HHS Policy for Records Management (2024)

Document #: HHS-OCIO-CDO-2024-02-001
Version #: 3.0
Last Reviewed: February 2024
Next Review: February 2027
Owner: OCIO/CDO
Approved By: Jennifer Wendel, Acting HHS Chief Information Officer (CIO)

Table of Contents

1. Nature of Changes
2. Purpose
3. Background
4. Scope
5. Authorities
6. Policy
   • 6.1 Records Lifecycle
   • 6.2 Electronic Records Management
   • 6.3 Essential Records
   • 6.4 Social Media Records
   • 6.5 Freedom of Information Act (FOIA)
   • 6.6 Control and Custody of Records
   • 6.7 Transferring and Departing Staff Records
   • 6.8 Unlawful or Accidental Removal or Destruction of Records
   • 6.9 Formal Evaluations
   • 6.10 Training
7. Roles and Responsibilities
   • 7.1 HHS Secretary
   • 7.2 HHS Assistant Secretary for Administration (ASA)
   • 7.3 HHS Chief Information Officer (CIO)
   • 7.4 HHS Chief Data Officer (CDO)
   • 7.5 HHS Chief Information Security Officer (CISO)
   • 7.6 Agency Records Officer (ARO)
   • 7.7 OpDiv and StaffDiv Heads
   • 7.8 OpDiv Chief Information Officers (CIOs)
   • 7.9 OpDiv Chief Information Security Officers (CISOs)
   • 7.10 OpDiv Records Officers (ROs)
   • 7.11 OpDiv and StaffDiv Records Managers (RMs) and Records Liaisons (RLs)
   • 7.12 OpDiv and StaffDiv Records Custodians (RCs)
   • 7.13 Managers and Supervisors
   • 7.14 Contracting Officers (COs) and Contracting Officer Representatives (CORs)
   • 7.15 HHS Employees, Contractors, Detailees, Interns, and Fellows
   • 7.16 Freedom of Information Act (FOIA) Official
   • 7.17 OpDiv and StaffDiv Controlled Unclassified Information (CUI) Points of Contact
   • 7.18 Office of the General Counsel (OGC)
   • 7.19 Office of Inspector General (OIG)
   • 7.20 IT Infrastructure and Operations and System Managers
8. Information and Assistance
9. Effective Date and Implementation
10. Approval

Appendix A: Procedures

Appendix B: Standards

Appendix C: Guidance

Appendix D: Forms and Templates

Glossary and Acronyms

1. Nature of Changes

This U.S. Department of Health and Human Services (HHS) Policy for Records Management, herein referred to as Policy, updates and supersedes the previous version (HHS-OCIO-PIM-2020-06-004, dated June 12, 2020) and the HHS Policy for Implementing Electronic Mail (Email) Records Management (HHS-OCIO-PIM-2020-06-005, dated June 4, 2020).

2. Purpose

The purpose of this Policy is to establish the principles, responsibilities, and requirements for managing HHS records. This Policy provides the requirements for creating, maintaining, using, and dispositioning records, regardless of media, while protecting and safeguarding HHS records and information within HHS’s approved electronic records management systems. This Policy also provides the framework for records management program guidance and operating procedures.

3. Background

The Federal Records Act of 1950 (FRA), as amended, defines a record as: All recorded information, regardless of form or characteristics, made or received by a federal agency under federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them, excluding library and museum material made or acquired and preserved solely for reference or exhibition purposes; or duplicate copies of records preserved only for convenience. 44 U.S.C. § 3301(a)(1)(A) and (B).¹

The FRA requires all federal agencies to create and preserve records that document the agency’s organization, function, policies, decisions, procedures, and transactions. These records must be managed in accordance with subchapter B, chapter XII, of Title 36, Code of Federal Regulations (C.F.R.) and chapters 29, 31, and 33 of Title 44, United States Code (U.S.C.). The FRA calls for agencies to establish a records management program consisting of policies, procedures, and activities to manage recorded information. The Presidential and Federal Records Act Amendments of 2014 modernize records management by requiring the transfer of records from federal agencies to the National Archives and Records Administration (NARA) in digital or electronic form to the greatest extent possible.

Effective and efficient management of records provides the information foundation for decision-making at all levels, mission planning and operations, personnel services, Congressional and legal inquiries, business continuity, and preservation of U.S. history.

4. Scope

This Policy applies to HHS employees, contractor personnel, grant recipients, detailees, interns, and other non-government persons supporting HHS. All organizations collecting or maintaining information or using or operating information systems on behalf of ² the Department are also subject to the stipulations of this Policy. The Records Management Program promotes standard processes, procedures, practices, and guidelines that ensure the proper handling of HHS records in accordance with applicable law and NARA guidelines. Adherence to this Policy will ensure that all HHS records are maintained in accordance with federal laws, standard business practices, and all regulatory requirements.

This Policy also applies to all HHS components, as well as organizations conducting business for or on behalf of HHS through contractual, grant-making, or other relationships.The requirement to comply with this Policy must be incorporated in the language of each applicable contract, grant, or memorandum of agreement.³

HHS Operating Divisions (OpDivs) and Staff Divisions (StaffDivs) must adopt and implement this Policy, or may create a more restrictive policy, but not one that is less restrictive or less comprehensive than this Policy.

This Policy does not supersede any other applicable law or higher-level agency directive or policy guidance.

5. Authorities

Authorities include:

1. Agency Records Management Responsibilities, 36 C.F.R., Chapter XII, Subchapter B (consisting of Parts 1220 through 1232); see, in particular:
   (a) Scheduling Records, 36 C.F.R., §§ 1225.10 – 1225.26.
   (b) Damage to, Alienation and Unauthorized Destruction of Records, 36 C.F.R., §§ 1228.100 – 1228.106.
   (c) Unlawful of Accidental Removal, Defacing, Alteration, or Destruction of Records, 36 C.F.R., §§ 1230.1 – 1230.18.
   (d) Transfer of Records to the National Archives of the United States, 36 C.F.R., §§ 1235.1 – 1235.50.
   (e) Electronic Records Management, 36 C.F.R., §§ 1236.2 – 1236.36.
2. Controlled Unclassified Information, 32 C.F.R., Subtitle B, Chapter XX, Part 2002
3. Public Money, Property or Records, 18 U.S.C. § 641.
4. Concealment, Removal, or Mutilation Generally, 18 U.S.C. § 2071.
5. Records Management by the Archivist of the United States and by the Administrator of General Services, 44 U.S.C. §§ 2901 – 2910.
6. Records Management by Federal Agencies, 44 U.S.C. §§ 3101 – 3107.
7. Unlawful Removal, Destruction of Records, 44 U.S.C. §§ 3106.
8. Disposal of Records, 44 U.S.C. §§ 3301 – 3324.
9. Definition of Records, 44 U.S.C. § 3301.
10. Government Paperwork Elimination Act (GPEA), P. L. 105-277, Title XVII, 44 U.S.C. § 3504.
11. The Privacy Act of 1974, 5 U.S.C. § 552a.
12. Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes, Federal Rules of Civil Procedures, Rule 34.
13. NARA Bulletin 2010-05: Guidance on Managing Records in Cloud Computing Environments.
14. NARA Bulletin 2013-02: Guidance on a New Approach to Managing Email Records.
15. NARA Bulletin 2014-02: Guidance on Managing Social Media Records.
16. NARA Bulletin 2015-02: Guidance on Managing Electronic Messages.
17. NARA Bulletin 2023-02: Expanding the Use of a Role-Based Approach (Capstone) for Electronic Messages.
18. NARA Criteria for Successfully Managing Permanent Electronic Records.
19. NARA Guidance on Records Management Language for Contracts.
20. NARA Universal Electronic Records Management Requirements.
21. Office of Management and Budget (OMB) Circular A-130, Management Information as a Strategic Resource.
22. OMB/NARA Directive M-19-21, Transition to Electronic Records.
23. OMB/NARA Directive M-23-07, Update to Transition to Electronic Records.
24. HHS Policy for Litigation Holds.
25. HHS Policy for Rules of Behavior for Use of Information and IT Resources.
26. HHS Policy for Mobile Devices and Removable Media.

6. Policy

The HHS Records Management Program establishes records management policies, standards, and procedures for maintaining HHS records and information in a manner facilitating ease of use, access, and disposition, and consistent with HHS records disposition schedules, regulations, and guidelines implemented by NARA and OMB.

In order to maintain all HHS records in accordance with applicable statutory and regulatory requirements, each OpDiv and StaffDiv is required to establish and maintain a records management program meeting the following minimum requirements:

6.1 Records Lifecycle

Proper record management practices ensure successful recordkeeping activities starting from record creation through final disposition. In compliance with the FRA and NARA regulations, HHS must establish effective management controls over the creation, maintenance and use, and disposition of federal records in any media, including but not limited to paper, email, instant messaging (IM), text messages, telephone messages (analog), voice mail messages, presentations, websites, social media, word processing documents, spreadsheets, and information systems, throughout their life cycle.

6.1.1. Records Creation and Receipt

The FRA requires every federal agency to “make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.”

