42 C.F.R. PART 480—ACQUISITION, PROTECTION, AND DISCLOSURE QUALITY IMPROVEMENT ORGANIZATION REVIEW INFORMATION
Title 42 - Public Health
Authority: Secs. 1102 and 1871 of the Social Security Act (42 U.S.C. 1302 and 1395hh).
Source: 50 FR 15359, Apr. 17, 1985, unless otherwise noted. Redesignated at 64 FR 66279, Nov. 24, 1999.
(a) Scope. This subpart sets forth the policies and procedures governing— (1) Disclosure of information collected, acquired or generated by a Utilization and Quality Control Quality Improvement Organization (QIO) (or the review component of a QIO subcontractor) in performance of its responsibilities under the Act and these regulations; and (2) Acquisition and maintenance of information by a QIO to comply with its responsibilities under the Act. (b) Definitions. As used in this part: Abuse means any unlawful conduct relating to items or services for which payment is sought under Title XVIII of the Act. Aggregate statistical data means any utilization, admission, discharge or diagnostic related group (DRG) data arrayed on a geographic, institutional or other basis in which the volume and frequency of services are shown without identifying any individual. Confidential information means any of the following: (1) Information that explicitly or implicitly identifies an individual patient, practitioner or reviewer. (2) Sanction reports and recommendations. (3) Quality review studies which identify patients, practitioners or institutions. (4) QIO deliberations. Health care facility or facility means an organization involved in the delivery of health care services or items for which reimbursement may be made in whole or in part under Title XVIII of the Act. Implicitly identify(ies) means data so unique or numbers so small so that identification of an individual patient, practitioners or reviewer would be obvious. Non-facility organization means a corporate entity that: (1) Is not a health care facility; (2) is not a 5 percent or more owner of a facility; and (3) is not owned by one or more health care facilities in the QIO area. Patient representative means—(1) an individual designated by the patient, in writing, as authorized to request and receive QIO information that would otherwise be disclosable to that patient; or (2) an individual identified by the QIO in accordance with §480.132(c)(3) when the beneficiary is mentally, physically or legally unable to designate a representative. Practitioner means an individual credentialed within a recognized health care discipline and involved in providing the services of that discipline to patients. QIO deliberations means discussions or communications (within a QIO or between a QIO and a QIO subcontractor) including, but not limited to, review notes, minutes of meetings and any other records of discussions and judgments involving review matters regarding QIO review responsibilities and appeals from QIO determinations, in which the opinions of, or judgment about, a particular individual or institution can be discerned. QIO information means any data or information collected, acquired or generated by a QIO in the exercise of its duties and functions under Title XI Part B or Title XVIII of the Act. QIO interpretations and generalizations on the quality of health care means an assessment of the quality of care furnished by an individual provider or group of providers based on the QIO's knowledge of the area gained from its medical review experience (e.g., quality review studies) and any other information obtained through the QIO's review activities. QIO review system means the QIO and those organizations and individuals who either assist the QIO or are directly responsible for providing medical care or for making determinations with respect to the medical necessity, appropriate level and quality of health care services that may be reimbursed under the Act. The system includes— (1) The QIO and its officers, members and employees; (2) QIO subcontractors; (3) Health care institutions and practitioners whose services are reviewed; (4) QIO reviewers and supporting staff; and (5) Data support organizations. Public information means information which has been disclosed to the public. Quality review study means an assessment, conducted by or for a QIO, of a patient care problem for the purpose of improving patient care through peer analysis, intervention, resolution of the problem and follow-up. Quality review study information means all documentation related to the quality review study process. Reviewer means review coordinator, physician, or other person authorized to perform QIO review functions. Sanction report means a report filed pursuant to section 1156 of the Act and part 474 of this chapter documenting the QIO's determination that a practitioner or institution has failed to meet obligations imposed by section 1156 of the Act. Shared health data system means an agency or other entity authorized by Federal or State law that is used by the QIO review system to provide information or to conduct or arrange for the collection, processing, and dissemination of information on health care services. Subcontractor means a facility or a non-facility organization under contract with a QIO to perform QIO review functions. [50 FR 15359, Apr. 17, 1985; 50 FR 41886, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999; 69 FR 49267, Aug. 11, 2004] (a) Section 1154(a)(7)(C) of the Act requires QIOs to the extent necessary and appropriate to examine the pertinent records of any practitioner or provider of health care