U.S.C. Chapter 35).

6.2 Regulations

6.2.1 36 CFR Chapter XII, Subchapter B, especially Part 1234, “Electronic Records Management.”

6.2.2 36 CFR Chapter XII, Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records”.

6.2.3 Federal Information Resources Management Regulation (FIRMR) Bulletin B-1, “Electronic Records Management.” (Note that FIRMR Bulletin B-1 is essentially the same as 36 CFR Chapter XII, Subchapter B, Part 1234).

6.2.4 FIRMR Part 201-9, “Creation, Maintenance, and Use of Records.”

6.3 Department Guidance

6.3.1 HHS OCIO-2005-0002 “Policy for Records Management”, dated September 15, 2005.

6.4 GSA Guidance

6.4.1 GSA “Evaluating Electronic Recordkeeping, A Self-Inspection Guide for Agencies,” November 1990.

6.4.2 GSA Handbook, “Electronic Recordkeeping,” July 1989.

6.5 NARA Guidance[3]

6.5.1 National Archives and Records Administration (NARA) Conference Report “The Management of Electronic Records in the 1990’s.”

6.5.2 NARA “General Records Schedules (GRS),” especially GRS 20, “Electronic Records”; GRS 23, “Records Common to Most Offices Within Agencies” (GRS 23 covers word processing files, certain administrative databases, and electronic spreadsheets); and GRS 24, “Information Technology Operations and Management Records.”

6.5.3 NARA Instructional Guide “Managing Electronic Records,” 1990.

7. Information and Assistance

Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Technology (formerly Information Resources Management), (202) 690-6162.

8. Effective Date/Implementation

The effective date of this policy is the date the policy is approved.

These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

9. Approved

 

_/s/ Charles Havekost______________________________    _September 15, 2005_______

Charles Havekost

HHS Chief Information Officer                                                              DATE

 

Glossary

Alienation – Losing care and custody. Not protecting from loss or access.

Database – A set of data, consisting of at least one data file, that is sufficient for a given purpose.

Database Management System – A software system used to access and retrieve data stored in a computer database.

Data File – Related numeric, textual or graphic information that is organized in a strictly prescribed form and format.

Electronic Mail (Email) – A way to send messages between computer users, either over a network or the Internet. E-mail is usually just text, but can be pictures, diagrams, sounds or programs embedded in the text or as attachments.

Electronic Records – Any information that is recorded in a form that only a computer can process and that satisfies the definition of a Federal record in 44 U.S.C. 3301.[4] Electronic records include numeric, graphic and text information, which may be recorded on any medium capable of being read by a computer and which satisfies the definition of a record.

This includes, but is not limited to, magnetic media, such as tapes and disks, and optical disks. Unless otherwise noted, these requirements apply to all electronic records systems, whether on microcomputers, minicomputers, or mainframe computers, regardless of storage media, in network or stand-alone configurations. (FIRMR Bulletin B-1).

Electronic Records System – Any information system that produces, manipulates, or stores Federal records by using a computer.

Information System – Defined by the Office of Management and Budget (OMB) in Circular No. A-130 as “… the organized collection, processing, transmission and dissemination of information in accordance with defined procedures, whether automated or manual.”

Office of the Secretary (OS) – includes the Offices of the Regional Directors and, for Information Resources Management (IRM) purposes, the Administration on Aging.

OMB Exhibit 300 – Capital Asset Plan and Business Case Summary. As prescribed and described in OMB’s Circular A-11, Preparation, Submission and Execution of the Budget.

OMB Circular A-130 – Management of Federal Information Resources. Establishes policy for the management of Federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies. The policies in this Circular apply to the information activities of all agencies of the executive branch of the Federal government.

Operating Division (OPDIV) – Includes the Inspector General, as well as the Office of the Secretary as a combined, single entity.

Sensitive Data – Sensitive data are data that require protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data. The term includes data whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary data, records about individuals requiring protection under the Privacy Act, and data not releasable under the Freedom of Information Act.

Text Documents – Narrative or tabular documents, such as letters, memoranda and reports, that are in loosely prescribed form and format.

 

[1] Where disposition authority for electronic records and disposition authority for records other than electronic records are requested on a single Standard Form 115, “Request for Records Disposition Authority,” OPDIVs shall assure that the OPDIV Electronic Records Management Officer and the OPDIV Records Management Officer both participate in the development of the request and that each officer certifies the accuracy of the request for the items which fall under their respective responsibility. Such a request should be sent to the HHS Records Management Officer. Also, see sections Procedures 1 and Responsibilities 3 of this Policy.

[2] Procedures for close coordination are especially important in situations where the OPDIV Records Management Officer and the OPDIV Electronic Records Management Officer are different individuals.

[3] See http://www.archives.gov/records-mgmt/ardor/records-schedules.html for current GRS.

[4] This includes E-mail, sent or received, by all devices.