Confidentiality-Security Policy | Updated

CIMRO takes very seriously our responsibilities as a Business Associate. The CIMRO Enterprise recently completed comprehensive review of its Confidentiality-Security Policy.

CIMRO PRs must conduct all peer reviews in accordance with the then-current confidentiality policy in accord with the PR subcontract and business associate agreement.
 
Though the confidentiality policy document itself is much more extensive, there are no substantive changes in how a PR must protect confidential information and the obligations as a Business Associate. 

• The necessary administrative, physical and technical safeguards to protect confidential information must be taken and in place. 
• No non-confidential, de-identified data resulting from activity funded by CIMRO, directly or indirectly, may be published in any manner without the prior written consent of the CIMRO CEO and compliance with the applicable regulations.

 
Below is a portion of the Definitions and Descriptions section from the confidentiality policy as a refresher:

1. WHAT IS CONFIDENTIAL INFORMATION?

For purposes of this Policy, Confidential Information means and includes, but is not limited to:

• Protected Health Information (PHI), in any form or media whether electronic, on paper or oral;
• Individually Identifiable Health Information (IIHI), in any form or media whether electronic, on paper or oral;
• Personally Identifiable Information (PII), in any form or media whether electronic, on paper or oral;
• Patient Identifying Information as that term is used in regard to Substance Use Disorder regulated by 42 CFR Part 2, in any form or media whether electronic, on paper or oral;
• Computer or other electronic or non-electronic reports or records which are healthcare provider or reviewer and/or patient specific;
• Healthcare provider or reviewer license numbers, Medicare/Medicaid provider numbers, reviewer identity, or other information from which their identity can be ascertained;
• Information that explicitly or implicitly identifies an individual patient, practitioner or reviewer;
• Quality review studies which identify patients, practitioners or institutions;
• Related working materials, drafts, copies or other forms of the all of the above.
  
  

1. WHAT IS PHI?

PHI is Individually Identifiable Health Information (IIHI) that is transmitted by electronic media (ePHI); maintained in electronic media; or transmitted or maintained in any other form or medium, whether electronic, paper or oral. Note that there are three types of IIHI that are excluded from the definition of PHI in the regulations, but none have application to the Enterprise. More often than not, the general term PHI is used, even though technically PHI and IIHI are not one and the same due to the three exceptions.

1. WHAT IS IIHI?

IIHI is Individually Identifiable Health Information (IIHI). It is information, including demographic data, that relates to an individual’s past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present or future payment for the provision of health care to the individual and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.  IIHI includes many common identifiers (e.g., names, all geographic subdivisions smaller than a state (region, street address, city, county, precinct, zip code/equivalent geocode [some exceptions], all elements of dates [except year] for dates directly related to the individual [e.g., birth date, admission/ discharge dates, date of death, etc.], telephone numbers, fax numbers, e-mail addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifier/serial numbers [including license plate numbers], web Universal Resource Locators [URLs], Internet Protocol [IP] address numbers, biometric identifiers [finger/voice prints], and full face photographic images).

1.  WHAT IS PERSONALLY IDENTIFIABLE INFORMATION?

Personally Identifiable Information (PII), is generally defined to mean any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.
 
Should you have any questions or need another copy of the confidentiality policy, please contact us at peerreview@cimro.com or 217.352.1060 ext. 4201.