services for which payment may be made under Title XVIII of the Act. (b) Section 1154(a)(9) of the Act requires QIOs to collect and maintain information necessary to carry out their responsibilities under the Act. (c) Section 1156(a)(3) of the Act requires health care practitioners and providers to maintain evidence of the medical necessity and quality of health care services they provide to Medicare patients as required by QIOs. (a) Section 1154(a)(10) of the Act requires QIOs to exchange information with intermediaries and carriers with contracts under sections 1816 and 1842 of the Act, other QIOs, and other public or private review organizations as appropriate. (b) Section 1160 of the Act provides that QIO information must be held in confidence and not be disclosed except where— (1) Necessary to carry out the purpose of Title XI Part B of the Act; (2) Specifically permitted or required under this subpart; (3) Necessary, and in the manner prescribed under this subpart, to assist Federal and State agencies recognized by the Secretary as having responsibility for identifying and investigating cases or patterns of fraud or abuse; (4) Necessary, and in the manner prescribed under the subpart to assist Federal or State agencies recognized by the Secretary as having responsibility for identifying cases or patterns involving risks to the public health; (5) Necessary, and in the manner prescribed under this subpart, to assist appropriate State agencies having responsibility for licensing or certification of providers or practitioners; or (6) Necessary, and in the manner prescribed under this subpart to assist Federal or State health planning agencies by furnishing them aggregate statistical data on a geographical, institutional or other basis. [50 FR 15359, Apr. 17, 1985; 50 FR 41886, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999] (a) Notice to accompany disclosure. (1) Any disclosure of information under the authority of this subpart is subject to the requirements in §480.105 relating to the providing of a notice of the disclosure. (2) Disclosure of confidential information made under the authority of this subpart, except as provided in §480.106, must be accompanied by a written statement informing the recipient that the information may not be redisclosed except as provided under §480.107 that limits redisclosure. (b) QIO interpretations. A QIO may provide a statement of comment, analysis, or interpretation to guide the recipient in using information disclosed under this subpart. (c) Fees. A QIO may charge a fee to cover the cost of providing information authorized under this subpart. These fees may not exceed the amount necessary to recover the cost to the QIO for providing the information. (d) Format for disclosure of public information. A QIO is required to disclose public information (§480.120(a)(6)) only in the form in which it is acquired by the QIO or in the form in which it is maintained for QIO use. (e) Medicare provider number. A QIO must include the provider identification number assigned by the Medicare program on information that CMS requests. [50 FR 15359, Apr. 17, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] (a) Notification of the disclosure of nonconfidential information. Except as permitted under §480.106, at least 30 calender days before disclosure of nonconfidential information, the QIO must notify an identified institution of its intent to disclose information about the institution (other than reports routinely submitted to CMS or Medicare fiscal intermediaries, or to or from QIO subcontractors, or to or from the institution) and provide the institution with a copy of the information. The institution may submit comments to the QIO that must be attached to the information disclosed if received before disclosure, or forwarded separately if received after disclosure. (b) Notification of the disclosure of confidential information. (1) A QIO must notify the practitioner who has treated a patient, of a request for disclosure to the patient or patient representative in accordance with the requirements and exceptions to the requirements for disclosure specified under §480.132. (2) A QIO must notify a practitioner or institution of the QIO's intent to disclose information on the practitioner or institution to an investigative or licensing agency (§§480.137 and 480.138) except for cases specified in §480.106 involving fraud or abuse or imminent danger to individuals or the public health. The practitioner or institution must be notified and provided a copy of the information to be disclosed at least 30 calendar days before the QIO discloses the identifying information. The QIO must forward with the information any comments submitted by the practitioner or institution in response to the QIO notice if received before disclosure, or forwarded separately if received after disclosure. [50 FR 15359, Apr. 17, 1985; 50 FR 41886, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] (a) Imminent danger to individuals or public health. When the QIO determines that requested information is necessary to protect against an imminent danger to individuals or the public health, the notification required in §480.105 may be sent simultaneously with the disclosure. (b) Fraud or Abuse. The notification requirement in §480.105 does not apply if— (1) The disclosure is made in an investigation of fraud or abuse by the Office of the Inspector General or the General Accounting Office; or (2) The disclosure is made in an investigation of fraud or abuse by any other Federal or State fraud or abuse agency and the investigative agency specifies in writing that the information is related to a potentially prosecutable criminal offense. (c) Other. The notification requirements in §480.105(a) and (b)(2) do not apply if: (1) The institution or practitioner has requested, in writing, that the QIO make the disclosure; (2) The institution or practitioner has provided, in writing, consent for the disclosure; or (3) The information is public information as defined in §480.101(b) and specified under §480.120. [50 FR 15359, Apr. 17, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49266, 49267, Aug. 11, 2004] Persons or organizations that obtain confidential QIO information must not further disclose the information to any other person or organization except— (a) As directed by the QIO to carry out a disclosure permitted or required under a particular provision of this part; (b) As directed by CMS to carry out specific responsibilities of the Secretary under the Act; (c) As necessary for CMS to carry out its responsibilities for appeals under section 1155 of the Act or for CMS to process sanctions under section 1156 of the Act; (d) If the health care services furnished to an individual patient are reimbursed from more than one source, these sources of reimbursement may exchange confidential information as necessary for the payment of claims; (e) If the information is acquired by the QIO from another source and the receiver of the information is authorized under its own authorities to acquire the information directly from the source, the receiver may disclose the information in accordance with the source's redisclosure rules; (f) As necessary for the General Accounting Office to carry out its statutory responsibilities; (g) Information pertaining to a patient or practitioner may be disclosed by that individual provided it does not identify any other patient or practitioner; (h) An institution may disclose information pertaining to itself provided it does not identify an individual patient or practitioner; (i) Governmental fraud or abuse agencies and State licensing or certification agencies recognized by CMS may disclose information as necessary in a judicial, administrative or other formal legal proceeding resulting from an investigation conducted by the agency; (j) State and local public health officials to carry out their responsibilities, as necessary, to protect against a substantial risk to the public health; or (k) As necessary for the Office of the Inspector General to carry out its statutory responsibilities. [50 FR 15359, Apr. 17, 1985; 50 FR 41886, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999] A person who discloses information not authorized under Title XI Part B of the Act or the regulations of this part will, upon conviction, be fined no more than $1,000, or be imprisoned for no more than six months, or both, and will pay the costs of prosecution. The provisions of 42 U.S.C. 290dd–3 and 290ee–3 governing confidentiality of alcohol and drug abuse patients' records, and the implementing regulations at 42 CFR part 2, are applicable to QIO information. [50 FR 15359, Apr. 17, 1985; 50 FR 41887, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999] (a) A QIO is authorized to have access to and obtain records and information pertinent to the health care services furnished to Medicare patients, held by any institution or practitioner in the QIO area. The QIO may require the institution or practitioner to provide copies of such records or information to the QIO. (b) A QIO may obtain non-Medicare patient records relating to review performed under a non-Medicare QIO contract if authorized by those patients in accordance with State law. (c) In accordance with its quality review responsibilities under the Act, a QIO may have access to and obtain information from, the records of non-Medicare patients if authorized by the institution or practitioner. (d) A QIO may reimburse for requested information at the rate of $.10 per page for photocopying plus first class postage. The photocopying amount includes the cost of labor, supplies, equipment, and overhead. [50 FR 15359, Apr. 17, 1985; 50 FR 41887, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 65 FR 83154, Dec. 29, 2000] A QIO is authorized to have access to and require copies of Medicare records or information held by intermediaries or carriers if the QIO determines that the records or information are necessary to carry out QIO review responsibilities. (a) Institutions and other entities must disclose to the QIO information collected by them for QIO purposes. (b) Information collected or generated by institutions or practitioners to carry out quality review studies must be disclosed to the QIO. A QIO or any agent, organization, or institution acting on its behalf, that is collecting information under authority of this part, must collect only that information which is necessary to accomplish the purposes of Title XI Part B of the Act in accordance with 44 U.S.C. Chapter 35, Coordination of Federal Reporting Services Information Policy. (a) Responsibilities of QIO officers and employees. The QIO must provide reasonable physical security measures to prevent unauthorized access to QIO information and to ensure the integrity of the information, including those measures needed to secure computer files. Each QIO must instruct its officers and employees and health care institution employees participating in QIO activities of their responsibility to