HHS must properly and adequately document Agency business in accordance with the FRA and NARA regulations. To meet that obligation, all HHS employees, contractor personnel, grant recipients, detailees, interns, and other non-government persons supporting HHS who manage HHS records must create and maintain records that:

1. Document the persons, places, things, or matters dealt with by HHS.
2. Facilitate action by HHS officials and their successors in office.
3. Protect the financial, legal, and other rights of the Government and of persons directly affected by the Government's actions.
4. Document the formulation and execution of policies and decisions and the taking of necessary actions, including all substantive decisions and commitments reached orally (person-to-person, by telecommunications, or in conference) or electronically.
5. Document significant board, committee, or staff meetings.

All records created or received by an official, employee, or contractor of HHS in the course of conducting federal government business for HHS are the property of HHS, wherever the record resides (for example, in a government issued mobile device or in a personal email account during an emergency). No person attains a personal or proprietary interest in any record that the person creates, provides input into, or acquires custody or possession of while acting as a federal official, employee, or contractor.

6.1.1.1. The FRA prohibits the creation or transmission of a federal record using a non-HHS electronic messaging account unless the person creating or sending the record either:

1. Copies the person’s HHS electronic messaging system (email) account at the time of initial creation or transmission of the record or,
2. Forwards a complete copy of the record to the person’s email account within 20 calendar days of the original creation or transmission of the record.

6.1.2. Records Maintenance and Use

HHS records must be maintained (e.g., captured and organized) in an appropriate manner to ensure timely search and retrieval for internal Agency use, as well as for responses to outside inquiries.

Agency records maintenance programs must:

1. Assign responsibilities for maintenance of records in all formats within each agency component, including designation of the officials that are responsible for maintenance and disposition of electronic records and management of automated systems used for recordkeeping.
2. Issue appropriate instructions to all agency employees on handling and protecting records.
3. Maintain records and non-record materials separately, in accordance with 36 C.F.R. § 1222.16.⁴
4. Maintain personal files separately from records in accordance with 36 C.F.R. § 1222.20.⁵

6.1.2.1. NARA-Approved Records Retention Schedules

Proper retention ensures that records are kept in accordance with legal, regulatory, fiscal, operational and/or historical needs. All HHS records must be associated with a NARA-approved records control schedule. If records do not have an approved records schedule, then they must be treated as permanent records (indefinitely retained) until a records control schedule is approved.

HHS must ensure new schedules are created for unscheduled records to meet regulations so that records do not remain subject to records requests and security requirements and exposed to security incidents after the records are no longer needed for agency business. NARA-Approved HHS Records Retention Schedules can be found on the NARA website ⁶.

HHS must manage records using the following order of precedence of approved schedules:

1. NARA-issued General Records Schedule (GRS).
2. Component-wide records schedules.
3. Office program specific records schedules.

HHS OpDivs and StaffDivs must update their records schedules when there are program changes that will result in the establishment of new types of records and the transfer or termination of records, or an increase or decrease in the retention time of the records. (36 C.F.R. 1224.10(c))⁷

1. Temporary records are records approved by NARA for disposal after a specified retention period.
2. Permanent records are records appraised by NARA as having sufficient historical or other value to warrant continued preservation by the federal government beyond the time it is needed for administrative, legal, or fiscal purposes.
3. Unscheduled records are records whose final disposition has not been approved by NARA. Unscheduled records may not be destroyed or deleted.

6.1.2.2. File Plans

Each HHS OpDiv and StaffDiv must maintain an up-to-date centralized file plan that includes the title and description of its records providing the identification, format, custodian, and location of all categories of records created and received in the course of official business. File plans must be designed to facilitate the identification of records, the preservation of archival records, and the prompt and systematic disposition of temporary and permanent records according to the appropriate records schedule. File plans can help Freedom of Information Act (FOIA) and records management teams identify where and how the information for a specific office or program is stored. File plans of each Program Office can be obtained by contacting their respective OpDiv and StaffDiv Records Manager or Records Liaison.

6.1.2.3. Non-records

A non-record refers to documentary materials excluded from the legal definition of a federal record. Non-records must be managed and disposed of but are not subject to the same requirements as federal records. However, non-record information may be subject to record holds or production requests such as FOIA or litigation hold requests. HHS employees must ensure that non-record materials remain separate from federal records and are destroyed when no longer needed for reference.

6.1.2.4. Access to Records

HHS records must be maintained (e.g., captured and organized) to ensure timely search and retrieval for internal Agency use, as well as for responses to outside inquiries. Sensitive records (e.g., sensitive personally identifiable information (SPII) and other Controlled Unclassified Information (CUI)) must be maintained with restricted access in accordance with statutory and regulatory requirements.

6.1.2.4.1. Controlled Unclassified Information (CUI)

CUI is information that federal agencies routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release.

The CUI program established by E.O. 13556 establishes a uniform policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the program.

All CUI documents must be protected according to applicable laws, regulations, Government-wide policies, and HHS policies. Specific procedures for marking and labeling are outlined in the CUI Guidelines.For more information about HHS CUI policies and guidance, contact your OpDiv or StaffDiv CUI Point of Contact.

6.1.2.5. Agency’s Responsibility Working with Contractors

HHS OpDivs and StaffDivs must ensure that the laws, regulations, and policies applicable to records and information used and maintained by HHS also apply to records and information maintained and used by HHS contractors on behalf of HHS. All records created by HHS contractors on behalf of HHS must remain the property of HHS and cannot be used or disposed of except as explicitly authorized in writing by HHS.

An OpDiv and StaffDiv maintains responsibility for managing its records whether the records reside in a contracted environment or under agency physical custody (see 36 C.F.R. Part 1222.32).⁸ When working with a contractor, a Contracting Officer must include a records management clause in any contract or similar agreement. At a minimum, the records management clause must ensure that the federal agency and the contractor are aware of their statutory records management responsibilities. (NARA Guidance on Records Management for Contracts) ⁹

A template of a general records management clause for use in contracts or similar agreements can be found in Appendix D

6.1.3. Records Disposition

The FRA requires federal agencies to ensure proper disposition of records at the end of the records lifecycle. Records eligible for disposition are those that are no longer required to be maintained by applicable laws and approved record schedules. After temporary records have fulfilled their NARA-approved retention periods they are destroyed or deleted, while permanent records are transferred to the legal custody of the National Archives.

Each OpDiv and StaffDiv must implement proper methods to preserve permanent records and lawfully and efficiently destroy temporary records at the end of the records lifecycle. Disposition of records must occur on a systematic and routine basis. No disposition action must take place without the assurance that the record is no longer required, and that no litigation, investigation, audit, or other matter is currently pending that requires holding the record longer as evidence.

6.1.3.1. Records Holds
A records hold is temporary suspension of normal disposition practices with respect to certain agency records or documentary materials until further notice. This means that records or documentary materials, regardless of their physical location, must be kept for as long as a hold is in place. Records holds are commonly implemented due to actual or anticipated investigations, audits, litigation, or other similar occurrences and expire when such circ*mstances no longer exist.

One example of a hold that would require retention of a record beyond the end of the records lifecycle is a litigation hold. A litigation hold is a notification to employees and covered recipients to retain potentially relevant information in the agency’s possession, custody, or control when the Department has reasonable anticipation of litigation or litigation has commenced. Please reference the Department of Health and Human Services Policy for Litigation Holds for further information on HHS’s litigation hold policy.

6.2 Electronic Records Management

Electronic records include any information that is recorded in a form that only a computer can process and that satisfies the definition of a federal record under the Federal Records Act (36 C.F.R. 1220.18).¹⁰ The requirements for appropriately maintaining electronic records and for maintaining records in electronic form to the fullest extent possible include the following:

1. All information meeting the definition of an electronic record must be preserved in accordance with a NARA-approved records schedules regardless of records locations (e.g., social media sites, shared drives, internet and intranet sites, cloud environments).
2. All electronic records must be managed in an electronic information system (EIS) or HHS-approved electronic records management system that incorporates functionalities to enable preservation of the federal record with integrity throughout the record lifecycle, for example correspondence management systems.
3. OpDivs and StaffDivs are encouraged to create and organize records electronically and maintain them electronically throughout their lifecycle, to the fullest extent possible.
4. Passwords or other forms of file level encryption must be removed or cleared prior to transferring permanent records to NARA.
5. Digital and electronic signatures, in support of electronic content, are acceptable for maintaining and preserving the authenticity of electronic records.
6. Metadata must meet both NARA requirements as defined in NARA Bulletin 2015-04 ¹¹, and agency business needs.

6.2.1. Metadata

HHS must ensure that metadata elements as specified in 36 C.F.R. § 1236.54 ¹² are captured in a recordkeeping system or embedded in each file. HHS must also ensure that the metadata remains accurate and consistent regardless of where it is stored.

Metadata elements provide administrative, descriptive, and technical information that describe the structure and content of electronic records. Metadata elements also provide contextual information that explains how electronic records were created, used, managed, and maintained prior to their transfer to NARA, and how they are related to other records. This information enables NARA to appropriately manage, preserve, and provide access to electronic records for as long as they are needed.

