Senate Engrossed House Bill

State of Arizona

House of Representatives

Fiftieth Legislature

First Regular Session

2011

HOUSE BILL 2620

AN ACT

Amending sections 12-2291, 12-2294, 12-2296, 13-2316, 36-135, 36-470, 36-509 and 36-664, Arizona Revised Statutes; amending title 36, Arizona Revised Statutes, by adding chapter 38; relating to medical records.

Be it enacted by the Legislature of the State of Arizona:

Section 1.  Section 12-2291, Arizona Revised Statutes, is amended to read:

12-2291.  Definitions

In this article, unless the context otherwise requires:

1.  "Clinical laboratory" has the same meaning prescribed in section 36-451.

2.  "Contractor" means an agency or service that duplicates medical records on behalf of health care providers.

3.  "Department" means the department of health services.

4.  "Health care decision maker" means an individual who is authorized to make health care treatment decisions for the patient, including a parent of a minor or an individual who is authorized pursuant to section 8‑514.05, title 14, chapter 5, article 2 or 3 or section 36‑3221, 36‑3231 or 36‑3281.

5.  "Health care provider" means:

(a)  A person who is licensed pursuant to title 32 and who maintains medical records.

(b)  A health care institution as defined in section 36‑401.

(c)  An ambulance service as defined in section 36‑2201.

(d)  A health care services organization licensed pursuant to title 20, chapter 4, article 9.

6.  "Medical records" means all communications related to a patient's physical or mental health or condition that are recorded in any form or medium and that are maintained for purposes of patient diagnosis or treatment, including medical records that are prepared by a health care provider or by other providers.  Medical records do not include materials that are prepared in connection with utilization review, peer review or quality assurance activities, including records that a health care provider prepares pursuant to section 36‑441, 36‑445, 36‑2402 or 36‑2917.  Medical records do not include recorded telephone and radio calls to and from a publicly operated emergency dispatch office relating to requests for emergency services or reports of suspected criminal activity, but shall include communications that are recorded in any form or medium between emergency medical personnel and medical personnel concerning the diagnosis or treatment of a person.

7.  "Payment records" means all communications related to payment for a patient's health care that contain individually identifiable information.

8.  "Source data" means information that is summarized, interpreted or reported in the medical record, including x‑rays and other diagnostic images.

Sec. 2.  Section 12-2294, Arizona Revised Statutes, is amended to read:

12-2294.  Release of medical records and payment records to third parties

A.  A health care provider shall disclose medical records or payment records, or the information contained in medical records or payment records, without the patient's written authorization as otherwise required by law or when ordered by a court or tribunal of competent jurisdiction.

B.  A health care provider may disclose medical records or payment records, or the information contained in medical records or payment records, pursuant to written authorization signed by the patient or the patient's health care decision maker.

C.  A health care provider may disclose medical records or payment records or the information contained in medical records or payment records and a clinical laboratory may disclose clinical laboratory results without the written authorization of the patient or the patient's health care decision maker as otherwise authorized by state or federal law, including the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E), or as follows:

1.  To health care providers who are currently providing health care to the patient for the purpose of diagnosis or treatment of the patient.

2.  To health care providers who have previously provided treatment to the patient, to the extent that the records pertain to the provided treatment.

3.  To ambulance attendants as defined in section 36‑2201 for the purpose of providing care to or transferring the patient whose records are requested.

4.  To a private agency that accredits health care providers and with whom the health care provider has an agreement requiring the agency to protect the confidentiality of patient information.

5.  To a health profession regulatory board as defined in section 32‑3201.

6.  To health care providers for the purpose of conducting utilization review, peer review and quality assurance pursuant to section 36‑441, 36‑445, 36‑2402 or 36‑2917.

7.  To a person or entity that provides billing, claims management, medical data processing, utilization review or other administrative services to the patient's health care providers or clinical laboratories and with whom the health care provider has an agreement requiring the person or entity to protect the confidentiality of patient information and as required by the health insurance portability and accountability act privacy standards, 45 code of federal regulations part 164, subpart E.

8.  To the legal representative of a health care provider in possession of the medical records or payment records for the purpose of securing legal advice.

9.  To the patient's third party payor or the payor's contractor.

10.  To the industrial commission of Arizona or parties to an industrial commission claim pursuant to title 23, chapter 6.

