HHS Policy for Records Management

Document #: HHS-OCIO-PIM-2020-06-004
Version #: 2.0
Last Reviewed: May 2020
Next Review: May 2023
Owner: OCIO/PIM
Approved By: Jose Arrieta, Chief Information Officer (CIO)

Table of Contents

  1. Nature of Changes
  2. Purpose
  3. Background
  4. Scope
  5. Authorities
  6. Policy
  7. Roles and Responsibilities
  8. Information and Assistance
  9. Effective Date and Implementation
  10. Approval
  11. Concurrence

Appendix A: Procedures

Appendix B: Standards

Appendix C: Guidance

Appendix D: Forms and Templates

Glossary and Acronyms

1. Nature of Changes

This U.S. Department of Health and Human Services (HHS) Policy for Records Management, herein referred to as Policy, updates and supersedes the previous version (HHS-OCIO-2016-0004-002, dated June 22, 2016).

2. Purpose

The purpose of this Policy is to establish the principles, responsibilities, and requirements for managing HHS records. This Policy provides the framework for records management program guidance and operating procedures. This Policy does not address the supplemental preservation requirements for records associated with litigation, investigations, and audit matters.

3. Background

The Federal Records Act of 1950 (The Act) defines a record as: All recorded information, regardless of form or characteristics, made or received by a federal agency under federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them, excluding library and museum material made or acquired and preserved solely for reference or exhibition purposes; or duplicate copies of records preserved only for convenience. 44 U.S.C. § 3301(a)(1)(A)-(B) (2008).1

The Act requires all federal agencies to create and preserve records that document the agency’s organization, function, policies, decisions, procedures, and transactions. These records must be managed in accordance with subchapter B, chapter XII, of Title 36, Code of Federal Regulations (CFR) and chapters 29, 31, 33, and 35 of Title 44, United States Code (U.S.C.). The Act calls for agencies to establish a records management program consisting of policies, procedures, and activities to manage recorded information. The Presidential and Federal Records Act Amendments of 2014 modernize records management by requiring the transfer of records from federal agencies to the National Archives and Records Administration (NARA) in digital or electronic form to the greatest extent possible.

Records are managed using the three phases of the records lifecycle:

  1. Creation or Receipt
  2. Maintenance and Use
  3. Disposition – Dispose or destroy (temporary records) or transfer to NARA (permanent records)

Effective and efficient management of records provides the information foundation for decision-making at all levels, mission planning and operations, personnel services, legal inquiries, business continuity, and preservation of U.S. history.

4. Scope

This Policy applies to all HHS components, as well as organizations conducting business for or on behalf of HHS through contractual, grant-making, or other relationships. HHS Operating Divisions (OpDivs) and Staff Divisions (StaffDivs) must adopt and implement this Policy, or may create a more restrictive policy, but not one that is less restrictive or less comprehensive than this Policy.

This Policy does not supersede any other applicable law or higher-level agency directive or policy guidance.

This Policy also applies to HHS employees, contractor personnel, grant recipients, interns, and other non-government persons supporting HHS. All organizations collecting or maintaining information or using or operating information systems on behalf of the Department are also subject to the stipulations of this Policy. Compliance with this Policy must be incorporated into applicable contract, grant, or memoranda of agreement language under separate cover, as appropriate.2

5. Authorities

Authorities include:

  1. Agency Records Management Responsibilities, 36 CFR, Chapter XII, Subchapter B (2011).
  2. Unlawful of Accidental Removal, Defacing, Alteration, or Destruction of Records, 36 CFR, Chapter XII, Subchapter B, §§ 1230.1 – 1230.18 (2011).
  3. Electronic Records Management, 36 CFR Chapter XII, Subchapter B, §§ 1236.2 – 1236.36 (2011).
  4. Damage to, Alienation and Unauthorized Destruction of Records, 36 CFR Chapter XII, Subchapter B §§ 1228.100 – 1228.106 (2009).
  5. Public Money, Property or Records, 18 U.S.C. § 641 (2011).
  6. Concealment, Removal, or Mutilation Generally, 18 U.S.C. § 2071 (2011).
  7. National Archives and Records Administration, 44 U.S.C. §§ 2101 – 2120 (2011).
  8. Records Management by the Archivist of the United States and by the Administrator of General Services, 44 U.S.C. §§ 2901 – 2910 (2011).
  9. Records Management by Federal Agencies, 44 U.S.C. §§ 3101 – 3107 (2011).
  10. Unlawful Removal, Destruction of Records, 44 U.S.C. §§ 3106 (2011).
  11. Disposal of Records, 44 U.S.C. §§ 3301 – 3324 (2011).
  12. Definition of Records, 44 U.S.C. § 3301 (2011).
  13. Coordination of Federal Information Policy (Paperwork Reduction Act of 1980, as amended, Paperwork Reduction Reauthorization Act of 1995, and Government Paperwork Elimination Act), 44 U.S.C. §§ 3501 – 3549 (2011).
  14. The Privacy Act of 1974, 5 U.S.C. § 552a (2016).
  15. Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes, Federal Rules of Civil Procedures, Rule 34 (2014).
  16. Delivering Government Solutions in the 21st Century – Executive Office of the President, Reform Plan and Reorganization Recommendations (2018).
  17. National Archives and Records Administration (NARA) Bulletin 2010-05: Guidance on Managing Records in Cloud Computing Environments (2010).
  18. NARA Bulletin 2014-02: Guidance on Managing Social Media Records (2014).
  19. NARA Bulletin 2015-02: Guidance on Managing Electronic Messages (2015).
  20. NARA Criteria for Successfully Managing Permanent Electronic Records, (2018).
  21. NARA Guidance on Records Management Language for Contracts (2019).
  22. OMB Circular A-130, Management Information as a Strategic Resource (2016).
  23. OMB/NARA Directive M-12-18, Managing Government Records Directive (2012).
  24. OMB M-14-16, Guidance on Managing Email (2014).
  25. OMB/NARA Directive M-19-21, Transition to Electronic Records (2019).
  26. “Public Law 113-187: Presidential and Federal Records Act Amendments of 2014”, (128 Stat. 2003, Date: 11/26/2014).
  27. Universal Electronic Records Management Requirements (2017).
  28. NARA General Records Schedules (2017).
  29. HHS Agency Records Control Schedules (2019).
  30. General Record Schedule 6.1: Email Managed under a Capstone Approach (2017).
  31. HHS Policy for Litigation Holds (2019).
  32. HHS Policy for Implementing Electronic Mail (Email) Records Management (2019).
  33. HHS Policy for Rules of Behavior for Use of Information and IT Resources (2019).
  34. HHS Policy for Mobile Devices and Removable Media (2019)

6. Policy

In order to maintain all HHS records in accordance with applicable statutory and regulatory requirements, each OpDiv and StaffDiv is required to establish and maintain a records management program meeting the following minimum requirements:

6.1 Records Management

Records management is the planning, controlling, directing, organizing, training, promoting, and other managerial activities related to the creation, maintenance and use, and disposition of records, carried out in such a way as to achieve adequate and proper documentation of Federal policies and transactions and effective and economical management of agency operations. (44 U.S.C. § 2901(2)).3

6.1.1. Electronic Records Management System (ERMS)

ERMS, often referred to as a records management application (RMA), is an electronic management system in which any agency records, regardless of format (paper, electronic, microform, etc.), are collected, organized, and categorized to facilitate their preservation, retrieval, use, and disposition. An ERMS:

  1. Provides document content, context, and structure.
  2. Ensures authenticity, integrity, and reliability – i.e., contains unchanged, redundant information (prevents unauthorized alternation, modification, concealment, or deletion).
  3. Provides for compliance and disposition – i.e., meets regulations and complies with agency records schedules.

6.1.2. Agency’s responsibility working with contractors

An OpDiv and StaffDiv maintains responsibility for managing its records whether they reside in a contracted environment or under agency physical custody (see 36 CFR Part 1222.32 (b)).4 When working with a contractor, a Contracting Officer must include a records management clause in any contract or similar agreement. At minimum, a records management clause ensures that the Federal agency and the contractor are aware of their statutory records management responsibilities. (NARA Guidance on Records Management for Contracts)5

A template of a general records management clause for use in contracts or similar agreements can be found in Appendix D.

6.1.3. NARA-Approved records schedule

6.1.3.1. Records schedules must be in place for all HHS records. Approval of the schedules must be obtained from NARA in accordance with Subchapter B, chapter XII of Title 36, Code of Federal Regulations.

HHS records must be listed and described in an approved records schedule, and must be disposed of only as authorized by that schedule. HHS OpDivs and StaffDivs must update their records schedules when there are program changes that will result in the establishment of new types of records and the transfer or termination of records, or an increase or decrease in the retention time of the records. (36 CFR 1224.10(c))6

6.1.4. File plans

6.1.4.1. Each HHS OpDiv and StaffDiv must maintain a centralized file plan that includes the title and description of its records, including electronic media. Each HHS OpDiv and StaffDiv must standardize file arrangement systems, filing procedures, and filing techniques of records. File plans must be designed to enhance the current use of the files, the preservation of archival records, and the prompt and systematic disposition of permanent and temporary records according to the appropriate records schedule.