6.2.1.1. Categories of Metadata

Metadata can describe almost any aspect of an electronic record. For convenience, individual metadata elements that work together to describe a particular aspect of a record can be referred to as belonging to categories. As a result, metadata is often organized into schemas that define what labels mean and how they should be used.

1. Administrative Metadata is used to manage collections of records. Examples include the Transfer Request (TR) Number, the Record Group, the name of the person authorized to transfer custody, etc.
2. Descriptive Metadata identifies and describes records. Examples include a photograph’s caption, the title of a book, or the composer of a song.
3. Preservation Metadata is the specialized set of information required to preserve and provide access to electronic records. Examples include the file format used to encode a file, the software necessary to view it, or an action taken to maintain it such as the results of a virus scan.
4. Technical Metadata describes aspects of electronic records important to their proper interpretation, rendering, or playback. The type of compression used with a digital image, the audio codec contained in a digital video, or the encryption algorithm used to digitally sign an email are all examples of technical metadata. Technical metadata is frequently included as Preservation metadata as it is necessary for the maintenance of electronic records.
5. Use Metadata includes information that describes how records can be accessed or circulated. Metadata identifying copyright status or security classification are examples of use metadata.

6.2.2. Electronic Messaging Records

According to the Federal Records Act, as defined in 44 U.S.C. § 2911(c)(1) ¹³, electronic messages refer to “electronic mail and other electronic messaging systems that are used for purposes of communicating between individuals.” This includes email, text messages, instant messages, social media, or other similar forms of communication.

In accordance with federal records management laws and regulations, OpDivs and StaffDivs shall:

1. Preserve and retain email messages, text, and instant messages that meet the definition of a federal record sent or received from the HHS email server or government furnished devices per NARA-approved records schedules.
2. Have the capability to produce various forms of electronic messages i.e., email, text, instant messages, etc. that are responsive to FOIA requests, litigation holds, or other document production requests such as Congressional inquiries.
3. Prohibit the use of personal email and messaging accounts to conduct agency business and transmit any HHS information. In the event HHS authorizes the use of personal accounts, such as in emergency situations when federal accounts are not accessible or when an employee is initially contacted through a personal account, HHS employees must ensure that a complete copy of any federal records sent or received on personal account systems are captured and forwarded to their official HHS email account no later than 20 calendar days after the original creation or transmission of the record.

Regardless of how many federal email accounts individuals use to conduct official business, agencies must ensure that all accounts are managed, accessible and identifiable according to federal recordkeeping requirements.

6.2.3. Email and Other Electronic Messages Managed under the Capstone Approach

HHS has adopted the Capstone approach (GRS 6.1). Under the Capstone approach, HHS manages the disposition of email records and attachments, calendar appointments, tasks, instant messages, text messages, and chat messages that serve a similar purpose as email to facilitate communication and information sharing based on the role of the account user rather than the content of each record. (NOTE: Records under a preservation obligation, such as a litigation hold, must be managed based on record content, so are precluded from being managed under the Capstone approach.)

1. Email and Other Electronic Messages of Capstone Officials –
2. Email Records of Non-Capstone Officials –

6.2.3.1. Text and Instant Messaging Records

Multimedia Messaging Service (MMS) and Short Message Service (SMS) or similar formats are used on mobile devices to communicate in a peer-to-peer fashion. Text or instant messages when created or received in the course of agency business on government furnished mobile devices are federal records that must be captured and managed in compliance with federal records management laws, regulations, and policies. All such text or instant messages are subject to FOIA requests, and some of the messages may be subject to litigation holds and other preservation holds. These records must be managed in accordance with GRS 6.1 or any other NARA-approved disposition authority.

Transmission of HHS information via personal mobile devices is prohibited unless HHS authorizes the use of personal mobile devices to conduct agency business in the event of emergency situations when federal accounts are not accessible or when an employee is initially contacted through a personal mobile device. In those limited instances, staff must continue to save and manage any text or instant message records related to their work, by sending a copy to their HHS email account at the time of transmission or forwarding that record to their HHS email account within 20 calendar days of creation or transmission.

6.2.4. Digitization

Transitioning to an electronic environment enables HHS to work with and leverage information in a way that analog record formats do not always allow. Analog records exist in a static state which limits information from being easily searched, updated or transferred without manual intervention. Additional guidance on digitization standards can be found in Appendix B.

6.2.4.1. Digitizing Temporary Federal Records

If an OpDiv or StaffDiv intends to digitally reproduce (digitize) records in order to designate the digitized version as the recordkeeping copy and destroy the original source records, that OpDiv or StaffDiv must:

1. Digitize the record to the standards in 36 C.F.R. § 1236.32.¹⁴
2. Validate the digitization according to 36 C.F.R. § 1236.34.

6.3 Essential Records

The Essential Records Program identifies, protects, and provides ready access to vital records necessary to ensure continuity of essential HHS activities in the event of a national, regional, or local disaster or emergency.

6.3.1. Each OpDiv and StaffDiv is required to identify and protect the records and information necessary to continue key operations; protect the legal and financial rights of HHS, its employees, or the public; and protect the records deemed critical for the continuity and/or resumption of mission-essential functions. For more information about the HHS Essential Records Program, please contact the OpDiv or StaffDiv designated Continuity of Operations Plan (COOP) Coordinator or the Administration for Strategic Preparedness and Response (ASPR).

6.4 Social Media Records

The use of social media may create federal records that must be captured and managed in compliance with federal records management laws, regulations, and policies. The maintenance of these records is the responsibility of the office or agency originating the content. All personnel authorized by the Assistant Secretary for Public Affairs (ASPA) approval to use social media on behalf of HHS must identify these federal records and consult with their designated records management staff to determine how the records will be managed. For more information about HHS social media policies, please visit www.hhs.gov/web/social-media/policies/index.html.

6.5 Freedom of Information Act (FOIA)

FOIA is a disclosure statute that promotes open government (the public's right to know) by letting the public have access to most records that are in the custody of or otherwise under the control of a federal agency, except to the extent protected from disclosure by nine mostly discretionary exemptions. Because FOIA is a disclosure statute, not a records management statute, the records that are subject to FOIA even include, in some cases, records that would not be considered "records" for records management purposes under 44 U.S.C. § 3301.¹⁵

All records received, created, or maintained by HHS staff, regardless of physical location and physical format, must be assumed to be subject to FOIA. Records locations include but are not limited to electronic information systems, electronic back-up sites, e-mail servers, headquarters, field offices, Federal Records Centers (FRC), individual and central office spaces, agency-specific storage locations, contractor offices, and HHS Continuity of Operations [COOP] sites. For additional guidance on HHS FOIA procedures, please contact an HHS FOIA Office.¹⁶

6.6 Control and Custody of Records

Agency records are the property of the federal government, not the property of individual employees, and must not be removed from the Department without proper authorization. Removal of documentary materials must be approved in accordance with the provisions of this Policy to ensure HHS’s ownership and ability to protect agency information and fulfill requests such as litigation holds and FOIA.

All records created or received by an official, employee or contractor of HHS while conducting federal government business are the property of HHS, wherever the record resides. No person attains a proprietary interest in any record that the person may create, provide input into, or acquire custody or possession of, by virtue of the person’s position as an official, employee, or contractor.

6.7 Transferring and Departing Staff Records

Departing HHS employees, contractors, detailees, and interns must manage their records in accordance with federal records management laws, regulations, and policies.

1. Federal records that have not met disposal dates must be left with the OpDiv or StaffDiv from which the employee is departing. Departing staff must formally identify record locations and ensure those are accessible to the appropriate managers and supervisors or other designated Division staff.
2. Federal records responsive to active FOIA requests or subject to litigation or other preservation holds must be identified and remain in the custody or control of the OpDiv or StaffDiv.
3. Employees transferring within the Department may retain copies of federal records in rare cases only after review and approval of their designated Records Officer. The Records Officer’s approval must be based on a documented business need for the records to be retained by the employee in their new role, and the retention must be relevant to the organization they are transferring to in accordance with the following requirements:
   1. The original record must be maintained by the Division from which the employee is leaving.
   2. Transferring employees may retain copies only if transferring to another HHS OpDiv or StaffDiv with responsibilities that are inherently the same.
   3. Transferring employees may request to have selected personal email and documents transferred to their new accounts. Items such as their own Performance Management Appraisal Plans (PMAPs) and email contacts are examples of such personal documentation.
4. Employees separating or retiring from HHS may not take copies of records or other work-related, non-record materials unless approved by their designated Records Officer or legal counsel. When determining whether to permit departing employees to remove extra copies, the agency must also consider the extent to which such removal could affect the agency's ability to invoke various legal privileges and must consider the use of nondisclosure agreements in appropriate cases.
   1. Copies of records that are national security classified must remain under the control of the agency and not be allowed to be removed.
   2. Copies of records that are otherwise restricted (e.g., as privileged or subject to the Privacy Act) must be maintained in accordance with the appropriate agency requirements and not be allowed to be removed.
   3. Approval to remove extra copies should be granted only if the removal would be at no cost to the agency.
   4. Contracting Officer Representatives (CORs) are responsible for ensuring that departing contractors do not remove any HHS records.