D.  A health care provider may disclose a deceased patient's medical records or payment records or the information contained in medical records or payment records to the patient's health care decision maker at the time of the patient's death.  A health care provider also may disclose a deceased patient's medical records or payment records or the information contained in medical records or payment records to the personal representative or administrator of the estate of a deceased patient, or if a personal representative or administrator has not been appointed, to the following persons in the following order of priority, unless the deceased patient during the deceased patient's lifetime or a person in a higher order of priority has notified the health care provider in writing that the deceased patient opposed the release of the medical records or payment records:

1.  The deceased patient's spouse, unless the patient and the patient's spouse were legally separated at the time of the patient's death.

2.  The acting trustee of a trust created by the deceased patient either alone or with the deceased patient's spouse if the trust was a revocable inter vivos trust during the deceased patient's lifetime and the deceased patient was a beneficiary of the trust during the deceased patient's lifetime.

3.  An adult child of the deceased patient.

4.  A parent of the deceased patient.

5.  An adult brother or sister of the deceased patient.

6.  A guardian or conservator of the deceased patient at the time of the patient's death.

E.  A person who receives medical records or payment records pursuant to this section shall not disclose those records without the written authorization of the patient or the patient's health care decision maker, unless otherwise authorized by law.

F.  If a health care provider releases a patient's medical records or payment records to a contractor for the purpose of duplicating or disclosing the records on behalf of the health care provider, the contractor shall not disclose any part or all of a patient's medical records or payment records in its custody except as provided in this article.  After duplicating or disclosing a patient's medical records or payment records on behalf of a health care provider, a contractor must return the records to the health care provider who released the medical records or payment records to the contractor.

Sec. 3.  Section 12-2296, Arizona Revised Statutes, is amended to read:

12-2296.  Immunity

A health care provider, contractor or clinical laboratory that acts in good faith under this article is not liable for damages in any civil action for the disclosure of medical records, payment records or clinical laboratory results or information contained in medical records, payment records or clinical laboratory results that is made pursuant to this article or as otherwise provided by law.  The health care provider, contractor or clinical laboratory is presumed to have acted in good faith.  The presumption may be rebutted by clear and convincing evidence.

Sec. 4.  Section 13-2316, Arizona Revised Statutes, is amended to read:

13-2316.  Computer tampering; venue; forfeiture; classification

A.  A person who acts without authority or who exceeds authorization of use commits computer tampering by:

1.  Accessing, altering, damaging or destroying any computer, computer system or network, or any part of a computer, computer system or network, with the intent to devise or execute any scheme or artifice to defraud or deceive, or to control property or services by means of false or fraudulent pretenses, representations or promises.

2.  Knowingly altering, damaging, deleting or destroying computer programs or data.

3.  Knowingly introducing a computer contaminant into any computer, computer system or network.

4.  Recklessly disrupting or causing the disruption of computer, computer system or network services or denying or causing the denial of computer or network services to any authorized user of a computer, computer system or network.

5.  Recklessly using a computer, computer system or network to engage in a scheme or course of conduct that is directed at another person and that seriously alarms, torments, threatens or terrorizes the person.  For the purposes of this paragraph, the conduct must both:

(a)  Cause a reasonable person to suffer substantial emotional distress.

(b)  Serve no legitimate purpose.

6.  Preventing a computer user from exiting a site, computer system or network‑connected location in order to compel the user's computer to continue communicating with, connecting to or displaying the content of the service, site or system.

7.  Knowingly obtaining any information that is required by law to be kept confidential or any records that are not public records by accessing any computer, computer system or network that is operated by this state, a political subdivision of this state, a health care provider as defined in section 12-2291, a clinical laboratory as defined in section 36-451 or a person or entity that provides services on behalf of a health care provider or a clinical laboratory.

8.  Knowingly accessing any computer, computer system or network or any computer software, program or data that is contained in a computer, computer system or network.

B.  In addition to section 13‑109, a prosecution for a violation of this section may be tried in any of the following counties:

1.  The county in which the victimized computer, computer system or network is located.

2.  The county in which the computer, computer system or network that was used in the commission of the offense is located or in which any books, records, documents, property, financial instruments, computer software, data, access devices or instruments of the offense were used.

