Confidentiality Policy
Summary
- QIO data is all data acquired by a QIO in carrying out its statutory duties.
- QIO data is protected by its own statute, Section 1160 of the Social Security Act (42 USC Section 1320c-9). This statute states that QIOs are not subject to the provisions of the Freedom of Information Act, and that unauthorized disclosure of QIO information may result in a maximum fine of one thousand dollars and/or imprisonment for not more than six months.
- QIO data is also subject to: 1) the regulations of the Secretary of DHHS, and 2) the Centers for Medicare & Medicaid Services (CMS) guidelines published in Section 10000 of the QIO Manual. SDFMC QIO data is subject to specific restrictions approved by the SDFMC Board of Directors.
- The Project Director of SDFMC, or his designee, is responsible for approving release of all QIO data to ensure conformance with applicable laws, regulations, guidelines, and direction from the SDFMC Board of Directors.
- An individual officer, employee of SDFMC, or member of an SDFMC committee may not access privileged QIO information until they have signed an SDFMC confidentiality statement recognizing their responsibility to hold all data in confidence and are aware of legal penalties which may be assessed for unauthorized disclosure of such data or information.
- Confidential information is defined in 42 CFR 480.101 and includes: 1) information identifying an individual patient, practitioner, institution, or reviewer; 2) sanction reports and recommendations; 3) quality review study results which identify patients, practitioners, or institutions; and 4) QIO deliberations.
- Confidential data is generally not releasable except: to the individuals themselves; to facilities about themselves and their practitioners, to the extent of their practice at that facility; to the state licensing agencies upon specific request; to the Health Care Financing Administration (now CMS) upon request; to the Department of Social Services about Medicaid data; in aggregate groupings containing data from multiple hospitals; and to the facilities about themselves in routine quarterly SDFMC reports.
- Non-confidential information is defined in 42 CFR 480.120 and is basically everything not listed as confidential.
I. Purpose
The purpose of this South Dakota Foundation for Medical Care (SDFMC) confidentiality policy is to establish guidelines for maintaining, using, and releasing QIO data. This confidentiality policy specifies applicable federal law, regulation, and CMS guidelines pertaining to QIO information release and confidentiality; differentiates between confidential and non-confidential QIO data; details the specific responsibilities for confidentiality applicable to SDFMC personnel; describes the restrictions pertaining to release of confidential and non-confidential data; specifies the procedures to be followed in releasing QIO data; describes the security maintenance of QIO confidential data; specifies individuals and organizations having access to this data and the degree and restrictions pertaining to their access; and specifies publication and re-disclosure restrictions applicable to QIO data.
II. Applicable Regulations Pertaining to Confidentiality of QIO Data
A. QIO data is all data acquired by a QIO in carrying out its statutory duties. QIO data is protected by its own statute, Section 1160 of the Social Security Act (42 USC Section 1320c-9). This statute states that QIOs are not subject to the provisions of the Freedom of Information Act, and that unauthorized disclosure of QIO information may result in a maximum fine of one thousand dollars and/or imprisonment for not more than six months.
B. Section 1160 of the Social Security Act also specifies that QIO data is subject to regulations of the Secretary of the Department of Health and Human Services. These DHHS regulations were originally promulgated during 1985 through 1987 based upon proposed PSRO regulations. Current applicable regulations are found in 42 CFR Sections 480.101 through 480.143.
C. Centers for Medicare & Medicaid Services (CMS) guidelines pertaining to protection and disclosure of QIO information were published in the QIO Manual in August 1993. The sections of the QIO Manual pertaining to confidentiality are Section 10000 - Statutory and Regulatory Requirements; Section 10010 - General Requirements; Section 10020 - Non-Confidential Information; Section 10030 - Confidential Information; Section 10040 - Disclosure of QIO Deliberations; Section 10060 - Disclosure of QIO Information Involving Beneficiary Complaints; Section 10070 - Disclosure of QIO Information for Research Purposes; Section 10080 - Disclosure of QIO Sanction Information; and Section 10090 - Redisclosure of QIO Information.
D. The SDFMC Board of Directors is responsible for clarifying applicable laws and regulations as they pertain to the specific confidentiality of information on South Dakota beneficiaries, practitioners, and providers. These clarifications may be found in motions approved by the SDFMC Board of Directors.
