Each utilization review company shall
comply with the provisions of this section as well as all applicable federal
and state laws to protect the confidentiality of patient medical records. Each
utilization review company shall:
each case file by assigning case identification numbers to all utilization
review requests, and use such numbers in lieu of personally identifiable
information, whenever feasible.
Ensure that all paper copies of files are reasonably secured in appropriate
appropriate written procedures for the requesting, maintenance, and disposition
of patient medical records.
Develop and maintain specifications indicating when and by whom the release of
patient medical records is permitted.
(5) Ensure that all utilization review
business operations are reasonably secured during non-business hours.
(6) Require all employees with access to
patient medical records to sign a confidentiality statement, to be maintained
on file by the company, in which the employee acknowledges the confidential
nature of such information.
Maintain a written policy stipulating sanctions for an employee's unauthorized
disclosure of patient medical records, up to and including termination of
(8) Maintain procedures
for limiting access to computer files containing patient medical records
through passwords, restricted functions and computer terminal
Develop and maintain
procedures to address the security of all patient medical records that are
transferred by facsimile, which shall include:
(i) A statement in all facsimile transmission
cover sheets that such data is confidential and is limited specifically for use
by the company in making a utilization review determination; and
(ii) Security procedures governing the use of
facsimile transmissions, specifying restricted access to such transmissions,
the extent of such information that may be released, and the placement of the
facsimile machine in a reasonably secured or isolated area.
(b) Summary and
aggregate data shall not be considered confidential if it does not provide
sufficient information to allow identification of individual