maintain the confidentiality of information and of the legal penalties that may be imposed for unauthorized disclosure of QIO information. (b) Responsible individuals within the QIO. The QIO must assign a single individual the responsibility for maintaining the system for assuring the confidentiality of information within the QIO review system. That individual must notify CMS of any violations of these regulations. (c) Training requirements. The QIO must train participants of the QIO review system in the proper handling of confidential information. (d) Authorized access. An individual participating in the QIO review system on a routine or ongoing basis must not have authorized access to confidential QIO information unless that individual— (1) Has completed a training program in the handling of QIO information in accordance with paragraph (c) of this section or has received comparable training from another source; and (2) Has signed a statement indicating that he or she is aware of the legal penalties for unauthorized disclosure. (e) Purging of personal identifiers. (1) The QIO must purge or arrange for purging computerized information, patient records and other noncomputerized files of all personal identifiers as soon as it is determined by CMS that those identifiers are no longer necessary. (2) The QIO must destroy or return to the facility from which it was collected confidential information generated from computerized information, patient records and other noncomputerized files when the QIO determines that the maintenance of hard copy is no longer necessary to serve the specific purpose for which it was obtained or generated. (f) Data system procedures. The QIO must assure that organizations and consultants providing data services to the QIO have established procedures for maintaining the confidentiality of QIO information in accordance with requirements defined by the QIO and consistent with procedures established under this part. The QIO must establish and implement procedures to provide patients, practitioners, and institutions under review with the following information— (a) The title and address of the person responsible for maintenance of QIO information; (b) The types of information that will be collected and maintained; (c) The general rules governing disclosure of QIO information; and (d) The procedures whereby patients, practitioners, and institutions may obtain access to information about themselves. Subject to the procedures for disclosure and notice of disclosure specified in §§480.104 and 480.105, the QIO must disclose— (a) Nonconfidential information to any person upon request, including— (1) The norms, criteria, and standards it uses for initial screening of cases, and for other review activities; (2) Winning technical proposals for contracts from the Department, and winning technical proposals for subcontracts under those contracts (except for proprietary or business information); (3) Copies of documents describing administrative procedures, agreed to between the QIO and institutions or between a QIO and the Medicare intermediary or Medicare carrier; (4) Routine reports submitted by the QIO to CMS to the extent that they do not contain confidential information. (5) Summaries of the proceedings of QIO regular and other meetings of the governing body and general membership except for those portions of the summaries involving QIO deliberations, which are confidential information and subject to the provisions of §480.139; (6) Public information in its possession; (7) Aggregate statiscal information that does not implicitly or explicitly identify individual patients, practitioners or reviewers; (8) Quality review study information including summaries and conclusions from which the identification of patients, practitioners and institutions has been deleted; and (9) Information describing the characteristics of a quality review study, including a study design and methodology. (b) Aggregate statistical information that does not implicitly or explicitly identify individual patients, practitioners or reviewers, to Federal or State health planning agencies (including Health Systems Agencies and State Health Planning and Development Agencies) in carrying out their health care planning and related activities. [50 FR 15359, Apr. 17, 1985; 50 FR 41887, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] A QIO may, on its own initiative, subject to the notification requirements in §480.105, furnish the information available under §480.120 to any person, agency, or organization. [50 FR 15359, Apr. 17, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] Except as limited by §§480.139(a) and 480.140 of this subpart, QIOs must disclose all information requested by the Department to it in the manner and form required. [50 FR 15359, Apr. 17, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] CMS or any person, organization or agency authorized by the Department or Federal statute to monitor a QIO will have access to medical records maintained by institutions or health care practitioners on Medicare patients. The monitor can require copies of the records. (a) General requirements for disclosure. Except as specified in paragraph (b) of this section, a QIO must— (1) Disclose patient identified information in its possession to the identified patient or the patient's representative if— (i) The patient or the patient's representative requests the information in writing; (ii) The request by a patient's representative includes the designation, by the patient, of