6.7.1. Chain of Custody

Chain of custody refers to the chronological documentation or paper trail, showing custody, control, transfer, and disposition of federal records for departing or transferring employees. (44 U.S.C. Chapter 31) ¹⁷

All departing employees must:

1. Identify and separate all employee federal records from non-record materials and personal papers.
2. Complete a chain of custody or records transfer document certifying that all federal records created and maintained during their employment have been turned over to their successor, supervisor, or appropriate official.

All supervisors or appropriate officials must:

1. Ensure that the chain of custody or records transfer document has been completed and signed before the employee departs the agency.
2. Ensure that departing employee’s federal records have been identified and turned over to the appropriate successor or official to permit the continued preservation of HHS federal records.

6.8 Unlawful or Accidental Removal or Destruction of Records

Official records must be protected against loss, unauthorized destruction or alteration, and illegal removal from HHS to ensure adequate documentation of organization, functions, policies, decisions, procedures, and essential business transactions. The unauthorized removal, concealment, falsification, mutilation, and/or disposition of official records is prohibited by law and is subject to penalty. The penalties for the unlawful or accidental removal, defacing, alteration, or destruction of federal records, or the attempt to do so include a fine, imprisonment, or both. (18 U.S.C. §§ 641 and 2071)¹⁸

HHS reports actual and potential threats to records (e.g., removal, alteration, or deliberate and accidental destruction), to NARA, as required by 36 C.F.R. 1230.14¹⁹ and may report same to the HHS Office of the Inspector General.

All HHS employees and contractors are responsible for immediately notifying their respective Records Manager or OpDiv Records Officer of any actual, impending, or threatened unlawful removal, defacing, alteration, or destruction of records in the custody of HHS staff in a timely manner.

1. The OpDiv Records Officer will perform initial inquiries to determine if there is a potential records loss and, if required, will proceed with notification to NARA. Notification will include a brief description of the records potentially lost. The Department Records Officer should be copied on the initial notification to NARA.
2. The OpDiv Records Officer will work with the program office to conduct a thorough investigation of what led to the potential records loss. The investigation must determine to the best extent possible the information required for the final report to NARA.
3. The OpDiv Records Officer will work with the program office to recover any lost or destroyed records to the extent possible.
4. The OpDiv Records Officer will draft and submit the final Unauthorized Destruction of Records Report to NARA based on the completed investigation that includes:
   1. A complete description of the records with volume and inclusive dates.
   2. The OpDiv or StaffDiv maintaining the records.
   3. A statement of the exact circ*mstances surrounding the removal, defacing, alteration, or destruction of records.
   4. A statement of the safeguards established to prevent further loss of documentation.
   5. When appropriate, details of the actions taken to salvage, retrieve, or reconstruct the records.
5. The OpDiv Records Officer will work with the program office to develop and implement corrective measures based upon the results of the final Unauthorized Destruction of Records Report. NARA may respond with additional corrective measures that the OpDiv Records Officer will also need to address.

6.9 Formal Evaluations

OpDivs and StaffDivs must aim to conduct a formal evaluation on a specific program area of their records management programs annually. The goal of the evaluation is to measure the effectiveness of records management programs and practices and to ensure that they comply with NARA regulations. Formal evaluations are intended to provide agencies with information they may use to measure compliance and target resources within areas requiring improvement. Additional guidance and procedures on formal evaluations can be found in Appendix A.

6.10 Training

To ensure that the HHS Records Management Program remains dynamic and effective, all
HHS employees and contractors must be aware of the program and have adequate training to perform their records management responsibilities as required to maintain and safeguard HHS records.

Each HHS OpDiv and StaffDiv must annually inform all agency personnel of their records management responsibilities in law, regulation, and policy, and provide training specific to the practices and policies of the organization. (OMB/NARA Directive M-19-21, Transition to Electronic Records)²⁰

6.10.1. Records Management Training for Federal Employees

1. New Employee Orientation
2. Annual Training
3. Senior Officials Records Management Awareness Training
4. Incoming Senior Officials entering federal service shall receive training on specific recordkeeping requirements and the importance of appropriately managing records under their immediate control.
5. Departing Senior Officials shall receive exit briefings prior to separation on the appropriate disposition of the records under their immediate control.

6.10.2. Records Management Training for Contractors

All contractors who have access to (1) HHS federal information or a federal information system or (2) personally identifiable information, must complete the applicable OpDiv and StaffDiv records management training within 30 days before performing any work under their contract. Thereafter the following year, contractors must complete annual records management training by December 31st of each calendar year throughout the life of the contract. The contractor must also ensure subcontractor compliance with this training requirement.

7. Roles and Responsibilities

7.1 HHS Secretary

The responsibilities of the HHS Secretary include, but are not limited to, the following:

1. Ensuring the creation and preservation of records that adequately and properly document the organization, functions, policies, decisions, procedures, and essential transactions of HHS.
2. Designating a Senior Agency Official for Records Management (SAORM) to oversee the HHS Records Management Program and have direct responsibility for ensuring HHS efficiently and appropriately complies with all applicable records management statutes, regulations, NARA policies, and requirements of the OMB/NARA Directive M-19-21, Transition to Electronic Records.
3. Preventing the unlawful or accidental removal, defacing, alteration, or destruction of records and direct that any unauthorized removal, defacing, alteration, or destruction be reported to NARA.
4. Taking adequate measures to inform all employees and contractors of the provisions of the law relating to unauthorized destruction, removal, alteration, or defacement of records.

7.2 HHS Assistant Secretary for Administration (ASA)

The responsibilities of the HHS Assistant Secretary for Administration (ASA) include, but are not limited to, the following:

1. Serving as the Senior Agency Official for Records Management (SAORM). Delegates oversight responsibility for the Department-wide records management program to the Chief Information Officer (CIO).
2. Acting on behalf of the agency head to ensure that the department or agency efficiently and appropriately complies with all applicable records management statutes, regulations, NARA Policy, and Presidential Directives.
3. Bridging the gap between the agency head and the Agency Records Officer in order to provide strategic direction for the agency’s records management program.

7.3 HHS Chief Information Officer (CIO)

The responsibilities of the HHS CIO include, but are not limited to, the following:

1. Appointing the HHS Records Officer, certified to NARA standards, to assist with implementation, evaluation and administration issues regarding the Federal Records Act and applicable legislation.
2. Ensuring a Departmental Records Management Program is developed, documented, implemented, and promoted to support records management activities for all information systems, networks and data that support Departmental operations.
3. Maintaining a central policy-making role in the agency’s development and evaluation of records management issues.
4. Integrating records management procedures and activities into HHS Chief Information Officer (CIO) policy and planning.
5. Reviewing and making recommendations on requests for funding and acquisition of electronic recordkeeping systems in accordance with information technology capital planning, and investment control procedures.

7.4 HHS Chief Data Officer (CDO)

The responsibilities of the HHS CDO include, but are not limited to, the following:

1. Standardizing and streamlining existing federated enterprise-wide data management in order to better leverage the information.
2. Managing data assets, including data inventories, which identify the sources of data, where the datasets are being maintained, their content, and how they are being used.
3. Turning data into information by creating a data-driven culture where data and metrics can be used to make better decisions.
4. Establishing a data stewardship framework.
5. Consulting with the HHS Records Management Program during the development of policies and standards in alignment with federal records management laws and regulations.

7.5 HHS Chief Information Security Officer (CISO)

The responsibilities of the HHS Chief Information Security Officer (CISO) include, but are not limited to, the following:

1. Establishing and maintaining HHS vision and strategy to ensure information assets and technologies are adequately protected.
2. Ensuring HHS oversight and compliance with Federal Information Security Management Act (FISMA) to include the development and maintenance of the overall security of HHS IT systems and system inventory.
3. Ensuring that records are maintained in a manner that prevents loss, theft, misuse, or unauthorized access or alteration throughout the record lifecycle.
4. Establishing assessment standards and processes for records management-related cybersecurity controls.
5. Consulting with the HHS Records Management Program during the development of policies and standards in alignment with federal records management laws and regulations.

7.6 Agency Records Officer (ARO)

The responsibilities of the HHS ARO include, but are not limited to, the following:

1. Serving as the Department’s representative with NARA, other federal agencies, and external organizations on matters pertaining to records management.
2. Providing leadership and guidance to ensure uniformity in records management activities throughout the Department.
3. Conducting periodic compliance evaluations of records management programs.
4. Advising the CIO and OpDivs on records management issues and developing Department-wide records management policies, procedures, guidance, and training materials.
5. Establishing and disseminating standards to ensure that OpDivs clearly identify staff responsibilities to comply with the agency’s records management program.
6. Coordinating records management issues with other federal and regulatory agencies, including NARA, OMB, General Services Administration (GSA), and Government Accountability Office (GAO).
7. Providing guidance and operational support for the implementation of litigation holds and other types of legally required holds on records and other documentary materials.
8. Providing guidance to the OpDiv Records Officers (RO) to ensure compliance with Records Management principles and policies in all phases of the Enterprise Performance Life Cycle (EPLC) process.
9. Completing requirements for a NARA certificate of Federal Records Management Training. New incumbents must obtain the certificate within one year of assuming the position of Departmental ARO.

