(a) An IRO must preserve the confidentiality of individual
medical records, personal information, and any proprietary information
provided by payors. Personal information includes name, address, telephone
number, social security number, and financial information.
(b) An IRO is prohibited from publicly disclosing patient
information protected by the Health Insurance Portability and Accountability
Act of 1996 (42 U.S.C. Section 1320d et seq.), or transmitting the
information to a subcontractor involved in the independent review
process that has not signed an agreement similar to the business associate
agreement required by regulations adopted under the Health Insurance
Portability and Accountability Act of 1996.
(c) An IRO may not disclose or publish individual medical
records or other confidential information about a patient without
the prior written consent of the patient or as otherwise provided
by law, including the Health Insurance Portability and Accountability
Act of 1996, if applicable. An IRO may provide confidential information
to a provider who is under contract with the IRO for the sole purpose
of performing or assisting with independent review. Information provided
to a provider who is under contract to perform a review must remain
confidential.
(d) The IRO may not publish data identifying a particular
payor, physician, or provider, including any quality review studies
or performance tracking data, without prior written consent of the
involved payor, physician, or provider. This prohibition does not
apply to internal systems or reports used by the IRO.
(e) All payor, patient, physician, and provider data
must be maintained by the IRO in a confidential manner that prevents
unauthorized disclosure to third parties. Nothing in this chapter
allows an IRO to take actions that violate state or federal statutes
or regulations concerning confidentiality of patient records.
(f) To ensure confidentiality, an IRO must, when contacting
a utilization review agent, a physician's or provider's office, or
a hospital, provide its certificate of registration number and the
caller's name and professional qualifications to the provider or the
provider's named independent review representative.
(g) The IRO's procedures must specify that specific
information exchanged for the purpose of conducting a review will
be considered confidential, be used by the IRO solely for the purposes
of independent review, and may be shared by the IRO only with a provider
who is under contract with the IRO to perform an independent review.
The IRO's plan must specify the procedures in place to ensure confidentiality
and must acknowledge that the IRO agrees to abide by any federal and
state laws governing the issue of confidentiality. Summary data that
does not provide sufficient information to allow identification of
individual patients, providers, payors, or utilization review agents
is not confidential.
(h) Medical records and patient-specific information
must be maintained by the IRO in a secure area with access limited
to essential personnel only. IROs must transmit and store records
in compliance with the Health Insurance Portability and Accountability
Act of 1996.
(i) Information generated and obtained by the IRO in
the course of the review must be retained for at least four years.
This requirement is not negated by the suspension or surrender of
the IRO's certificate of registration or the failure to renew the
certificate of registration.
(j) Destruction of documents in the custody of the
IRO that contain confidential patient information or payor, physician,
or provider financial data must be by a method that ensures complete
destruction of the information when the organization determines that
the information is no longer needed.
Source Note: The provisions of this §12.208 adopted to be effective November 26, 1997, 22 TexReg 11363; amended to be effective December 26, 2010, 35 TexReg 11281; amended to be effective July 7, 2015, 40 TexReg 2538