3.  The county in which any authorized user was denied service or in which an authorized user's service was interrupted.

4.  The county in which critical infrastructure resources were tampered with or affected.

C.  On conviction of a violation of this section, the court shall order that any computer system or instrument of communication that was owned or used exclusively by the defendant and that was used in the commission of the offense be forfeited and sold, destroyed or otherwise properly disposed.

D.  A violation of subsection A, paragraph 6 of this section constitutes an unlawful practice under section 44‑1522 and is in addition to all other causes of action, remedies and penalties that are available to this state.  The attorney general may investigate and take appropriate action pursuant to title 44, chapter 10, article 7.

E.  Computer tampering pursuant to subsection A, paragraph 1 of this section is a class 3 felony.  Computer tampering pursuant to subsection A, paragraph 2, 3 or 4 of this section is a class 4 felony, unless the computer, computer system or network tampered with is a critical infrastructure resource, in which case it is a class 2 felony.  Computer tampering pursuant to subsection A, paragraph 5 of this section is a class 5 felony.  Computer tampering pursuant to subsection A, paragraph 7 or 8 of this section is a class 6 felony.

Sec. 5.  Section 36-135, Arizona Revised Statutes, is amended to read:

36-135.  Child immunization reporting system; requirements; access; confidentiality; immunity; violation; classification; definitions

A.  The child immunization reporting system is established in the department to collect, store, analyze, release and report immunization data.

B.  A health care professional who is licensed under title 32 to provide immunizations, except as provided in subsection I of this section, shall report the following information:

1.  The health care professional's name, business address and business telephone number.

2.  The child's name, address, social security number if known and not confidential, gender, date of birth and mother's maiden name.

3.  The type of vaccine administered and the date it is administered.

C.  The health care professional may submit this information to the department on a weekly or monthly basis by telephone, facsimile, mail, computer or any other method prescribed by the department.

D.  Except as provided in subsection I of this section, the department shall release identifying information only to the person's health care professional person, the person's health care decision maker, parent or guardian, health care services organization, a health care provider, an entity regulated under title 20, the Arizona health care cost containment system and its providers as defined in chapter 29 of this title, or a school official who is authorized by law to receive and record immunization records or a person or entity that provides services to a health care provider and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of the information, as required by the health insurance portability and accountability act privacy standards, 45 code of federal regulations part 164, subpart E.  The department may also release identifying information to an entity designated by the person or the person's health care decision maker, parent or guardian.  The department, by rule, may release immunization information to persons for a specified purpose.  The department may release nonidentifying summary statistics.

E.  Identifying information in the system is confidential.  A person who is authorized to receive confidential information under subsection D of this section or pursuant to rules adopted by the department shall not disclose this information to any other person only as permitted by this section or rules adopted by the department.

F.  A health care provider that provides information in good faith pursuant to this section is not subject to civil or criminal liability.

G.  A health care provider that does not comply with the requirements of this section violates a law applicable to the practice of medicine and commits an act of unprofessional conduct or a violation of chapter 4 of this title.

H.  Any agency or person receiving confidential information from the system who subsequently discloses that information to any other person other than as permitted by this section is guilty of a class 3 misdemeanor.

I.  At the request of the person, or if the person is a child the child's parent or guardian, the department of health services shall provide a form to be signed that allows confidential immunization information to be withheld from all persons including persons authorized to receive confidential information pursuant to subsection D of this section.  If the request is delivered to the health care professional before the immunization, the health care professional shall not forward the information required under subsection B of this section to the department.

J.  For the purposes of this section, "health care decision maker" and "health care provider" have the same meanings prescribed in section 12-2291.

Sec. 6.  Section 36-470, Arizona Revised Statutes, is amended to read:

36-470.  Examination of specimens; written requests; reports of results; retention of test records

A.  Except as otherwise provided, a clinical laboratory shall examine specimens at the authorization of any person licensed pursuant to title 32, chapter 7, 8, 13, 14, 17 or 29 or title 32, chapter 11, article 2, a person licensed to practice medicine or surgery in another state or a person authorized by law or department rules.

B.  The result of a test shall be reported to the person who authorized it.  A report of results issued from a clinical laboratory shall provide information required by the department by rule.  A clinical interpretation, diagnosis or prognosis or suggested treatment other than normal values shall not appear on the laboratory report form, except that a report made by a physician licensed to practice medicine and surgery in this state or another state may include this information.

C.  The result of a test may be reported to a health care provider, as defined in section 12-2291, that has a treatment relationship with a patient, or to a person or entity that provides services to the health care provider and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards, 45 code of federal regulations part 164, subpart E.