III. SDFMC Personnel and Their Responsibilities
It is the responsibility of the Project Director of the SDFMC, or his written authorized designee, to provide an ongoing program for informing officers, employees, and SDFMC committee members of the handling of SDFMC privileged information gathered during QIO activities. The Project Director of SDFMC, or his designee, is responsible for monitoring release of all QIO data by approving each specific release of data to ensure conformance with applicable laws, regulations, guidelines, and direction from the SDFMC Board of Directors. All officers, employees of SDFMC, and members of committees of SDFMC must be made aware of their responsibility to maintain the confidentiality of SDFMC data and information and of the legal penalties which may be assessed for unauthorized disclosure of QIO data or information. An individual officer, employee of SDFMC, or member of an SDFMC committee may not be authorized to access privileged QIO information until that individual has signed a statement indicating that he/she recognizes the responsibility to hold all data in confidence and is aware of legal penalties which may be assessed for unauthorized disclosure of such data or information. The Associate Vice President for Data Processing will be responsible for ensuring data security of SDFMC automated data, to include maintenance of security passwords, restriction of employee access to data files, and design of a system backup program to restore data in the event of loss.
IV. Definitions of Confidential and Non-Confidential
A. Confidential information is defined in 42 CFR 480.101 and includes any of the following:
- Information that explicitly or implicitly identifies an individual patient, practitioner, or reviewer. "Implicitly identifies" means data so unique or numbers so small that identification of an individual patient, practitioner, or reviewer would be obvious. Due to the possibility of implicitly identifying a patient or practitioner from provider-specific profiling of South Dakota hospitals and facilities, the SDFMC Board of Directors has restricted facility-specific release with the exception of information released to the state licensing agencies, to the Centers for Medicare & Medicaid Services, to the Department of Social Services about Medicaid data, and to the facilities about themselves.
- Sanction Reports and Recommendations. "Sanction Report" means a report filed pursuant to Section 1156 of the Social Security Act and defined in CFR Section 474 documenting the QIO's determination that a practitioner or institution has failed to meet obligations imposed by Section 1156 of the Act.
- Quality Review Studies Which Identify Patients, Practitioners, or Institutions. "Quality Review Study" means an assessment, conducted by or for a QIO, of a patient care problem for the purpose of improving patient care through peer analysis, intervention, resolution of the problem, and follow-up. Study data identifying practitioners, patients, or facilities may not be released.
- QIO Deliberations. "QIO Deliberations" means discussions or communications (within a QIO or between a QIO and a QIO subcontractor) including, but not limited to, review notes, minutes of meetings, and any other records of discussions and judgments involving review matters regarding QIO review responsibilities and appeals for QIO determinations, in which the opinions of, or judgment about, a particular individual or institution can be discerned.
B. Non-Confidential Information is defined in 42 CFR 480.120 and includes such things as:
- The norms, criteria, and standards the QIO uses for initial screening of cases, and for other review activities.
- Winning technical proposals for contracts from the Department of Health and Human Services.
- Copies of documents describing administrative procedures agreed to between the QIO and institutions or between a QIO and a Medicare intermediary or Medicare carrier.
- Routine reports submitted by the QIO to the Centers for Medicare & Medicaid Services to the extent that they do not contain confidential information.
- Summaries of the proceedings of QIO regular and other meetings of the governing board and general membership except for portions of the summaries involving QIO deliberations which are confidential information.
- Public information in the QIO's possession.
- Aggregate statistical information that does not implicitly or explicitly identify individual patients, practitioners, or reviewers. (Due to the possibility of implicitly identifying a patient or practitioner from provider-specific profiling of South Dakota hospitals and facilities, the SDFMC Board of Directors has determined that all facility-specific information is deemed confidential.)
- Quality review study information including summaries and conclusions from which the identification of patients, practitioners, and institutions have been deleted.
- Information describing the characteristics of a quality review study, including the study design and methodology.
