|
House Engrossed Senate Bill |
|
State of Arizona Senate Fifty-fourth Legislature First Regular Session 2019
|
|
CHAPTER 311
|
|
SENATE BILL 1321 |
|
|
AN ACT
Amending sections 36‑509, 36‑664, 36‑3801, 36‑3802, 36‑3803, 36‑3804, 36‑3805 and 36‑3806, Arizona Revised Statutes; repealing section 36‑3807, Arizona Revised Statutes; amending sections 36‑3808 and 36‑3809, Arizona Revised Statutes; relating to health information organizations.
(TEXT OF BILL BEGINS ON NEXT PAGE)
Be it enacted by the Legislature of the State of Arizona:
Section 1. Section 36-509, Arizona Revised Statutes, is amended to read:
36-509. Confidential records; immunity; definition
A. A health care entity must keep records and information contained in records confidential and not as public records, except as provided in this section. Records and information contained in records may only be disclosed only as authorized by state or federal law, including the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E), or as follows to:
1. Physicians and providers of health, mental health or social and welfare services involved in caring for, treating or rehabilitating the patient.
2. Individuals to whom the patient or the patient's health care decision maker has given authorization to have information disclosed.
3. Persons authorized by a court order.
4. Persons doing research only if the activity is conducted pursuant to applicable federal or state laws and regulations governing research.
5. The state department of corrections in cases in which prisoners confined to the state prison are patients in the state hospital on authorized transfers either by voluntary admission or by order of the court.
6. Governmental or law enforcement agencies if necessary to:
(a) Secure the return of a patient who is on unauthorized absence from any agency where the patient was undergoing evaluation and treatment.
(b) Report a crime on the premises.
(c) Avert a serious and imminent threat to an individual or the public.
7. Persons, including family members, other relatives, close personal friends or any other person identified by the patient, as otherwise authorized or required by state or federal law, including the health insurance portability and accountability act of 1996 privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E), or pursuant to one of the following:
(a) If the patient is present or otherwise available and has the capacity to make health care decisions, the health care entity may disclose the information if one of the following applies:
(i) The patient agrees verbally or agrees in writing by signing a consent form that permits disclosure.
(ii) The patient is given an opportunity to object and does not express an objection.
(iii) The health care entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.
(b) If the patient is not present or the opportunity to agree or object to the disclosure of information cannot practicably be provided because of the patient's incapacity or an emergency circumstance, the health care entity may disclose the information if the entity determines that the disclosure of the information is in the best interests of the patient. In determining whether the disclosure of information is in the best interests of the patient, in addition to all other relevant factors, the health care entity shall consider all of the following:
(i) The patient's medical and treatment history, including the patient's history of compliance or noncompliance with an established treatment plan based on information in the patient's medical record and on reliable and relevant information received from the patient's family members, friends or others involved in the patient's care, treatment or supervision.
(ii) Whether the information is necessary or, based on professional judgment, would be useful in assisting the patient in complying with the care, treatment or supervision prescribed in the patient's treatment plan.
(iii) Whether the health care entity has reasonable grounds to believe that the release of the information may subject the patient to domestic violence, abuse or endangerment by family members, friends or other persons involved in the patient's care, treatment or supervision.
(c) The health care entity believes the patient presents a serious and imminent threat to the health or safety of the patient or others, and the health care entity believes that family members, friends or others involved in the patient's care, treatment or supervision can help to prevent the threat.
(d) In order for the health care entity to notify a family member, friend or other person involved in the patient's care, treatment or supervision of the patient's location, general condition or death.
8. A state agency that licenses health professionals pursuant to title 32, chapter 13, 15, 17, 19.1 or 33 and that requires these records in the course of investigating complaints of professional negligence, incompetence or lack of clinical judgment.
9. A state or federal agency that licenses health care providers.
10. A governmental agency or a competent professional, as defined in section 36‑3701, in order to comply with chapter 37 of this title.
11. Independent oversight committees established pursuant to title 41, chapter 35. Any information released pursuant to this paragraph shall comply with the requirements of section 41‑3804 and applicable federal law and shall be released without personally identifiable information unless the personally identifiable information is required for the official purposes of the independent oversight committee. Case information received by an independent oversight committee shall be maintained as confidential. For the purposes of this paragraph, "personally identifiable information" includes a person's name, address, date of birth, social security number, tribal enrollment number, telephone or telefacsimile number, driver license number, places of employment, school identification number and military identification number or any other distinguishing characteristic that tends to identify a particular person.
