Current through 131st (2023-2024) Legislature Chapter 684
Section 8717 - [See Note] Covered entities' access to protected health information1.Permitted uses and disclosures; definitions. The organization may disclose protected health information without authorization by the subject of the information for the treatment activities of any health care provider, the payment activities of a covered entity and of any health care provider or the health care operations of a covered entity or its business associates involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if the covered entity has a relationship with the subject of the information and the protected health information pertains to the relationship. For the purposes of this section: A. "Health care operations" means any of the following activities of a covered entity:(1) Quality assessment and improvement activities, including case management and care coordination;(2) Competency assurance activities, including provider or health plan performance evaluation, credentialing and accreditation;(3) Conducting or arranging for medical reviews, audits or legal services, including fraud and abuse detection and compliance programs;(4) Specified insurance functions, such as underwriting, risk rating and reinsuring risks;(5) Business planning, development, management and administration; and(6) Business management and general administrative activities of the covered entity, including but not limited to de-identifying protected health information, creating a limited data set and permissible fund-raising for the benefit of the covered entity; [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]B. "Payment activities" means activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual; and [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]C. "Treatment" means the provision, coordination or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding an individual and referral of an individual by one provider to another. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).] [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
2. Minimum necessary. The board shall develop policies and procedures that reasonably limit disclosures of, and requests for, protected health information for payment activities and health care operations to the minimum extent necessary. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
3.Choice regarding disclosure of information. Before approving the release of any protected health information under this chapter, the organization shall implement a mechanism that allows an individual to choose to not allow the organization to disclose and use the individual's health information under this chapter. [2013, c. 528, §10(NEW); 2013, c. 528, §12(AFF).]
Added by 2014, c. 528,§ 10, eff. upon the final adoption of major substantive rules required to implement the provisions of.