28 Tex. Admin. Code § 12.208 - Confidentiality
(a) An IRO must preserve the confidentiality
of individual medical records, personal information, and any proprietary
information provided by payors. Personal information includes name, address,
telephone number, social security number, and financial information.
(b) An IRO is prohibited from publicly
disclosing patient information protected by the Health Insurance Portability
and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), or transmitting the
information to a subcontractor involved in the independent review process that
has not signed an agreement similar to the business associate agreement
required by regulations adopted under the Health Insurance Portability and
Accountability Act of 1996.
(c) An IRO may not disclose or publish individual medical records or other
confidential information about a patient without the prior written consent of
the patient or as otherwise provided by law, including the Health Insurance
Portability and Accountability Act of 1996, if applicable. An IRO may provide
confidential information to a provider who is under contract with the IRO for
the sole purpose of performing or assisting with independent review.
Information provided to a provider who is under contract to perform a review
must remain confidential.
(d) The IRO may not publish data identifying a particular payor, physician, or
provider, including any quality review studies or performance tracking data,
without prior written consent of the involved payor, physician, or provider.
This prohibition does not apply to internal systems or reports used by the
IRO.
(e) All payor, patient,
physician, and provider data must be maintained by the IRO in a confidential
manner that prevents unauthorized disclosure to third parties. Nothing in this
chapter allows an IRO to take actions that violate state or federal statutes or
regulations concerning confidentiality of patient records.
(f) To ensure confidentiality, an IRO must,
when contacting a utilization review agent, a physician's or provider's office,
or a hospital, provide its certificate of registration number and the caller's
name and professional qualifications to the provider or the provider's named
independent review representative.
(g) The IRO's procedures must specify that
specific information exchanged for the purpose of conducting a review will be
considered confidential, be used by the IRO solely for the purposes of
independent review, and may be shared by the IRO only with a provider who is
under contract with the IRO to perform an independent review. The IRO's plan
must specify the procedures in place to ensure confidentiality and must
acknowledge that the IRO agrees to abide by any federal and state laws
governing the issue of confidentiality. Summary data that does not provide
sufficient information to allow identification of individual patients,
providers, payors, or utilization review agents is not confidential.
(h) Medical records and patient-specific
information must be maintained by the IRO in a secure area with access limited
to essential personnel only. IROs must transmit and store records in compliance
with the Health Insurance Portability and Accountability Act of 1996.
(i) Information generated and obtained by the
IRO in the course of the review must be retained for at least four years. This
requirement is not negated by the suspension or surrender of the IRO's
certificate of registration or the failure to renew the certificate of
registration.
(j) Destruction of
documents in the custody of the IRO that contain confidential patient
information or payor, physician, or provider financial data must be by a method
that ensures complete destruction of the information when the organization
determines that the information is no longer needed.