the representative; and (iii) All other patient and practitioner identifiers have been removed. (2) Seek the advice of the attending practitioner that treated the patient regarding the appropriateness of direct disclosure to the patient 15 days before the QIO provides the requested information. If the attending practitioner states that the released information could harm the patient, the QIO must act in accordance with paragraph (c)(2) of this section. The QIO must make disclosure to the patient or patient's representative within 30 calendar days of receipt of the request. (b) Exceptions. (1) If the request is in connection with an initial denial determination under section 1154(a)(3) of the Act, the QIO— (i) Need not seek the advice of the practitioner that treated the patient regarding the appropriateness of direct disclosure to the patient; and (ii) Must provide only the information used to support that determination in accordance with the procedures for disclosure of information relating to determinations under §473.24. (2) A QIO must disclose information regarding QIO deliberations only as specified in §480.139(a). (3) A QIO must disclose quality review study information only as specified in §480.140. (c) Manner of disclosure. (1) The QIO must disclose the patient information directly to the patient unless knowledge of the information could harm the patient. (2) If knowledge of the information could harm the patient, the QIO must disclose the information to the patient's designated representative. (3) If the patient is mentally, physically or legally unable to designate a representative, the QIO must disclose the information to a person whom the QIO determines is responsible for the patient. The QIO must first attempt to make that determination based on the medical record. If the responsible person is not named in the medical record, then the QIO may rely on the attending practitioner for the information. If the practitioner is unable to provide a name, then the QIO must make a determination based on other reliable information. [50 FR 15359, Apr. 17, 1985; 50 FR 41887, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] (a) General requirements for disclosure. Except as specified in paragraph (b) of this section, the following provisions are required of the QIO. (1) Disclosure to the identified individual or institution. A QIO must disclose, to particular practitioners, reviewers and institutions, information about themselves, upon request, and may disclose it to them without a request. (2) Disclosure to others. (i) A QIO must disclose to an institution, upon request, information on a practitioner to the extent that the information displays practice or performance patterns of the practitioner in that institution. (ii) In accordance with section 1160 of the Act, a QIO must disclose information that displays practice or performance patterns of a practitioner or institution in accordance with the procedures for disclosures specified in §§480.137 and 480.138 to— (A) Federal and State agencies that are responsible for the investigation of fraud and abuse of the Medicare or Medicaid programs, and (B) Federal and State agencies that are responsible for licensing and certification of practitioners and providers. (iii) A QIO may disclose to any person, agency, or organization information on a particular practitioner or reviewer at the written request of or with the written consent of that practitioner or reviewer. The recipient of the information has the same redisclosure rights and responsibilities as the requesting or consenting practitioner or reviewer as provided under this Subpart B. (b) Exceptions. (1) If the request is in connection with an initial denial determination or a change resulting from a diagnostic related group (DRG) coding validation under Part 466 of this subchapter, the QIO must provide only the information used to support that determination in accordance with the procedures for disclosure of information relating to determinations under §473.24. (2) A QIO must disclose information regarding QIO deliberations only as specified in §480.139(a). (3) A QIO must disclose quality review study information only as specified in §480.140. [50 FR 15359, Apr. 17, 1885, as amended at 52 FR 37458, Oct. 7, 1987; 52 FR 47004, Dec. 11, 1987. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49266, 29267, Aug. 11, 2004] (a) A QIO must verify the accuracy of its information concerning patients, practitioners, reviewers, and institutions and must permit the individual or institution to request an amendment of pertinent information that is in the possession of the QIO. (b) If the QIO agrees with the request for amendment, the QIO must correct the information in its possession. If the information being amended has already been disclosed, the QIO must forward the amended information to the requester where it may affect decisions about a particular provider, practitioner or case under review. (c) If the QIO disagrees with the request for amendment, a notation of the request, reasons for the request, and the reasons for refusal must be included with the information and attached to any disclosure of the information. [50 FR 15358, Apr. 17, 1985; 50 FR 41887, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999] (a) Disclosure to conduct review. The QIO must disclose or arrange for disclosure of information to individuals and institutions within the QIO review system as necessary to fulfill their particular duties and functions under Title XI Part B