- (a) An independent review organization shall preserve the confidentiality of individual medical records, personal information, and any proprietary information provided by payors. Personal information shall include, at a minimum, name, address, telephone number, social security number and financial information.
- (b) An independent review organization may not disclose or publish individual medical records or other confidential information about a patient without the prior written consent of the patient or as otherwise required by law. An independent review organization may provide confidential information to a third party under contract or affiliated with the independent review organization for the sole purpose of performing or assisting with independent review. Information provided to third parties shall remain confidential.
- (c) The independent review organization may not publish data which identify a particular payor, physician or provider, including any quality review studies or performance tracking data, without prior written consent of the involved payor, physician or provider. This prohibition does not apply to internal systems or reports used by the independent review organization.
- (d) All payor, patient, physician, and provider data shall be maintained by the independent review organization in a confidential manner which prevents unauthorized disclosure to third parties. Nothing in this chapter shall be construed to allow an independent review organization to take actions that violate a state or federal statute or regulation concerning confidentiality of patient records.
- (e) To assure confidentiality, an independent review organization must, when contacting a utilization review agent, a physician's or provider's office, or hospital, provide its certification number and the caller's name and professional qualifications to the provider or the provider's named independent review representative.
- (f) The independent review organization's procedures shall specify that specific information exchanged for the purpose of conducting review will be considered confidential, be used by the independent review organization solely for the purposes of independent review, and be shared by the independent review organization with only those third parties who have authority to receive such information. The independent review organization's plan shall specify the procedures that are in place to assure confidentiality and that the independent review organization agrees to abide by any federal and state laws governing the issue of confidentiality. Summary data which does not provide sufficient information to allow identification of individual patients, providers, payors or utilization review agents need not be considered confidential.
- (g) Medical records and patient-specific information shall be maintained by the independent review organization in a secure area with access limited to essential personnel only.
- (h) Information generated and obtained by the independent review organization in the course of the review shall be retained for at least four years if the information relates to a case for which an adverse decision was made at any point.
- (i) Destruction of documents in the custody of the independent review organization that contain confidential patient information or payor, physician or provider financial data shall be by a method which ensures complete destruction of the information, when the organization determines that the information is no longer needed.
Source Note:The provisions of this §12.208 adopted to be effective November 26, 1997, 22 TexReg 11363.