6.2 Records Maintenance

OpDivs and StaffDivs must implement a records maintenance program so that complete records are filed or otherwise identified and preserved; records can be readily found when needed; and permanent and temporary records are physically segregated from each other; or for electronic records, are segregated. (36 CFR 1222.34)7

  1. Temporary records are records approved by NARA for disposal after a specified retention period.
  2. Permanent records are records appraised by NARA as having sufficient historical or other value to warrant continued preservation by the Federal Government beyond the time it is needed for administrative, legal, or fiscal purposes.
  3. Electronic records are records stored in a form that only a computer can process. Records can be numeric, graphic, and text information; media can include, but are not limited to, magnetic media, such as tapes and disks, and optical disks.
  4. Unscheduled records are records whose final disposition has not been approved by NARA. Unscheduled records may not be destroyed or deleted.

6.2.1. Electronic Recordkeeping System (ERKS)

6.2.1.1. Electronic recordkeeping system (ERKS) is an electronic system that captures, organizes, and categorizes records to facilitate their preservation, retrieval, use, and disposition (36 CFR 1220.18)8

This system must:

  1. Use automated processes to manage the electronic records of an agency.
  2. Preserve the content of electronic records, and their context and structure, over time.
  3. Collect, organize, and categorize records to facilitate their preservation, retrieval, use, and disposition.
  4. Be distinguished from an information system by linkages to activities its documents and by its ability to preserve and provide access to the content, structures, and context of the records.

An ERKS may be either a distinct system designed specifically to provide recordkeeping functionality, or it may be a module within, or a part of, another system (such as an application system or an electronic document management system).

6.2.2. Universal ERM requirements

6.2.2.1 Universal ERM requirements identify high level business needs for managing electronic records. They are baseline ERM program requirements derived from existing NARA regulations, policy, and guidance. ERM requirements are a starting point for OpDivs and StaffDivs to use when developing recordkeeping and record management system requirements. These requirements contain six sections based on the lifecycle of electronic records management:

  1. Capture
  2. Maintenance and Use
  3. Disposal
  4. Transfer
  5. Metadata
  6. Reporting
  1. The requirements are either “program” requirements, relating to the design and implementation of an agency’s ERM policies and procedures, or “system” requirements, providing technical guidance to vendors in creating ERM tools and specifications for agencies to consider when procuring them.
  2. The requirements are then either mandatory (“Must Have”) or preferred (“Should Have”). These designations help vendors determine what functions their tools must perform, as opposed to those that are ideal. “Must Have” and “Should Have” requirements also help agencies prioritize procurement of these ERM tools according to their needs and financial priorities.

6.2.3. Cloud services

6.2.3.1. Cloud services refer to federal records that reside in a cloud environment hosted by a third party service provider. HHS OpDivs and StaffDivs must create standards and policies for managing records created, used, or stored in cloud computing environments:

  1. Include the agency records management officer and/or staff in the planning, development, deployment, and use of cloud computing solutions.
  2. Define which copy of records will be declared as the agency's record copy and manage these in accordance with 36 CFR Part 1222.9 The value of records in the cloud may be greater than the value of any other set because of indexing or other reasons. In such instances, this added value may require designation of the copies as records.
  3. Include instructions for determining if federal records in a cloud environment are covered under an existing records retention schedule.
  4. Include instructions on how all records will be captured, managed, retained, made available to authorized users, and retention periods applied.
  5. Include instructions on conducting a records analysis, developing and submitting records retention schedules to NARA for unscheduled records in a cloud environment. These instructions should include scheduling system documentation, metadata, and related records.
  6. Include instructions to periodically test transfers of federal records to other environments, including agency servers, to ensure the records remain portable.
  7. Include instructions on how data will be migrated to new formats, operating systems, etc., so that records are readable throughout their entire life cycles. Include in your migration planning provisions for transferring permanent records in the cloud to NARA.
  8. Resolve portability and accessibility issues through good records management policies and other data governance practices. Data governance typically addresses interoperability of computing systems, portability of data (able to move from one system to another), and information security and access. However, such policies by themselves will not address an agency's compliance with the Federal Records Act and NARA regulations.

6.3 Essential Records

6.3.1. Each OpDiv and StaffDiv is responsible for establishing, in consultation with continuity of operations (COOP) points of contact, an Essential Records program to select and safeguard records that would be required to ensure continuity of essential functions during and following a national disaster.

