Federal Register - October 7, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 192 / Thursday, October 7, 2021 / Rules and Regulations
paragraph (c) of this section within the time prescribed by (c)(4)(ii) of this section. To satisfy this standard, the written documentation must include a description of the IDR entity's organizational structure and capabilities, including an organizational chart and the credentials, responsibilities, and number of personnel employed to make determinations described in paragraph (c) of this section.
(iii) Maintain a current accreditation from a nationally recognized and relevant accrediting organization, such as URAC, or ensure that it otherwise possesses the requisite training to conduct payment determinations (for example, providing documentation that personnel employed by the IDR entity have completed arbitration training by the American Arbitration Association, the American Health Law Association, or a similar organization);
(iv) Have a process to ensure that no conflict of interest, as defined in paragraph (a)(2) of this section, exists between the parties and the personnel the certified IDR entity assigns to a payment determination to avoid violating paragraph (c)(1)(ii) of this section, including policies and procedures for conducting ongoing audits for conflicts of interest, to ensure that should any arise, the certified IDR entity has procedures in place to inform the Secretary, jointly with the Secretary of the Treasury and the Secretary of Labor, of the conflict of interest and to mitigate the risk by reassigning the dispute to other personnel in the event that any personnel previously assigned have a conflict of interest.
(v) Have a process to maintain the confidentiality of IIHI obtained in the course of conducting determinations. A certified IDR entity's responsibility to comply with these confidentiality requirements shall survive revocation of the IDR entity's certification for any reason, and IDR entities must comply with the record retention and disposal requirements described in this section.
Under this process, once certified, the certified IDR entity must comply with the following requirements:
(A) Privacy. The certified IDR entity may create, collect, handle, disclose, transmit, access, maintain, store, and/or use IIHI, only to perform:
(1) The certified IDR entity's required duties described in this section; and
(2) Functions related to carrying out additional obligations as may be required under applicable Federal or State laws or regulations.
(B) Security. (1) The certified IDR entity must ensure the confidentiality of all IIHI it creates, obtains, maintains, stores, and transmits;
(2) The certified IDR entity must protect against any reasonably anticipated threats or hazards to the security of this information;
(3) The certified IDR entity must ensure that IIHI is securely destroyed or disposed of in an appropriate and reasonable manner 6 years from either the date of its creation or the first date on which the certified IDR entity had access to it, whichever is earlier.
(4) The certified IDR entity must implement policies and procedures to prevent, detect, contain, and correct security violations in the event of a breach of IIHI;
(C) Breach notification. The certified IDR entity must, following the discovery of a breach of unsecured IIHI, notify of the breach the provider, facility, or provider of air ambulance services; the plan and issuer; the Secretary, jointly with the Secretary of the Treasury and the Secretary of Labor; and each individual whose unsecured IIHI has been, or is reasonably believed to have been, subject to the breach, to the extent possible.
(1) Breaches treated as discovered. For purposes of this paragraph (e)(2)(v)(C), a breach shall be treated as discovered by a certified IDR entity as of the first day on which the breach is known to the certified IDR entity or, by exercising reasonable diligence, would have been known to the certified IDR entity. A certified IDR entity shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the certified IDR entity;
(2) Timing of notification. A certified IDR entity must provide the notification required by this paragraph (e)(2)(v)(C) without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(3) Content of notification. The notification required by this paragraph (e)(2)(v)(C) must include, to the extent possible:
(i) The identification of each individual whose unsecured IIHI has been, or is reasonably believed by the certified IDR entity to have been, subject to the breach;
(ii) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, to the extent known;
(iii) A description of the types of unsecured IIHI that were involved in the breach (for example, whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
(iv) A brief description of what the certified IDR entity involved is doing to investigate the breach, to mitigate harm to the affected parties, and to protect against any further breaches; and
(v) Contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, email address, website, or postal address.
(4) Method for providing notification. A certified IDR entity must submit the notification required by this paragraph (e)(2)(v)(C) in written form (in clear and understandable language) either on paper or electronically through the Federal IDR portal or electronic mail.
(D) Application to contractor and subcontractors. The certified IDR entity must ensure compliance with this paragraph (e)(2)(v) of this section by any contractor or subcontractor with access to IIHI performing any duties related to the Federal IDR process.
(vi) Meet appropriate indicators of fiscal integrity and stability by demonstrating that the certified IDR entity has a system of safeguards and controls in place to prevent and detect improper financial activities by its employees and agents to assure fiscal integrity and accountability for all certified IDR entity fees and administrative fees received, held, and disbursed and by submitting 3 years of financial statements or, if not available, other information to demonstrate fiscal stability of the IDR entity;
(vii) Provide a fixed fee for single determinations and a separate fixed fee for batched determinations within the upper and lower limits for each, as set forth in guidance issued by the Secretary. The certified IDR entity may not charge a fee that is not within the approved limits as set forth in guidance unless the certified IDR entity or IDR entity seeking certification receives written approval from the Secretary to charge a flat rate beyond the upper or lower limits approved by the Secretary for fees. The certified IDR entity or IDR entity seeking certification may update its fees and seek approval from the Secretary to charge a flat fee beyond the upper or lower limits for fees, annually as provided in guidance. In order for the certified IDR entity to receive the Secretary's written approval to charge a flat fee beyond the upper or lower limits for fees as set forth in guidance, it must satisfy both conditions in paragraphs (e)(2)(v)(A) and (B) of this section, as follows:
(A) Submit, in writing, a proposal to the Secretary that includes: