|(a) Confidentiality requirements. To ensure confidentiality,
a URA must, when contacting a physician's, doctor's, or other health
care provider's office, provide its certification number, name, and
(1) If requested by the physician, doctor, or other
health care provider, the URA must present written documentation that
it is acting as an agent of the payor for the relevant enrollee.
(2) Medical records and enrollee specific information
must be maintained by the URA in a secure area with access limited
to essential personnel only.
(3) A URA must retain information generated and obtained
by a URA in the course of utilization review for at least four years.
(4) A URA's charges for providing a copy of recorded
personal information to individuals may not exceed 10 cents per page
and may not include any costs that are otherwise recouped as part
of the charge for utilization review.
(b) Written procedures on confidentiality.
(1) The URA must specify in writing the procedures
that the URA will implement pertaining to confidentiality of information
received from the enrollee; the individual acting on behalf of the
enrollee; and the physician, doctor, or other health care provider
and the information exchanged between the URA and third parties for
conducting utilization review. These procedures must specify that:
(A) specific information received from the enrollee;
the individual acting on behalf of the enrollee; and the physician,
doctor, or other health care provider and the information exchanged
between the URA and third parties for conducting reviews will be considered
confidential, be used by the review agent solely for utilization review,
and be shared by the URA with only those third parties who have authority
to receive the information, for example, the claim administrator;
(B) the URA has procedures in place to address confidentiality
and that the URA agrees to abide by any federal and state laws governing
(2) Summary data which does not provide sufficient
information to allow identification of individual enrollees, physicians,
doctors, or other health care providers is not considered confidential.