V. Policy for Disclosure of QIO Data
Data or information acquired by SDFMC in the exercise of its duties and functions as a Peer Review Organization shall be held in confidence and not be disclosed to any person except when a "need to know" has been established in writing. SDFMC will not disclose any QIO information which may identify specific providers, practitioners, patients, or reviewers except under the following exceptions, which are defined under applicable laws, regulations, and CMS guidelines and which have been approved by the SDFMC Board of Directors:
- SDFMC will disclose QIO data and information to assist federal and state agencies recognized by the Secretary of the Department of Health and Human Services as having responsibility for identifying and investigating cases for patterns of fraud or abuse, only at the written request of such agency relating to a specifically defined case or pattern. This disclosure will be made in accordance with Section 42 CFR 480.137.
- SDFMC, at its discretion, will disclose QIO data to the appropriate federal and state agency recognized by the Secretary of the Department of Health and Human Services as having responsibility for identifying cases or patterns involving risks to the public health, relating to a specific case or pattern with respect to which there is a reasonable belief by SDFMC that there may be a substantial risk to the public health. This disclosure will be made in accordance with Section 42 CFR 480.138(2).
- SDFMC will disclose QIO data and information to assist appropriate state agencies recognized by the Secretary of the Department of Health and Human Services as having responsibility for licensing or certification of providers or practitioners, which data and information will be provided by SDFMC at the specific request of such agencies relating to a specific case, but only to the extent as such data and information is required by the agency in carrying out a function that is within the jurisdiction of such agency under state law. This disclosure will be made in accordance with Section 42 CFR 480.138(1).
- Patient medical records in the possession of SDFMC are not subject to subpoena or discovery in a civil action, including administrative, judicial, or arbitration proceedings, with the exceptions stated in 42 CFR 480.138(A)(3). This restriction does not apply to the Department of Health and Human Services, including the Inspector General; to administrative subpoenas issued in the course of audits and investigations of Department programs; to administrative hearings held under the Social Security Act; or to disclosure to the General Accounting Office as necessary to carry out its statutory responsibilities.
- SDFMC may release facility-specific information to providers about themselves. In accordance with 42 CFR 480.140(2), SDFMC may disclose information with identifiers of patients, practitioners, or institutions to an institution or practitioner if the information is limited to health care services furnished by the institution or practitioner.
- Because of the possibility of implicitly identifying a practitioner from the facility-specific profiles, SDFMC may not release facility-specific profiles about one provider to another provider. Facility-specific data for comparative purposes may only be released for hospital groupings of facilities of similar size and description.
VI. Notice of Disclosure Made by the QIO
A. Notification for disclosure of facility-specific or practitioner-specific nonconfidential information. At least 30 calendar days before disclosure of nonconfidential information, SDFMC must notify the institution/practitioner of its intent to disclose information about the institution/practitioner, and provide the institution/practitioner with a copy of the information. The institution/practitioner may submit comments to SDFMC. These comments must be attached to the information disclosed if received before disclosure, or forwarded separately if received after disclosure. Exceptions to this requirement are reports routinely submitted to CMS, to Medicare fiscal intermediaries, or to the institution.
B. Notification for disclosure of patient-specific confidential information. The QIO must notify the practitioner who has treated the patient of a request for disclosure to the patient or patient representative in accordance with the requirements for disclosure specified under 42 CFR 480.132.
C. Exceptions to QIO notice requirements.
- If SDFMC determines that the requested information is necessary to protect against an imminent danger to individuals or the public health, the notification may be sent simultaneously with the disclosure.
- The notification requirement does not apply if the disclosure is made in an investigation of fraud or abuse by the Office of the Inspector General or the General Accounting Office, or the disclosure is made in an investigation of fraud or abuse by any other federal or state fraud or abuse agency and the investigative agency specified in writing that the information is related to a potentially prosecutable criminal offense.
VII. Research, Publication and Redisclosure
A. Research entities acting as employees or subcontractors of DHHS may have access to SDFMC confidential information when it is needed to accomplish the Department's objectives. Such requests must include a written directive from CMS. This confidential information is releasable in accordance with the guidelines, restrictions, and procedures of 42 CFR 480.138(a)(1).
B. Release of research and statistical information to other entities must adhere to the following guidelines:
- A written request for such data, including authorization from CMS as applicable.
- A written research proposal demonstrating a definite "need to know" and the validity of the proposed study.
- The written approval of the Project Director or his designee.