7.7 OpDiv and StaffDiv Heads

The responsibilities of the OpDiv Heads include, but are not limited to, the following:

1. Advocating for records management in their organization.
2. Demonstrating the importance of records management and ensuring their organization is aware of the importance of and processes for managing records.
3. Demonstrating their commitment to the proper management of records in their organization through appropriate means (e.g., sending out messages, participating in events dedicated to records clean-up activities, encouraging managers and staff to take records training).

7.8 OpDiv Chief Information Officers (CIOs)

The responsibilities of the OpDiv Chief Information Officers (CIOs) or OpDiv designated authority include, but are not limited to, the following:

1. Designating the OpDiv RO to oversee the records management program. Recommend designation of Records Managers (RMs) to support the OpDiv RO in the implementation of recordkeeping requirements for major programmatic and administrative records.
2. Ensuring the OpDiv RO completes requirements for a NARA certificate of Federal Records Management Training within one year of assuming the position of OpDiv RO.
3. Supporting the implementation of a records management program within their areas of responsibility to accomplish the objectives identified in federal regulations and HHS policies and procedures.
4. Integrating records management procedures and activities into OpDiv Chief Information Officer (CIO) policy and planning.
5. Ensuring records management and records archival functions are addressed in the requirements development phase for the design, development, and implementation of new or significantly revised information systems.
6. Reviewing and making recommendations on requests for funding and acquisition of electronic recordkeeping systems within their areas of responsibility in accordance with information technology capital planning, and investment control procedures.

7.9 OpDiv Chief Information Security Officers (CISOs)

The responsibilities of the OpDiv Chief Information Security Officers (CISOs) include, but are not limited to, the following:

1. Ensuring the technical security of the OpDiv electronic data records according to HHS and OpDiv standards.
2. Establishing assessment standards and processes for records management-related cybersecurity controls within their areas of responsibility.
3. Consulting with the OpDiv Records Management Program during the development of policies and standards in alignment with federal records management laws and regulations.

7.10 OpDiv Records Officers (ROs)

The responsibilities of the OpDiv Records Officers (ROs) include, but are not limited to, the following:

1. Serving as the primary contact for overseeing the OpDiv’s records management program.
2. Developing and disseminating instructions and operating procedures, as needed to supplement Agency-wide policy to meet the unique records management needs in support of the records management program within their OpDiv.
3. Collaborating with HHS ARO and key stakeholders on records management activities and actions such as the Records Management Self-Assessment, NARA Inspections, Unauthorized Destruction of Records Reports to NARA, etc.
4. Coordinating OpDiv records management issues with other federal and regulatory agencies, including NARA, OMB, General Services Administration (GSA), and Government Accountability Office (GAO).
5. Coordinating periodic review, development, and maintenance of current records disposition schedules for all OpDiv program records or when notified of program changes resulting in:
   1. Establishing new types of records.
   2. An increase or decrease in the retention time of the records.
   3. New or revised electronic systems.
6. Providing records management expertise and participating in the review and development of proposed electronic records management systems.
7. Ensuring that OpDiv employees and contractors complete the mandatory annual records management training.
8. Ensuring permanent records are periodically transferred to NARA for permanent preservation and temporary records are promptly destroyed, according to NARA-approved records disposition schedules, unless subject to litigation hold or other preservation requirements.
9. Reporting to NARA any alleged or actualized incidents of unauthorized destruction, manipulation, alteration, or removal of records through accidental or intentional means.
10. Maintaining and updating an official list of agency Capstone positions in accordance with NARA requirements.
11. Ensuring periodic evaluations of the records management program to monitor compliance with applicable laws and NARA, Department, and OpDiv regulations, policies, standards, and procedures.
12. Completing requirements for a NARA certificate of Federal Records Management Training within one year of assuming the OpDiv RO position.

7.11 OpDiv and StaffDiv Records Managers (RMs) and Records Liaisons (RLs)

The responsibilities of the OpDiv and StaffDiv Records Managers (RMs) and Record Liaisons (RLs) include, but are not limited to, the following:

1. Serving as the first point of contact for an entire program office regarding records management activities.
2. Developing records management administrative roles i.e., Records Custodians and communication networks with all program units including field offices and other facilities, as appropriate, to ensure that the records management program is implemented at all sites under their program areas.
3. Developing official comprehensive file plans to simplify access to information within their work areas, and periodically review file plans and procedures to ensure they are current and complete.
4. Assisting OpDiv RO, under management approval, with implementing the agency records management program in their work areas.
5. Drafting and updating records schedules, in conjunction with the OpDiv RO, for records created and maintained by their program office.
6. Coordinating with the OpDiv RO the periodic transfer of permanent records to NARA and timely destruction of temporary records according to NARA-approved records disposition schedules, unless subject to litigation hold or other preservation requirements.
7. Reporting to the OpDiv RO any alleged or actualized incidents of unauthorized destruction, manipulation, alteration, or removal of records through accidental or intentional means.
8. Identifying areas of weakness within the program or office and work collaboratively with the OpDiv RO to provide records management briefings, workshops, and recommendations to resolve identified areas of weakness.
9. Providing records management briefings and training to staff within their program office.

7.12 OpDiv and StaffDiv Records Custodians (RCs)

The responsibilities of the OpDiv and StaffDiv Records Custodians (RCs) include, but are not limited to, the following:

1. Serving as the first point of contact within a particular division or branch office regarding records management activities.
2. Supporting and maintaining the file plan and accountability for active and inactive records.
3. Assisting with the proper destruction of eligible temporary program and administrative records and the transfer of permanent records to the legal custody of NARA in accordance with NARA-approved records schedules.
4. Cooperating with the Records Manager/Records Liaison and the OpDiv Records Officer in periodic evaluations of office records.

7.13 Managers and Supervisors

The responsibilities of Managers and Supervisors include, but are not limited to, the following:

1. Ensuring that their staff, including contractors, are informed about and understand their responsibility for preserving and appropriately managing their records in all formats, including electronic messaging applications such as email, text messaging, instant messaging, chat, voicemail, social media, or mobile device applications.
2. Designating a Records Manager/Records Liaison and Records Custodians for the program office as appropriate.
3. Working with their designated Records Manager/Records Liaison and Records Custodians to approve and transfer permanent records to the NARA in accordance with NARA-approved records schedules.
4. Ensuring that their staff complete mandatory annual records management training and any other related records management training.
5. Ensuring a departing employee’s record materials, including email and text records, have been reviewed prior to the employee’s departure.
6. Ensuring a departing employee complies with policies and procedures regarding:
   1. The preservation and transfer of records to their successor.
   2. Specified location of employee’s records.
   3. Notification of departure to OGC if employee has been identified as a potential custodian in a litigation hold.

7.14 Contracting Officers (COs) and Contracting Officer Representatives (CORs)

The responsibilities of Contracting Officers and Contracting Officer Representatives include, but are not limited to, the following:

1. Inserting a records management clause in contracts ensuring clarity of records scope, contractor requirements, and adherence to HHS records management policies.
2. Ensuring contractor compliance with records management requirements during contract performance.
3. Ensuring contractors complete mandatory annual records management training.
4. Ensuring a departing contractor complies with policies and procedures regarding:
   1. The preservation, transfer, and delivery of records.
   2. Specified location of contractor’s records.
   3. Notification of departure to OGC if contractor has been identified as a potential custodian in a litigation hold.

Additional guidance on HHS contractor requirements can be found in Appendix C. A template of a general records management clause for use in contracts or similar agreements can be found in Appendix D. Additional guidance and templates can also be found in the HHS Acquisition Regulations (HHSAR).

7.15 HHS Employees, Contractors, Detailees, Interns, and Fellows

The responsibilities of all HHS employees, contractors, detailees, interns, and fellows include, but are not limited to, the following:

1. Creating, receiving, and maintaining records that reflect decisions and actions that document activities for which they are responsible.
2. Organizing files for safe storage, efficient, and effective retrieval.
3. Maintaining personal papers and non-record materials separately from official agency records.
4. Capturing and preserving in the HHS’s email system any electronic messaging records that are not being managed centrally by their servicing OCIO.
5. Managing and safeguarding records in accordance with the guidance provided by their designated OpDiv RO, records management staff, and approved records schedules, including while teleworking or working remotely.
6. Safeguarding records until they are authorized for disposition and reporting any apparent instances of unauthorized disposition to the individual’s supervisor and designated records management staff.
7. Destroying records only in accordance with approved records disposition schedules, and never removing records or non-related materials from the Department without obtaining prior authorization.
8. Completing mandatory annual records management training. any other related training and participating in records management activities such as records clean-up days.
9. If transferring or leaving the Department, consult with supervisor and designated records management staff and follow records management procedures regarding:
   1. The preservation and transfer of records to the custody of their manager, supervisor, or successor.
   2. Identifying the location of their records.
   3. Notification of departure to OGC if identified as a potential custodian in a litigation hold.
10. Providing copies of responsive federal records to the appropriate Freedom of Information Act Official when requested by the public.

