General Provisions
§ 480.101 - Scope and definitions.
(a) Scope. This subpart sets forth the policies and procedures governing—
(1) Disclosure of information collected, acquired or generated by a Utilization and Quality Control Quality Improvement Organization (QIO) (or the review component of a QIO subcontractor) in performance of its responsibilities under the Act and these regulations; and
(2) Acquisition and maintenance of information by a QIO to comply with its responsibilities under the Act.
(b) Definitions. As used in this part:
Abuse means any unlawful conduct relating to items or services for which payment is sought under Title XVIII of the Act.
Aggregate statistical data means any utilization, admission, discharge or diagnostic related group (DRG) data arrayed on a geographic, institutional or other basis in which the volume and frequency of services are shown without identifying any individual.
Confidential information means any of the following:
(1) Information that explicitly or implicitly identifies an individual patient, practitioner or reviewer.
(2) Sanction reports and recommendations.
(3) Quality review studies which identify patients, practitioners or institutions.
(4) QIO deliberations.
Health care facility or facility means an organization involved in the delivery of health care services or items for which reimbursement may be made in whole or in part under Title XVIII of the Act.
Implicitly identify(ies) means data so unique or numbers so small so that identification of an individual patient, practitioner or reviewer would be obvious.
Non-facility organization means a corporate entity that: (1) Is not a health care facility; (2) is not a 5 percent or more owner of a facility; and (3) is not owned by one or more health care facilities in the QIO area.
Patient representative means—(1) an individual designated by the patient, in writing, as authorized to request and receive QIO information that would otherwise be disclosable to that patient; or (2) an individual identified by the QIO in accordance with § 480.132(c)(3) when the beneficiary is mentally, physically or legally unable to designate a representative.
Practitioner means an individual credentialed within a recognized health care discipline and involved in providing the services of that discipline to patients.
Public information means information which has been disclosed to the public.
QIO deliberations means discussions or communications (within a QIO or between a QIO and a QIO subcontractor) including, but not limited to, review notes, minutes of meetings and any other records of discussions and judgments involving review matters regarding QIO review responsibilities and appeals from QIO determinations, in which the opinions of, or judgment about, a particular individual or institution can be discerned.
QIO information means any data or information collected, acquired or generated by a QIO in the exercise of its duties and functions under Title XI Part B or Title XVIII of the Act.
QIO interpretations and generalizations on the quality of health care means an assessment of the quality of care furnished by an individual provider or group of providers based on the QIO's knowledge of the area gained from its medical review experience (e.g., quality review studies) and any other information obtained through the QIO's review activities.
QIO review system means the QIO and those organizations and individuals who either assist the QIO or are directly responsible for providing medical care or for making determinations with respect to the medical necessity, appropriate level and quality of health care services that may be reimbursed under the Act. The system includes—
(1) The QIO and its officers, members and employees;
(2) QIO subcontractors;
(3) Health care institutions and practitioners whose services are reviewed;
(4) QIO reviewers and supporting staff;
(5) Data support organizations; and
(6) CMS.
Quality review study means an assessment, conducted by or for a QIO, of a patient care problem for the purpose of improving patient care through peer analysis, intervention, resolution of the problem and follow-up.
Quality review study information means all documentation related to the quality review study process.
Reviewer means review coordinator, physician, or other person authorized to perform QIO review functions.
Sanction report means a report filed pursuant to section 1156 of the Act and part 474 of this chapter documenting the QIO's determination that a practitioner or institution has failed to meet obligations imposed by section 1156 of the Act.
Shared health data system means an agency or other entity authorized by Federal or State law that is used by the QIO review system to provide information or to conduct or arrange for the collection, processing, and dissemination of information on health care services.
Subcontractor means a facility or a non-facility organization under contract with a QIO to perform QIO review functions.
§ 480.102 - Statutory bases for acquisition and maintenance of information.
(a) Section 1154(a)(7)(C) of the Act requires QIOs to the extent necessary and appropriate to examine the pertinent records of any practitioner or provider of health care services for which payment may be made under Title XVIII of the Act.
