Sec. 38a-591-3 - Confidentiality
§ 38a-591-3. Confidentiality
(a) Each utilization review company shall comply with the provisions of this section as well as all applicable federal and state laws to protect the confidentiality of patient medical records. Each utilization review company shall:
(1) Secure each case file by assigning case identification numbers to all utilization review requests, and use such numbers in lieu of personally identifiable information, whenever feasible.
(2) Ensure that all paper copies of files are reasonably secured in appropriate storage facilities.
(3) Maintain appropriate written procedures for the requesting, maintenance, and disposition of patient medical records.
(4) Develop and maintain specifications indicating when and by whom the release of patient medical records is permitted.
(5) Ensure that all utilization review business operations are reasonably secured during non-business hours.
(6) Require all employees with access to patient medical records to sign a confidentiality statement, to be maintained on file by the company, in which the employee acknowledges the confidential nature of such information.
(7) Maintain a written policy stipulating sanctions for an employee's unauthorized disclosure of patient medical records, up to and including termination of employment.
(8) Maintain procedures for limiting access to computer files containing patient medical records through passwords, restricted functions and computer terminal security.
(9) Develop and maintain procedures to address the security of all patient medical records that are transferred by facsimile, which shall include:
(i) A statement in all facsimile transmission cover sheets that such data is confidential and is limited specifically for use by the company in making a utilization review determination; and
(ii) Security procedures governing the use of facsimile transmissions, specifying restricted access to such transmissions, the extent of such information that may be released, and the placement of the facsimile machine in a reasonably secured or isolated area.
(b) Summary and aggregate data shall not be considered confidential if it does not provide sufficient information to allow identification of individual patients.(Effective September 4, 2012)
The following state regulations pages link to this page.