- Data to be released shall not in any way identify individual patients, practitioners, or providers directly or indirectly nor in any way violate the privileged or confidential nature of the relationship and communications between practitioner and patient.
- Notification to the requester that redisclosure of confidential information is limited under regulation 42 CFR 480.107, a copy of which section will be provided to the requester. Recipients of QIO confidential information may redisclose information about themselves only provided the redisclosure does not explicitly or implicitly identify another individual.
C. When approval is given to a person or organization to publish SDFMC data, the Project Director or his designee shall take all reasonable precautions to assure that no data made available for independent analysis and/or publication will be used in a way that might reasonably be expected to prejudice any individual's character, qualifications, rights, opportunities, or benefits.
VIII. Legal Requests for Information
A. In the event of the issuance of a subpoena for any confidential information or for any SDFMC representative to testify concerning any provider or recipient, the court's attention will be called, through proper channels, to the statutory provisions and the policies, or rules and regulations, against disclosure of information.
B. The same policies are applied to requests for information from a governmental authority, the courts, or a law enforcement official as from any other outside source. However, in accordance with 42 CFR 480.138(b), SDFMC will not withhold subpoenaed data from DHHS or CMS.
C. Deliberations at any level of SDFMC concerning patients and/or providers which serve as a basis of SDFMC decisions shall not be disclosed, except to CMS per 42 CFR 480.139.
IX. Data Security
There is no such thing as perfect security. Most organizations achieve a level of protection appropriate to their needs. The objectives of data security are to limit access to SDFMC confidential data to individuals permitted access; to reduce the risk and probability of loss to the lowest affordable level; and to be able to implement a full data recovery program if a loss occurs.
A. SDFMC will attempt to achieve the highest degree of confidentiality possible by adhering to the following policies as a minimum:
- Only specifically identified professional reviewers and staff will be authorized to review medical data. Electronic data files will be restricted to SDFMC employees with dual password protection.
- All confidential records (including copies of claims, printouts, analyses, etc.) to be disposed of will be destroyed by shredding, incineration, or burial.
- All persons to whom an offer of employment is tendered will be informed prior to employment of the confidentiality of data and the rules and regulations pertaining to that data.
- All employees of SDFMC will reaffirm their awareness and agreement with the SDFMC regulations regarding the confidentiality of data at least every six months by signing the Employee Understanding of Confidentiality.
- Any employee of SDFMC will be subject to immediate termination for violation of SDFMC policies regarding confidentiality.
- All subcontractors of SDFMC must agree to abide by SDFMC regulations regarding confidentiality of data as part of the subcontract.
- Any subcontractor of SDFMC which stores, maintains, or processes confidential data from SDFMC must satisfy SDFMC that the computer data bank limits the output of the confidential information to those persons who are duly authorized by SDFMC.
B. Electronic Data Backup and Recovery
- All confidential electronic files, and other files necessary to the mission of SDFMC, will be backed up in such a manner as to allow recovery in the event of data loss. Backup tapes will be stored off-site at a secure site to ensure data recovery in the event of fire or destruction of the SDFMC offices.
- SDFMC has provided backup data processing equipment to reduce system down-time to two working days in the event of hardware failure.
- SDFMC management has determined that in the event of total loss of SDFMC data processing due to fire or destruction of SDFMC offices, the data processing system shall be restored within three weeks of such loss. This amount of time will permit SDFMC to comply with CMS reporting requirements. No alternative data processing facilities need be designated or contracted for.
X. Notification to Individuals
A. SDFMC will notify the citizens of South Dakota prior to initiating review with respect to the plan, scope, and purposes of the SDFMC.
B. Further, SDFMC will:
- Allow an individual or institution which is the subject of data in the system to ascertain the accuracy of the data and information contained therein and to contest the accuracy of that data.
- Permit such data to be corrected or amended where existing data is demonstrably incorrect.
- Provide to individual patients and providers, upon written request and payment of the cost of production or reproduction, copies of their files in accordance with 42 CFR 480.132. Information identifying any other individual will be redacted from the information provided to the individual patient.
- Notify the physicians of record, in writing, at least 15 working days prior to patient access of their individual records; and permit the physician of record or his designee, upon written request, to be present when a patient has access to his or her individual file.
© 2008 South Dakota Foundation for Medical Care, All Rights Reserved