(b) Section 1154(a)(9) of the Act requires QIOs to collect and maintain information necessary to carry out their responsibilities under the Act.
(c) Section 1156(a)(3) of the Act requires health care practitioners and providers to maintain evidence of the medical necessity and quality of health care services they provide to Medicare patients as required by QIOs.
§ 480.103 - Statutory bases for disclosure of information.
(a) Section 1154(a)(10) of the Act requires QIOs to exchange information with intermediaries and carriers with contracts under sections 1816 and 1842 of the Act, other QIOs, and other public or private review organizations as appropriate.
(b) Section 1160 of the Act provides that QIO information must be held in confidence and not be disclosed except where—
(1) Necessary to carry out the purpose of Title XI Part B of the Act;
(2) Specifically permitted or required under this subpart;
(3) Necessary, and in the manner prescribed under this subpart, to assist Federal and State agencies recognized by the Secretary as having responsibility for identifying and investigating cases or patterns of fraud or abuse;
(4) Necessary, and in the manner prescribed under the subpart to assist Federal or State agencies recognized by the Secretary as having responsibility for identifying cases or patterns involving risks to the public health;
(5) Necessary, and in the manner prescribed under this subpart, to assist appropriate State agencies having responsibility for licensing or certification of providers or practitioners; or
(6) Necessary, and in the manner prescribed under this subpart to assist Federal or State health planning agencies by furnishing them aggregate statistical data on a geographical, institutional or other basis.
§ 480.104 - Procedures for disclosure by a QIO.
(a) Notice to accompany disclosure. (1) Any disclosure of information under the authority of this subpart is subject to the requirements in § 480.105 relating to the providing of a notice of the disclosure.
(2) Disclosure of confidential information made under the authority of this subpart, except as provided in § 480.106, must be accompanied by a written statement informing the beneficiary that the information may not be redisclosed except as provided under § 480.107 that limits redisclosure.
(b) QIO interpretations. A QIO may provide a statement of comment, analysis, or interpretation to guide the beneficiary in using information disclosed under this subpart.
(c) Fees. A QIO may charge a fee to cover the cost of providing information authorized under this subpart. These fees may not exceed the amount necessary to recover the cost to the QIO for providing the information.
(d) Format for disclosure of public information. A QIO is required to disclose public information (§ 480.120(a)(6)) only in the form in which it is acquired by the QIO or in the form in which it is maintained for QIO use.
(e) Medicare provider number. A QIO must include the provider identification number assigned by the Medicare program on information that CMS requests.
§ 480.105 - Notice of disclosures made by a QIO.
(a) Notification of the disclosure of nonconfidential information. Except as permitted under § 480.106, at least 30 calendar days before disclosure of nonconfidential information, the QIO must notify an identified institution of its intent to disclose information about the institution (other than reports routinely submitted to CMS or Medicare administrative contractors or fiscal intermediaries, or to or from QIO subcontractors, or to or from the institution) and provide the institution with a copy of the information. The institution may submit comments to the QIO that must be attached to the information disclosed if received before disclosure, or forwarded separately if received after disclosure.
(b) Notification of the disclosure of confidential information. (1) A QIO must notify the practitioner who has treated a patient, of a request for disclosure to the patient or patient representative in accordance with the requirements and exceptions to the requirements for disclosure specified under § 480.132.
(2) A QIO must notify a practitioner or institution of the QIO's intent to disclose information on the practitioner or institution to an investigative or licensing agency (§§ 480.137 and 480.138) except for cases specified in § 480.106 involving fraud or abuse or imminent danger to individuals or the public health. The practitioner or institution must be notified and provided a copy of the information to be disclosed at least 30 calendar days before the QIO discloses the identifying information. The QIO must forward with the information any comments submitted by the practitioner or institution in response to the QIO notice if received before disclosure, or forwarded separately if received after disclosure.
§ 480.106 - Exceptions to QIO notice requirements.
(a) Imminent danger to individuals or public health. When the QIO determines that requested information is necessary to protect against an imminent danger to individuals or the public health, the notification required in § 480.105 may be sent simultaneously with the disclosure.
