CHAPTER 5. RELEASE OF HEALTH RECORDS TO THIRD PARTIES AND FOR LEGITIMATE BUSINESS PURPOSES
IC 16-39-5
Chapter 5. Release of Health Records to Third Parties and for
Legitimate Business Purposes
IC 16-39-5-1
Interprovider exchange of records without patient's consent
Sec. 1. This article does not prohibit a provider from obtaining a
patient's health records from another provider without the patient's
consent if the health records are needed to provide health care
services to the patient.
As added by P.L.2-1993, SEC.22. Amended by P.L.6-1995, SEC.38.
IC 16-39-5-2
Patient's written consent to insurer to obtain records or medical
information
Sec. 2. (a) Except as provided in IC 16-39-2, IC 16-39-3,
IC 16-39-4, and subsection (d), this article does not prohibit an
accident and sickness insurance company (as defined in IC 27-8-5-1)
from obtaining health records or medical information with a written
consent executed at the time of receiving an application for insurance
or at any other time. Such consent may be used at any time for
legitimate accident and sickness insurance purposes.
(b) A written consent to obtain health records or medical
information obtained at the time of application by an insurance
company making any of the types of insurance not defined in
IC 27-8-5 may be used for any legitimate insurance purposes for up
to two (2) years from the date the contract is issued. A written
consent obtained at any other time by an insurance company not
defined in IC 27-8-5 may be used for up to one (1) year after the date
the consent was signed. A copy of all health records or medical
information obtained by an insurance company, other than a life
insurance company (as defined in IC 27-1-2-3(s)), by means of the
written consent of the patient under this subsection shall be furnished
to the patient by the insurance company upon the written request of
the patient.
(c) Consents obtained by any insurance company need only
contain the following:
(1) Name of the insured.
(2) Date the consent is granted.
(3) Name of the company to which consent is given to receive
information.
(4) General nature of the information that may be secured by
use of the consent.
(d) Except as provided in subsection (e), an insurance company
other than a life insurance company (as defined in IC 27-1-2-3(s))
may not obtain the results of any genetic screening or testing (as
defined in IC 27-8-26-2) without a separate written consent by an
individual at the time of application for insurance or at any other
time. The form on which an individual indicates written consent
must:
(1) indicate in at least 10 point boldface type that the individual
need not consent to releasing the results of any genetic testing
or screening; and
(2) be approved by the commissioner before use.
(e) An insurance company other than a life insurance company (as
defined in IC 27-1-2-3(s)) is not liable if the insurance company:
(1) inadvertently receives the results of any genetic testing or
screening (as defined in IC 27-8-26-2); and
(2) has not obtained a separate written consent as required
under subsection (d).
An insurance company that inadvertently receives testing or
screening results may not use the genetic testing or screening results
in violation of IC 27-8-26.
As added by P.L.2-1993, SEC.22. Amended by P.L.1-1994, SEC.89;
P.L.150-1997, SEC.1.
IC 16-39-5-3
Provider's use of records; confidentiality; violations
Sec. 3. (a) As used in this section,"association" refers to an
Indiana hospital trade association founded in 1921.
(b) As used in this section, "data aggregation" means a
combination of information obtained from the health records of a
provider with information obtained from the health records of one (1)
or more other providers to permit data analysis that relates to the
health care operations of the providers.
(c) Except as provided in IC 16-39-4-5, the original health record
of the patient is the property of the provider and as such may be used
by the provider without specific written authorization for legitimate
business purposes, including the following:
(1) Submission of claims for payment from third parties.
(2) Collection of accounts.
(3) Litigation defense.
(4) Quality assurance.
(5) Peer review.
(6) Scientific, statistical, and educational purposes.
(d) In use under subsection (c), the provider shall at all times
protect the confidentiality of the health record and may disclose the
identity of the patient only when disclosure is essential to the
provider's business use or to quality assurance and peer review.
(e) A provider may disclose a health record to another provider or
to a nonprofit medical research organization to be used in connection
with a joint scientific, statistical, or educational project. Each party
that receives information from a health record in connection with the
joint project shall protect the confidentiality of the health record and
may not disclose the patient's identity except as allowed under this
article.
(f) A provider may disclose a health record or information
obtained from a health record to the association for use in connection
with a data aggregation project undertaken by the association.
However, the provider may disclose the identity of a patient to the
association only when the disclosure is essential to the project. The
association may disclose the information it receives from a provider
under this subsection to the state department to be used in connection
with a public health activity or data aggregation of inpatient and
outpatient discharge information submitted under IC 16-21-6-6. The
information disclosed by:
(1) a provider to the association; or
(2) the association to the state department;
under this subsection is confidential.
(g) Information contained in final results obtained by the state
department for a public health activity that:
(1) is based on information disclosed under subsection (f); and
(2) identifies or could be used to determine the identity of a
patient;
is confidential. All other information contained in the final results is
not confidential.
(h) Information that is:
(1) advisory or deliberative material of a speculative nature; or
(2) an expression of opinion;
including preliminary reports produced in connection with a public
health activity using information disclosed under subsection (f), is
confidential and may only be disclosed by the state department to the
association and to the provider who disclosed the information to the
association.
(i) The association shall, upon the request of a provider that
contracts with the association to perform data aggregation, make
available information contained in the final results of data
aggregation activities performed by the association in compliance
with subsection (f).
(j) A person who recklessly violates or fails to comply with
subsections (e) through (h) commits a Class C infraction. Each day
a violation continues constitutes a separate offense.
(k) This chapter does not do any of the following:
(1) Repeal, modify, or amend any statute requiring or
authorizing the disclosure of information about any person.
(2) Prevent disclosure or confirmation of information about
patients involved in incidents that are reported or required to be
reported to governmental agencies and not required to be kept
confidential by the governmental agencies.
As added by P.L.2-1993, SEC.22. Amended by P.L.102-1994, SEC.7;
P.L.103-1994, SEC.1; P.L.2-1995, SEC.73; P.L.231-1999, SEC.15;
P.L.44-2002, SEC.5; P.L.78-2004, SEC.23.
IC 16-39-5-4
Copying fees
Sec. 4. IC 16-39-9 governs the fees that may be charged for
making and providing copies of records under this chapter.
As added by P.L.102-1994, SEC.8.