D.  All specimens accepted by a laboratory for specified tests shall be tested on its premises, except that specimens, other than those for proficiency testing purposes, may be forwarded for examination to another laboratory licensed under this article or exempted by section 36‑461, paragraph 1.

E.  When the laboratory performing the examination is other than the laboratory accepting the specimen, the report submitted shall include information required by the department by rule.

F.  Records involving laboratory services and copies of reports of laboratory tests shall be kept in a manner as prescribed by the department by rule.

G.  A person authorized to request clinical laboratory examinations pursuant to this section may direct that a clinical laboratory examine a person's specimens at that person's request if the authorization is given pursuant to department rules and specifies:

1.  The name of the person authorized to request an examination and to receive the results of that examination.

2.  The type of examinations to be performed by the laboratory.

3.  The total number of examinations the authorized person may request.

4.  The beginning and expiration dates of the authorization.

5.  The identification of the person giving the authorization.

H.  The laboratory shall report test results ordered pursuant to subsection G of this section to the person who authorized the test and to the person who requested it.

Sec. 7.  Section 36-509, Arizona Revised Statutes, is amended to read:

36-509.  Confidential records; immunity

A.  A health care entity must keep records and information contained in records confidential and not as public records, except as provided in this section.  Records and information contained in records may only be disclosed to:

1.  Physicians and providers of health, mental health or social and welfare services involved in caring for, treating or rehabilitating the patient.

2.  Individuals to whom the patient or the patient's health care decision maker has given authorization to have information disclosed.

3.  Persons authorized by a court order.

4.  Persons doing research only if the activity is conducted pursuant to applicable federal or state laws and regulations governing research.

5.  The state department of corrections in cases in which prisoners confined to the state prison are patients in the state hospital on authorized transfers either by voluntary admission or by order of the court.

6.  Governmental or law enforcement agencies if necessary to:

(a)  Secure the return of a patient who is on unauthorized absence from any agency where the patient was undergoing evaluation and treatment.

(b)  Report a crime on the premises.

(c)  Avert a serious and imminent threat to an individual or the public.

7.  Persons, including family members, actively participating in the patient's care, treatment or supervision.  A health care provider may only release information relating to the patient's diagnosis, prognosis, need for hospitalization, anticipated length of stay, discharge plan, medication, medication side effects and short‑term and long‑term treatment goals.  A health care provider may make this release only after the treating professional or that person's designee interviews the patient or the patient's health care decision maker and the patient or the patient's health care decision maker does not object, unless federal or state law permits the disclosure.  If the patient does not have the opportunity to object to the disclosure because of incapacity or an emergency circumstance and the patient's health care decision maker is not available to object to the release, the health care provider in the exercise of professional judgment may determine if the disclosure is in the best interests of the patient and, if so, may release the information authorized pursuant to this paragraph.  A decision to release or withhold information is subject to review pursuant to section 36‑517.01.  The health care provider must record the name of any person to whom any information is given under this paragraph.

8.  A state agency that licenses health professionals pursuant to title 32, chapter 13, 15, 17, 19.1 or 33 and that requires these records in the course of investigating complaints of professional negligence, incompetence or lack of clinical judgment.

9.  A state or federal agency that licenses health care providers.

10.  A governmental agency or a competent professional, as defined in section 36‑3701, in order to comply with chapter 37 of this title.

11.  Human rights committees established pursuant to title 41, chapter 35.  Any information released pursuant to this paragraph shall comply with the requirements of section 41‑3804 and applicable federal law and shall be released without personally identifiable information unless the personally identifiable information is required for the official purposes of the human rights committee.  Case information received by a human rights committee shall be maintained as confidential.  For the purposes of this paragraph, "personally identifiable information" includes a person's name, address, date of birth, social security number, tribal enrollment number, telephone or telefacsimile number, driver license number, places of employment, school identification number and military identification number or any other distinguishing characteristic that tends to identify a particular person.

12.  A patient or the patient's health care decision maker pursuant to section 36‑507.

13.  The department of public safety by the court to comply with the requirements of section 36‑540, subsection N.

14.  A third party payor or the payor's contractor to obtain reimbursement for health care, mental health care or behavioral health care provided to the patient as permitted by the health insurance portability and accountability act privacy standards, 45 code of federal regulations part 160 and part 164, subpart E.