(b) Fraud or Abuse. The notification requirement in § 480.105 does not apply if—
(1) The disclosure is made in an investigation of fraud or abuse by the Office of the Inspector General or the General Accounting Office; or
(2) The disclosure is made in an investigation of fraud or abuse by any other Federal or State fraud or abuse agency and the investigative agency specifies in writing that the information is related to a potentially prosecutable criminal offense.
(c) Other. The notification requirements in § 480.105(a) and (b)(2) do not apply if:
(1) The institution or practitioner has requested, in writing, that the QIO make the disclosure;
(2) The institution or practitioner has provided, in writing, consent for the disclosure; or
(3) The information is public information as defined in § 480.101(b) and specified under § 480.120.
§ 480.107 - Limitations on redisclosure.
Persons or organizations that obtain confidential QIO information must not further disclose the information to any other person or organization except—
(a) As directed by the QIO to carry out a disclosure permitted or required under a particular provision of this part;
(b) As directed by CMS to carry out specific responsibilities of the Secretary under the Act;
(c) As necessary for CMS to carry out its responsibilities for appeals under section 1155 of the Act or for CMS to process sanctions under section 1156 of the Act;
(d) If the health care services furnished to an individual patient are reimbursed from more than one source, these sources of reimbursement may exchange confidential information as necessary for the payment of claims;
(e) If the information is acquired by the QIO from another source and the receiver of the information is authorized under its own authorities to acquire the information directly from the source, the receiver may disclose the information in accordance with the source's redisclosure rules;
(f) As necessary for the General Accounting Office to carry out its statutory responsibilities;
(g) Information pertaining to a patient or practitioner may be disclosed by that individual provided it does not identify any other patient or practitioner;
(h) An institution may disclose information pertaining to itself provided it does not identify an individual patient or practitioner;
(i) Governmental fraud or abuse agencies and State licensing or certification agencies recognized by CMS may disclose information as necessary in a judicial, administrative or other formal legal proceeding resulting from an investigation conducted by the agency;
(j) State and local public health officials to carry out their responsibilities, as necessary, to protect against a substantial risk to the public health; or
(k) As necessary for the Office of the Inspector General to carry out its statutory responsibilities.
(l) Redisclosures of information that is confidential because it identifies the parties involved in immediate advocacy may occur if all parties have consented to the redisclosure, as provided for under § 476.110(c) of this chapter.
§ 480.108 - Penalties for unauthorized disclosure.
A person who discloses information not authorized under Title XI Part B of the Act or the regulations of this part will, upon conviction, be fined no more than $1,000, or be imprisoned for no more than six months, or both, and will pay the costs of prosecution.
§ 480.109 - Applicability of other statutes and regulations.
The provisions of 42 U.S.C. 290dd-3 and 290ee-3 governing confidentiality of alcohol and drug abuse patients' records, and the implementing regulations at 42 CFR part 2, are applicable to QIO information.
QIO Access to Information
§ 480.111 - QIO access to records and information of institutions and practitioners.
(a) A QIO is authorized to have access to and obtain records and information pertinent to the health care services furnished to Medicare patients, held by any institution or practitioner in the QIO area. The QIO may require the institution or practitioner to provide copies of such records or information to the QIO.
(b) A QIO may obtain non-Medicare patient records relating to review performed under a non-Medicare QIO contract if authorized by those patients in accordance with State law.
(c) In accordance with its quality review responsibilities under the Act, a QIO may have access to and obtain information from, the records of non-Medicare patients if authorized by the institution or practitioner.
(d)(1) When submitting patient records to the QIO under this section, the institution or practitioner must do so consistent with the requirements in § 476.78(c) and (d) of this chapter.
(2) Reimbursement to an institution or practitioner for the cost of providing patient records is paid in accordance with § 476.78(e) of this chapter.
§ 480.112 - QIO access to records and information of intermediaries and carriers.
A QIO is authorized to have access to and require copies of Medicare records or information held by intermediaries or carriers if the QIO determines that the records or information are necessary to carry out QIO review responsibilities.
§ 480.113 - QIO access to information collected for QIO purposes.
(a) Institutions and other entities must disclose to the QIO information collected by them for QIO purposes.
(b) Information collected or generated by institutions or practitioners to carry out quality review studies must be disclosed to the QIO.
§ 480.114 - Limitation on data collection.
A QIO or any agent, organization, or institution acting on its behalf, that is collecting information under authority of this part, must collect only that information which is necessary to accomplish the purposes of Title XI Part B of the Act in accordance with 44 U.S.C. Chapter 35, Coordination of Federal Reporting Services Information Policy.
QIO Responsibilities
§ 480.115 - Requirements for maintaining confidentiality.
(a) Responsibilities of QIO officers and employees. The QIO must provide reasonable physical security measures to prevent unauthorized access to QIO information and to ensure the integrity of the information, including those measures needed to secure computer files. Each QIO must instruct its officers and employees and health care institution employees participating in QIO activities of their responsibility to maintain the confidentiality of information and of the legal penalties that may be imposed for unauthorized disclosure of QIO information.
(b) Responsible individuals within the QIO. The QIO must assign a single individual the responsibility for maintaining the system for assuring the confidentiality of information within the QIO review system. That individual must notify CMS of any violations of these regulations.
(c) Training requirements. The QIO must train participants of the QIO review system in the proper handling of confidential information.
(d) Authorized access. An individual participating in the QIO review system on a routine or ongoing basis must not have authorized access to confidential QIO information unless that individual—
(1) Has completed a training program in the handling of QIO information in accordance with paragraph (c) of this section or has received comparable training from another source; and
(2) Has signed a statement indicating that he or she is aware of the legal penalties for unauthorized disclosure.
(e) Purging of personal identifiers. (1) The QIO must purge or arrange for purging computerized information, patient records and other noncomputerized files of all personal identifiers as soon as it is determined by CMS that those identifiers are no longer necessary.
(2) The QIO must destroy or return to the facility from which it was collected confidential information generated from computerized information, patient records and other noncomputerized files when the QIO determines that the maintenance of hard copy is no longer necessary to serve the specific purpose for which it was obtained or generated.
(f) Data system procedures. The QIO must assure that organizations and consultants providing data services to the QIO have established procedures for maintaining the confidentiality of QIO information in accordance with requirements defined by the QIO and consistent with procedures established under this part.
§ 480.116 - Notice to individuals and institutions under review.
The QIO must establish and implement procedures to provide patients, practitioners, and institutions under review with the following information—
(a) The title and address of the person responsible for maintenance of QIO information;
(b) The types of information that will be collected and maintained;
(c) The general rules governing disclosure of QIO information; and
(d) The procedures whereby patients, practitioners, and institutions may obtain access to information about themselves.
Disclosure of Nonconfidential Information
§ 480.120 - Information subject to disclosure.
Subject to the procedures for disclosure and notice of disclosure specified in §§ 480.104 and 480.105, the QIO must disclose—
(a) Nonconfidential information to any person upon request, including—
(1) The norms, criteria, and standards it uses for initial screening of cases, and for other review activities;
(2) Winning technical proposals for contracts from the Department, and winning technical proposals for subcontracts under those contracts (except for proprietary or business information);
(3) Copies of documents describing administrative procedures, agreed to between the QIO and institutions or between a QIO and the Medicare intermediary or Medicare carrier;
(4) Routine reports submitted by the QIO to CMS to the extent that they do not contain confidential information.
(5) Summaries of the proceedings of QIO regular and other meetings of the governing body and general membership except for those portions of the summaries involving QIO deliberations, which are confidential information and subject to the provisions of § 480.139;
(6) Public information in its possession;
(7) Aggregate statistical information that does not implicitly or explicitly identify individual patients, practitioners or reviewers;
(8) Quality review study information including summaries and conclusions from which the identification of patients, practitioners and institutions has been deleted; and
(9) Information describing the characteristics of a quality review study, including a study design and methodology.