6.4 Social Media Records

The use of social media and instant messaging may create federal records that must be captured and managed in compliance with federal records management laws, regulations, and policies. OpDivs and StaffDivs must identify these federal records and determine how they will be managed. If the OpDiv and StaffDiv has identified social media content as federal records, they must determine whether an existing disposition authority applies, including the General Records Schedule (GRS). If an existing authority does not cover the content, a new schedule must be developed. OpDivs and StaffDivs should develop new records schedules if social media and instant messaging users enhance the content by adding comments, metadata or other information that becomes part of the complete record. (NARA Bulletin 2014-02: Guidance on Managing Social Media Records (2014))

6.5 Text Messaging Records

The use of text messaging may create federal records that must be captured and managed in compliance with federal records management laws, regulations, and policies. OpDivs and StaffDivs must identify these federal records and determine how they will be managed. If the OpDiv and StaffDiv has identified text messaging content as federal records, it must determine whether an existing disposition authority applies, including the General Records Schedule (GRS). If an existing authority does not cover the content, a new schedule must be developed. OpDivs and StaffDivs should develop new records schedules if text messaging users enhance the content by adding comments, metadata or other information that becomes part of the complete record. (NARA Bulletin 2015-02: Guidance on Managing Electronic Messages (2015))

6.6 Control and Custody of Records

Agency records are the property of the federal government, not the property of individual employees, and must not be removed from the Department without proper authority. Chain of custody refers to the chronological documentation or paper trail, showing custody, control, transfer, and disposition of federal records for departing or transferring employees. (44 U.S.C. Chapter 31)10

All departing employees must:

  1. Identify and separate all employee federal Records from Non-Record Materials and Personal Papers.
  2. Purge non-record materials, personal papers and extra copies.

All supervisors or appropriate officials must:

  1. Ensure that the chain of custody document has been completed and signed before the employee departs the agency
  2. Ensure that departing employee’s federal records have been identified and properly disposed of in accordance with approved records disposition schedules before the employee’s departure.
  3. Ensure that the departing employee’s federal records have been turned over to the appropriate successor or official to permit continued preservation of the Department federal records.

6.7 Unlawful or Accidental Removal or Destruction of Records

Official records must be protected against loss, unauthorized destruction or alteration, and illegal removal from HHS in order to ensure adequate documentation of organization, functions, policies, decisions, procedures, and essential business transactions. The unauthorized removal, concealment, falsification, mutilation, and/or disposition of official records is prohibited by law and is subject to penalty. The penalties for the unlawful or accidental removal, defacing, alteration, or destruction of federal records or the attempt to do so, include a fine, imprisonment, or both. (18 U.S.C. §§ 641 and 2071)11

6.8 Formal Evaluations

OpDivs and StaffDivs will conduct a formal evaluation on two of their records management programs annually. The goal of the evaluations is to measure the effectiveness of records management programs and practices and to ensure that they comply with NARA regulations. Formal evaluations are intended to provide agencies with information they may use to measure compliance and target resources within areas requiring improvement.

6.9 Training

Each HHS OpDiv and StaffDiv must provide records management training to all staff to ensure they are aware of their responsibilities to maintain and safeguard department records, including the obligations under this Policy. (OMB/NARA Directive M-19-21, Transition to Electronic Records)12

  1. Annually inform all agency personnel of their records management responsibilities in law, regulation, and policy, and provide training specific to the practices and policies of the organization.

6.9.1. All contract employees who have access to (1) HHS federal information or a federal information system or (2) personally identifiable information, must complete the applicable OpDiv and StaffDiv Records Management training before performing any work under their contract. Thereafter, the employees must complete annual Records Management training throughout the life of the contract. The contractor must also ensure subcontractor compliance with this training requirement.

7. Roles and Responsibilities

7.1 HHS Secretary

The responsibilities of the HHS Secretary include, but are not limited to, the following:

  1. Notifying the Archivist of the United States of any actual, impending, or threatened unlawful removal, defacing, alteration, corruption, deletion, erasure, or other destruction of records in the custody of the agency.

7.2 HHS Assistant Secretary for Administration (ASA)

The responsibilities of the HHS Assistant Secretary for Administration (ASA) include, but are not limited to, the following:

  1. Serving as the Senior Agency Official for Records Management (SAORM). Delegates oversight responsibility for the Department-wide records management program to the Chief Information Officer (CIO).
  2. Has direct responsibility for ensuring that the department or agency efficiently and appropriately complies with all applicable records management statutes, regulations, NARA Policy, and Presidential Directives.
  3. At the Assistant Secretary level or equivalent, has direct responsibility for ensuring that the agency efficiently and appropriately complies with all applicable records management statutes, regulations, and policies.

