Assigned to HHS                                                                                                                     FOR COMMITTEE






Fifty-Fifth Legislature, First Regular Session




health information; disclosures; prohibition


            Permits state, county and local health departments to disclose communicable disease information to Arizona's designated health information organization (HIO). Prohibits an HIO from disclosing specified health information for research purposes unless the disclosure complies with applicable state and federal regulations.


            The federal Health Insurance Portability and Accountability Act (HIPAA), enacted on August 21, 1996, requires the Secretary of the U.S. Department of Health and Human Services (U.S. HHS) to publicize standards for the electronic exchange, privacy and security of health information. In 2002, the U.S. HHS developed a proposed rule governing the privacy of individually identifiable health information. The regulation, known as the privacy rule, establishes a set of national standards governing the protection of certain health information. HIPAA privacy rules address the use and disclosure of individuals’ protected health information by entities that are subject to the privacy rule as well as standards for privacy rights for individuals to understand and control how their health information is used. The privacy rule applies to health plans, health care clearinghouses and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of the U.S. HHS has adopted standards under HIPAA.

            Laws 2011, Chapter 268 established requirements for HIOs in Arizona, including requirements governing the maintenance and release of medical records and health information. An HIO is an organization that oversees and governs the exchange of individually identifiable health information according to nationally recognized standards. Statute requires that an HIO provide certain rights to individuals, including the ability to: 1) opt out of the HIO;
2) request a list of individuals who have accessed the individual's health information through the HIO; and 3) request an amendment of incorrect individually identifiable health information available through the HIO (A.R.S. § 36-3802).

            There is no anticipated fiscal impact to the state General Fund associated with this legislation.


1.   Specifies, with regard to the Division of Developmental Disabilities within the Department of Economic Security, that medical records, including information pertaining to mental health services and communicable diseases, and information contained within the medical records can only be disclosed as authorized by state or federal law, including HIPAA privacy standards.

2.   Permits state, county and local health departments and officers to disclose communicable disease related information to Arizona's official HIO.

3.   Prohibits an HIO from disclosing individually identifiable or de-identified health information that is accessible through the HIO unless the disclosure complies with applicable state or federal laws or rules and regulations related to the use of such health information for research.

4.   Eliminates language precluding an HIO from disclosing individually identifiable or
de-identified health information for research purposes without meeting prescribed consent and notification requirements.

5.   Restricts a person who receives de-identified health information from an HIO from using the health information to identify an individual.

6.   Makes technical changes.

7.   Becomes effective on the general effective date.

Prepared by Senate Research

February 15, 2021