(b) Aggregate statistical information that does not implicitly or explicitly identify individual patients, practitioners or reviewers, to Federal or State health planning agencies (including Health Systems Agencies and State Health Planning and Development Agencies) in carrying out their health care planning and related activities.
§ 480.121 - Optional disclosure of nonconfidential information.
A QIO may, on its own initiative, subject to the notification requirements in § 480.105, furnish the information available under § 480.120 to any person, agency, or organization.
Disclosure of Confidential Information
§ 480.130 - Disclosure to the Department.
Except as limited by § 480.139(a) and § 480.140 of this subpart, QIOs must disclose to the Department all information requested by the Department in the manner and form requested. The information can include confidential and non-confidential information and requests can include those made by any component of the Department, such as CMS.
§ 480.131 - Access to medical records for the monitoring of QIOs.
CMS or any person, organization or agency authorized by the Department or Federal statute to monitor a QIO will have access to medical records maintained by institutions or health care practitioners on Medicare patients. The monitor can require copies of the records.
§ 480.132 - Disclosure of information about patients.
(a) General requirements for disclosure. Except as specified in §§ 476.130(d) and 476.140(b) of this chapter and paragraph (b) of this section, a QIO must—
(1) Disclose patient identified information in its possession to the identified patient or the patient's representative if—
(i) The patient or the patient's representative requests the information in writing;
(ii) The request by a patient's representative includes the designation, by the patient, of the representative; and
(iii) Except as provided under paragraph (b) of this section, all other patient and practitioner identifiers have been removed.
(2) Make disclosure to the patient or the patient's representative within 14 calendar days of receipt of the request.
(b) Exceptions. (1) If a request for information is in connection with an initial denial determination under section 1154(a)(2) of the Act, the QIO must provide only the information used to support that determination in accordance with the procedures for disclosure of information related to determinations under § 478.24, including relevant practitioner identifiers.
(2) A QIO must disclose information regarding QIO deliberations only as specified in § 480.139(a).
(3) A QIO must disclose quality review study information only as specified in § 480.140.
(c) Manner of disclosure. (1) The QIO must disclose the patient information directly to the patient or the patient's representative when the representative has been authorized or appointed to receive that information.
(2) In identifying a representative, the QIO must follow pertinent State law requirements regarding the designation of health care representatives and agents. If the patient is unable to designate a representative and the identity of the representative is not already dictated by State law, the QIO must disclose the information to a person whom the QIO determines is responsible for the patient.
§ 480.133 - Disclosure of information about practitioners, reviewers and institutions.
(a) General requirements for disclosure. Except as specified in paragraph (b) of this section, the following provisions are required of the QIO.
(1) Disclosure to the identified individual or institution. A QIO must disclose, to particular practitioners, reviewers and institutions, information about themselves, upon request, and may disclose it to them without a request.
(2) Disclosure to others. (i) A QIO must disclose to an institution, upon request, information on a practitioner to the extent that the information displays practice or performance patterns of the practitioner in that institution.
(ii) In accordance with section 1160 of the Act, a QIO must disclose information that displays practice or performance patterns of a practitioner or institution in accordance with the procedures for disclosures specified in §§ 480.137 and 480.138 to—
(A) Federal and State agencies that are responsible for the investigation of fraud and abuse of the Medicare or Medicaid programs, and
(B) Federal and State agencies that are responsible for licensing and certification of practitioners and providers.
(iii) A QIO may disclose to any person, agency, or organization information on a particular practitioner or reviewer at the written request of or with the written consent of that practitioner or reviewer. The beneficiary of the information has the same redisclosure rights and responsibilities as the requesting or consenting practitioner or reviewer as provided under this Subpart B.
(iv) A QIO is not required to obtain the consent of a practitioner or provider prior to the release of information to a beneficiary in connection with an initial denial determination or in providing a beneficiary with the QIO's findings in response to a beneficiary complaint. Information that must be specified in a QIO's final decision in a complaint review is specified in §§ 476.130(d) and 476.140(b) of this subchapter.
