36-3805. Disclosure of individually identifiable health information; transfer; consent

A. Except as otherwise provided in state or federal law, disclosure of an individual's individually identifiable health information through a health information organization is allowed only if:

1. The individual has not opted out of having the individual's individually identifiable health information accessible through the health information organization.

2. The purpose of the disclosure is explained in the health information organization's current notice of health information practices.

3. The disclosure complies with the health insurance portability and accountability act privacy standard (45 Code of Federal Regulations part 164, subpart E).

B. A health information organization may not sell or otherwise make commercial use of an individual's individually identifiable health information without the written consent of the individual.

C. A health information organization may not transfer individually identifiable health information or de-identified health information that is accessible through the health information exchange to any person or entity for the purpose of research or using the information as part of a set of data for an application for grant or other research funding, unless the health care provider obtains consent from the individual for the transfer. A health care provider must document that it has provided a notice of transfer to the individual and that the individual has received and read and understands the notice.  Documentation must be in the form of a signature by the individual indicating the individual has received and read and understands the notice and that the individual gives consent to the transfer of information. For the purposes of this subsection, "consent" means that a health care provider participating in a health information organization has provided a notice to the individual that is in at least twelve-point type and that describes the purposes of the transfer.

D. This chapter does not:

1. Interfere with any other federal or state laws or regulations that provide more extensive protection of individually identifiable health information than provided in this chapter.

2. Limit, change or otherwise affect a health information organization's right or duty to exchange information, including individually identifiable health information and de-identified health information, in accordance with applicable law and by means other than through the health information organization.