Assigned to HHS
FOR COMMITTEE

ARIZONA STATE SENATE

Fifty-Fourth Legislature, First Regular Session

 

FACT SHEET FOR S.B. 1321

 

health information organizations

Purpose

            Modifies requirements related to the disclosure of individually identifiable information that is accessible through a health information organization (HIO).

Background

            The federal Health Insurance Portability and Accountability Act (HIPAA), enacted on August 21, 1996, requires the Secretary of the U.S. Department of Health and Human Services (U.S. HHS) to publicize standards for the electronic exchange, privacy and security of health information. In 2002, the U.S. HHS developed a proposed rule governing the privacy of individually identifiable health information. The regulation, known as the privacy rule, establishes a set of national standards governing the protection of certain health information. HIPAA privacy rules address the use and disclosure of individuals’ protected health information by entities that are subject to the privacy rule as well as standards for privacy rights for individuals to understand and control how their health information is used. The privacy rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of the U.S. HHS has adopted standards under HIPAA.

            Laws 2011, Chapter 268 established requirements for HIOs in Arizona, including requirements governing the maintenance and release of medical records and health information. An HIO is an organization that oversees and governs the exchange of individually identifiable health information according to nationally recognized standards. Statute requires that an HIO provide certain rights to individuals, including the ability to: 1) opt out of the HIO; 2) request a list of individuals who have accessed the individual's health information through the HIO; and 3) request an amendment of incorrect individually identifiable health information available through the HIO (A.R.S. § 36-3802).

            There is no anticipated fiscal impact to the state General Fund associated with this legislation.

Provisions

1.      Specifies that medical records, including information pertaining to mental health services and communicable diseases, and information contained within the medical records can only be disclosed as authorized by state or federal law, including HIPAA privacy standards.

2.      Specifies that an individual’s individually identifiable health information is accessible, rather than available, through an HIO.

3.      Permits an individual to opt out of having their individually identifiable health information accessible through an HIO, except as required by state or federal law. 

4.      Requires that copies of a person's individually identifiable health information that is accessible through an HIO comply with HIPAA privacy standards.

5.      Eliminates the ability of a person to request an electronic copy of the individual’s individually identifiable health information.

6.      Removes an individual's right to opt out of a particular health care provider sharing the individual’s individually identifiable health information through an HIO.

7.      Requires a health care provider to promptly provide the notice of an individual’s decision to opt out of an HIO to the HIO in a manner prescribed by the HIO's policies.  

8.      Stipulates that individuals who previously elected to opt out of having a particular health care provider's data accessible through an HIO will be treated by the HIO as having elected to opt out of the HIO, within 90 days after the general effective date of this legislation.

9.      Specifies that individually identifiable health information is inaccessible through an HIO 30 days after the HIO receives the notice of an individual’s decision to opt out.

10.  Allows an HIO’s notice of health information practices to reference a publicly accessible website that displays the current list of permitted reasons for accessing individually identifiable health information through the HIO.

11.  Requires health care providers that participate in an HIO to distribute and document distribution of the HIO’s notice of health information practices in the same circumstances and manner as a health care provider is required to distribute and document a notice of privacy practices by HIPAA.

12.  Requires an HIO’s notice of health information privacy practices to use a legible font in at least 10-point type.

13.  Allows health care providers who share a location to provide the HIO's notice of health information practices for, or on behalf of, any of the health care providers in the shared location.

14.  Prohibits an HIO from transferring individually identifiable health information or deidentified health information that is accessible through the HIO to any person or entity for the purpose of research, with certain exceptions.

15.  Affirms that established requirements and prohibitions pertaining to HIOs do not limit, change or affect an HIO’s right or duty to exchange individually identifiable health information in accordance with applicable law and by means other than through an HIO.

16.  Requires that each employee and agent of an HIO receive initial training regarding the HIO’s policies prior to gaining access to individually identifiable health information through the HIO, and subsequent training at a later time as reasonable and appropriate in accordance with the training implementation specifications required by the HIPAA privacy rule.

17.  Specifies that individually identifiable health information accessible through an HIO is not subject to a civil litigation subpoena, unless otherwise stipulated.

18.  Grants HIOs immunity from civil liability for damages in any civil action for:

a)      inaccurate or incomplete individually identifiable health information provided by third parties and accessible through an HIO;

b)      another person’s use or disclosure of individually identifiable health information through an HIO; and

c)      the use or disclosure of individually identifiable health information that is made in good faith.

19.  Establishes a rebuttable presumption of clear and convincing evidence that an HIO uses or discloses individually identifiable health information in good faith.

20.  Stipulates that the civil immunity does not preclude liability for any damages resulting from intentional misconduct or gross negligence by an HIO.

21.  Defines participation and participating as they relate to HIOs.

22.  Removes the definition of clinical laboratory and treatment.

23.  Makes technical and conforming changes.

24.  Becomes effective on the general effective date.

Prepared by Senate Research

February 5, 2019

CRS/AB/kja