7.3 HHS Chief Information Office (CIO)

The responsibilities of the HHS CIO include, but are not limited to, the following:

  1. Appointing the HHS Records Management Officer to guide and coordinate the HHS Records Management Program. The HHS Records Management Officer collaborates with HHS OpDivs and NARA to execute the HHS Records Management Program in accordance with this instruction.
  2. Integrating records management procedures and activities into HHS Chief Information Officer (CIO) policy and planning.
  3. Reviewing and making recommendations on requests for funding and acquisition of electronic recordkeeping systems in accordance with information technology capital planning, and investment control procedures.
  4. Overseeing the Department-wide records management program.

7.4 Agency Records Management Officer (ARO)

The responsibilities of the HHS ARO include, but are not limited to, the following:

  1. Serving as the Department’s representative with NARA, other federal agencies, and external organizations on matters pertaining to records management.
  2. Providing leadership and guidance to ensure uniformity in records management activities throughout the Department.
  3. Conducting periodic compliance evaluations of records management programs.
  4. Developing policies, standards, and procedures for records management.
  5. Ensuring all HHS employees, including senior officials and contractors are aware of their programmatic and individual records management responsibilities.
  6. Coordinating records management issues with other federal and regulatory agencies, including NARA, OMB, GSA, GAO, and OPM.
  7. Providing records management expertise and participating in the review and development of proposed electronic records management systems.
  8. Coordinating the development and implementation of the HHS records program.
  9. Providing guidance and operational support for the implementation of litigation holds and other types of legally required holds on records and other documentary materials.
  10. Providing guidance to the OpDiv ROs to ensure compliance with Records Management principles and policies in all phases of the Enterprise Performance Life Cycle (EPLC) process.
  11. Completing requirements for a NARA certificate of Federal Records Management Training. New incumbents must obtain the certificate within one year of assuming the position of Departmental ARO.

7.5 OpDiv Chief Information Officers (CIOs)

The responsibilities of the OpDiv Chief Information Officers (CIOs) or OpDiv designated authority include, but are not limited to, the following:

  1. Designating OpDiv ROs to oversee the records management program. Recommend designation of Records Managers (RMs) to support the OpDiv ROs in the implementation of recordkeeping requirements for major programmatic and administrative records.
  2. Ensuring the OpDiv ROs and RMs have adequate skills, training, resources, time, and appropriate authority to execute duties assigned.
  3. Ensuring the implementation of a records management program within their areas of responsibility to accomplish the objectives identified in federal regulations and HHS policies and procedures.
  4. Ensuring OpDiv ROs incorporate records management principles and policies in all phases of the EPLC process.
  5. Ensuring proper recordkeeping of Authorization to Operate (ATO) approved systems.
  6. Requesting funds for records storage costs.
  7. Ensuring OpDiv ROs are adequately trained and remain current on email policies and procedures.

7.6 HHS Chief Information Security Officer (CISO)

The responsibilities of the HHS Chief Information Security Officer (CISO) include, but are not limited to, the following:

  1. Ensuring HHS oversight and compliance with Federal Information Security Management Act (FISMA) to include the development and maintenance of the overall security of HHS IT systems and system inventory.
  2. Using information from the System Inventory in the various reporting and oversight requirements.

7.7 OpDiv Chief Information Security Officers (CISOs)

The responsibilities of the OpDiv Chief Information Security Officers (CISOs) include, but are not limited to, the following:

  1. Ensuring the technical security of the OpDiv electronic data records according to HHS and OpDiv standards.

7.8 OpDiv Records Management Officers (ROs)

The responsibilities of the OpDiv Records Management Officers (ROs) include, but are not limited to, the following:

  1. Serving as the primary contacts responsible for overseeing the OpDiv’s records management program and ensure the OpDiv has up-to-date records management guidelines.
  2. Coordinating the development of OpDiv records schedules with the National Archives and Records Administration (NARA).
  3. Ensuring that recordkeeping requirements are established, implemented, and periodically updated for all offices.
  4. Ensuring that HHS employees and contractors complete the annual records management training.

7.9 OpDiv and StaffDiv Records Managers (RMs) and Records Liaisons (RLs)

The responsibilities of the OpDiv and StaffDiv Records Managers (RMs) and Record Liaisons (RLs) include, but are not limited to, the following:

  1. Coordinating modifications to the office file plans and agency records schedules.
  2. Assisting HHS OpDiv RO with implementing the agency records management program in their work areas.
  3. Managing prompt disposal of temporary records stored in Federal Record Centers and the timely transfer of permanent records to NARA.
  4. Identifying and periodically update recordkeeping requirements for program and administrative records.