7.16 Freedom of Information Act (FOIA) Official

The responsibilities of the Freedom of Information Act (FOIA) Official include, but are not limited to, the following:

1. Routing incoming FOIA requests to the appropriate offices identified as having responsive records.
2. Assisting the responding program offices to clearly ascertain the records requested under the FOIA.
3. Reviewing federal records provided by responding program offices for release to the public under the FOIA.

7.17 OpDiv and StaffDiv Controlled Unclassified Information (CUI) Points of Contact

The responsibilities of the OpDiv and StaffDiv CUI Points of Contacts, include, but are not limited to, the following:

1. Directing and overseeing the OpDiv and StaffDiv CUI Program.
2. Ensuring compliance with the CUI policy and subsequent procedures, standards, and guidelines.

7.18 Office of the General Counsel (OGC)

The responsibilities of the Office of the General Counsel (OGC) include, but are not limited to, the following:

1. Providing legal advice and counseling on records management issues as well as assist in determining the retention of Agency records that may be needed for legal purposes.
2. Notifying OpDivs when suspension on records disposition is needed for litigation holds or other legal matters, the scope of the requests, and when such holds are lifted.
3. Reviewing records disposition schedules for legal sufficiency before submission to NARA.

7.19 Office of Inspector General (OIG)

The responsibilities of the Office of Inspector General (OIG) include, but are not limited to, the following:

1. Assisting in investigating the unauthorized removal or destruction of records or the actual and potential threats to records (e.g., removal, alteration, or deliberate or accidental destruction).

7.20 IT Infrastructure and Operations and System Managers

The responsibilities of IT Infrastructure and Operations and System Managers include, but are not limited to, the following:

1. Working with the OpDiv RO to establish and update records schedules for electronic systems.
2. Ensuring that all phases of the EPLC process comply with HHS Records Management principles and policies.
3. Ensuring that information systems intended to carry out electronic records management align with NARA’s and HHS’s requirements for records stored in an electronic recordkeeping system.
4. Ensuring proper recordkeeping of Authorization to Operate (ATO) approved systems.
5. Maintaining electronic information systems, including capturing metadata in accordance with approved records schedules and NARA requirements.
6. Ensuring system updates and revisions to information systems incorporate NARA and HHS records management requirements.
7. Coordinating the commissioning and decommissioning activities of information systems with the OpDiv RO to ensure preservation of permanent and long-term temporary records in compliance with NARA regulations.
8. Working with the OpDiv ROs to transfer permanent electronic records stored in information systems to the National Archives in accordance with approved records schedules and NARA requirements.
9. Ensuring that HHS internet, intranet, and social media postings containing official records are maintained in accordance with HHS recordkeeping requirements.
10. Conducting system-wide email searches in addition to identifying, collecting, and producing electronically stored information as part of an internal or external investigation, FOIA request, or in response to an access request as needed upon approval of OGC or OCIO.
11. Maintaining an inventory of HHS electronic systems and associated records schedules.
12. Consulting with the HHS Records Management Program during the development of policies and standards in alignment with federal records management laws and regulations.

8. Information and Assistance

The Office of the HHS Chief Data Officer (OCDO) is responsible for the development and management of this Policy. Questions, comments, suggestions, and requests for information about this Policy should be directed to HHSRecordsManagement@hhs.gov.

9. Effective Date and Implementation

The effective date of this Policy is the date on which the policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date. HHS will explicitly follow any new NARA laws and regulations that become in effect before the next update of this Policy.

The HHS CIO has the authority to grant a one (1) year extension of this Policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO.

10. Approval

/S/

Jennifer Wendel, Acting HHS Chief Information Officer (CIO)

February 1, 2024

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

The following procedures are associated with this Policy for section(s):

1. Page 20, Section 6.9. Formal Evaluations
   Procedures to Conduct a Formal Evaluation:
   1) Make a preliminary assessment of the status of their records management program.
   2) Identify major records management problems or challenges within the program area.
   3) Set priorities for program improvements in compliance with relevant federal records management regulations​ and NARA guidance.
   4) Analyze findings to identify successes and challenges related to the assessment topic.
   5) Prepare and submit a comprehensive report to the HHS Records Management Program summarizing the assessment topic, outlining findings and recommendations, as well as highlighting any best practices from participating offices.

Examples of Evaluation Topics and Questions:

1. Program Organization –
   1. Has the program office formally designated a Records Manager or Records Liaison with responsibility for carrying out a records management program?
   2. Does the Records Manager or Records Liaison periodically communicates with the OpDiv Records Officer on the status of records management practices and activities within the program area?
   3. In the event of a program office realignment, is the Records Manager or Records Liaison involved to provide records management guidance on the maintenance and possible transfer of program records?
2. Guidance and Training –
   1. Does the Records Manager or Records Liaison brief incoming and departing employees including senior officials on their records management responsibilities?
   2. Does the Records Manager or Records Liaison provide guidance as required to all employees within the program area on the definition of federal records and non-record materials, including those created using office automation (i.e., email or text messages), and guidance on how the records must be managed and maintained?
   3. Is the Records Manager or Records Liaison aware of regular records management duties on proper records maintenance, filing procedures, and records dispositions?
3. Records Maintenance and Accessibility –
   1. Has the program office established standards and procedures for classifying, indexing, filing, and retrieving electronic records and made them accessible and retrievable to all program employees?
   2. Does the program office have a current file plan indicating records series, description, disposition authority, format, location (name of electronic system), and custodian of the records within the program? Is the file plan updated periodically to reflect new records series or electronic information systems, changes in recordkeeping practices, or changes in programs resulting from legislative or regulatory changes?
   3. Are permanent records identified and maintained separately from temporary records?
4. Records Disposition –
   1. Have existing records disposition schedules been approved 10 years or earlier?
   2. Do records disposition schedules instructions include provisions for:
      a) Cutoffs,
      b) Transfer instructions for all records proposed for permanent retention to NARA,
      c) Specific retention periods before final disposition of all permanent or temporary records within the program area?
   3. Is the program office following disposition instructions for electronic records that require the transfer to NARA of permanent electronic records? Is the program office following disposition instructions for temporary records, regardless of format?

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

The following standards are associated with this Policy for section(s):

1. Page 15, Section 6.2.4. Digitization

2. Digitization Standards –

   OpDivs and StaffDivs must meet the following standards when digitizing temporary records:

   1. Capture all information contained in the original source records.
   2. Include all the pages or parts from the original source records.
   3. Ensure the agency can use the digitized versions for all the purposes the original source records serve, including the ability to attest to transactions and activities.
   4. Protect against unauthorized deletions, additions, or alterations to the digitized versions. Ensure the agency can locate, retrieve, access, and use the digitized versions for the records' entire retention period.

3. Digitization Validation Process –

   OpDivs and StaffDivs must perform the following processes:

   1. Validate that the digitized versions are of suitable quality to replace original source records.
   2. Establish their own validation process or make use of third-party processes to validate that the digitized versions comply with 36 C.F.R. § 1236.32. The process may be project-based or agency-wide policy.
   3. Document the validation process and retain that documentation for the life of the process or the life of any records digitized using that process, whichever is longer.
   4. NARA may review validation documentation as needed.

4. Disposing of Original Source Records –

   1. Upon validation that digitized versions meet the standards in 36 C.F.R. § 1236.32, the original source records may be destroyed pursuant to GRS 4.5, Item 010 (Digitizing Records-Source Records) or an agency-specific records schedule that addresses disposition after digitization, subject to any pending legal constraint on the agency, such as a litigation hold.

   2. Digitized versions, now the recordkeeping versions, must be treated the same way as the original source records. The OpDiv or StaffDiv must retain the digitized versions for the remaining portion of any retention period established by the applicable records schedule.

   3. OpDivs and StafDivs do not need to obtain NARA approval to destroy scheduled temporary original source records they have digitized according to this part.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

The following guidance is associated with this Policy for section(s):

2. Page 28, Section 7.13. Roles and Responsibilities - Contracting Officers (COs) and Contracting Officer Representatives (CORs)

   CONTRACTOR REQUIREMENTS

   This list of Contractor Requirements (CR) establishes the requirements for HHS contractors who create, use, maintain, receive, disseminate, or dispose of HHS records in connection with the performance of HHS-funded tasks or activities. Regardless of the performer of the work, the contractor is responsible for complying with the CR list. The contractor is responsible for the requirements of the document flowing down to sub-contractors at any tier, to the extent necessary to ensure contractor compliance with the requirements.

