480.115—Requirements for maintaining confidentiality.
(a) Responsibilities of QIO officers and employees.
The QIO must provide reasonable physical security measures to prevent unauthorized access to QIO information and to ensure the integrity of the information, including those measures needed to secure computer files. Each QIO must instruct its officers and employees and health care institution employees participating in QIO activities of their responsibility to maintain the confidentiality of information and of the legal penalties that may be imposed for unauthorized disclosure of QIO information.
(b) Responsible individuals within the QIO.
The QIO must assign a single individual the responsibility for maintaining the system for assuring the confidentiality of information within the QIO review system. That individual must notify CMS of any violations of these regulations.
(c) Training requirements.
The QIO must train participants of the QIO review system in the proper handling of confidential information.
(d) Authorized access.
An individual participating in the QIO review system on a routine or ongoing basis must not have authorized access to confidential QIO information unless that individual—
(1)
Has completed a training program in the handling of QIO information in accordance with paragraph (c) of this section or has received comparable training from another source; and
(2)
Has signed a statement indicating that he or she is aware of the legal penalties for unauthorized disclosure.
(e) Purging of personal identifiers.
(1)
The QIO must purge or arrange for purging computerized information, patient records and other noncomputerized files of all personal identifiers as soon as it is determined by CMS that those identifiers are no longer necessary.
(2)
The QIO must destroy or return to the facility from which it was collected confidential information generated from computerized information, patient records and other noncomputerized files when the QIO determines that the maintenance of hard copy is no longer necessary to serve the specific purpose for which it was obtained or generated.
(f) Data system procedures.
The QIO must assure that organizations and consultants providing data services to the QIO have established procedures for maintaining the confidentiality of QIO information in accordance with requirements defined by the QIO and consistent with procedures established under this part.