7.10 OpDiv and StaffDiv Records Custodians (RCs)

The responsibilities of the OpDiv and StaffDiv Records Custodians (RCs) include, but are not limited to, the following:

  1. Recordkeeping within a particular program.
  2. Ensuring office records are accurately listed and detailed in the office file plan.
  3. Ensuring proper disposition of office records.
  4. Cooperating with the Records Manager/Records Liaison and the OpDiv Records Management Officer in periodic evaluations of office records.

7.11 Managers and Supervisors

The responsibilities of Managers and Supervisors include, but are not limited to, the following:

  1. Ensuring federal employees, contractors, interns, and fellows are aware of and adhere to HHS records management policies.
  2. Ensuring federal employees, contractors, interns, and fellows complete initial and annual records management training.
  3. Ensuring a departing employee’s record materials, including email records, have been reviewed prior to the employee’s departure.
  4. Ensuring a departing employee complies with policies and procedures regarding preservation, transfer, and deleting of records.
  5. When notified that an employee, contractor, intern, or fellow is transferring or leaving the Department, consult with departing employees to follow litigation records management procedures.

7.12 Contracting Officers (COs) and Contracting Officer Representatives (CORs)

The responsibilities of Contracting Officers and Contracting Officer Representatives include, but are not limited to, the following:

  1. Inserting a records management clause in contracts ensuring contractors are aware of and adhere to HHS records management policies.
  2. Ensuring contractors complete initial and annual records management training.
  3. Ensuring a departing contractor’s record materials, including email records, have been reviewed prior to the contractor’s departure.
  4. Ensuring a departing contractor complies with policies and procedures regarding preservation, transfer, and deleting of records.
  5. When notified that a contractor is transferring or leaving the Department, consult with departing contractors to follow litigation records management procedures.

7.13 HHS Employees, Contractors, Interns, and Fellows

The responsibilities of all HHS employees, contractors, interns, and fellows include, but are not limited to, the following:

  1. Identifying federal records that were used to conduct agency business.
  2. Coordinating with OpDiv and StaffDiv RMs and RLs regarding all aspects of records management.
  3. Organizing files for efficient and effective retrieval.
  4. Completing annual records management training.
  5. If transferring or leaving the Department, consult with supervisor and office records staff and follow records management procedures.
  6. Providing copies of responsive federal records to the appropriate Freedom of Information Act Official when requested by the public.

7.14 Freedom of Information Act (FOIA) Official:

The responsibilities of the Freedom of Information Act (FOIA) Official include, but are not limited to, the following:

  1. Reviewing responsive federal records provided by HHS employees, contractors, interns, and fellows for release to the public under the FOIA.

7.15 Office of the General Counsel (OGC)

The responsibilities of the Office of the General Counsel (OGC) include, but are not limited to, the following:

  1. Reviewing disposition schedules for official records for legal sufficiency and provides instructions for implementing litigation holds required to comply with legal requirements.

7.16 Office of Inspector General (OIG)

The responsibilities of the Office of Inspector General (OIG) include, but are not limited to, the following:

  1. Assisting in investigating the unauthorized removal of records or the actual and potential threats to records (e.g., removal, alteration, or deliberate or accidental destruction).

7.17 IT Infrastructure and Operations and System Managers

The responsibilities of IT Infrastructure and Operations and System Managers include, but are not limited to, the following:

  1. Working with the OpDiv RO to establish and update records schedules for electronic system.
  2. Ensuring that all phases of the EPLC process comply with HHS Records Management principles and policies.
  3. Ensuring that information systems intended to carry out electronic records management align with NARA’s and HHS’s requirements for records stored in an electronic recordkeeping system.
  4. Ensuring proper recordkeeping of Authorization to Operate (ATO) approved systems.
  5. Maintaining electronic information systems in accordance with approved records schedules and NARA requirements.
  6. Working with the OpDiv ROs to transfer permanent systems to the National Archives in accordance with approved records schedules and NARA requirements.
  7. Ensuring that social media content containing official records are maintained in accordance with HHS recordkeeping requirements.

8. Information and Assistance

HHS Privacy Information Management (PIM) is responsible for the development and management of this Policy. Questions, comments, suggestions, and requests for information about this Policy should be directed to [email protected].

9. Effective Date and Implementation

The effective date of this Policy is the date on which the policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date.

The HHS CIO has the authority to grant a one (1) year extension of this Policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO.