   1. Completion of mandatory annual records management training to contractor employees to ensure awareness and proper management of HHS records in accordance with applicable records management requirements.
   2. Manage all data created, received, and maintained for the Government by contractors in accordance with the Federal Records Act, the FOIA, and the Privacy Act of 1974.
   3. Establish record keeping requirements that reflect adequate and proper documentation of the contractor’s work on behalf of HHS.
   4. Maintain up-to-date inventories or systems that provide for the identification, location, and retrieval of all categories of records created and received during official business.
   5. Preserve records beyond their approved retention periods when they have been placed under a disposition moratorium for purposes of litigation holds and similar obligations. A disposition moratorium shall be lifted only by the OGC.
   6. Work with the appropriate contracting official and designated records management staff to ensure federal records are identified for turnover and/or delivery at the completion or termination of the contract.
   7. Provide sufficient technical documentation to ensure access to all electronic deliverables or turnovers throughout the records lifecycle.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

The following template is associated with this Policy for section(s):

1. Page 10, Section 6.1.2.5: Agency’s responsibility working with contractors
2. Page 28, Section 7.13: Roles and Responsibilities - Contracting Officers (COs) and Contracting Officer Representatives (CORs)

   The following general clause can be used as a template that agencies can modify to fit the planned type of service and specific agency records management needs. Additional contract language can be found in the HHSAR and on NARA’s web publication, Records Management for Contracts at https://www.archives.gov/records-mgmt/policy/records-mgmt-language.

   General Clause:

   Use of contractor's site and services may require management of federal records. If the contractor holds federal records, the contractor must manage federal records in accordance with all applicable records management laws and regulations, including but not limited to the Federal Records Act (44 U.S.C. Chapters 21, 29, 31, 33), regulations of the National Archives and Records Administration (NARA) at 36 C.F.R. Chapter XII Subchapter B), and this policy. Managing the records includes, but is not limited to, secure storage, retrievability, and proper disposition of all federal records, including transfer of permanently valuable records to NARA in a format and manner acceptable to NARA at the time of transfer. The agency also remains responsible under the laws and regulations cited above for ensuring that applicable records management laws and regulations are complied with through the life and termination of the contract.

   If an agency decides to create or join a private or community cloud, it will still need to meet records management responsibilities. The agencies may describe these responsibilities in agreements among the participating offices or agencies. If a cloud provider ceases to provide services, an agency must continue to meet its records management obligations. Agencies should plan for this contingency. (NARA Bulletin 2010-05: Guidance on Managing Records in Cloud Computing Environments)²¹

Glossary and Acronyms

The following is a list of key terms and acronyms used commonly in records management operations. These are not formal definitions, but rather an explanation of the terms as generally
used pertaining to HHS records management. The list is not exhaustive. For additional definitions, please see NARA Records Management Key Terms and Acronyms.²²

Definitions:

• Access – The availability of, or permission to consult, records.
• Accession – The act and procedures involved in a transfer of legal title and the taking of records into the physical custody of the National Archives.
• Active Records – Records that continue to be used with sufficient frequency to justify keeping them in the office of creation; current records.
• Administrative Records – Documents that are preserved because they facilitate the operations and management of an agency, but do not relate directly to programs that help the agency achieve its mission. These include such documents as the agency budget, personnel, supplies, travel, and training. They are found in every agency, and often (but not always) their dispositions are covered by the General Records Schedules (GRS).
• Alienation – Losing care and custody. Not protecting from loss or unauthorized access.
• Cloud Computing – The National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• Control and Custody of Records – HHS records and materials are the property of the federal government, not the property of individual employees or contractors acting as an agent of the Government and may not be removed from the Department without proper authority. All employees and contractors must maintain records and non-record documentary materials separately from one another.
• Custody – Care and control of records, including both physical possession (physical custody) and legal responsibility (legal custody), unless one or the other is specified.
• Database – A set of data, consisting of a least one data file, that is sufficient for a given purpose.
• Deletion – The removal or erasure of information from electronic devices and storage media.
• Destruction – The disposal of documents of no further value by incineration, maceration, pulping, or shredding.
• Digitizing – The process of converting physical records into digital format.
• Disposal – The action taken regarding temporary records after their retention periods expire and usually consisting of destruction or occasionally of donation. Also, when specified, “disposal” refers to the actions taken regarding non-record materials when no longer needed, especially their destruction.
• Disposition – The action taken concerning records following their appraisal by NARA. The actions include transfer to agency storage facilities or Federal Records Centers; transfer from one federal agency to another; transfer of permanent records to the National Archives; and disposal of temporary records. “Disposition” is also the action taken regarding non-records materials when no longer needed, including screening and destruction.
• Electronic Information System (EIS) – An electronic information system is the organized collection, processing, transmission, and dissemination of information according to defined procedures. EIS includes three categories of information: (1) inputs, (2) the information on the electronic media, and (3) outputs.
• Electronic Mail (E-mail) – A document created or received on an electronic mail system including brief notes, more formal or substantive narrative documents, and any attachments, such as word-processing and other electronic documents, which may be transmitted with the message.
• Electronic Records – Any information that is recorded in a form that only a computer can process, and that satisfies the definition of a federal record (44 U.S.C. § 3301).²³ Electronic records include numeric, graphic and text information, which may be recorded on any medium capable of being read by a computer and which satisfies the definition of a record.
  This includes, but is not limited to, magnetic media, such as tapes and disks, and optical disks. Unless otherwise noted, these requirements apply to all electronic records systems, whether on microcomputers, minicomputers, or mainframe computers, regardless of storage media, in the network or stand-alone configurations.
• Electronic Records Management System (ERMS) – ERMS, often referred to as a records management application (RMA), is an electronic management system in which any agency records, regardless of format (paper, electronic, microform, etc.), are collected, organized, and categorized to facilitate their preservation, retrieval, use, and disposition. An ERMS:
  1. Provides document content, context, and structure.
  2. Ensures authenticity, integrity, and reliability – i.e., contains unchanged, redundant information (prevents unauthorized alternation, modification, concealment, or deletion).
  3. Provides for compliance and disposition – i.e., meets regulations and complies with agency records schedules.
• Enterprise Performance Life Cycle (EPLC) – A methodology that establishes a project management and accountability environment for HHS IT projects to achieve consistently successful outcomes that maximize alignment with Department-wide and individual OPDIV goals and objectives. Implementation of the EPLC methodology allows HHS to improve the quality of project planning and execution, reducing overall project risk.
• Essential Records – Essential records are any records, documents, files or information database in any form or format containing information essential to the operations and survival of an organization. They are needed to conduct essential functions and supporting activities. Essential records are divided into two major categories: (1) Emergency Operating Records are records and databases essential to the continued functioning or the reconstitution of an organization during and after continuity activation. (2) Rights and Interests Records are records critical to carrying out an organization’s essential legal and financial functions and vital to the protection of the legal and financial rights of individuals who are directly affected by that organization’s activities.
• Evaluation – An assessment designed to focus on the real-life experiences and practices agencies have with a specific assessment topic.
• File – A collection of related documents or papers arranged so that they can be consulted easily.
• File Plan – A list designating the physical and/or electronic location(s) at which an agency’s files are to be maintained, the specific types of files to be maintained there, and the organizational element(s) having custodial responsibility. Also: A document containing the identifying number, title or description, and disposition authority of files held in an office.
• General Records Schedules (GRS) – GRS are issued by the Archivist of the United States under the authority of 44 U.S.C 3303a(d)²⁴ to provide disposition authority for records common to several or all federal agencies. The GRS cover records documenting administrative functions rather than program functions. Agencies must apply the GRS to the greatest extent possible.
• HHS Records – For purposes of this Policy, HHS records include not only records that belong to HHS, but records that HHS manages for another federal agency when acting as that agency's service provider or agent.
• Hold – An agency’s temporary suspension of disposition action(s) and notification to its employees to retain records and other documentary materials in the agency’s possession, custody, or control, typically because of litigation or other independent preservation holds. Under a Hold, documentary materials, regardless of record status, format, and of physical location, are required to be retained and not destroyed or otherwise disposed of for as long as a Hold is in place.
• Information System – Is defined by the Office of Management and Budget (OMB) in Circular No. A-130 “…the organized collection, processing, transmission and dissemination of information in accordance with defined procedures, whether automated or manual.”
• Lifecycle – The management concept that records pass through three stages: creation, maintenance and use, and disposition.
• Metadata – Data describing stored data: that is, data describing the structure, data elements, interrelationships, and other characteristics of electronic records.
• Migration – A set of organized tasks designed to achieve periodic transfer of digital materials from one hardware/software configuration to another, or from one generation of computer technology to a subsequent generation.
• Non-Government Employee – Any individual, entity, or affiliate who is not an official HHS employee but contributes to the mission of HHS with their services. Examples of non-government employees include vendors, consultants, and freelancers.
• Non-Record Materials – Non-record materials are documentary materials excluded from the legal definition of records. The United States Code defines “non-record materials” to include material such as unofficial copies of documents kept only for convenience or reference, stocks of publications and near-print documents, and library or museum material intended solely for reference or exhibition.
• Office of the Secretary (OS) – is referenced in this Policy as an OpDiv and includes the StaffDivs and the Offices of the Regions. For records management purposes, the Office of Inspector General is considered a StaffDiv.
• OMB Circular A-130-Management of Federal Information Resources – Establishes policy for the management of federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies. The policies in this Circular apply to the information activities of all agencies of the executive branch of the federal government.
• Operating Division (OpDiv) – A component of HHS that administers a wide variety of health and human services. The Office of the Secretary (OS) is an OpDiv.
• Permanent Records – Record appraised by NARA as having sufficient historical or other value to warrant continued preservation by the federal government beyond the time it is needed for administrative, legal, or fiscal purposes.
• Personal Papers – Documentary materials belonging to an individual that are not used to conduct agency business. Personal papers are excluded from the definition of federal records and are not owned by the Government.
• Program Records – Those records created by each federal agency in performing the unique functions that stem from the distinctive mission of the agency. The agency’s mission is defined in enabling legislation and further delineated in formal regulations.
• Records – Includes all recorded information, regardless of form or characteristics, made or received by a federal agency under federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, function, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them.
  Library and museum material made or acquired and preserved solely for reference or exhibition purposes or duplicate copies of records preserved only for convenience are not included (44 U.S.C. § 3301).²⁵
• Records Disposition Schedule – A document, approved by NARA, which provides authority for the final disposition of temporary or permanent records. Records must not be destroyed except as authorized by an approved records schedule.
• Records Management – The planning, controlling, directing, organizing, training, promoting, and other managerial activities involved with respect to records creation, records maintenance and use, and records disposition in order to achieve adequate and proper documentation of the policies and transactions of the federal government and effective and economical management of agency operations (44 U.S.C. § 2901).²⁶
• Records Retention Schedule – A records retention schedule is a document providing mandatory instructions for what to do with records no longer needed for current Government business, with the provision of authority for the final disposition of recurring or nonrecurring records.
• Reference Material – Must be clearly marked and maintained separately from the records of the office.
• Scheduled Records – Records whose final disposition has been approved by NARA.
• Social Media – Social media tools use Internet and web-based technologies (often called Web 2.0 technologies) to integrate technology, social interaction, and content creation. Social media use the “wisdom of crowds” to connect information in a collaborative manner online. Through social media, individuals or collaborations of individuals create web content, organize content, edit or comment on content, combine content, and share content.
• Staff Division (StaffDiv) – Sub-components of the Office of the Secretary Operating Division (OS OpDiv).
• Temporary Records – Record approved by NARA for disposal after a specified retention period.
• Transfer – The process of moving records from one location to another, especially from office space to off-site storage facilities, from one agency to another, or from an agency office to a Federal Records Center or to NARA.
• Unauthorized Disposal – The improper removal of records without NARA approval or the willful or accidental destruction of records without regard to a NARA approved records schedule. Unauthorized disposition of federal records is against the law and punishable by up to $250,000 in fines and imprisonment. (44 U.S.C. 3106 and 18 U.S.C. 2071)²⁷
• Unscheduled Records – Records whose final disposition has not been approved by NARA. Unscheduled records may not be destroyed or deleted.

