Connecticut Administrative Code
Title 38a - Insurance Department
591 - Utilization Review, Grievances and External Review
Section 38a-591-3 - Confidentiality
Universal Citation: CT Reg of State Agencies 38a-591-3
Current through March 14, 2024
(a) Each utilization review company shall comply with the provisions of this section as well as all applicable federal and state laws to protect the confidentiality of patient medical records. Each utilization review company shall:
(1) Secure
each case file by assigning case identification numbers to all utilization
review requests, and use such numbers in lieu of personally identifiable
information, whenever feasible.
(2)
Ensure that all paper copies of files are reasonably secured in appropriate
storage facilities.
(3) Maintain
appropriate written procedures for the requesting, maintenance, and disposition
of patient medical records.
(4)
Develop and maintain specifications indicating when and by whom the release of
patient medical records is permitted.
(5) Ensure that all utilization review
business operations are reasonably secured during non-business hours.
(6) Require all employees with access to
patient medical records to sign a confidentiality statement, to be maintained
on file by the company, in which the employee acknowledges the confidential
nature of such information.
(7)
Maintain a written policy stipulating sanctions for an employee's unauthorized
disclosure of patient medical records, up to and including termination of
employment.
(8) Maintain procedures
for limiting access to computer files containing patient medical records
through passwords, restricted functions and computer terminal
security.
(9) Develop and maintain
procedures to address the security of all patient medical records that are
transferred by facsimile, which shall include:
(i) A statement in all facsimile transmission
cover sheets that such data is confidential and is limited specifically for use
by the company in making a utilization review determination; and
(ii) Security procedures governing the use of
facsimile transmissions, specifying restricted access to such transmissions,
the extent of such information that may be released, and the placement of the
facsimile machine in a reasonably secured or isolated area.
(b) Summary and aggregate data shall not be considered confidential if it does not provide sufficient information to allow identification of individual patients.
Disclaimer: These regulations may not be the most recent version. Connecticut may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.