The Arizona Revised Statutes have been updated to include the revised sections from the 55th Legislature, 2nd Regular Session. Please note that the next update of this compilation will not take place until after the conclusion of the 56th Legislature, 1st Regular Session, which convenes in January 2023.
This online version of the Arizona Revised Statutes is primarily maintained for legislative drafting purposes and reflects the version of law that is effective on January 1st of the year following the most recent legislative session. The official version of the Arizona Revised Statutes is published by Thomson Reuters.
A health information organization must implement and enforce policies governing the privacy and security of individually identifiable health information and compliance with this chapter. These policies must:
1. Implement the individual rights prescribed in section 36-3802.
2. Address the individual's right to opt out of having the individual's individually identifiable health information accessible through the health information organization pursuant to section 36-3803.
3. Address the content and distribution of the notice of health information practices prescribed in section 36-3804.
4. Implement the restrictions on disclosure of individually identifiable health information through the health information organization as prescribed in section 36-3805.
5. Address security safeguards to protect individually identifiable health information as required by the health insurance portability and accountability act security rule (45 Code of Federal Regulations part 164, subpart C).
6. Prescribe the appointment and responsibilities of a person or persons who have responsibility for maintaining privacy and security procedures for the health information organization.
7. Require training of each employee and agent of the health information organization about the health information organization's policies, including the need to maintain the privacy and security of individually identifiable health information and the penalties for the unauthorized access, release, transfer, use or disclosure of individually identifiable health information. The health information organization must initially provide this training before an employee or agent may have access to individually identifiable health information available through the health information organization, and at a later time as reasonable and appropriate in accordance with the training implementation specifications required by the health insurance portability and accountability act privacy rule (45 Code of Federal Regulations section 164.530(b)).