D.C. Mun. Regs. tit. 22-A, § 8022
8022.1 A program shall retain individuals' records (either original or accurate reproductions) until all litigation, adverse audit findings, or both, are resolved. If no such conditions exist, a program shall retain individuals' records for at least ten (10) years after the individual's discharge.
8022.2 Records of minors shall be kept for at least ten (10) years after the minor has reached the age of eighteen (18) years.
8022.3 The provider shall establish a Document Retention Schedule with all medical records retained in accordance with Federal and District laws and regulations.
8022.4 The provider shall give the individual or legal guardian a written statement concerning individual's rights and responsibilities ("Rights Statement") in the program during orientation. The individual or guardian shall sign the statement attesting that they understand their rights and responsibilities. A provider staff member shall be available to answer an individual or legal guardian's questions about the Rights Statement and to witness the individual's or guardian's signature. This document shall be placed in the individual's record.
8022.5 If program records are maintained on computer systems, the system shall:
(a) Have a backup system to safeguard the records in the event of operator or equipment failure, natural disasters, power outages, and other emergency situations;
(b) Identify the name of the person making each entry into the record;
(c) Be secure from inadvertent or unauthorized access to records in accordance with HIPAA, the D.C. Mental Health Information Act, 42 CFR Part 2 (if applicable), and all Federal and District laws and regulations regarding the confidentiality of individual records;
(d) Limit access to providers who are involved in the care of the individual and who have permission from the individual to access the record; and
(e) Create an electronic trail when data is released.
8022.6 A program shall maintain records that safeguard confidentiality in the following manner:
(a) Records shall be stored with access controlled and limited to authorized staff and authorized agents of the Department;
8022.7 Any records that are retained off-site must be kept in accordance with this chapter. If an outside vendor is used, the provider must submit the vendor’s name, address, and telephone number to the Department.
SOURCE: Final Rulemaking published at 68 DCR 1623 (February 5, 2021).