of the Act. (b) Disclosure to consultants and subcontractors. The QIO must disclose to consultants or subcontractors the information they need to provide specified services to the QIO. (c) Disclosure to other QIO and medical review boards. The QIO must disclose— (1) To another QIO, information on patients and practitioners who are subject to review by the other QIO; and (2) To medical review boards established under section 1881 of the Act, confidential information on patients, practitioners and institutions receiving or furnishing end stage renal disease services. (a) Required disclosure. Except as specified in §§480.139(a) and 480.140 relating to disclosure of QIO deliberations and quality review study information, a QIO must disclose to intermediaries and carriers QIO information that relates to, or is necessary for, payment of claims for Medicare as follows: (1) Review determinations and claims forms for health care services, furnished in the manner and form agreed to by the QIO and the intermediary or carrier. (2) Upon request, copies of medical records acquired from practitioners or institutions for review purposes. (3) QIO information about a particular patient or practitioner if the QIO and the intermediary or carrier (or CMS if the QIO and the intermediary or carrier cannot agree) determine that the information is necessary for the administration of the Medicare program. (b) Optional disclosure. The QIO may disclose the information specified in paragraph (a) of this section to intermediaries and carriers without a request. [50 FR 15359, Apr. 17, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] (a) Required disclosure. Except as specified in §§480.139(a) and 480.140 relating to disclosure of QIO deliberations and quality review study information, the QIO must disclose confidential information relevant to an investigation of fraud or abuse of the Medicare or medicaid programs, including QIO medical necessity determinations and other information that includes patterns of the practice or performance of a practitioner or institution, when a written request is received from a State or Federal enforcement agency responsible for the investigation or identification of fraud or abuse of the Medicare or Medicaid programs that— (1) Identifies the name and title of the individual initiating the request, (2) Identifies the physician or institution about which information is requested, and (3) States affirmatively that the institution or practitioner is currently under investigation for fraud or abuse of the Medicare or Medicaid programs and that the information is needed in furtherance of that investigation. (b) Optional disclosure. The QIO may provide the information specified in paragraph (a) of this section to Federal or State fraud and abuse enforcement agencies responsible for the investigation or identification of fraud or abuse of the Medicare or Medicaid programs, without a request. [50 FR 15358, Apr. 17, 1985, as amended at 52 FR 37458, Oct. 7, 1987. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] (a) General requirements for disclosure. Except as specified in paragraph (b) of this section, the following provisions are required of the QIO. (1) Disclosure to licensing and certification bodies. (i) A QIO must disclose confidential information upon request, to State or Federal licensing bodies responsible for the professional licensure of a practitioner or a particular institution. Confidential information, including QIO medical necessity determinations that display the practice or performance patterns of that practitioner, must be disclosed by the QIO but only to the extent that it is required by the agency to carry out a function within the jurisdiction of the agency under Federal or State law. (ii) A QIO may provide the information specified in paragraph (a)(1)(i) of this section to the State or Federal licensing body without request. (2) Disclosure to State and local public health officials. A QIO must disclose QIO information to State and local public health officials whenever the QIO determines that the disclosure of the information is necessary to protect against a substantial risk to the public health. (3) Disclosure to the courts. Patient identified records in the possession of a QIO are not subject to subpoena or discovery in a civil action, including an administrative, judicial or arbitration proceeding. (b) Exceptions. (1) The restriction set forth in paragraph (a)(3) of this section does not apply to HHS, including Inspector General, administrative subpoenas issued in the course of audits and investigations of Department programs, in the course of administrative hearings held under the Social Security Act or to disclosures to the General Accounting Office as necessary to carry out its statutory responsibilities. (2) A QIO must disclose information regarding QIO deliberations and quality review study information only as specified in §§480.139(a) and 480.140. [50 FR 15359, Apr. 17, 1985; 50 FR 41887, Oct. 16, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] (a) QIO deliberations. (1) A QIO must not disclose its deliberations except to— (i) CMS, at the QIO office or at a subcontracted organization; (ii) CMS, to the extent that the deliberations are incorporated in sanction and appeals reports; or (iii) The Office of the Inspector General, and the General Accounting Office as necessary to carry out statutory responsibilities. (2) QIO deliberations are not disclosable, either in written form or through oral testimony, in connection