Rule 120-2-111-.09 - Independent Review Organization Confidentiality Provisions(1) An independent review organization, and all agents, contractors, and employees thereof, shall preserve the confidentiality of individual medical records and personal information to the extent required by law and by the doctor-patient relationship.(2) An independent review organization may not disclose or publish individual medical records or other confidential information about an eligible enrollee without the prior written consent of the eligible enrollee or as otherwise required by law. An independent review organization may provide confidential information to a third party under contract or affiliated with the independent review organization for the sole purpose of performing or assisting with independent review. Information provided to third parties shall remain confidential.(3) The independent review organization may not publish data which identifies a particular physician or health care provider, or particular health benefit plan or managed care entity, including any quality review studies or performance tracking data, without prior written notice to the involved provider, plan, or entity. This prohibition does not apply to internal systems or reports used by the independent review organization.(4) All patient, physician, health care provider, and health benefit plan data shall be maintained by the independent review organization in a confidential manner which prevents unauthorized disclosure to third parties. Nothing in this chapter shall be construed to allow an independent review organization to take actions that violate a state or federal statute or regulation concerning confidentiality of eligible enrollee records.(5) To assure confidentiality, an independent review organization must, when contacting a physician's or provider's office, or hospital, provide its certification number and the caller's name and professional qualifications to the provider or the provider's named independent review representative.(6) The independent review organization's procedures shall specify that specific information exchanged for the purpose of conducting review will be considered confidential, be used by the independent review organization solely for the purposes of independent review, and be shared by the independent review organization with only those third parties who have authority to receive such information. The independent review organization's plan shall specify the procedures that are in place to assure confidentiality and that the independent review organization agrees to abide by any federal and state laws governing the issue of confidentiality. Summary data that does not provide sufficient information to allow identification of individual eligible enrollees, providers, or health benefit plans need not be considered confidential.(7) Medical records and eligible enrollee-specific information shall be maintained by the independent review organization in a secure area with access limited to essential personnel only.(8) Destruction of documents in the custody of the independent review organization that contain confidential eligible enrollee information or physician or health care provider financial data shall be by a method which ensures complete destruction of the information, when the organization determines that the information is no longer needed.Ga. Comp. R. & Regs. R. 120-2-111-.09
O.C.G.A. §§ 33-2-9, 33-20A-41.
Original Rule entitled "Independent Review Organization Confidentiality Provisions" adopted. F. Sept. 20, 2023; eff. August 1, 2023, as specified by the Agency.