[Code of Federal Regulations]
[Title 42, Volume 3]
[Revised as of October 1, 2004]
From the U.S. Government Printing Office via GPO Access
[CITE: 42CFR480.115]

[Page 472]
 
                         TITLE 42--PUBLIC HEALTH
 
  CHAPTER IV--CENTERS FOR MEDICARE & MEDICAID SERVICES, DEPARTMENT OF 
                  HEALTH AND HUMAN SERVICES (CONTINUED)
 
PART 480_ACQUISITION, PROTECTION, AND DISCLOSURE OF QUALITY IMPROVEMENT 
ORGANIZATION INFORMATION--Table of Contents
 
     Subpart B_Utilization and Quality Control Quality Improvement 
                          Organizations (QIOs)
 
Sec. 480.115  Requirements for maintaining confidentiality.

    (a) Responsibilities of QIO officers and employees. The QIO must 
provide reasonable physical security measures to prevent unauthorized 
access to QIO information and to ensure the integrity of the 
information, including those measures needed to secure computer files. 
Each QIO must instruct its officers and employees and health care 
institution employees participating in QIO activities of their 
responsibility to maintain the confidentiality of information and of the 
legal penalties that may be imposed for unauthorized disclosure of QIO 
information.
    (b) Responsible individuals within the QIO. The QIO must assign a 
single individual the responsibility for maintaining the system for 
assuring the confidentiality of information within the QIO review 
system. That individual must notify CMS of any violations of these 
regulations.
    (c) Training requirements. The QIO must train participants of the 
QIO review system in the proper handling of confidential information.
    (d) Authorized access. An individual participating in the QIO review 
system on a routine or ongoing basis must not have authorized access to 
confidential QIO information unless that individual--
    (1) Has completed a training program in the handling of QIO 
information in accordance with paragraph (c) of this section or has 
received comparable training from another source; and
    (2) Has signed a statement indicating that he or she is aware of the 
legal penalties for unauthorized disclosure.
    (e) Purging of personal identifiers. (1) The QIO must purge or 
arrange for purging computerized information, patient records and other 
noncomputerized files of all personal identifiers as soon as it is 
determined by CMS that those identifiers are no longer necessary.
    (2) The QIO must destroy or return to the facility from which it was 
collected confidential information generated from computerized 
information, patient records and other noncomputerized files when the 
QIO determines that the maintenance of hard copy is no longer necessary 
to serve the specific purpose for which it was obtained or generated.
    (f) Data system procedures. The QIO must assure that organizations 
and consultants providing data services to the QIO have established 
procedures for maintaining the confidentiality of QIO information in 
accordance with requirements defined by the QIO and consistent with 
procedures established under this part.