15.  A private entity that accredits the health care provider and with whom the health care provider has an agreement requiring the agency to protect the confidentiality of patient information.

16.  The legal representative of a health care entity in possession of the record for the purpose of securing legal advice.

17.  A person or entity as otherwise required by state or federal law.

18.  A person or entity as permitted by the federal regulations on alcohol and drug abuse treatment (42 Code of Federal Regulations part 2).

19.  A person or entity to conduct utilization review, peer review and quality assurance pursuant to section 36‑441, 36‑445, 36‑2402 or 36‑2917.

20.  A person maintaining health statistics for public health purposes as authorized by law.

21.  A grand jury as directed by subpoena.

22.  A person or entity that provides services to the patient's health care provider, as defined in section 12-2291, and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards, 45 code of federal regulations part 164, subpart E.

B.  Information and records obtained in the course of evaluation, examination or treatment and submitted in any court proceeding pursuant to this chapter or title 14, chapter 5 are confidential and are not public records unless the hearing requirements of this chapter or title 14, chapter 5 require a different procedure.  Information and records that are obtained pursuant to this section and submitted in a court proceeding pursuant to title 14, chapter 5 and that are not clearly identified by the parties as confidential and segregated from nonconfidential information and records are considered public records.

C.  Notwithstanding subsections A and B of this section, the legal representative of a patient who is the subject of a proceeding conducted pursuant to this chapter and title 14, chapter 5 has access to the patient's information and records in the possession of a health care entity or filed with the court.

D.  A health care entity that acts in good faith under this article is not liable for damages in any civil action for the disclosure of records or payment records that is made pursuant to this article or as otherwise provided by law.  The health care entity is presumed to have acted in good faith.  This presumption may be rebutted by clear and convincing evidence.

Sec. 8.  Section 36-664, Arizona Revised Statutes, is amended to read:

36-664.  Confidentiality; exceptions

A.  A person who obtains communicable disease related information in the course of providing a health service or obtains that information from a health care provider pursuant to an authorization shall not disclose or be compelled to disclose that information except to the following:

1.  The protected person or, if the protected person lacks capacity to consent, the protected person's health care decision maker.

2.  The department or a local health department for purposes of notifying a good Samaritan pursuant to subsection E of this section.

3.  An agent or employee of a health facility or health care provider to provide health services to the protected person or the protected person's child or for billing or reimbursement for health services.

4.  A health facility or health care provider, in relation to the procurement, processing, distributing or use of a human body or a human body part, including organs, tissues, eyes, bones, arteries, blood, semen, milk or other body fluids, for use in medical education, research or therapy or for transplantation to another person.

5.  A health facility or health care provider, or an organization, committee or individual designated by the health facility or health care provider, that is engaged in the review of professional practices, including the review of the quality, utilization or necessity of medical care, or an accreditation or oversight review organization responsible for the review of professional practices at a health facility or by a health care provider.

6.  A private entity that accredits the health facility or health care provider and with whom the health facility or health care provider has an agreement requiring the agency to protect the confidentiality of patient information.

7.  A federal, state, county or local health officer if disclosure is mandated by federal or state law.

8.  A federal, state or local government agency authorized by law to receive the information.  The agency is authorized to redisclose the information only pursuant to this article or as otherwise permitted by law.

9.  An authorized employee or agent of a federal, state or local government agency that supervises or monitors the health care provider or health facility or administers the program under which the health service is provided.  An authorized employee or agent includes only an employee or agent who, in the ordinary course of business of the government agency, has access to records relating to the care or treatment of the protected person.

10.  A person, health care provider or health facility to which disclosure is ordered by a court or administrative body pursuant to section 36‑665.

11.  The industrial commission or parties to an industrial commission of Arizona claim pursuant to section 23‑908, subsection D and section 23‑1043.02.

12.  Insurance entities pursuant to section 20‑448.01 and third party payors or the payors' contractors.

13.  Any person or entity as authorized by the patient or the patient's health care decision maker.

14.  A person or entity as required by federal law.

15.  The legal representative of the entity holding the information in order to secure legal advice.

16.  A person or entity for research only if the research is conducted pursuant to applicable federal or state laws and regulations governing research.

17.  A person or entity that provides services to the patient's health care provider, as defined in section 12-2291, and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards, 45 code of federal regulations part 164, subpart E.

