- (a) An independent review organization shall preserve the confidentiality of individual medical records, personal information, and any proprietary information provided by payors. Personal information shall include, at a minimum, name, address, telephone number, social security number and financial information.
- (b) An independent review organization may not disclose or publish individual medical records or other confidential information about a patient without the prior written consent of the patient or as otherwise provided by law. An independent review organization may provide confidential information to a provider who is under contract with the independent review organization for the sole purpose of performing or assisting with independent review. Information provided to a provider who is under contract to perform a review shall remain confidential.
- (c) The independent review organization may not publish data which identify a particular payor, physician or provider, including any quality review studies or performance tracking data, without prior written consent of the involved payor, physician or provider. This prohibition does not apply to internal systems or reports used by the independent review organization.
- (d) All payor, patient, physician, and provider data shall be maintained by the independent review organization in a confidential manner which prevents unauthorized disclosure to third parties. Nothing in this chapter shall be construed to allow an independent review organization to take actions that violate a state or federal statute or regulation concerning confidentiality of patient records.
- (e) To assure confidentiality, an independent review organization must, when contacting a utilization review agent, a physician's or provider's office, or hospital, provide its certificate number and the caller's name and professional qualifications to the provider or the provider's named independent review representative.
- (f) The independent review organization's procedures shall specify that specific information exchanged for the purpose of conducting review will be considered confidential, be used by the independent review organization solely for the purposes of independent review, and be shared by the independent review organization with only a provider who is under contract with the independent review organization to perform independent review. The independent review organization's plan shall specify the procedures that are in place to assure confidentiality and shall acknowledge that the independent review organization agrees to abide by any federal and state laws governing the issue of confidentiality. Summary data that does not provide sufficient information to allow identification of individual patients, providers, payors or utilization review agents need not be considered confidential.
- (g) Medical records and patient-specific information shall be maintained by the independent review organization in a secure area with access limited to essential personnel only.
- (h) Information generated and obtained by the independent review organization in the course of the review shall be retained for at least four years. This requirement is not negated by the suspension or surrender of the independent review organization's certificate of registration or the failure to renew the certificate of registration.
- (i) Destruction of documents in the custody of the independent review organization that contain confidential patient information or payor, physician or provider financial data shall be by a method which ensures complete destruction of the information, when the organization determines that the information is no longer needed.
Source Note:The provisions of this §12.208 adopted to be effective November 26, 1997, 22 TexReg 11363; amended to be effective December 26, 2010, 35 TexReg 11281.