12. A patient or the patient's health care decision maker.
13. The department of public safety or another law enforcement agency by the court to comply with the requirements of section 36‑540, subsections O and P.
14. A third‑party payor or the payor's contractor as permitted by the health insurance portability and accountability act privacy standards, 45 Code of Federal Regulations part 160 and part 164, subpart E.
15. A private entity that accredits the health care provider and with whom the health care provider has an agreement requiring the agency to protect the confidentiality of patient information.
16. The legal representative of a health care entity in possession of the record for the purpose of securing legal advice.
17. A person or entity as otherwise required by state or federal law.
18. A person or entity as permitted by the federal regulations on alcohol and drug abuse treatment (42 Code of Federal Regulations part 2).
19. A person or entity to conduct utilization review, peer review and quality assurance pursuant to section 36‑441, 36‑445, 36‑2402 or 36‑2917.
20. A person maintaining health statistics for public health purposes as authorized by law.
21. A grand jury as directed by subpoena.
22. A person or entity that provides services to the patient's health care provider, as defined in section 12‑2291, and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards, (45 Code of Federal Regulations part 164, subpart E).
B. Information disclosed pursuant to subsection A, paragraph 7 of this section may include only information that is directly relevant to the person's involvement with the patient's health care or payment related to the patient's health care. Subsection A, paragraph 7 of this section does not prevent a health care entity from obtaining or receiving information about the patient from a family member, friend or other person involved in the patient's care, treatment or supervision. A health care entity shall keep a record of the name and contact information of any person to whom any patient information is released pursuant to subsection A, paragraph 7 of this section. A decision to release or withhold information pursuant subsection A, paragraph 7 of this section is subject to review pursuant to section 36‑517.01.
C. Information and records obtained in the course of evaluation, examination or treatment and submitted in any court proceeding pursuant to this chapter or title 14, chapter 5 are confidential and are not public records unless the hearing requirements of this chapter or title 14, chapter 5 require a different procedure. Information and records that are obtained pursuant to this section and submitted in a court proceeding pursuant to title 14, chapter 5 and that are not clearly identified by the parties as confidential and segregated from nonconfidential information and records are considered public records.
D. Notwithstanding subsections A, B and C of this section, the legal representative of a patient who is the subject of a proceeding conducted pursuant to this chapter and title 14, chapter 5 has access to the patient's information and records in the possession of a health care entity or filed with the court.
E. A health care entity that acts in good faith under this article is not liable for damages in any civil action for the disclosure of records or payment records that is made pursuant to this article or as otherwise provided by law. The health care entity is presumed to have acted in good faith. This presumption may be rebutted by clear and convincing evidence.
F. For the purposes of this section, "information" means records and the information contained in records.
Sec. 2. Section 36-664, Arizona Revised Statutes, is amended to read:
36-664. Confidentiality; exceptions
A. A person who obtains communicable disease related information in the course of providing a health service or obtains that information from a health care provider pursuant to an authorization shall not disclose or be compelled to disclose that information except as authorized by state or federal law, including the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E), or pursuant to the following:
1. The protected person or, if the protected person lacks capacity to consent, the protected person's health care decision maker.
2. A health care provider or first responder who has had an occupational significant exposure risk to the protected person's blood or bodily fluid if the health care provider or first responder provides a written request that documents the occurrence and information regarding the nature of the occupational significant exposure risk and the report is reviewed and confirmed by a health care provider who is both licensed pursuant to title 32, chapter 13, 15 or 17 and competent to determine a significant exposure risk. A health care provider who releases communicable disease information pursuant to this paragraph shall provide education and counseling to the person who has had the occupational significant exposure risk.
3. The department or a local health department for purposes of notifying a Good Samaritan pursuant to subsection E of this section.
4. An agent or employee of a health facility or health care provider to provide health services to the protected person or the protected person's child or for billing or reimbursement for health services.
5. A health facility or health care provider, in relation to the procurement, processing, distributing or use of a human body or a human body part, including organs, tissues, eyes, bones, arteries, blood, semen, milk or other body fluids, for use in medical education, research or therapy or for transplantation to another person.
6. A health facility or health care provider, or an organization, committee or individual designated by the health facility or health care provider, that is engaged in the review of professional practices, including the review of the quality, utilization or necessity of medical care, or an accreditation or oversight review organization responsible for the review of professional practices at a health facility or by a health care provider.
