LIS

Virginia Law

Administrative Code

Creating a Report: Check the sections you'd like to appear in the report, then use the "Create Report" button at the bottom of the page to generate your report. Once the report is generated you'll then have the option to download it as a pdf, print or email the report.

Virginia Administrative Code
Title 12. Health
Agency 35. Department of Behavioral Health And Developmental Services
Chapter 105. Rules and Regulations for Licensing Providers by the Department of Behavioral Health and Developmental Services
6/28/2025

12VAC35-105-870.  Records management policy.

A. The provider shall develop and implement a written records management policy that describes confidentiality, accessibility, security, and retention of records pertaining to individuals, including:

1. Access, duplication, dissemination, and acquisition of individual information only to persons legally authorized according to federal and state laws;

2. Storage, processing, and handling of active and closed records;

3. Security measures to protect records from loss, unauthorized alteration, inadvertent or unauthorized access, disclosure of information, and transportation of records between service sites;

4. Strategies for service continuity and record recovery from interruptions that result from disasters or emergencies, including contingency plans, electronic or manual back-up systems, and data retrieval systems; and

5. Disposition of records in the event that the service ceases operation. If the disposition of records involves a transfer to another provider, the provider shall have a written agreement with that provider.

B. The records management policy shall be consistent with applicable state and federal laws and regulations related to privacy of health records, including:

1. Section 32.1-127.1:03 of the Code of Virginia;

2. 42 USC § 290dd;

3. 42 CFR Part 2; and

4. The Health Insurance Portability and Accountability Act (Public Law 104-191) and implementing regulations (45 CFR Parts 160, 162, and 164).

C. The policy shall specify what information is available to the individual.

D. Active and closed records shall be kept in areas that are accessible to authorized staff and protected from unauthorized access, fire, and flood.

E. Entries in the individual's record shall be current, dated, and authenticated by the person making the entry. Errors shall be corrected by striking through and initialing.

Statutory Authority

§ 37.2-203 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 18, Issue 18, eff. September 19, 2002; amended, Virginia Register Volume 28, Issue 5, eff. December 7, 2011; Volume 41, Issue 18, eff. June 19, 2025.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.