Acronyms

• ARO – Agency Records Management Officer
• ASA – Assistant Secretary for Administration
• CFR – Code of Federal Regulations
• CIO – Chief Information Officer
• CISO – Chief Information Security Officer
• CO – Contracting Officer
• COOP – Continuity of Operations
• COR – Contracting Officer Representative
• EPLC – Enterprise Performance Life Cycle
• ERKS – Electronic Recordkeeping System
• ERMS – Electronic Records Management System
• FISMA – Federal Information Security Management Act
• FOIA – Freedom of Information Act
• GAO – Government Accountability Office
• GRS – General Records Schedule
• GSA – General Services Administration
• IT – Information Technology
• NARA – National Archives and Records Administration
• OCIO – Office of the Chief Information Officer
• OGC – Office of General Counsel
• OIG – Office of Inspector General
• OMB – Office of Management and Budget
• OpDiv – Operating Division
• OPM – Office of Personnel Management
• PIM – Privacy Information Management
• RC – Records Custodian
• RL – Records Liaison
• RM – Records Manager
• RMA – Records Management Application
• RO – Records Management Officer
• SAORM – Senior Agency Official for Records Management
• StaffDiv – Staff Division
• U.S.C. – United States Code

Endnotes

¹Definition of Records, 44 U.S.C. § 3301(a)(1)(A) and (B), available at: https://www.law.cornell.edu/uscode/text/44/3301#:~:text=For%20purposes%20of%20paragraph%20(1,in%20digital.

²Paper Reduction Act (PRA), 5 C.F.R. Part 1320.3(d): For purposes of this Policy, a federal grant recipient's collection or maintenance of information or use or operation of an information system will be considered to be "on behalf of" the Department only if such activity is at the specific request of the Department or if the terms and conditions of the grant require specific approval by the Department of the activity or the procedures for same.

³For further information, please see: HHS Policy for Information and Information Technology Procurements - Security and Privacy Language, Version 3.3, available at: https://intranet.hhs.gov/policy/hhs-policy-information-technology-procurements-security-and-privacy-language.

⁴Creation and Maintenance of Federal Records: How are Non-record Materials Managed, 36 C.F.R. Part 1222.16, available at: https://www.ecfr.gov/current/title-36/chapter-XII/subchapter-B/part-1222.

⁵Creation and Maintenance of Federal Records: How are Personal Files Defined and Managed, 36 C.F.R. Part 1222.20, available at: https://www.ecfr.gov/current/title-36/chapter-XII/subchapter-B/part-1222.

⁶HHS Agency Records Retention Schedules - NARA Website, available at: https://www.archives.gov/records-mgmt/rcs/schedules/index.html?dir=/departments/department-of-health-and-human-services.

⁷Records Disposition Programs, 36 C.F.R. Part 1224.10, available at: https://www.ecfr.gov/current/title-36/chapter-XII/subchapter-B/part-1224/section-1224.10.

⁸Agency Recordkeeping Requirements: How Do Agencies Manage Records Created or Received by Contractors, 36 C.F.R. Part 1222.32, available at: https://www.ecfr.gov/current/title-36/chapter-XII/subchapter-B/part-1222/subpart-B/section-1222.32.

⁹NARA Guidance on Records Management for Contracts, available at: https://www.archives.gov/records-mgmt/policy/records-mgmt-language.

¹⁰Federal Records: General, 36 C.F.R. Part 1220.18, available at: https://www.ecfr.gov/current/title-36/chapter-XII/subchapter-B/part-1220.

¹¹NARA Bulletin 2015-04, available at: https://www.archives.gov/records-mgmt/bulletins/2015/2015-04.html.

¹²Metadata Requirements, 36 C.F.R. Part 1236.54, available at: https://www.ecfr.gov/current/title-36/chapter-XII/subchapter-B/part-1236/subpart-E/section-1236.54.

¹³Federal Records Act, as defined in 44 U.S.C. § 2911(c)(1), available at: https://www.archives.gov/about/laws/records-management.html#2911.

¹⁴Electronic Records Management, 36 C.F.R. Part 1236.2 – 1236.58, available at: https://www.ecfr.gov/current/title-36/chapter-XII/subchapter-B/part-1236.

¹⁵Definition of Records, 44 U.S.C. § 3301, available at: https://www.law.cornell.edu/uscode/text/44/3301#:~:text=duplicate%20copies%20of%20records%20preserved%20only%20for%20convenience.&text=For%20purposes%20of%20paragraph%20(1,in%20digital%20or%20electronic%20form.

¹⁶HHS FOIA Offices and Contact Information, available at: https://www.hhs.gov/foia/contacts/index.html.

¹⁷Records Management by Federal Agencies, 44 U.S.C. Chapter 31, available at: https://www.archives.gov/about/laws/fed-agencies.html.

¹⁸Public Money, Property or Records, 18 U.S.C. § 641, available at: https://www.law.cornell.edu/uscode/text/18/641; see also Concealment, Removal, or Mutilation Generally, 18 U.S.C. § 2071, available at: https://www.law.cornell.edu/uscode/text/18/2071.

¹⁹Unlawful or Accidental Removal, Defacing, Alteration, or Destruction of Records, 36 C.F.R. Part 1230.14, available at: https://www.ecfr.gov/current/title-36/chapter-XII/subchapter-B/part-1230.

²⁰OMB/NARA Directive M-19-21, Transition to Electronic Records, available at: https://www.whitehouse.gov/wp-content/uploads/2019/08/M-19-21-new-2.pdf.

²¹NARA Bulletin 2010-05, available at: https://www.archives.gov/records-mgmt/bulletins/2010/2010-05.html.

²²NARA Records Management Key Terms and Acronyms, available at: https://www.archives.gov/files/records-mgmt/rm-glossary-of-terms.pdf.

²³Definition of Records, 44 U.S.C. § 3301, available at: https://www.archives.gov/about/laws/disposal-of-records.html.

²⁴Disposal of Records, 44 U.S.C. § 3303a(d), available at: https://www.archives.gov/about/laws/disposal-of-records.html.

²⁵Definition of Records, 44 U.S.C. § 3301, available at: https://www.archives.gov/about/laws/disposal-of-records.html.

²⁶Records Management by the Archivist of the United States: Definitions, 44 U.S.C. § 2901, available at: https://www.archives.gov/about/laws/fed-agencies.html.

²⁷Concealment, Removal, or Mutilation Generally, 18 U.S.C. § 2071, available at: https://www.govinfo.gov/content/pkg/USCODE-2021-title18/pdf/USCODE-2021-title18-partI-chap101-sec2071.pdf.