7. A private entity that accredits the health facility or health care provider and with whom the health facility or health care provider has an agreement requiring the agency to protect the confidentiality of patient information.
8. A federal, state, county or local health officer if disclosure is mandated by federal or state law.
9. A federal, state or local government agency authorized by law to receive the information. The agency is authorized to redisclose the information only pursuant to this article or as otherwise permitted by law.
10. An authorized employee or agent of a federal, state or local government agency that supervises or monitors the health care provider or health facility or administers the program under which the health service is provided. An authorized employee or agent includes only an employee or agent who, in the ordinary course of business of the government agency, has access to records relating to the care or treatment of the protected person.
11. A person, health care provider or health facility to which disclosure is ordered by a court or administrative body pursuant to section 36‑665.
12. The industrial commission or parties to an industrial commission of Arizona claim pursuant to section 23‑908, subsection D and section 23‑1043.02.
13. Insurance entities pursuant to section 20‑448.01 and third‑party payors or the payors' contractors.
14. Any person or entity as authorized by the patient or the patient's health care decision maker.
15. A person or entity as required by federal law.
16. The legal representative of the entity holding the information in order to secure legal advice.
17. A person or entity for research only if the research is conducted pursuant to applicable federal or state laws and regulations governing research.
18. A person or entity that provides services to the patient's health care provider, as defined in section 12‑2291, and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards, 45 Code of Federal Regulations part 164, subpart E.
B. At the request of the department of child safety or the department of economic security and in conjunction with the placement of children in foster care or for adoption or court‑ordered placement, a health care provider shall disclose communicable disease information, including HIV‑related information, to the department of child safety or the department of economic security.
C. A state, county or local health department or officer may disclose communicable disease related information if the disclosure is any of the following:
1. Specifically authorized or required by federal or state law.
2. Made pursuant to an authorization signed by the protected person or the protected person's health care decision maker.
3. Made to a contact of the protected person. The disclosure shall be made without identifying the protected person.
4. For the purposes of research as authorized by state and federal law.
D. The director may authorize the release of information that identifies the protected person to the national center for health statistics of the United States public health service for the purposes of conducting a search of the national death index.
E. The department or a local health department shall disclose communicable disease related information to a Good Samaritan who submits a request to the department or the local health department. The request shall document the occurrence of the accident, fire or other life‑threatening emergency and shall include information regarding the nature of the significant exposure risk. The department shall adopt rules that prescribe standards of significant exposure risk based on the best available medical evidence. The department shall adopt rules that establish procedures for processing requests from Good Samaritans pursuant to this subsection. The rules shall provide that the disclosure to the Good Samaritan shall not reveal the protected person's name and shall be accompanied by a written statement that warns the Good Samaritan that the confidentiality of the information is protected by state law.
F. An authorization to release communicable disease related information shall be signed by the protected person or, if the protected person lacks capacity to consent, the protected person's health care decision maker. An authorization shall be dated and shall specify to whom disclosure is authorized, the purpose for disclosure and the time period during which the release is effective. A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV‑related information unless the authorization specifically indicates its purpose as an authorization for the release of confidential HIV‑related information and complies with the requirements of this section.
G. A person to whom communicable disease related information is disclosed pursuant to this section shall not disclose the information to another person except as authorized by this section. This subsection does not apply to the protected person or a protected person's health care decision maker.
H. This section does not prohibit the listing of communicable disease related information, including acquired immune deficiency syndrome, HIV‑related illness or HIV infection, in a certificate of death, autopsy report or other related document that is prepared pursuant to law to document the cause of death or that is prepared to release a body to a funeral director. This section does not modify a law or rule relating to access to death certificates, autopsy reports or other related documents.
I. If a person in possession of HIV‑related information reasonably believes that an identifiable third party is at risk of HIV infection, that person may report that risk to the department. The report shall be in writing and include the name and address of the identifiable third party and the name and address of the person making the report. The department shall contact the person at risk pursuant to rules adopted by the department. The department employee making the initial contact shall have expertise in counseling persons who have been exposed to or tested positive for HIV or acquired immune deficiency syndrome.
J. Except as otherwise provided pursuant to this article or subject to an order or search warrant issued pursuant to section 36‑665, a person who receives HIV‑related information in the course of providing a health service or pursuant to a release of HIV‑related information shall not disclose that information to another person or legal entity or be compelled by subpoena, order, search warrant or other judicial process to disclose that information to another person or legal entity.