B.  At the request of the department of economic security and in conjunction with the placement of children in foster care or for adoption or court‑ordered placement, a health care provider shall disclose communicable disease information, including HIV‑related information, to the department of economic security.

C.  A state, county or local health department or officer may disclose communicable disease related information if the disclosure is any of the following:

1.  Specifically authorized or required by federal or state law.

2.  Made pursuant to an authorization signed by the protected person or the protected person's health care decision maker.

3.  Made to a contact of the protected person.  The disclosure shall be made without identifying the protected person.

4.  For the purposes of research as authorized by state and federal law.

D.  The director may authorize the release of information that identifies the protected person to the national center for health statistics of the United States public health service for the purposes of conducting a search of the national death index.

E.  The department or a local health department shall disclose communicable disease related information to a good Samaritan who submits a request to the department or the local health department.  The request shall document the occurrence of the accident, fire or other life‑threatening emergency and shall include information regarding the nature of the significant exposure risk.  The department shall adopt rules that prescribe standards of significant exposure risk based on the best available medical evidence.  The department shall adopt rules that establish procedures for processing requests from good Samaritans pursuant to this subsection.  The rules shall provide that the disclosure to the good Samaritan shall not reveal the protected person's name and shall be accompanied by a written statement that warns the good Samaritan that the confidentiality of the information is protected by state law.

F.  An authorization to release communicable disease related information shall be signed by the protected person or, if the protected person lacks capacity to consent, the protected person's health care decision maker.  An authorization shall be dated and shall specify to whom disclosure is authorized, the purpose for disclosure and the time period during which the release is effective.  A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV‑related information unless the authorization specifically indicates its purpose as an authorization for the release of confidential HIV‑related information and complies with the requirements of this section.

G.  A person to whom communicable disease related information is disclosed pursuant to this section shall not disclose the information to another person except as authorized by this section.  This subsection does not apply to the protected person or a protected person's health care decision maker.

H.  If a disclosure of communicable disease related information is made pursuant to an authorization under subsection F of this section, the disclosure shall be accompanied by a statement in writing that warns that the information is from confidential records protected by state law and that prohibits further disclosure of the information without the specific written authorization of the person to whom it pertains or as otherwise permitted by law.

I.  H.  This section does not prohibit the listing of communicable disease related information, including acquired immune deficiency syndrome, HIV‑related illness or HIV infection, in a certificate of death, autopsy report or other related document that is prepared pursuant to law to document the cause of death or that is prepared to release a body to a funeral director.  This section does not modify a law or rule relating to access to death certificates, autopsy reports or other related documents.

J.  I.  If a person in possession of HIV‑related information reasonably believes that an identifiable third party is at risk of HIV infection, that person may report that risk to the department.  The report shall be in writing and include the name and address of the identifiable third party and the name and address of the person making the report.  The department shall contact the person at risk pursuant to rules adopted by the department.  The department employee making the initial contact shall have expertise in counseling persons who have been exposed to or tested positive for HIV or acquired immune deficiency syndrome.

K.  J.  Except as otherwise provided pursuant to this article or subject to an order or search warrant issued pursuant to section 36‑665, a person who receives HIV‑related information in the course of providing a health service or pursuant to a release of HIV‑related information shall not disclose that information to another person or legal entity or be compelled by subpoena, order, search warrant or other judicial process to disclose that information to another person or legal entity.

L.  K.  This section and sections 36‑663, 36‑666, 36‑667 and 36‑668 do not apply to persons or entities subject to regulation under title 20. END_STATUTE

Sec. 9.  Title 36, Arizona Revised Statutes, is amended by adding chapter 38, to read:

CHAPTER 38

HEALTH INFORMATION ORGANIZATIONS

ARTICLE 1.  GENERAL PROVISIONS

START_STATUTE36-3801.  Definitions

In this chapter, unless the context otherwise requires:

1.  "Breach" has the same meaning prescribed in 45 Code of Federal Regulations, part 164, subpart D.

2.  "Clinical laboratory" has the same meaning prescribed in section 36-451.

3.  "Health care decision maker" has the same meaning prescribed in section 12-2291.

4.  "Health care provider" has the same meaning prescribed in section 12-2291.

