[Code of Federal Regulations]
[Title 42, Volume 4]
[Revised as of October 1, 2006]
From the U.S. Government Printing Office via GPO Access
[CITE: 42CFR480.115]
[Page 487]

                         TITLE 42--PUBLIC HEALTH

  CHAPTER IV--CENTERS FOR MEDICARE & MEDICAID SERVICES, DEPARTMENT OF
                  HEALTH AND HUMAN SERVICES (CONTINUED)

PART 480--ACQUISITION, PROTECTION, AND DISCLOSURE QUALITY IMPROVEMENT

     Subpart B--Utilization and Quality Control Quality Improvement
                          Organizations (QIOs)

Sec.  480.115  Requirements for maintaining confidentiality.

    (a) Responsibilities of QIO officers and employees. The QIO must
provide reasonable physical security measures to prevent unauthorized
access to QIO information and to ensure the integrity of the
information, including those measures needed to secure computer files.
Each QIO must instruct its officers and employees and health care
institution employees participating in QIO activities of their
responsibility to maintain the confidentiality of information and of the
legal penalties that may be imposed for unauthorized disclosure of QIO
information.

    (b) Responsible individuals within the QIO. The QIO must assign a
single individual the responsibility for maintaining the system for
assuring the confidentiality of information within the QIO review
system. That individual must notify CMS of any violations of these
regulations.

    (c) Training requirements. The QIO must train participants of the
QIO review system in the proper handling of confidential information.

    (d) Authorized access. An individual participating in the QIO review
system on a routine or ongoing basis must not have authorized access to
confidential QIO information unless that individual--
    (1) Has completed a training program in the handling of QIO
information in accordance with paragraph (c) of this section or has
received comparable training from another source; and
    (2) Has signed a statement indicating that he or she is aware of the
legal penalties for unauthorized disclosure.

    (e) Purging of personal identifiers. (1) The QIO must purge or
arrange for purging computerized information, patient records and other
noncomputerized files of all personal identifiers as soon as it is
determined by CMS that those identifiers are no longer necessary.
    (2) The QIO must destroy or return to the facility from which it was
collected confidential information generated from computerized
information, patient records and other noncomputerized files when the
QIO determines that the maintenance of hard copy is no longer necessary
to serve the specific purpose for which it was obtained or generated.

    (f) Data system procedures. The QIO must assure that organizations
and consultants providing data services to the QIO have established
procedures for maintaining the confidentiality of QIO information in
accordance with requirements defined by the QIO and consistent with
procedures established under this part.