with the administrative hearing or review of a beneficiary's claim. (b) Reasons for QIO decisions. (1) A QIO may disclose to those who have access to QIO information under other provisions of this subpart, the reasons for QIO decisions pertaining to that information provided that the opinions or judgements of a particular individual or practitioner cannot be identified. (2) A QIO must disclose, if requested in connection with the administrative hearing or review of a beneficiary's claim, the reasons for QIO decisions. The QIO must include the detailed facts, findings and conclusions supporting the QIO's determination. The QIO must insure that the opinions or judgements of a particular individual or practitioner cannot be identified through the materials that are disclosed. (a) A QIO must disclose, onsite, quality review study information with identifiers of patients, practitioners or institutions to— (1) Representatives of authorized licensure, accreditation or certification agencies as is required by the agencies in carrying out functions which are within the jurisdiction of such agencies under state law; to federal and state agencies responsible for identifying risks to the public health when there is substantial risk to the public health; CMS; or to Federal and State fraud and abuse enforcement agencies; (2) An institution or practitioner, if the information is limited to health care services furnished by the institution or practitioner; and (3) A medical review board established under section 1881 of the Act pertaining to end-stage renal disease facilities, if the information is limited to health care services subject to its review. (b) A QIO must disclose quality review study information with identifiers of patients, practitioners or institutions to the Office of the Inspector General and the General Accounting Office as necessary to carry out statutory responsibilities. (c) A QIO may disclose information offsite from a particular quality review study to any institution or practitioner involved in that study, provided the disclosed information is limited to that institution or practitioner. (d) A QIO may disclose quality review study information with identifiers of particular practitioners or institutions, or both, at the written request of, or with the written consent of, the identified practitioner(s) or institution(s). (1) The consent or request must specify the information that is to be disclosed and the intended recipient of the information. (2) The recipient of the information has the same redisclosure rights and responsibilities as the requesting or consenting practitioner or institution as provided under this Subpart B. (e) An institution or group of practitioners may redisclose quality review study information, if the information is limited to health care services they provided. (f) Quality review study information with patient identifiers is not subject to subpoena or discovery in a civil action, including an administrative, judicial or arbitration proceeding. This restriction does not apply to HHS, including Inspector General, administrative subpoenas issued in the course of audits and investigations of Department programs, in the course of administrative hearings held under the Social Security Act, or to disclosures to the General Accounting Office as necessary to carry out its statutory responsibilities. [50 FR 15359, Apr. 17, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49266, Aug. 11, 2004] Subject to the procedures for disclosure and notice of disclosure specified in §§480.104 and 480.105, a QIO may disclose to the public QIO interpretations and generalizations on the quality of health care that identify a particular institution. [50 FR 15359, Apr. 17, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] (a) The QIO must disclose sanction reports directly to the Office of the Inspector General and, if requested, to CMS. (b) The QIO must upon request, and may without a request, disclose sanction reports to State and Federal agencies responsible for the identification, investigation or prosecution of cases of fraud or abuse in accordance with §480.137. (c) CMS will disclose sanction determinations in accordance with part 474 of this chapter. [50 FR 15359, Apr. 17, 1985. Redesignated at 64 FR 66279, Nov. 24, 1999, as amended at 69 FR 49267, Aug. 11, 2004] (a) Information collected by a QIO. Except as prohibited in paragraph (b) of this section, information collected by a QIO may be processed and stored by a cooperative health statistics system established under the Public Health Service Act (42 U.S.C. 242k) or other State or Federally authorized shared data system. (b) QIO participation. A QIO may not participate in a cooperative health statistics system or other shared health data system if the disclosure rules of the system would prevent the QIO from complying with the rules of this part. (c) Disclosure of QIO information obtained by a shared health data system. QIO information must not be disclosed by the shared health data system unless— (1) The source from which the QIO acquired the information consents to or requests disclosure; or (2) The QIO requests the disclosure of the information to carry out a disclosure permitted under a provision of this part.
Title 42: Public Health
PART 480—ACQUISITION, PROTECTION, AND DISCLOSURE QUALITY IMPROVEMENT ORGANIZATION REVIEW INFORMATION
Section Contents
General Provisions
§ 480.101 Scope and definitions.
§ 480.102 Statutory bases for acquisition and maintenance of information.