10. Approval

/S/

Jose Arrieta, Chief Information Officer (CIO)

May 28, 2020

11. Concurrence

/S/

Scott W. Rowell, Assistant Secretary for Administration (ASA)

June 12, 2020

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No additional procedural steps are required to implement this policy.

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No additional standards are required to implement this policy.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No additional guidance is required to implement this policy.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

The following template is associated with the Policy:

  1. Page 8, Section 6.1.2 Agency’s responsibility working with contractors

    The following is a general clause that an agency can modify to fit the planned type of service and specific agency records management needs. Additional contract language can be found on NARA’s web publication, Records Management for Contracts at https://www.archives.gov/records-mgmt/policy/records-mgmt-language.

    Use of contractor's site and services may require management of Federal records. If the contractor holds Federal records, the contractor must manage Federal records in accordance with all applicable records management laws and regulations, including but not limited to the Federal Records Act (44 U.S.C. Chapters 21, 29, 31, 33), and regulations of the National Archives and Records Administration (NARA) at 36 CFR Chapter XII Subchapter B). Managing the records includes, but is not limited to, secure storage, retrievability, and proper disposition of all federal records, including transfer of permanently valuable records to NARA in a format and manner acceptable to NARA at the time of transfer. The agency also remains responsible under the laws and regulations cited above for ensuring that applicable records management laws and regulations are complied with through the life and termination of the contract.

    If an agency decides to create or join a private or community cloud, it will still need to meet records management responsibilities. The agencies may describe these responsibilities in agreements among the participating offices or agencies. If a cloud provider ceases to provide services, an agency must continue to meet its records management obligations. Agencies should plan for this contingency. (NARA Bulletin 2010-05: Guidance on Managing Records in Cloud Computing Environments (2010))

Glossary and Acronyms

Definitions:

This includes, but is not limited to, magnetic media, such as tapes and disks, and optical disks. Unless otherwise noted, these requirements apply to all electronic records systems, whether on microcomputers, minicomputers, or mainframe computers, regardless of storage media, in the network or stand-alone configurations.

  • Alienation – Losing care and custody. Not protecting from loss or unauthorized access.
  • Control and Custody of Records – HHS records and materials are the property of the Federal government, not the property of individual employees or contractors acting as an agent of the Government, and may not be removed from the Department without proper authority. All employees and contractors must maintain records and non-record documentary materials separately from one another.
  • Database – A set of data, consisting of a least one data file, that is sufficient for a given purpose.
  • Disposal – The action taken regarding temporary records after their retention periods expire and usually consisting of destruction or occasionally of donation. Also, when specified, “disposal” refers to the actions taken regarding non-record materials when no longer needed, especially their destruction. (See NARA, “A Federal Records Management Glossary.”)
  • Disposition – The action taken concerning records following their appraisal by NARA. The actions include transfer to agency storage facilities or Federal records center; transfer from one federal agency to another; transfer of permanent records to the National Archives; and disposal of temporary records. “Disposition” is also the action taken regarding non-records materials when no longer needed, including screening and destruction (NARA, “A Federal Records Management Glossary”).
  • Electronic Records – Any information that is recorded in a form that only a computer can process, and that satisfies the definition of a federal record (44 U.S.C. § 3301).13 Electronic records include numeric, graphic and text information, which may be recorded on any medium capable of being read by a computer and which satisfies the definition of a record.
  • Enterprise Performance Life Cycle (EPLC) – A methodology that establishes a project management and accountability environment for HHS IT projects to achieve consistently successful outcomes that maximize alignment with Department-wide and individual OPDIV goals and objectives. Implementation of the EPLC methodology allows HHS to improve the quality of project planning and execution, reducing overall project risk.
  • Essential Records – Essential records are any records, documents, files or information database in any form or format containing information essential to the operations and survival of an organization. They are needed to conduct essential functions and supporting activities. Essential records are divided into two major categories: (1) Emergency Operating Records are records and databases essential to the continued functioning or the reconstitution of an organization during and after continuity activation. (2) Rights and Interests Records are records critical to carrying out an organization’s essential legal and financial functions and vital to the protection of the legal and financial rights of individuals who are directly affected by that organization’s activities.
  • File – A collection of related documents or papers arranged so that they can be consulted easily.
  • File Plan – A listing of all files in a container (regardless of the media), office or organization.
  • Hold – An agency’s temporary suspension of disposition action(s) and notification to its employees to retain records and other documentary materials in the agency’s possession, custody or control, typically because of litigation (including administrative cases), audit, or investigative needs. Under a Hold, documentary materials, regardless of record status, format, and of physical location, are required to be retained and not destroyed or otherwise disposed of for as long as a Hold is in place.
  • Information System – Is defined by the Office of Management and Budget (OMB) in Circular No. A-130 “…the organized collection, processing, transmission and dissemination of information in accordance with defined procedures, whether automated or manual.”
  • Mandatory Records Schedules – All records of HHS must be listed and described in an approved records schedule and must be disposed of only as authorized by that schedule. Schedules must be reviewed annually. Agencies should update their records schedules when there are program changes that will result in the establishment of new types of records, the transfer or termination of records no longer required, or an increase or decrease in the retention time of the records, to ensure the schedules accurately reflect current records and the functions they document (36 CFR 1225).14 Whenever possible, HHS should apply the NARA generated General Records Schedules (GRS) for routine administrative records. As required by regulation, HHS must ask NARA for a variance when not following the retention periods outlined by these schedules (36 CFR 1227).15
  • Non-Record Materials – are federally-owned informational materials that do not meet the statutory definition of records (44 U.S.C. § 3301),16 or that have been excluded from coverage by the definition. Excluded materials are extra copies of documents kept only for reference, stocks of publications and processed documents, and library or museum materials intended solely for reference or exhibit (36 CFR 1220.18).17
  • Office of the Secretary (OS) – is referenced in this Policy as the OpDivs and includes the StaffDivs and the Offices of the Regions.
  • OMB Exhibit 300- Capital Asset Plan and Business Case Summary – As prescribed and described in OMB’s Circular A-11, Preparation, Submission and Execution of the Budget.
  • OMB Circular A-130-Management of Federal Information Resources – Establishes policy for the management of federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies. The policies in this Circular apply to the information activities of all agencies of the executive branch of the federal government.
  • Operating Division (OpDiv) – An entity of HHS that is an independent agency.
  • OS Operating Division (OpDiv) – The OpDiv includes the Inspector General, as well as the Office of the Secretary and its StaffDivs as a combined, single entity.
  • Personal Papers – Documentary materials belonging to an individual that are not used to conduct agency business. Personal papers are excluded from the definition of Federal records and are not owned by the Government.
  • Records – Includes all recorded information, regardless of form or characteristics, made or received by a federal agency under federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, function, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them.

