Chapter 0239 - 541R - S Ver of SB1240

Be it enacted by the Legislature of the State of Arizona:

Section 1. Section 36-509, Arizona Revised Statutes, is amended to read:

START_STATUTE36-509. Confidential records; immunity; definition

A. A health care entity must keep records and information contained in records confidential and not as public records, except as provided in this section. Records and information contained in records may only be disclosed only to:

1. Physicians and providers of health, mental health or social and welfare services involved in caring for, treating or rehabilitating the patient.

2. Individuals to whom the patient or the patient's health care decision maker has given authorization to have information disclosed.

3. Persons authorized by a court order.

4. Persons doing research only if the activity is conducted pursuant to applicable federal or state laws and regulations governing research.

5. The state department of corrections in cases in which prisoners confined to the state prison are patients in the state hospital on authorized transfers either by voluntary admission or by order of the court.

6. Governmental or law enforcement agencies if necessary to:

(a) Secure the return of a patient who is on unauthorized absence from any agency where the patient was undergoing evaluation and treatment.

(b) Report a crime on the premises.

7. Persons, including family members, other relatives, close personal friends or any other person identified by the patient, as otherwise authorized or required by state or federal law, including the health insurance portability and accountability act of 1996 privacy standards (45 Code of Federal Regulations part 160 and part 164, subpart E), or pursuant to one of the following:

(a) If the patient is present or otherwise available and has the capacity to make health care decisions, the health care entity may disclose the information if one of the following applies:

(i) The patient agrees verbally or agrees in writing by signing a consent form that permits disclosure.

(ii) The patient is given an opportunity to object and does not express an objection.

(iii) The health care entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.

(b) If the patient is not present or the opportunity to agree or object to the disclosure of information cannot practicably be provided because of the patient's incapacity or an emergency circumstance, the health care entity may disclose the information if the entity determines that the disclosure of the information is in the best interests of the patient. In determining whether the disclosure of information is in the best interests of the patient, in addition to all other relevant factors, the health care entity shall consider all of the following:

(i) The patient's medical and treatment history, including the patient's history of compliance or noncompliance with an established treatment plan based on information in the patient's medical record and on reliable and relevant information received from the patient's family members, friends or others involved in the patient's care, treatment or supervision.

(ii) Whether the information is necessary or, based on professional judgment, would be useful in assisting the patient in complying with the care, treatment or supervision prescribed in the patient's treatment plan.

(iii) Whether the health care entity has reasonable grounds to believe that the release of the information may subject the patient to domestic violence, abuse or endangerment by family members, friends or other persons involved in the patient's care, treatment or supervision.

(c) The health care entity believes the patient presents a serious and imminent threat to the health or safety of the patient or others, and the health care entity believes that family members, friends or others involved in the patient's care, treatment or supervision can help to prevent the threat.

(d) In order for the health care entity to notify a family member, friend or other person involved in the patient's care, treatment or supervision of the patient's location, general condition or death.

8. A state agency that licenses health professionals pursuant to title 32, chapter 13, 15, 17, 19.1 or 33 and that requires these records in the course of investigating complaints of professional negligence, incompetence or lack of clinical judgment.

9. A state or federal agency that licenses health care providers.

10. A governmental agency or a competent professional, as defined in section 36‑3701, in order to comply with chapter 37 of this title.

11. Independent oversight committees established pursuant to title 41, chapter 35. Any information released pursuant to this paragraph shall comply with the requirements of section 41‑3804 and applicable federal law and shall be released without personally identifiable information unless the personally identifiable information is required for the official purposes of the independent oversight committee. Case information received by an independent oversight committee shall be maintained as confidential. For the purposes of this paragraph, "personally identifiable information" includes a person's name, address, date of birth, social security number, tribal enrollment number, telephone or telefacsimile number, driver license number, places of employment, school identification number and military identification number or any other distinguishing characteristic that tends to identify a particular person.

12. A patient or the patient's health care decision maker.

13. The department of public safety or another law enforcement agency by the court to comply with the requirements of section 36‑540, subsections O and P.

14. A third‑party payor or the payor's contractor as permitted by the health insurance portability and accountability act privacy standards, 45 Code of Federal Regulations part 160 and part 164, subpart E.

15. A private entity that accredits the health care provider and with whom the health care provider has an agreement requiring the agency to protect the confidentiality of patient information.

16. The legal representative of a health care entity in possession of the record for the purpose of securing legal advice.

17. A person or entity as otherwise required by state or federal law.

18. A person or entity as permitted by the federal regulations on alcohol and drug abuse treatment (42 Code of Federal Regulations part 2).

19. A person or entity to conduct utilization review, peer review and quality assurance pursuant to section 36‑441, 36‑445, 36‑2402 or 36‑2917.

20. A person maintaining health statistics for public health purposes as authorized by law.

21. A grand jury as directed by subpoena.

22. A person or entity that provides services to the patient's health care provider, as defined in section 12‑2291, and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards, (45 Code of Federal Regulations part 164, subpart E).

23. A county medical examiner or an alternate medical examiner directing an investigation into the circumstances surrounding a death pursuant to section 11‑593.

B. Information disclosed pursuant to subsection A, paragraph 7 of this section may include only information that is directly relevant to the person's involvement with the patient's health care or payment related to the patient's health care. Subsection A, paragraph 7 of this section does not prevent a health care entity from obtaining or receiving information about the patient from a family member, friend or other person involved in the patient's care, treatment or supervision. A health care entity shall keep a record of the name and contact information of any person to whom any patient information is released pursuant to subsection A, paragraph 7 of this section. A decision to release or withhold information pursuant subsection A, paragraph 7 of this section is subject to review pursuant to section 36‑517.01.

C. Information and records obtained in the course of evaluation, examination or treatment and submitted in any court proceeding pursuant to this chapter or title 14, chapter 5 are confidential and are not public records unless the hearing requirements of this chapter or title 14, chapter 5 require a different procedure. Information and records that are obtained pursuant to this section and submitted in a court proceeding pursuant to title 14, chapter 5 and that are not clearly identified by the parties as confidential and segregated from nonconfidential information and records are considered public records.

D. Notwithstanding subsections A, B and C of this section, the legal representative of a patient who is the subject of a proceeding conducted pursuant to this chapter and title 14, chapter 5 has access to the patient's information and records in the possession of a health care entity or filed with the court.

E. A health care entity that acts in good faith under this article is not liable for damages in any civil action for the disclosure of records or payment records that is made pursuant to this article or as otherwise provided by law. The health care entity is presumed to have acted in good faith. This presumption may be rebutted by clear and convincing evidence.

F. For the purposes of this section, "information" means records and the information contained in records. END_STATUTE

Sec. 2. Section 36-664, Arizona Revised Statutes, is amended to read:

START_STATUTE36-664. Confidentiality; exceptions

A. A person who obtains communicable disease related information in the course of providing a health service or obtains that information from a health care provider pursuant to an authorization shall not disclose or be compelled to disclose that information except to the following:

1. The protected person or, if the protected person lacks capacity to consent, the protected person's health care decision maker.

2. A health care provider or first responder who has had an occupational significant exposure risk to the protected person's blood or bodily fluid if the health care provider or first responder provides a written request that documents the occurrence and information regarding the nature of the occupational significant exposure risk and the report is reviewed and confirmed by a health care provider who is both licensed pursuant to title 32, chapter 13, 15 or 17 and competent to determine a significant exposure risk. A health care provider who releases communicable disease information pursuant to this paragraph shall provide education and counseling to the person who has had the occupational significant exposure risk.

3. The department or a local health department for purposes of notifying a Good Samaritan pursuant to subsection E of this section.

4. An agent or employee of a health facility or health care provider to provide health services to the protected person or the protected person's child or for billing or reimbursement for health services.

5. A health facility or health care provider, in relation to the procurement, processing, distributing or use of a human body or a human body part, including organs, tissues, eyes, bones, arteries, blood, semen, milk or other body fluids, for use in medical education, research or therapy or for transplantation to another person.

6. A health facility or health care provider, or an organization, committee or individual designated by the health facility or health care provider, that is engaged in the review of professional practices, including the review of the quality, utilization or necessity of medical care, or an accreditation or oversight review organization responsible for the review of professional practices at a health facility or by a health care provider.

7. A private entity that accredits the health facility or health care provider and with whom the health facility or health care provider has an agreement requiring the agency to protect the confidentiality of patient information.

8. A federal, state, county or local health officer if disclosure is mandated by federal or state law.

9. A federal, state or local government agency authorized by law to receive the information. The agency is authorized to redisclose the information only pursuant to this article or as otherwise permitted by law.

10. An authorized employee or agent of a federal, state or local government agency that supervises or monitors the health care provider or health facility or administers the program under which the health service is provided. An authorized employee or agent includes only an employee or agent who, in the ordinary course of business of the government agency, has access to records relating to the care or treatment of the protected person.

11. A person, health care provider or health facility to which disclosure is ordered by a court or administrative body pursuant to section 36‑665.

12. The industrial commission or parties to an industrial commission of Arizona claim pursuant to section 23‑908, subsection D and section 23‑1043.02.

13. Insurance entities pursuant to section 20‑448.01 and third‑party payors or the payors' contractors.

14. Any person or entity as authorized by the patient or the patient's health care decision maker.

15. A person or entity as required by federal law.

16. The legal representative of the entity holding the information in order to secure legal advice.

17. A person or entity for research only if the research is conducted pursuant to applicable federal or state laws and regulations governing research.

18. A person or entity that provides services to the patient's health care provider, as defined in section 12‑2291, and with whom the health care provider has a business associate agreement that requires the person or entity to protect the confidentiality of patient information as required by the health insurance portability and accountability act privacy standards, (45 Code of Federal Regulations part 164, subpart E).

19. A county medical examiner or an alternate medical examiner directing an investigation into the circumstances surrounding a death pursuant to section 11‑593.

B. At the request of the department of child safety or the department of economic security and in conjunction with the placement of children in foster care or for adoption or court‑ordered placement, a health care provider shall disclose communicable disease information, including HIV‑related information, to the department of child safety or the department of economic security.

C. A state, county or local health department or officer may disclose communicable disease related information if the disclosure is any of the following:

1. Specifically authorized or required by federal or state law.

2. Made pursuant to an authorization signed by the protected person or the protected person's health care decision maker.

3. Made to a contact of the protected person. The disclosure shall be made without identifying the protected person.

4. For the purposes of research as authorized by state and federal law.

D. The director may authorize the release of information that identifies the protected person to the national center for health statistics of the United States public health service for the purposes of conducting a search of the national death index.

E. The department or a local health department shall disclose communicable disease related information to a Good Samaritan who submits a request to the department or the local health department. The request shall document the occurrence of the accident, fire or other life‑threatening emergency and shall include information regarding the nature of the significant exposure risk. The department shall adopt rules that prescribe standards of significant exposure risk based on the best available medical evidence. The department shall adopt rules that establish procedures for processing requests from Good Samaritans pursuant to this subsection. The rules shall provide that the disclosure to the Good Samaritan shall not reveal the protected person's name and shall be accompanied by a written statement that warns the Good Samaritan that the confidentiality of the information is protected by state law.

F. An authorization to release communicable disease related information shall be signed by the protected person or, if the protected person lacks capacity to consent, the protected person's health care decision maker. An authorization shall be dated and shall specify to whom disclosure is authorized, the purpose for disclosure and the time period during which the release is effective. A general authorization for the release of medical or other information, including communicable disease related information, is not an authorization for the release of HIV‑related information unless the authorization specifically indicates its purpose as an authorization for the release of confidential HIV‑related information and complies with the requirements of this section.

G. A person to whom communicable disease related information is disclosed pursuant to this section shall not disclose the information to another person except as authorized by this section. This subsection does not apply to the protected person or a protected person's health care decision maker.

H. This section does not prohibit the listing of communicable disease related information, including acquired immune deficiency syndrome, HIV‑related illness or HIV infection, in a certificate of death, autopsy report or other related document that is prepared pursuant to law to document the cause of death or that is prepared to release a body to a funeral director. This section does not modify a law or rule relating to access to death certificates, autopsy reports or other related documents.

I. If a person in possession of HIV‑related information reasonably believes that an identifiable third party is at risk of HIV infection, that person may report that risk to the department. The report shall be in writing and include the name and address of the identifiable third party and the name and address of the person making the report. The department shall contact the person at risk pursuant to rules adopted by the department. The department employee making the initial contact shall have expertise in counseling persons who have been exposed to or tested positive for HIV or acquired immune deficiency syndrome.

J. Except as otherwise provided pursuant to this article or subject to an order or search warrant issued pursuant to section 36‑665, a person who receives HIV‑related information in the course of providing a health service or pursuant to a release of HIV‑related information shall not disclose that information to another person or legal entity or be compelled by subpoena, order, search warrant or other judicial process to disclose that information to another person or legal entity.

K. This section and sections 36‑663, 36‑666, 36‑667 and 36‑668 do not apply to persons or entities subject to regulation under title 20. END_STATUTE