§ 480.103 Statutory bases for disclosure of information.
§ 480.104 Procedures for disclosure by a QIO.
§ 480.105 Notice of disclosures made by a QIO.
§ 480.106 Exceptions to QIO notice requirements.
§ 480.107 Limitations on redisclosure.
§ 480.108 Penalties for unauthorized disclosure.
§ 480.109 Applicability of other statutes and regulations.
QIO Access to Information
§ 480.111 QIO access to records and information of institutions and practitioners.
§ 480.112 QIO access to records and information of intermediaries and carriers.
§ 480.113 QIO access to information collected for QIO purposes.
§ 480.114 Limitation on data collection.
QIO Responsibilities
§ 480.115 Requirements for maintaining confidentiality.
§ 480.116 Notice to individuals and institutions under review.
Disclosure of Nonconfidential Information
§ 480.120 Information subject to disclosure.
§ 480.121 Optional disclosure of nonconfidential information.
Disclosure of Confidential Information
§ 480.130 Disclosure to the Department.
§ 480.131 Access to medical records for the monitoring of QIOs.
§ 480.132 Disclosure of information about patients.
§ 480.133 Disclosure of information about practitioners, reviewers and institutions.
§ 480.134 Verification and amendment of QIO information.
§ 480.135 Disclosure necessary to perform review responsibilities.
§ 480.136 Disclosure to intermediaries and carriers.
§ 480.137 Disclosure to Federal and State enforcement agencies responsible for the investigation or identification of fraud or abuse of the Medicare or Medicaid programs.
§ 480.138 Disclosure for other specified purposes.
§ 480.139 Disclosure of QIO deliberations and decisions.
§ 480.140 Disclosure of quality review study information.
§ 480.141 Disclosure of QIO interpretations on the quality of health care.
§ 480.142 Disclosure of sanction reports.
§ 480.143 QIO involvement in shared health data systems.
Subpart A [Reserved]
top
Subpart B—Utilization and Quality Control Quality Improvement Organizations (QIOs)
top
General Provisions
top
§ 480.101 Scope and definitions.
top
§ 480.102 Statutory bases for acquisition and maintenance of information.
top
§ 480.103 Statutory bases for disclosure of information.
top
§ 480.104 Procedures for disclosure by a QIO.
top
§ 480.105 Notice of disclosures made by a QIO.
top
§ 480.106 Exceptions to QIO notice requirements.
top
§ 480.107 Limitations on redisclosure.
top
§ 480.108 Penalties for unauthorized disclosure.
top
§ 480.109 Applicability of other statutes and regulations.
top
QIO Access to Information
top
§ 480.111 QIO access to records and information of institutions and practitioners.
top
§ 480.112 QIO access to records and information of intermediaries and carriers.
top
§ 480.113 QIO access to information collected for QIO purposes.
top
§ 480.114 Limitation on data collection.
top
QIO Responsibilities
top
§ 480.115 Requirements for maintaining confidentiality.
top
§ 480.116 Notice to individuals and institutions under review.
top
Disclosure of Nonconfidential Information
top
§ 480.120 Information subject to disclosure.
top
§ 480.121 Optional disclosure of nonconfidential information.
top
Disclosure of Confidential Information
top
§ 480.130 Disclosure to the Department.
top
§ 480.131 Access to medical records for the monitoring of QIOs.
top
§ 480.132 Disclosure of information about patients.
top
§ 480.133 Disclosure of information about practitioners, reviewers and institutions.
top
§ 480.134 Verification and amendment of QIO information.
top
§ 480.135 Disclosure necessary to perform review responsibilities.
top
§ 480.136 Disclosure to intermediaries and carriers.
top
§ 480.137 Disclosure to Federal and State enforcement agencies responsible for the investigation or identification of fraud or abuse of the Medicare or Medicaid programs.
top
§ 480.138 Disclosure for other specified purposes.
top
§ 480.139 Disclosure of QIO deliberations and decisions.
top
§ 480.140 Disclosure of quality review study information.
top
§ 480.141 Disclosure of QIO interpretations on the quality of health care.
top
§ 480.142 Disclosure of sanction reports.
top
§ 480.143 QIO involvement in shared health data systems.
top
