Bill Text: AZ SB1221 | 2023 | Fifty-sixth Legislature 1st Regular | Introduced

NOTE: There are more recent revisions of this legislation.
Bill Title: Hospitals; fingerprints; private investigators; identification

Spectrum: Partisan Bill (Republican 1-0)

Status: (Passed) 2023-06-05 - Chapter 163


REFERENCE TITLE: health information organizations

State of Arizona

Senate

Fifty-sixth Legislature

First Regular Session

2023

SB 1221

Introduced by

Senator Shope

An Act

amending sections 36-135, 36-664, 36-3801 and 36-3805, Arizona Revised Statutes; relating to health information organizations.


Be it enacted by the Legislature of the State of Arizona:

Section 1. Section 36-135, Arizona Revised Statutes, is amended to read:

36-135. Child immunization reporting system; requirements; access; confidentiality; immunity; violation; classification; definitions

A. The child immunization reporting system is established in the department to collect, store, analyze, release and report immunization data.

B. A health care professional who is licensed under title 32 to provide immunizations, except as provided in subsection I of this section, shall report the following information:

1. The health care professional's name, business address and business telephone number.

2. The child's name, address, social security number if known and not confidential, gender, date of birth and mother's maiden name.

3. The type of vaccine administered and the date it is administered.

C. The health care professional may submit this information to the department on a weekly or monthly basis by telephone, fax, mail, computer or any other method prescribed by the department.

D. Except as provided in subsection I of this section, the department shall release identifying information only to the person, the person's health care decision maker, parent or guardian, a health care provider, an entity regulated under title 20, the Arizona health care cost containment system and its contractors as defined in chapter 29 of this title, its external quality review organization or any other entity that has a business associate agreement with the Arizona health care cost containment system, a school official who is authorized by law to receive and record immunization records, a person or entity that provides services to a health care provider and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of the information, as required by the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 164, subpart E) or a nonprofit health information organization as defined in section 36-3801 that is designated by the department as this state's official health information exchange organization.  The department may also release identifying information to an entity designated by the person or the person's health care decision maker, parent or guardian. The department, by rule, may release immunization information to persons for a specified purpose. The department may release nonidentifying summary statistics.

E. Identifying information in the system is confidential. A person who is authorized to receive confidential information under subsection D of this section or pursuant to rules adopted by the department shall disclose this information only as allowed by this section or rules adopted by the department. A nonprofit health information organization as defined in section 36-3801 that is designated by the department as this state's official health information exchange organization may receive, use and redisclose the confidential information received pursuant to this section only for the purposes allowed by the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations Part 160 and Part 164, subpart E), regardless of whether the information is being maintained by or for a covered entity or business associate as defined in 45 Code of Federal Regulations section 160.103.

F. A health care provider that provides information in good faith pursuant to this section is not subject to civil or criminal liability.

G. A health care provider that does not comply with the requirements of this section violates a law applicable to the practice of medicine and commits an act of unprofessional conduct or a violation of chapter 4 of this title.

H. Any agency or person receiving confidential information from the system who subsequently discloses that information to any other person other than as allowed by this section is guilty of a class 3 misdemeanor.

I. At the request of the person, or if the person is a child the child's parent or guardian, the department of health services shall provide a form to be signed that allows confidential immunization information to be withheld from all persons including persons authorized to receive confidential information pursuant to subsection D of this section. If the request is delivered to the health care professional before the immunization, the health care professional shall not forward the information required under subsection B of this section to the department.

J. For the purposes of this section, "health care decision maker" and "health care provider" have the same meanings prescribed in section 12-2291.

Sec. 2. Section 36-664, Arizona Revised Statutes, is amended to read:

36-664. Confidentiality; exceptions

A. A person who obtains communicable disease related information in the course of providing a health service or obtains that information from a health care provider pursuant to an authorization shall not disclose or be compelled to disclose that information except as authorized by state or federal law, including the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E), or pursuant to the following:

1. The protected person or, if the protected person lacks capacity to consent, the protected person's health care decision maker.

2. A health care provider or first responder who has had an occupational significant exposure risk to the protected person's blood or bodily fluid if the health care provider or first responder provides a written request that documents the occurrence and information regarding the nature of the occupational significant exposure risk and the report is reviewed and confirmed by a health care provider who is both licensed pursuant to title 32, chapter 13, 14, 15 or 17 and competent to determine a significant exposure risk. A health care provider who releases communicable disease information pursuant to this paragraph shall provide education and counseling to the person who has had the occupational significant exposure risk.

3. The department or a local health department for purposes of notifying a Good Samaritan pursuant to subsection E of this section.

4. An agent or employee of a health facility or health care provider to provide health services to the protected person or the protected person's child or for billing or reimbursement for health services.

5. A health facility or health care provider, in relation to procuring, processing, distributing or using a human body or a human body part, including organs, tissues, eyes, bones, arteries, blood, semen, milk or other body fluids, for use in medical education, research or therapy or for transplantation to another person.

6. A health facility or health care provider, or an organization, committee or individual designated by the health facility or health care provider, that is engaged in the review of professional practices, including the review of the quality, utilization or necessity of medical care, or an accreditation or oversight review organization responsible for the review of professional practices at a health facility or by a health care provider.

7. A private entity that accredits the health facility or health care provider and with whom the health facility or health care provider has an agreement requiring the agency to protect the confidentiality of patient information.

8. A federal, state, county or local health officer if disclosure is mandated by federal or state law.

9. A federal, state or local government agency authorized by law to receive the information. The agency is authorized to redisclose the information only pursuant to this article or as otherwise allowed by law.

10. An authorized employee or agent of a federal, state or local government agency that supervises or monitors the health care provider or health facility or administers the program under which the health service is provided. An authorized employee or agent includes only an employee or agent who, in the ordinary course of business of the government agency, has access to records relating to the care or treatment of the protected person.

11. A person, health care provider or health facility to which disclosure is ordered by a court or administrative body pursuant to section 36-665.

12. The industrial commission of Arizona or parties to an industrial commission of Arizona claim pursuant to section 23-908, subsection D and section 23-1043.02.

13. Insurance entities pursuant to section 20-448.01 and third-party payors or the payors' contractors.

14. Any person or entity as authorized by the patient or the patient's health care decision maker.

15. A person or entity as required by federal law.

16. The legal representative of the entity holding the information in order to secure legal advice.

17. A person or entity for research only if the research is conducted pursuant to applicable federal or state laws and regulations governing research.

18. A person or entity that provides services to the patient's health care provider, as defined in section 12-2291, and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 164, subpart E).

19. A county medical examiner or an alternate medical examiner directing an investigation into the circumstances surrounding a death pursuant to section 11-593.

B. At the request of the department of child safety or the department of economic security and in conjunction with the placement of children in foster care or for adoption or court-ordered placement, a health care provider shall disclose communicable disease information, including HIV-related information, to the department of child safety or the department of economic security.

C. A state, county or local health department or officer may disclose communicable disease related information if the disclosure is any of the following:

1. Specifically authorized or required by federal or state law.

2. Made pursuant to an authorization signed by the protected person or the protected person's health care decision maker.

3. Made to a contact of the protected person. The disclosure shall be made without identifying the protected person.

4. Made for the purposes of research as authorized by state and federal law.

5. Made to a nonprofit health information organization as defined in section 36-3801 that is designated by the department as this state's official health information exchange organization. The health information organization may receive, use and redisclose the communicable disease related information only for the purposes allowed by the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations Part 160 and Part 164, subpart E), regardless of whether the information is being maintained by or for a covered entity or business associate as defined in 45 Code of Federal Regulations section 160.103.

D. The director may authorize the release of information that identifies the protected person to the national center for health statistics of the United States public health service for the purposes of conducting a search of the national death index.

E. The department or a local health department shall disclose communicable disease related information to a Good Samaritan who submits a request to the department or the local health department.  The request shall document the occurrence of the accident, fire or other life-threatening emergency and shall include information regarding the nature of the significant exposure risk.  The department shall adopt rules that prescribe standards of significant exposure risk based on the best available medical evidence. The department shall adopt rules that establish procedures for processing requests from Good Samaritans pursuant to this subsection. The rules shall provide that the disclosure to the Good Samaritan not reveal the protected person's name and be accompanied by a written statement that warns the Good Samaritan that the confidentiality of the information is protected by state law.

F. An authorization to release communicable disease related information shall be signed by the protected person or, if the protected person lacks capacity to consent, the protected person's health care decision maker.  An authorization shall be dated and shall specify to whom disclosure is authorized, the purpose for disclosure and the time period during which the release is effective. A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV-related information unless the authorization specifically indicates its purpose as an authorization for the release of confidential HIV-related information and complies with the requirements of this section.

G. A person to whom communicable disease related information is disclosed pursuant to this section shall not disclose the information to another person except as authorized by this section. This subsection does not apply to the protected person or a protected person's health care decision maker.

H. This section does not prohibit the listing of communicable disease related information, including acquired immune deficiency syndrome, HIV-related illness or HIV infection, in a certificate of death, autopsy report or other related document that is prepared pursuant to law to document the cause of death or that is prepared to release a body to a funeral director.  This section does not modify a law or rule relating to access to death certificates, autopsy reports or other related documents.

I. If a person in possession of HIV-related information reasonably believes that an identifiable third party is at risk of HIV infection, that person may report that risk to the department. The report shall be in writing and include the name and address of the identifiable third party and the name and address of the person making the report. The department shall contact the person at risk pursuant to rules adopted by the department. The department employee making the initial contact shall have expertise in counseling persons who have been exposed to or tested positive for HIV or acquired immune deficiency syndrome.

J. Except as otherwise provided pursuant to this article or subject to an order or search warrant issued pursuant to section 36-665, a person who receives HIV-related information in the course of providing a health service or pursuant to a release of HIV-related information shall not disclose that information to another person or legal entity or be compelled by subpoena, order, search warrant or other judicial process to disclose that information to another person or legal entity.

K. This section and sections 36-666, 36-667 and 36-668 do not apply to persons or entities that are subject to regulation under title 20.

Sec. 3. Section 36-3801, Arizona Revised Statutes, is amended to read:

36-3801. Definitions

In this chapter, unless the context otherwise requires:

1. "Breach" has the same meaning prescribed in 45 Code of Federal Regulations, part 164, subpart D.

2. "De-identified health information" has the same meaning as described in 45 Code of Federal Regulations section 164.514.

3. "Health care decision maker" has the same meaning prescribed in section 12-2291.

4. "Health care provider" has the same meaning prescribed in section 12-2291.

5. "Health information organization" means an organization that oversees and governs the exchange of individually identifiable health information among organizations according to nationally recognized standards.  Health information organization does not include:

(a) A health care provider or an electronic health record maintained by or on behalf of a health care provider.

(b) Entities that are subject to title 20 or that are health plans as defined in 45 Code of Federal Regulations section 160.103.

(c) The exchange of individually identifiable health information directly between health care providers without a separate organization governing that exchange.

6. "Individual":

(a) Means the person who is the subject of the individually identifiable health information.

(b) Does not include an inmate as defined under the health insurance portability and accountability act privacy standards prescribed in 45 Code of Federal Regulations section 164.501.

7. "Individually identifiable health information" has the same meaning prescribed in the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E).

8. "Medical records" has the same meaning prescribed in section 12-2291.

9. "Opt out" means an individual's written decision that the individual's individually identifiable health information cannot be shared through a health information organization.

10. "Participation" or "participating", with respect to a health information organization, means providing or accessing individually identifiable health information in the manner provided in the health information organization's policies.

11. "Person" has the same meaning prescribed in section 1-215.

12. "Research" has the same meaning prescribed in 45 Code of Federal Regulations section 164.501.

13. "Written" means in handwriting or through an electronic transaction that meets the requirements of title 44, chapter 26.

Sec. 4. Section 36-3805, Arizona Revised Statutes, is amended to read:

36-3805. Disclosure of individually identifiable health information; disclosure; consent

A. Except as otherwise provided in state or federal law, disclosure of an individual's individually identifiable health information through a health information organization is allowed only if:

1. The individual has not opted out of having the individual's individually identifiable health information accessible through the health information organization.

2. The purpose of the disclosure is explained in the health information organization's current notice of health information practices.

3. The disclosure complies with the health insurance portability and accountability act privacy standards (45 Code of Federal Regulations part 164, subpart E).

B. A health information organization may not sell or otherwise make commercial use of an individual's individually identifiable health information without the written consent of the individual.

C. A health information organization may not transfer disclose individually identifiable health information or de-identified health information that is accessible through the health information exchange organization to any person or entity for the purpose of research or using the information as part of a set of data for an application for grant or other research funding, unless the health care provider obtains consent from the individual for the transfer. A health care provider must document that it has provided a notice of transfer to the individual and that the individual has received and read and understands the notice.  Documentation must be in the form of a signature by the individual indicating the individual has received and read and understands the notice and that the individual gives consent to the transfer of information. For the purposes of this subsection, "consent" means that a health care provider participating in a health information organization has provided a notice to the individual that is in at least twelve-point type and that describes the purposes of the transfer unless the disclosure complies with applicable federal and state laws that regulate the disclosure of individually identifiable health INFORMATION or de-identified health information for research.

D. This chapter does not:

1. Interfere with any other federal or state laws or regulations that provide more extensive protection of individually identifiable health information than provided in this chapter.

2. Limit, change or otherwise affect a health information organization's right or duty to exchange information, including individually identifiable health information and de-identified health information, in accordance with applicable law and by means other than through the health information organization.