5.  "Health information organization" means an organization that oversees and governs the exchange of individually identifiable health information among organizations according to nationally recognized standards. Health information organization does not include a health care provider or an electronic health record maintained by or on behalf of a health care provider and does not include entities subject to title 20 or that are health plans as defined in 45 Code of Federal Regulations section 160.103.

6.  "Individual" means the person who is the subject of the individually identifiable health information.

7.  "Individually identifiable health information" has the same meaning prescribed in the health insurance portability and accountability act privacy standards, 45 Code of Federal Regulations part 160 and part 164, subpart E.

8.  "Medical records" has the same meaning prescribed in section 12‑2291.

9.  "Opt out" means an individual's written decision that the individual's individually identifiable health information cannot be shared through a health information organization.

10.  "Person" has the same meaning prescribed in section 1-215.

11.  "Treatment" has the same meaning prescribed in the health insurance portability and accountability act privacy standards, 45 Code of Federal Regulations part 160 and part 164, subpart E.

12.  "Written" means in handwriting or through an electronic transaction that meets the requirements of title 44, chapter 26.  END_STATUTE

START_STATUTE36-3802.  Individual rights

A.  A health information organization must provide the following rights to individuals:

1.  To opt out of participating in the health information organization pursuant to section 36-3803.

2.  To request a copy of the individual's individually identifiable health information that is available through the health information organization.  The health information organization may provide this right directly or may require health care providers participating in the health information organization to provide access to individuals.  The copy may be provided electronically, if the individual requesting the copy consents to electronic delivery of the individually identifiable health information, and must be provided to the individual within thirty days after the individual's request.  Charges for copies are governed by section 12-2295.

3.  To request amendment of incorrect individually identifiable health information available through the health information organization.

4.  To request a list of the persons who have accessed the individual's individually identifiable health information through the health information organization for a period of at least three years before the individual's request.  This list must be provided to the individual within thirty days after the individual's request.

5.  To be notified, pursuant to section 44-7501 and 45 Code of Federal Regulations part 164, subpart D, of a breach at the health information organization that affects the individual's individually identifiable health information.

B.  If an individual does not have the capacity to make health care decisions, the individual's health care decision maker may exercise all individual rights in this chapter on behalf of the individual. END_STATUTE

START_STATUTE36-3803.  Voluntary participation in health information organizations

An individual has the right to opt out of participating in a health information organization by providing notice as explained in the health information organization's notice of health information practices.  An individual also has the right to opt out of a particular health care provider sharing the individual's individually identifiable health information through the health information organization, provided that, if the health care provider is an employee of an organization, the organization may apply such opt out to all health care providers employed by the organization.  If an individual provides a notice of opt out to a health care provider, the health care provider must provide that notice to the health information organization.  A decision to opt out of participating in a health care information organization may be changed by an individual at any time by providing notice as explained in the health information organization's notice of health information practices. END_STATUTE

START_STATUTE36-3804.  Notice of health information practices

A.  A health information organization must maintain a written notice of health information practices describing the following:

1.  Individually identifiable health information that the health information organization collects about individuals.

2.  The categories of persons who have access to information, including individually identifiable health information, through the health information organization.

3.  The purposes for which access to the information, including individually identifiable health information, is provided through the health information organization.

4.  The individual's right to opt out of participating in the health information organization.

5.  An explanation as to how an individual opts out of participating in the health information organization.

B.  The notice shall include a statement informing the patient of the right to choose to keep the patient's personal health information out of the health information organization and that this right is protected by article 27, section 2, Constitution of Arizona.

C.  A health information organization must post its current notice of health information practices on its website in a conspicuous manner.

D.  Notwithstanding any other requirement in this section, a health information organization must provide an individual with a copy of the notice of health information practices within thirty days after receiving a written request for that information.

E.  A health care provider participating in a health information organization must provide the health information organization's notice of health information practices in at least twelve-point type to the provider's patients before or at the provider's first encounter with a patient, beginning on the first day of the provider's participation in the health information organization.  A health care provider must document that it has provided the health information organization's notice of health information practices to a patient and that the patient has received and read and understands the notice.  Documentation must be in the form of a signature by the patient indicating the patient has received and read and understands the notice of health information practices and whether the patient chooses to opt out.  As technology develops and electronic methods of receiving documentation from the patient exist, the health information organization is permitted to utilize such electronic documentation.

F.  If the patient chooses to opt out of the health information organization, the patient's personal health information shall not be accessible through the health information organization no later than thirty days after the patient opts out.