(b) Exceptions. (1) If the request is in connection with an initial denial determination or a change resulting from a diagnostic related group (DRG) coding validation under part 476 of this subchapter, the QIO must provide only the information used to support that determination in accordance with the procedures for disclosure of information relating to determinations under § 478.24 of this subchapter.
(2) A QIO must disclose information regarding QIO deliberations only as specified in § 480.139(a).
(3) A QIO must disclose quality review study information only as specified in § 480.140.
§ 480.134 - Verification and amendment of QIO information.
(a) A QIO must verify the accuracy of its information concerning patients, practitioners, reviewers, and institutions and must permit the individual or institution to request an amendment of pertinent information that is in the possession of the QIO.
(b) If the QIO agrees with the request for amendment, the QIO must correct the information in its possession. If the information being amended has already been disclosed, the QIO must forward the amended information to the requester where it may affect decisions about a particular provider, practitioner or case under review.
(c) If the QIO disagrees with the request for amendment, a notation of the request, reasons for the request, and the reasons for refusal must be included with the information and attached to any disclosure of the information.
§ 480.135 - Disclosure necessary to perform review responsibilities.
(a) Disclosure to conduct review. The QIO must disclose or arrange for disclosure of information to individuals and institutions within the QIO review system as necessary to fulfill their particular duties and functions under Title XI Part B of the Act.
(b) Disclosure to consultants and subcontractors. The QIO must disclose to consultants or subcontractors the information they need to provide specified services to the QIO.
(c) Disclosure to other QIO and medical review boards. The QIO must disclose—
(1) To another QIO, information on patients and practitioners who are subject to review by the other QIO; and
(2) To medical review boards established under section 1881 of the Act, confidential information on patients, practitioners and institutions receiving or furnishing end stage renal disease services.
§ 480.136 - Disclosure to intermediaries and carriers.
(a) Required disclosure. Except as specified in §§ 480.139(a) and 480.140 relating to disclosure of QIO deliberations and quality review study information, a QIO must disclose to intermediaries and carriers QIO information that relates to, or is necessary for, payment of claims for Medicare as follows:
(1) Review determinations and claims forms for health care services, furnished in the manner and form agreed to by the QIO and the intermediary or carrier.
(2) Upon request, copies of medical records acquired from practitioners or institutions for review purposes.
(3) QIO information about a particular patient or practitioner if the QIO and the intermediary or carrier (or CMS if the QIO and the intermediary or carrier cannot agree) determine that the information is necessary for the administration of the Medicare program.
(b) Optional disclosure. The QIO may disclose the information specified in paragraph (a) of this section to intermediaries and carriers without a request.
§ 480.137 - Disclosure to Federal and State enforcement agencies responsible for the investigation or identification of fraud or abuse of the Medicare or Medicaid programs.
(a) Required disclosure. Except as specified in §§ 480.139(a) and 480.140 relating to disclosure of QIO deliberations and quality review study information, the QIO must disclose confidential information relevant to an investigation of fraud or abuse of the Medicare or Medicaid programs, including QIO medical necessity determinations and other information that includes patterns of the practice or performance of a practitioner or institution, when a written request is received from a State or Federal enforcement agency responsible for the investigation or identification of fraud or abuse of the Medicare or Medicaid programs that—
(1) Identifies the name and title of the individual initiating the request,
(2) Identifies the physician or institution about which information is requested, and
(3) States affirmatively that the institution or practitioner is currently under investigation for fraud or abuse of the Medicare or Medicaid programs and that the information is needed in furtherance of that investigation.
(b) Optional disclosure. The QIO may provide the information specified in paragraph (a) of this section to Federal or State fraud and abuse enforcement agencies responsible for the investigation or identification of fraud or abuse of the Medicare or Medicaid programs, without a request.
§ 480.138 - Disclosure for other specified purposes.
(a) General requirements for disclosure. Except as specified in paragraph (b) of this section, the following provisions are required of the QIO.
(1) Disclosure to licensing and certification bodies. (i) A QIO must disclose confidential information upon request, to State or Federal licensing bodies responsible for the professional licensure of a practitioner or a particular institution. Confidential information, including QIO medical necessity determinations that display the practice or performance patterns of that practitioner, must be disclosed by the QIO but only to the extent that it is required by the agency to carry out a function within the jurisdiction of the agency under Federal or State law.
(ii) A QIO may provide the information specified in paragraph (a)(1)(i) of this section to the State or Federal licensing body without request.
(2) Disclosure to State and local public health officials. A QIO must disclose QIO information to State and local public health officials whenever the QIO determines that the disclosure of the information is necessary to protect against a substantial risk to the public health.
(3) Disclosure to the courts. Patient identified records in the possession of a QIO are not subject to subpoena or discovery in a civil action, including an administrative, judicial or arbitration proceeding.
(b) Exceptions. (1) The restriction set forth in paragraph (a)(3) of this section does not apply to HHS, including Inspector General, administrative subpoenas issued in the course of audits and investigations of Department programs, in the course of administrative hearings held under the Social Security Act or to disclosures to the General Accounting Office as necessary to carry out its statutory responsibilities.
(2) A QIO must disclose information regarding QIO deliberations and quality review study information only as specified in §§ 480.139(a) and 480.140.
§ 480.139 - Disclosure of QIO deliberations and decisions.
(a)(1) A QIO must not disclose its deliberations except to—
(i) CMS; or
(ii) The Office of the Inspector General, and the Government Accountability Office as necessary to carry out statutory responsibilities.
(2) QIO deliberations are not disclosable, either in written form or through oral testimony, in connection with the administrative hearing or review of a beneficiary's claim.
(b) Reasons for QIO decisions. (1) A QIO may disclose to those who have access to QIO information under other provisions of this subpart, the reasons for QIO decisions pertaining to that information provided that the opinions or judgements of a particular individual or practitioner cannot be identified.
(2) A QIO must disclose, if requested in connection with the administrative hearing or review of a beneficiary's claim, the reasons for QIO decisions. The QIO must include the detailed facts, findings and conclusions supporting the QIO's determination. The QIO must insure that the opinions or judgements of a particular individual or practitioner cannot be identified through the materials that are disclosed.
§ 480.140 - Disclosure of quality review study information.
(a) A QIO must disclose quality review study information with identifiers of patients, practitioners or institutions to—
(1) Representatives of authorized licensure, accreditation or certification agencies as is required by the agencies in carrying out functions which are within the jurisdiction of such agencies under state law; to Federal and State agencies responsible for identifying risks to the public health when there is substantial risk to the public health; or to Federal and State fraud and abuse enforcement agencies;
(2) An institution or practitioner, if the information is limited to health care services furnished by the institution or practitioner; and
(3) A medical review board established under section 1881 of the Act pertaining to end-stage renal disease facilities, if the information is limited to health care services subject to its review.
(b) A QIO must disclose quality review study information with identifiers of patients, practitioners or institutions to the Office of the Inspector General and the General Accounting Office as necessary to carry out statutory responsibilities.
(c) A QIO may disclose information offsite from a particular quality review study to any institution or practitioner involved in that study, provided the disclosed information is limited to that institution or practitioner.
(d) A QIO may disclose quality review study information with identifiers of particular practitioners or institutions, or both, at the written request of, or with the written consent of, the identified practitioner(s) or institution(s).
(1) The consent or request must specify the information that is to be disclosed and the intended beneficiary of the information.
(2) The beneficiary of the information has the same redisclosure rights and responsibilities as the requesting or consenting practitioner or institution as provided under this Subpart B.
(e) An institution or group of practitioners may redisclose quality review study information, if the information is limited to health care services they provided.
(f) Quality review study information with patient identifiers is not subject to subpoena or discovery in a civil action, including an administrative, judicial or arbitration proceeding. This restriction does not apply to HHS, including Inspector General, administrative subpoenas issued in the course of audits and investigations of Department programs, in the course of administrative hearings held under the Social Security Act, or to disclosures to the General Accounting Office as necessary to carry out its statutory responsibilities.
(g) A QIO must disclose quality review study information to CMS with identifiers of patients, practitioners or institutions—
(1) For purposes of quality improvement. Activities include, but are not limited to, data validation, measurement, reporting, and evaluation.
(2) As requested by CMS when CMS deems it necessary for purposes of overseeing and planning QIO program activities.
§ 480.141 - Disclosure of QIO interpretations on the quality of health care.
Subject to the procedures for disclosure and notice of disclosure specified in §§ 480.104 and 480.105, a QIO may disclose to the public QIO interpretations and generalizations on the quality of health care that identify a particular institution.
§ 480.142 - Disclosure of sanction reports.
(a) The QIO must disclose sanction reports directly to the Office of the Inspector General and, if requested, to CMS.
(b) The QIO must upon request, and may without a request, disclose sanction reports to State and Federal agencies responsible for the identification, investigation or prosecution of cases of fraud or abuse in accordance with § 480.137.
(c) CMS will disclose sanction determinations in accordance with part 474 of this chapter.
§ 480.143 - QIO involvement in shared health data systems.
(a) Information collected by a QIO. Except as prohibited in paragraph (b) of this section, information collected by a QIO may be processed and stored by a cooperative health statistics system established under the Public Health Service Act (42 U.S.C. 242k) or other State or Federally authorized shared data system.
(b) QIO participation. A QIO may not participate in a cooperative health statistics system or other shared health data system if the disclosure rules of the system would prevent the QIO from complying with the rules of this part.
(c) Disclosure of QIO information obtained by a shared health data system. QIO information must not be disclosed by the shared health data system unless—
(1) The source from which the QIO acquired the information consents to or requests disclosure; or
(2) The QIO requests the disclosure of the information to carry out a disclosure permitted under a provision of this part.
§ 480.144 - Access to QIO data and information.
CMS may approve the requests of researchers for access to QIO confidential information not already authorized by other provisions in 42 CFR part 480.
§ 480.145 - Beneficiary authorization of use of confidential information.
(a) Except as otherwise provided under this part, a QIO may not use or disclose a beneficiary's confidential information without an authorization from the beneficiary. The QIO's use or disclosure must be consistent with the authorization.
(b) A valid authorization is a document that contains the following:
(1) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(2) The name or other specific identification of the QIO(s) and QIO point(s) of contact making the request to use or disclose the information.
(3) The name or other specific identification of the person(s), or class of persons, to whom the QIO(s) may disclose the information or allow the requested use.
(4) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of purpose.
(5) An expiration date or an expiration event that relates to the beneficiary or the purpose of the use or disclosure. The statement “end of the QIO research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of confidential information for QIO research, including for the creation and maintenance of a research database or research repository.
(6) Signature of the individual and date. If the authorization is signed by a beneficiary's representative, a description of such representative's authority to act for the beneficiary must also be provided.
(c) In addition to those items contained in paragraph (b) of this section, the authorization must contain statements adequate to place the individual on notice of all of the following:
(1) The individual's right to revoke the authorization in writing; and
(2) Any exceptions to the right to revoke and a description of how the individual may revoke the authorization;
(3) The ability or inability of the QIO to condition its review activities on the authorization, by stating either:
(i) That the QIO may not condition the review of complaints, appeals, or payment determinations, or any other QIO reviews or other tasks within the QIO's responsibility on whether the individual signs the authorization;
(ii) The consequences to the individual of a refusal to sign the authorization when the refusal will render the QIO unable to carry out an activity.
(4) The potential for information disclosed pursuant to the authorization to be subject to either appropriate or inappropriate redisclosure by a beneficiary, after which the information would no longer be protected by this subpart.
(d) The authorization must be written in plain language.
(e) If a QIO seeks an authorization from a beneficiary for a use or disclosure of confidential information, the QIO must provide the beneficiary with a copy of the signed authorization.
(f) A beneficiary may revoke an authorization provided under this section at any time, provided the revocation is in writing, except to the extent that the QIO has taken action in reliance upon the authorization.