Sec. 18.23.310. - Confidentiality and security of information.

(a) The department shall establish appropriate security standards to protect the transmission and receipt of individually identifiable information contained in the system established under AS 18.23.300. The standards must

(1) include controls over access to and collection, organization, and maintenance of records and data that protect the confidentiality of the individual who is the subject of a health record;

(2) include a secure and traceable electronic audit system for identifying access points and trails;

(3) meet the most stringent applicable federal or state privacy law governing the protection of the information contained in the system.

(b) A person may not release or publish individually identifying health information from the system for purposes unrelated to the treatment or billing of the patient who is the subject of the information. Use or distribution of the information for a marketing purpose is strictly prohibited.

(c) The department shall establish procedures for a patient who is the subject of a health record contained in the system

(1) to opt out of the system;

(2) to consent to the distribution of the patient's records contained in the system;

(3) to be notified of a violation of the confidentiality provisions required under this section;

(4) on request to the department, to view an audit report created under this section for the purpose of monitoring access to the patient's records.