K. This section and sections 36‑663, 36‑666, 36‑667 and 36‑668 do not apply to persons or entities subject to regulation under title 20.
Sec. 3. Section 36-3801, Arizona Revised Statutes, is amended to read:
36-3801. Definitions
In this chapter, unless the context otherwise requires:
1. "Breach" has the same meaning prescribed in 45 Code of Federal Regulations, part 164, subpart D.
2. "Clinical laboratory" has the same meaning prescribed in section 36‑451.
3. 2. "De-identified health information" has the same meaning as described in 45 Code of Federal Regulations section 164.514.
4. 3. "Health care decision maker" has the same meaning prescribed in section 12‑2291.
5. 4. "Health care provider" has the same meaning prescribed in section 12‑2291.
6. 5. "Health information organization" means an organization that oversees and governs the exchange of individually identifiable health information among organizations according to nationally recognized standards. Health information organization does not include:
(a) A health care provider or an electronic health record maintained by or on behalf of a health care provider.
(b) Entities that are subject to title 20 or that are health plans as defined in 45 Code of Federal Regulations section 160.103.
(c) The exchange of individually identifiable health information directly between health care providers without a separate organization governing that exchange.
7. 6. "Individual":
(a) Means the person who is the subject of the individually identifiable health information.
(b) Does not include an inmate as defined under the health insurance portability and accountability act privacy standards prescribed in 45 Code of Federal Regulations section 164.501.
8. 7. "Individually identifiable health information" has the same meaning prescribed in the health insurance portability and accountability act privacy standards, (45 Code of Federal Regulations part 160 and part 164, subpart E).
9. 8. "Medical records" has the same meaning prescribed in section 12‑2291.
10. 9. "Opt out" means an individual's written decision that the individual's individually identifiable health information cannot be shared through a health information organization.
10. "Participation" or "participating", with respect to a health information organization, means providing or accessing individually identifiable health information in the manner provided in the health information organization's policies.
11. "Person" has the same meaning prescribed in section 1‑215.
12. "Treatment" has the same meaning prescribed in the health insurance portability and accountability act privacy standards, 45 Code of Federal Regulations part 160 and part 164, subpart E.
13. 12. "Written" means in handwriting or through an electronic transaction that meets the requirements of title 44, chapter 26.
Sec. 4. Section 36-3802, Arizona Revised Statutes, is amended to read:
36-3802. Individual rights
A. A health information organization must provide An individual has the following rights to individuals:
1. Except as otherwise provided in state or federal law, to opt out of participating in the having the individual's individually identifiable health information accessible through a health information organization pursuant to section 36‑3803.
2. To request a copy of the individual's individually identifiable health information that is available accessible through the health information organization in accordance with the health insurance portability and accountability act (45 Code of Federal Regulations section 164.524). The health information organization may provide this right directly or may require health care providers or other persons participating in the health information organization to provide this access to individuals. The copy may be provided electronically, if the individual requesting the copy consents to electronic delivery of the individually identifiable health information, and must be provided to the individual within thirty days after the individual's request. Charges for copies are governed by section 12‑2295.
3. To request the amendment of incorrect individually identifiable health information available accessible through the health information organization.
4. To request a list of the persons who have accessed the individual's individually identifiable health information through the health information organization for a period of at least three years before the individual's request. This list must be provided to the individual within thirty days after the individual's request.
5. To be notified, pursuant to section 18-552 and 45 Code of Federal Regulations part 164, subpart D, of a breach at the health information organization that affects the individual's individually identifiable health information.
B. If an individual does not have the capacity to make health care decisions, the individual's health care decision maker may exercise all individual rights in this chapter on behalf of the individual.
Sec. 5. Section 36-3803, Arizona Revised Statutes, is amended to read:
36-3803. Individual right to opt out of health information organizations
Except as otherwise provided in state or federal law, an individual has the right to opt out of participating in having the individual's individually identifiable health information accessible through a health information organization by providing notice as explained in the health information organization's notice of health information practices. An individual also has the right to opt out of a particular health care provider sharing the individual's individually identifiable health information through the health information organization, provided that, if the health care provider is an employee of an organization, the organization may apply such opt out to all health care providers employed by the organization. If an individual provides a notice of opt out to a health care provider, the health care provider must promptly provide that notice to the health information organization in the manner provided in the health information organization's policies. A decision to opt out of participating in a health care having individually identifiable health information accessible through the health information organization may be changed by an individual at any time by providing notice as explained in the health information organization's notice of health information practices. Individuals who previously elected to opt out of having a particular health care provider's data accessible through the health information organization will be treated by the health information organization as having elected to opt out under this section within ninety days after the effective date of this amendment to this section.
Sec. 6. Section 36-3804, Arizona Revised Statutes, is amended to read:
36-3804. Notice of health information practices; posting; distribution; decision to opt out
A. A health information organization must maintain a written notice of health information practices describing the following:
1. Individually identifiable health information that is accessible through the health information organization collects about individuals.
2. The categories of persons who have access to information, including individually identifiable health information, through the health information organization.
3. The purposes for which access to the information, including individually identifiable health information, is provided through the health information organization. The notice of health information practices may reference a publicly accessible website that displays the current list of allowed purposes for which access to this information is allowed through the health information organization.
4. Except as otherwise provided in state or federal law, the individual's right to opt out of participating in having the individual's individually identifiable health information accessible through the health information organization.
5. An explanation as to how an individual opts may opt out of participating in having the individual's individually identifiable health information accessible through the health information organization.
B. The notice shall include a statement informing the patient individual of the right not to share have the patient's individual's individually identifiable health information accessible through the health information organization, except as otherwise provided by state or federal law, and that this right is protected by article XXVII, section 2, Constitution of Arizona.
C. A health information organization must post its current notice of health information practices on its website in a conspicuous manner.
D. Notwithstanding any other requirement in this section, a health information organization must provide an individual with a copy of the notice of health information practices within thirty days after receiving a written request for that information.
E. A health care provider participating in a health information organization must provide distribute and document the distribution of the health information organization's notice of health information practices in at least twelve-point type to the provider's patients before or at the provider's first encounter with a patient, beginning on the first day of the provider's participation in the health information organization. A health care provider must document that it has provided the health information organization's notice of health information practices to a patient and that the patient has received and read and understands the notice. Documentation must be in the form of a signature by the patient indicating the patient has received and read and understands the notice of health information practices and whether the patient chooses to opt out. As technology develops and electronic methods of receiving documentation from the patient exist, the health information organization is permitted to utilize such electronic documentation the same circumstances and in the same manner as the health care provider is required to distribute and document a notice of privacy practices by the health insurance portability and accountability act (45 Code of Federal Regulation section 164.520(c)(2) and (3)). The health information organization's notice of health information privacy practices must use a legible font in at least ten-point type. Health care providers that share a location may provide the health information organization's notice of health information practices for, or on behalf of, any of the health care providers that share a location.
F. If the patient Except as otherwise provided in state or federal law, if an individual chooses to opt out of having the individual's individually identifiable health information accessible through the health information organization, the patient's individual's individually identifiable health information shall not be accessible through the health information organization no later than thirty days after the patient opts health information organization receives notice, in the manner explained in the health information organization's notice of health information practices, of the individual's decision to opt out. A person who receives de‑identified information from the health information organization may not use such de-identified information, either alone or in combination with other information, to identify an individual.
G. If there is a material change to a health information organization's notice of health information practices, including the health information organization's capability to implement individual preferences for sharing or segregating individually identifiable health information, a health care provider must redistribute the notice of health information practices at the next point of contact with the patient individual or in the same manner and within the same time period as is required by 45 Code of Federal Regulations section 164.528 in relation to the health care provider's notice of privacy practices, whichever comes first.
Sec. 7. Section 36-3805, Arizona Revised Statutes, is amended to read:
36-3805. Disclosure of individually identifiable health information; transfer; consent
A. Except as otherwise provided in state or federal law, disclosure of an individual's individually identifiable health information through a health information organization may disclose an individual's individually identifiable health information is allowed only if:
1. The individual has not opted out of participating in having the individual's individually identifiable health information accessible through the health information organization.
2. The type purpose of the disclosure is explained in the health information organization's current notice of health information practices.
3. The disclosure complies with the health insurance portability and accountability act privacy rule, standard (45 Code of Federal Regulations part 164, subpart E).
B. A health information organization may not sell or otherwise make commercial use of an individual's individually identifiable health information without the written consent of the individual.
C. A health information organization may not transfer individually identifiable health information or deidentified de‑identified health information that is accessible through the health information exchange to any person or entity for the purpose of research or using the information as part of a set of data for an application for grant or other research funding, unless the health care provider obtains consent from the individual for the transfer. A health care provider must document that it has provided a notice of transfer to the individual and that the individual has received and read and understands the notice. Documentation must be in the form of a signature by the individual indicating the individual has received and read and understands the notice and that the patient individual gives consent to the transfer of information. For the purposes of this subsection, "consent" means that a health care provider participating in a health information organization has provided a notice to the individual that is in at least twelve-point type and that describes the purposes of the transfer.
D. This chapter does not:
1. Interfere with any other federal or state laws or regulations that provide more extensive protection of individually identifiable health information than provided in this chapter.
2. Limit, change or otherwise affect a health information organization's right or duty to exchange information, including individually identifiable health information and de‑identified health information, in accordance with applicable law and by means other than through the health information organization.
Sec. 8. Section 36-3806, Arizona Revised Statutes, is amended to read:
36-3806. Required policies
A health information organization must implement and enforce policies governing the privacy and security of individually identifiable health information and compliance with this chapter. These policies must:
1. Implement the individual rights prescribed in section 36‑3802.
2. Address the individual's right to opt out of participating in having the individual's individually identifiable health information accessible through the health information organization pursuant to section 36‑3803.
3. Address the content and distribution of the notice of health information practices prescribed in section 36‑3804.
4. Implement the restrictions on disclosure of individually identifiable health information through the health information organization as prescribed in section 36-3805.
5. Address security safeguards to protect individually identifiable health information, as required by the health insurance portability and accountability act security rule, (45 Code of Federal Regulations part 164, subpart C).
6. Prescribe the appointment and responsibilities of a person or persons who have responsibility for maintaining privacy and security procedures for the health information organization.
7. Require training of each employee and agent of the health information organization about the health information organization's policies, including the need to maintain the privacy and security of individually identifiable health information and the penalties provided for the unauthorized access, release, transfer, use or disclosure of individually identifiable health information. The health information organization must initially provide this training before an employee or agent may have access to individually identifiable health information available to through the health information organization, and twice a year for all employees and agents at a later time as reasonable and appropriate in accordance with the training implementation specifications required by the health insurance portability and accountability act privacy rule (45 Code of Federal Regulations section 164.530(b)).
Sec. 9. Repeal
Section 36-3807, Arizona Revised Statutes, is repealed.
Sec. 10. Section 36-3808, Arizona Revised Statutes, is amended to read:
36-3808. Civil litigation subpoenas; certification requirements
A. Except as otherwise provided in state or federal law, individually identifiable health information that is maintained by accessible through a health information organization is not subject to a civil litigation subpoena directed to the health information organization unless section 12‑2294.01 is followed and a court has determined on motion and notice to the health information organization and the parties to the civil litigation in which the subpoena is served that the information sought from the health information organization is not available from the original source and either is relevant to the subject matter involved in the pending civil action or is reasonably calculated to lead to the discovery of admissible evidence in the pending action.
B. A person who issues a civil litigation subpoena to the health information organization pursuant to this section must certify before the issuance of the civil litigation subpoena that the requirements of subsection A of this section have been met.
Sec. 11. Section 36-3809, Arizona Revised Statutes, is amended to read:
36-3809. Health care providers; duty to maintain medical records; civil immunity
A. A health care provider who participates participating in a health information organization is responsible for maintaining the provider's own medical records pursuant to title 12, chapter 13, article 7.1.
B. Participation in a health information organization does not impact the content, use or disclosure of medical records or information contained in medical records that are held in locations other than the health information organization.
C. This chapter does not limit, change or otherwise affect a health care provider's right or duty to exchange medical records or information contained in medical records in accordance with applicable law.
D. A health information organization is not liable for damages in any civil action for any of the following:
1. Inaccurate or incomplete health information that is provided by third parties and that is accessible through the health information organization.
2. Another person's use or disclosure of health information through the health information organization.
3. the use or disclosure of health information that is made in good faith pursuant to this article or as otherwise provided by law. The health information organization is presumed to have acted in good faith. this presumption may be rebutted by clear and convincing evidence.
E. Subsection D of this section does not preclude liability for that portion of any damages resulting from intentional misconduct or gross negligence by a health information organization.
APPROVED BY THE GOVERNOR JUNE 7, 2019.
FILED IN THE OFFICE OF THE SECRETARY OF STATE JUNE 7, 2019.