The auditors require access to a recipient’s entire medical record. The Office of the General Counsel, United States Department of Health and Human Services has determined, with the concurrence of the Office of Civil Rights, that the CIBMTR meets the Privacy Rule’s definition of a public health authority (PHA) and is authorized by law to collect the information necessary to fulfill the legislated mandate to collect data needed to assess outcomes of hematopoietic stem cell therapy. It is therefore not a “covered entity” under HIPAA. Additionally, transplant centers fitting the definition of covered entities may disclose certain individually identifiable health information to the CIBMTR under 45 CRF 164.512 (Privacy Rule), which allows for the disclosure of an individual’s protected health information without the individual’s written consent or authorization when such a disclosure is made to a PHA that is authorized by law to collect information for the purpose of preventing or controlling disease, injury, or disability.

In addition, the Data Transmission Agreement, signed by all transplant centers, agrees to provide CIBMTR access to all records used during completion of CIBMTR data collection forms. This agreement is a useful resource when ensuring necessary access to medical records is provided to auditors.

All charts (inpatient, outpatient and/or clinic, and stem cell processing) should be available at one site. The following recommendations should be considered when preparing recipient medical records for audit:

  • All security access paperwork for either electronic or paper access should be completed prior to audit.
  • EMR access must allow for full view of the medical record (i.e., a single PDF of the entire chart
    cannot be used for auditing). If the recipient data is stored in multiple applications, the auditors will need access to each system. When EMR access is granted, the site should verify that the auditors have full access to all information in a usable format before the auditors’ arrival at the site.
  • If records are stored outside of the EMR (i.e., stem cell lab documentation), these records must be available for review during the audit.
  • If the auditors are not granted access to the EMR, all notes, labs, tests, etc. will need to be printed for their review. The printed documentation should be organized into separate categories chronologically (i.e., progress notes, pathology reports, labs, etc.).
  • Forms will be locked for audit, preventing editing or changes being made by the transplant center. Error correction forms (ECFs) do not need to be completed for forms locked for audit. The auditors will make necessary changes based on reviewed documentation. Following the audit, if the transplant center wishes to make additional changes, an ECF and supporting documentation can be submitted to CIBMTR Center Support for review.
Last modified: Sep 15, 2022


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment