CHAPTER 332-I MEDICAL RECORDS, PATIENT INFORMATION, AND THE HEALTH INFORMATION ORGANIZATION CORPORATION
Section 332-I:3
332-I:3 Use and Disclosure of Protected Health Information; Health Information Exchange. –
I. Except as provided in paragraph VI, a health care provider or a business associate of a health care provider or a patient or patient's legal representative may transmit the patient's protected health information through the health information organization. Only a health care provider, for purposes of treatment, care coordination, or quality assurance, or a patient or a patient's legal representative with respect to the patient's protected health information, may have access to protected health information transmitted through the health information organization.
II. The health information organization shall adhere to the protected health information requirements for health care providers in state and federal law.
III. The health information organization shall maintain an audit log of the transactions transmitted through the health information organization. The parties transmitting or receiving information through the health information organization shall maintain audit logs in accordance with nationally accepted interoperability standards, practices, regulations, and statutes, including but not limited to:
(a) The identity of the health care provider accessing the information;
(b) The identity of the individual whose protected health information was accessed by the health care provider;
(c) The date the protected health information was accessed; and
(d) The area of the record that was accessed.
[Paragraph IV, as amended by 2011, 232:4, shall take effect upon the date provided by 2009, 318:5; see "Applicability; Certification" note below.]
IV. The health information organization shall be certified, when federal certification standards are established, to be in compliance with nationally accepted interoperability standards and practices.
V. No person shall require a health care provider to participate in the health information organization as a condition of payment or participation.
VI. An individual shall be given an opportunity to opt out of sharing his or her name and address and his or her protected health care information through the health information organization. Such an opportunity shall be provided in a clear and conspicuous manner, including, but not limited to, simple opt out language in a font and size easily readable by the average adult reader so that the individual may make his or her decision known.
VII. The health information organization shall follow all current and future laws relative to medical information privacy and all existing laws regarding health information exchanges.
VIII. Notwithstanding paragraph I, health care providers otherwise required or authorized by law to submit data to the department of health and human services may do so through a health information organization; provided, that such transmissions meet the same standards for privacy and security of protected health information that apply when such information is exchanged between providers.