    Library and museum material made or acquired and preserved solely for reference or exhibition purposes or duplicate copies of records preserved only for convenience are not included (44 U.S.C. § 3301).18

  • Records Disposition Schedule – A document, approved by NARA, which provides authority for the final disposition of temporary or permanent records. Records must not be destroyed except as authorized by an approved records schedule.
  • Records Management – The planning, controlling, directing, organizing, training, promoting, and other managerial activities involved with respect to records creation, records maintenance and use, and records disposition in order to achieve adequate and proper documentation of the policies and transactions of the federal government and effective and economical management of agency operations (44 U.S.C. § 2901).19
  • Records Schedule – A records schedule is a document providing mandatory instructions for what to do with records no longer needed for current Government business, with the provision of authority for the final disposition of recurring or nonrecurring records.
  • Reference Material – Must be clearly marked and maintained separately from the records of the office.
  • Staff Division (StaffDiv) – Sub-components of the Office of the Secretary Operating Division (OS OpDiv).

Acronyms

  • ARO – Agency Records Management Officer
  • ASA – Assistant Secretary for Administration
  • CFR – Code of Federal Regulations
  • CIO – Chief Information Officer
  • CISO – Chief Information Security Officer
  • CO – Contracting Officer
  • COOP – Continuity of Operations
  • COR – Contracting Officer Representative
  • EPLC – Enterprise Performance Life Cycle
  • ERKS – Electronic Recordkeeping System
  • ERMS – Electronic Records Management System
  • FISMA – Federal Information Security Management Act
  • FOIA – Freedom of Information Act
  • GAO – Government Accountability Office
  • GRS – General Records Schedule
  • GSA – General Services Administration
  • IT – Information Technology
  • NARA – National Archives and Records Administration
  • OCIO – Office of the Chief Information Officer
  • OGC – Office of General Counsel
  • OIG – Office of Inspector General
  • OMB – Office of Management and Budget
  • OpDiv – Operating Division
  • OPM – Office of Personnel Management
  • PIM – Privacy Information Management
  • RC – Records Custodian
  • RL – Records Liaison
  • RM – Records Manager
  • RMA – Records Management Application
  • RO – Records Management Officer
  • SAORM – Senior Agency Official for Records Management
  • StaffDiv – Staff Division
  • U.S.C. – United States Code
Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed