SB 1321: health information organizations
PRIME SPONSOR: Senator Carter, LD 15
BILL STATUS: Health and Human Services
Makes updates to the Health Information Organization (HIO) statutes.
History
Laws 2011, Ch. 268 enacted laws related to a HIO. A HIO is defined as an organization that oversees and governs the exchange of individually identifiable health information among organizations according to nationally recognized standards. A HIO does not include: a health care provider or an electronic health record maintained by or on behalf of a health care provider; entities that are subject to Title 20 or that are health plans subject to federal law; and the exchange of individually identifiable health information directly between health care providers without a separate organization governing that exchange (A.R.S. § 36-3801).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively these are known as the Administrative Simplification provisions.
Health Current is the health information exchange (HIE) that helps partners transform care by bringing together communities and information across Arizona.
Provisions
1. Clarifies that a health care entity may disclose records and information only as authorized by state or federal law, including HIPAA, and that a person who obtains communicable disease related information must not disclose or be compelled to disclose that information except as authorized by state or federal law, including HIPAA. (Sec. 1, 2)
Individual Rights
2. States that an individual has the right, except as otherwise provided in state or federal law, to opt out of having their individually identifiable information provided. (Sec. 4)
3. Provides that an individual may request a copy of their identifiable health information that is accessible through the HIO in accordance with HIPAA. (Sec. 4)
4. Removes the ability for electronic delivery of individually identifiable health information. (Sec. 4)
5. Clarifies an individual may request the amendment of incorrect individually identifiable health information accessible through the HIO. (Sec. 4)
Individual Right to Opt-Out of HIOs
7. Removes language allowing an individual to opt out of a particular health care provider sharing their individually identifiable health information through the HIO. (Sec. 5)
8. States that if an individual provides notice to their health care provider of their intent to opt out of participating in an HIO, the provider must promptly provide that notice to the HIO in the manner provided in the HIO's policies. (Sec. 5)
9. Elucidates that a decision to opt out of having individually identifiable health information accessible through the HIO may be changed by an individual at any time. (Sec. 5)
10. Specifies that individuals who had previously opted out of having a particular health care provider's data accessible through the HIO will be treated by the HIO as having elected to opt out within 90 days after the effective date of this amendment. (Sec. 5)
Notice of Health Information Practices
11. Provides that a HIO must maintain a written notice of health information practices describing individually identifiable health information that is accessible through the HIO. (Sec. 6)
12. States that the notice of health information practices may reference a publicly accessible website that displays the current list of allowed purposes for which access to this information is allowed through the HIO. (Sec. 6)
13. Stipulates that the notice must include a statement informing the individual of the right not to have their identifiable health information accessible through the HIO, except as otherwise provided by state or federal law. (Sec. 6)
14. Provides that a participating health care provider in a HIO must distribute and document the distribution of the HIO's notice of health information practices in the same circumstances and in the same manner as the provider is required to distribute and document a notice of privacy practices by HIPAA. The HIO's notice of health information privacy practices must use a legible font in at least ten-point type. Providers that share a location may provide the HIO's notice of health information practices for, or on behalf of, any of the providers that share a location. (Sec. 6)
15. States, except as otherwise provided in state or federal law, if an individual chooses to opt out of having their individually identifiable health information accessible through the HIO, the individual's individually identifiable health information must not be accessible through the HIO later than 30 days after the HIO receives notice, in the manner explained in the HIO's notice of health information practices, of the individual's decision to opt out. (Sec. 6)
Disclosure of Individually Identifiable Health Information
16. Provides that, except as otherwise provided in state or federal law, disclosure of an individual's individually identifiable health information through a HIO is allowed only if the individual has not opted out of having the individual's individually identifiable health information accessible through the HIO. (Sec. 7)
17. Prohibits the transfer of individually identifiable health information or de-identified health information that is accessible through the HIO to any person for the purpose of research, absent consent from the individual. (Sec. 7)
18. States this chapter does not limit, change or otherwise affect a HIO's right or duty to exchange information, including individually identifiable health information and de-identified health information, in accordance with applicable law and by means other than through the HIO. (Sec. 7)
Required Policies
19. Requires a HIO to implement and enforce policies governing the privacy and security of individually identifiable health information and the policy must address the individual's right to opt out of having the individual's individually identifiable health information accessible through the HIO. (Sec. 8)
20. Requires an initial training of each employee and agent of the HIO before an employee or agent may have access to individually identifiable health information available through the HIO and at a later time as reasonable and appropriate in accordance with the training implementation specifications required by HIPAA. (Sec. 8)
Miscellaneous
21. Repeals A.R.S. § 36-3807 relating to implementing individual preference for sharing individually identifiable health information. (Sec. 9)
22. Specifies that individually identifiable health information that is accessible through a HIO is not subject to a civil litigation subpoena, except as otherwise provided in state or federal law. (Sec. 10)
23. Specifies that a HIO is not liable for damages in any civil action for any of the following:
a. Inaccurate or incomplete health information that is provided by third parties and that is accessible through the HIO;
b. Another person's use or disclosure of health information through the HIO; and
c. The use or disclosure of health information that is made in good faith or as otherwise provided by law. The HIO is presumed to have acted in good faith. This presumption may be rebutted by clear and convincing evidence. (Sec. 11)
24. States the civil liability for damages does not preclude liability for that portion of any damages resulting from intentional misconduct or gross negligence by a HIO. (Sec. 11)
25. Updates definitions. (Sec. 3)
26. Makes technical and conforming changes. (Sec. 3, 4, 6, 7, 8, 11)
Fifty-fourth Legislature SB 1321
First Regular Session Version 1: Health and Human Services