36-509. Confidential records; immunity; definition
A. A health care entity must keep records and information contained in records confidential and not as public records, except as provided in this section. Records and information contained in records may be disclosed only as authorized by state or federal law, including the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E), or as follows to:
1. Physicians and providers of health, mental health or social and welfare services involved in caring for, treating or rehabilitating the patient.
2. Individuals to whom the patient or the patient's health care decision maker has given authorization to have information disclosed.
3. Persons authorized by a court order.
4. Persons doing research only if the activity is conducted pursuant to applicable federal or state laws and regulations governing research.
5. The state department of corrections in cases in which prisoners confined to the state prison are patients in the state hospital on authorized transfers either by voluntary admission or by order of the court.
6. Governmental or law enforcement agencies if necessary to:
(a) Secure the return of a patient who is on unauthorized absence from any agency where the patient was undergoing evaluation and treatment.
(b) Report a crime on the premises.
(c) Avert a serious and imminent threat to an individual or the public.
7. Persons, including family members, other relatives, close personal friends or any other person identified by the patient, as otherwise authorized or required by state or federal law, including the health insurance portability and accountability act of 1996 privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E), or pursuant to one of the following:
(a) If the patient is present or otherwise available and has the capacity to make health care decisions, the health care entity may disclose the information if one of the following applies:
(i) The patient agrees verbally or agrees in writing by signing a consent form that permits disclosure.
(ii) The patient is given an opportunity to object and does not express an objection.
(iii) The health care entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.
(b) If the patient is not present or the opportunity to agree or object to the disclosure of information cannot practicably be provided because of the patient's incapacity or an emergency circumstance, the health care entity may disclose the information if the entity determines that the disclosure of the information is in the best interests of the patient. In determining whether the disclosure of information is in the best interests of the patient, in addition to all other relevant factors, the health care entity shall consider all of the following:
(i) The patient's medical and treatment history, including the patient's history of compliance or noncompliance with an established treatment plan based on information in the patient's medical record and on reliable and relevant information received from the patient's family members, friends or others involved in the patient's care, treatment or supervision.
(ii) Whether the information is necessary or, based on professional judgment, would be useful in assisting the patient in complying with the care, treatment or supervision prescribed in the patient's treatment plan.
(iii) Whether the health care entity has reasonable grounds to believe that the release of the information may subject the patient to domestic violence, abuse or endangerment by family members, friends or other persons involved in the patient's care, treatment or supervision.
(c) The health care entity believes the patient presents a serious and imminent threat to the health or safety of the patient or others, and the health care entity believes that family members, friends or others involved in the patient's care, treatment or supervision can help to prevent the threat.
(d) In order for the health care entity to notify a family member, friend or other person involved in the patient's care, treatment or supervision of the patient's location, general condition or death.
8. A state agency that licenses health professionals pursuant to title 32, chapter 13, 15, 17, 19.1 or 33 and that requires these records in the course of investigating complaints of professional negligence, incompetence or lack of clinical judgment.
9. A state or federal agency that licenses health care providers.
10. A governmental agency or a competent professional, as defined in section 36-3701, in order to comply with chapter 37 of this title.
11. Independent oversight committees established pursuant to title 41, chapter 35. Any information released pursuant to this paragraph shall comply with the requirements of section 41-3804 and applicable federal law and shall be released without personally identifiable information unless the personally identifiable information is required for the official purposes of the independent oversight committee. Case information received by an independent oversight committee shall be maintained as confidential. For the purposes of this paragraph, "personally identifiable information" includes a person's name, address, date of birth, social security number, tribal enrollment number, telephone or telefacsimile number, driver license number, places of employment, school identification number and military identification number or any other distinguishing characteristic that tends to identify a particular person.
12. A patient or the patient's health care decision maker.
13. The department of public safety or another law enforcement agency by the court to comply with the requirements of section 36-540, subsections O and P.
14. A third-party payor or the payor's contractor as permitted by the health insurance portability and accountability act privacy standards, 45 Code of Federal Regulations part 160 and part 164, subpart E.
15. A private entity that accredits the health care provider and with whom the health care provider has an agreement requiring the agency to protect the confidentiality of patient information.
16. The legal representative of a health care entity in possession of the record for the purpose of securing legal advice.
17. A person or entity as otherwise required by state or federal law.
18. A person or entity as permitted by the federal regulations on alcohol and drug abuse treatment (42 Code of Federal Regulations part 2).
19. A person or entity to conduct utilization review, peer review and quality assurance pursuant to section 36-441, 36-445, 36-2402 or 36-2917.
20. A person maintaining health statistics for public health purposes as authorized by law.
21. A grand jury as directed by subpoena.
22. A person or entity that provides services to the patient's health care provider, as defined in section 12-2291, and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 164, subpart E).
23. A county medical examiner or an alternate medical examiner directing an investigation into the circumstances surrounding a death pursuant to section 11-593.
B. Information disclosed pursuant to subsection A, paragraph 7 of this section may include only information that is directly relevant to the person's involvement with the patient's health care or payment related to the patient's health care. Subsection A, paragraph 7 of this section does not prevent a health care entity from obtaining or receiving information about the patient from a family member, friend or other person involved in the patient's care, treatment or supervision. A health care entity shall keep a record of the name and contact information of any person to whom any patient information is released pursuant to subsection A, paragraph 7 of this section. A decision to release or withhold information pursuant subsection A, paragraph 7 of this section is subject to review pursuant to section 36-517.01.
C. Information and records obtained in the course of evaluation, examination or treatment and submitted in any court proceeding pursuant to this chapter or title 14, chapter 5 are confidential and are not public records unless the hearing requirements of this chapter or title 14, chapter 5 require a different procedure. Information and records that are obtained pursuant to this section and submitted in a court proceeding pursuant to title 14, chapter 5 and that are not clearly identified by the parties as confidential and segregated from nonconfidential information and records are considered public records.
D. Notwithstanding subsections A, B and C of this section, the legal representative of a patient who is the subject of a proceeding conducted pursuant to this chapter and title 14, chapter 5 has access to the patient's information and records in the possession of a health care entity or filed with the court.
E. A health care entity that acts in good faith under this article is not liable for damages in any civil action for the disclosure of records or payment records that is made pursuant to this article or as otherwise provided by law. The health care entity is presumed to have acted in good faith. This presumption may be rebutted by clear and convincing evidence.
F. For the purposes of this section, "information" means records and the information contained in records.