G.  If there is a material change to a health information organization's notice of health information practices, a health care provider must redistribute the notice of health information practices at the next point of contact with the patient or in the same manner and within the same time period as is required by 45 Code of Federal Regulations section 164.528 in relation to the health care provider's notice of privacy practices, whichever comes first. END_STATUTE

START_STATUTE36-3805.  Disclosure of individually identifiable health information

A.  A health information organization may disclose an individual's individually identifiable health information only if:

1.  The individual has not opted out of participating in the health information organization.

2.  The type of disclosure is explained in the health information organization's current notice of health information practices.

3.  The disclosure complies with the health insurance portability and accountability act privacy rule, 45 Code of Federal Regulations part 164, subpart E.

B.  A health information organization may not sell or otherwise make commercial use of an individual's individually identifiable health information without the written consent of the individual.

C.  A health information organization may not transfer individually identifiable health information or deidentified health information to any person or entity for the purpose of research or using the information as part of a set of data for an application for grant or other research funding, unless the health care provider obtains consent from the individual for the transfer.  A health care provider must document that it has provided a notice of transfer to the individual and that the individual has received and read and understands the notice.  Documentation must be in the form of a signature by the individual indicating the individual has received and read and understands the notice and that the patient gives consent to the transfer of information.  For the purposes of this subsection, "consent" means that a health care provider participating in a health information organization has provided a notice to the individual that is in at least twelve-point type and that describes the purposes of the transfer.

D.  This chapter does not interfere with any other federal or state laws or regulations that provide more extensive protection of individually identifiable health information than provided in this chapter. END_STATUTE

START_STATUTE36-3806.  Required policies

A health information organization must implement and enforce policies governing the privacy and security of individually identifiable health information and compliance with this chapter.  These policies must:

1.  Implement the individual rights prescribed in section 36-3802.

2.  Address the individual's right to opt-out of participating in the health information organization pursuant to section 36-3803.

3.  Address the content and distribution of the notice of health information practices prescribed in section 36-3804.

4.  Implement the restrictions on disclosure of individually identifiable health information prescribed in section 36-3805.

5.  Address security safeguards to protect individually identifiable health information, as required by the health insurance portability and accountability act security rule, 45 Code of Federal Regulations part 164, subpart C.

6.  Prescribe the appointment and responsibilities of a person or persons who have responsibility for maintaining privacy and security procedures for the health information organization.

7.  Require training of each employee and agent of the health information organization about the health information organization's policies, including the need to maintain the privacy and security of individually identifiable health information and the penalties provided for the unauthorized access, release, transfer, use or disclosure of individually identifiable health information.  The health information organization must provide this training before an employee or agent may have access to individually identifiable health information available to the health information organization, and twice a year for all employees and agents. END_STATUTE

START_STATUTE36-3807.  Implementing individual preference for sharing individually identifiable health information; review

A health information organization must have technology capability to implement individual preferences for sharing or segregating individually identifiable health information within three years after the effective date of this section.  After the health information organization obtains the technology capability to implement individual preferences for sharing or segregating individually identifiable health information, the health care provider must provide notice to the patient of the change pursuant to section 36-3804, subsection G. END_STATUTE

START_STATUTE36-3808.  Subpoenas; certification requirements

A.  Individually identifiable health information that is maintained by a health information organization is not subject to a subpoena directed to the health information organization unless section 12‑2294.01 is followed and a court has determined on motion and notice to the health information organization and the parties to the litigation in which the subpoena is served that the information sought from the health information organization is not available from the original source and either is relevant to the subject matter involved in the pending action or is reasonably calculated to lead to the discovery of admissible evidence in the pending action.

B.  A person who issues a subpoena to the health information organization pursuant to this section must certify before the issuance of the subpoena that the requirements of subsection A of this section have been met. END_STATUTE

START_STATUTE36-3809.  Health care providers; duty to maintain medical records

A.  A health care provider who participates in a health information organization is responsible for maintaining the provider's own medical records pursuant to title 12, chapter 13, article 7.1.

B.  Participation in a health information organization does not impact the content, use or disclosure of medical records or information contained in medical records that are held in locations other than the health information organization.

C.  This chapter does not limit, change or otherwise affect a health care provider's right or duty to exchange medical records or information contained in medical records in accordance with applicable law. END_STATUTE