36-3804. Notice of health information practices; posting; distribution; decision to opt out
A. A health information organization must maintain a written notice of health information practices describing the following:
1. Individually identifiable health information that is accessible through the health information organization.
2. The categories of persons who have access to information, including individually identifiable health information, through the health information organization.
3. The purposes for which access to the information, including individually identifiable health information, is provided through the health information organization. The notice of health information practices may reference a publicly accessible website that displays the current list of allowed purposes for which access to this information is allowed through the health information organization.
4. Except as otherwise provided in state or federal law, the individual's right to opt out of having the individual's individually identifiable health information accessible through the health information organization.
5. An explanation as to how an individual may opt out of having the individual's individually identifiable health information accessible through the health information organization.
B. The notice shall include a statement informing the individual of the right not to have the individual's individually identifiable health information accessible through the health information organization, except as otherwise provided by state or federal law, and that this right is protected by article XXVII, section 2, Constitution of Arizona.
C. A health information organization must post its current notice of health information practices on its website in a conspicuous manner.
D. Notwithstanding any other requirement in this section, a health information organization must provide an individual with a copy of the notice of health information practices within thirty days after receiving a written request for that information.
E. A health care provider participating in a health information organization must distribute and document the distribution of the health information organization's notice of health information practices in the same circumstances and in the same manner as the health care provider is required to distribute and document a notice of privacy practices by the health insurance portability and accountability act (45 Code of Federal Regulation section 164.520(c)(2) and (3)). The health information organization's notice of health information privacy practices must use a legible font in at least ten-point type. Health care providers that share a location may provide the health information organization's notice of health information practices for, or on behalf of, any of the health care providers that share a location.
F. Except as otherwise provided in state or federal law, if an individual chooses to opt out of having the individual's individually identifiable health information accessible through the health information organization, the individual's individually identifiable health information shall not be accessible through the health information organization later than thirty days after the health information organization receives notice, in the manner explained in the health information organization's notice of health information practices, of the individual's decision to opt out. A person who receives de-identified information from the health information organization may not use such de-identified information, either alone or in combination with other information, to identify an individual.
G. If there is a material change to a health information organization's notice of health information practices, including the health information organization's capability to implement individual preferences for sharing or segregating individually identifiable health information, a health care provider must redistribute the notice of health information practices at the next point of contact with the individual or in the same manner and within the same time period as is required by 45 Code of Federal Regulations section 164.528 in relation to the health care provider's notice of privacy practices, whichever comes first.