[Code of Federal Regulations]
[Title 42, Volume 3, Parts 430 to end]
[Revised as of October 1, 2000]
From the U.S. Government Printing Office via GPO Access
[CITE: 42CFR480.115]

[Page 397]

TITLE 42--PUBLIC HEALTH

CHAPTER IV--HEALTH CARE FINANCING ADMINISTRATION, DEPARTMENT OF HEALTH AND HUMAN SERVICES--(Continued)

PART 480--ACQUISITION, PROTECTION, AND DISCLOSURE OF PEER REVIEW INFORMATION--Table of Contents

Subpart B--Utilization and Quality Control Peer Review Organizations (PROs)

Sec. 480.115 Requirements for maintaining confidentiality.

(a) Responsibilities of PRO officers and employees. The PRO must provide reasonable physical security measures to prevent unauthorized access to PRO information and to ensure the integrity of the information, including those measures needed to secure computer files. Each PRO must instruct its officers and employees and health care institution employees participating in PRO activities of their responsibility to maintain the confidentiality of information and of the legal penalties that may be imposed for unauthorized disclosure of PRO information.

(b) Responsible individuals within the PRO. The PRO must assign a single individual the responsibility for maintaining the system for assuring the confidentiality of information within the PRO review system. That individual must notify HCFA of any violations of these regulations.

(c) Training requirements. The PRO must train participants of the PRO review system in the proper handling of confidential information.

(d) Authorized access. An individual participating in the PRO review system on a routine or ongoing basis must not have authorized access to confidential PRO information unless that individual--

    (1) Has completed a training program in the handling of PRO information in accordance with paragraph (c) of this section or has received comparable training from another source; and

    (2) Has signed a statement indicating that he or she is aware of the legal penalties for unauthorized disclosure.

(e) Purging of personal identifiers.

    (1) The PRO must purge or arrange for purging computerized information, patient records and other noncomputerized files of all personal identifiers as soon as it is determined by HCFA that those identifiers are no longer necessary.

    (2) The PRO must destroy or return to the facility from which it was collected confidential information generated from computerized information, patient records and other noncomputerized files when the PRO determines that the maintenance of hard copy is no longer necessary to serve the specific purpose for which it was obtained or generated.

(f) Data system procedures. The PRO must assure that organizations and consultants providing data services to the PRO have established procedures for maintaining the confidentiality of PRO information in accordance with requirements defined by the PRO and consistent with procedures established under this part.