(1) Laboratories must control and document access into operation areas (e.g., accessioning, data entry, sample handling, analytical, certification), along with sample storage areas, and records storage areas during both operating and nonworking hours.

(2) Individuals who do not have routine duties in secured areas (with the exception of auditors and emergency personnel) must be escorted, and their entries and exits must be properly documented (i.e., date, time of entry and exit, purpose of visit, and authorized escort).

(3) If a laboratory uses external service provider(s) to perform services on the laboratory's behalf (i.e., records storage, software service provider, or cloud service providers), the laboratory must show due diligence in verifying that the service provider has procedures in place to protect the confidentiality, integrity, and availability of data for the services that they will perform. The laboratory is responsible for ensuring the external service provider is in compliance with applicable requirements.

(4) Samples must be stored in a limited access, secured area.

(5) Only personnel who are assigned to the limited access, secured area can have unescorted access.

(6) Samples may be transported outside a secured area if they are in the custody of an authorized individual who is moving them to another secured location.

(7) Laboratories must maintain physical custody of samples and are not allowed to delegate sample storage to external service providers.

(8) Original hard copy records for reported samples must be maintained in a secure room, area, or file cabinet at all times suitable to prevent damage or deterioration and to prevent loss.

(9) Laboratories may use off-site record storage locations or services if they meet the limited access and security requirements listed above.

(10) The laboratory must establish a system to ensure records are protected from loss or accidental destruction. This could include backup copies of electronic records, cloud storage, or off-site secured storage of back up tapes or disks.

(11) The laboratory must establish a procedure for documenting record retrieval, removal, and disposal assuring destruction is only allowed on records held past the five-year storage requirement.

(12) The laboratory must establish a procedure for securing documents past the five-year storage requirement when specifically requested by the accrediting authority or for legal purposes.