CHAPTER 5. RELEASE OF HEALTH RECORDS TO THIRD PARTIES AND FOR LEGITIMATE BUSINESS PURPOSES

IC 16-39-5
     Chapter 5. Release of Health Records to Third Parties and for Legitimate Business Purposes

IC 16-39-5-1
Interprovider exchange of records without patient's consent
    
Sec. 1. This article does not prohibit a provider from obtaining a patient's health records from another provider without the patient's consent if the health records are needed to provide health care services to the patient.
As added by P.L.2-1993, SEC.22. Amended by P.L.6-1995, SEC.38.

IC 16-39-5-2
Patient's written consent to insurer to obtain records or medical information
    
Sec. 2. (a) Except as provided in IC 16-39-2, IC 16-39-3, IC 16-39-4, and subsection (d), this article does not prohibit an accident and sickness insurance company (as defined in IC 27-8-5-1) from obtaining health records or medical information with a written consent executed at the time of receiving an application for insurance or at any other time. Such consent may be used at any time for legitimate accident and sickness insurance purposes.
    (b) A written consent to obtain health records or medical information obtained at the time of application by an insurance company making any of the types of insurance not defined in IC 27-8-5 may be used for any legitimate insurance purposes for up to two (2) years from the date the contract is issued. A written consent obtained at any other time by an insurance company not defined in IC 27-8-5 may be used for up to one (1) year after the date the consent was signed. A copy of all health records or medical information obtained by an insurance company, other than a life insurance company (as defined in IC 27-1-2-3(s)), by means of the written consent of the patient under this subsection shall be furnished to the patient by the insurance company upon the written request of the patient.
    (c) Consents obtained by any insurance company need only contain the following:
        (1) Name of the insured.
        (2) Date the consent is granted.
        (3) Name of the company to which consent is given to receive information.
        (4) General nature of the information that may be secured by use of the consent.
    (d) Except as provided in subsection (e), an insurance company other than a life insurance company (as defined in IC 27-1-2-3(s)) may not obtain the results of any genetic screening or testing (as defined in IC 27-8-26-2) without a separate written consent by an individual at the time of application for insurance or at any other time. The form on which an individual indicates written consent must:         (1) indicate in at least 10 point boldface type that the individual need not consent to releasing the results of any genetic testing or screening; and
        (2) be approved by the commissioner before use.
    (e) An insurance company other than a life insurance company (as defined in IC 27-1-2-3(s)) is not liable if the insurance company:
        (1) inadvertently receives the results of any genetic testing or screening (as defined in IC 27-8-26-2); and
        (2) has not obtained a separate written consent as required under subsection (d).
An insurance company that inadvertently receives testing or screening results may not use the genetic testing or screening results in violation of IC 27-8-26.
As added by P.L.2-1993, SEC.22. Amended by P.L.1-1994, SEC.89; P.L.150-1997, SEC.1.

IC 16-39-5-3
Provider's use of records; confidentiality; violations
    
Sec. 3. (a) As used in this section,"association" refers to an Indiana hospital trade association founded in 1921.
    (b) As used in this section, "data aggregation" means a combination of information obtained from the health records of a provider with information obtained from the health records of one (1) or more other providers to permit data analysis that relates to the health care operations of the providers.
    (c) Except as provided in IC 16-39-4-5, the original health record of the patient is the property of the provider and as such may be used by the provider without specific written authorization for legitimate business purposes, including the following:
        (1) Submission of claims for payment from third parties.
        (2) Collection of accounts.
        (3) Litigation defense.
        (4) Quality assurance.
        (5) Peer review.
        (6) Scientific, statistical, and educational purposes.
    (d) In use under subsection (c), the provider shall at all times protect the confidentiality of the health record and may disclose the identity of the patient only when disclosure is essential to the provider's business use or to quality assurance and peer review.
    (e) A provider may disclose a health record to another provider or to a nonprofit medical research organization to be used in connection with a joint scientific, statistical, or educational project. Each party that receives information from a health record in connection with the joint project shall protect the confidentiality of the health record and may not disclose the patient's identity except as allowed under this article.
    (f) A provider may disclose a health record or information obtained from a health record to the association for use in connection with a data aggregation project undertaken by the association. However, the provider may disclose the identity of a patient to the

association only when the disclosure is essential to the project. The association may disclose the information it receives from a provider under this subsection to the state department to be used in connection with a public health activity or data aggregation of inpatient and outpatient discharge information submitted under IC 16-21-6-6. The information disclosed by:
        (1) a provider to the association; or
        (2) the association to the state department;
under this subsection is confidential.
    (g) Information contained in final results obtained by the state department for a public health activity that:
        (1) is based on information disclosed under subsection (f); and
        (2) identifies or could be used to determine the identity of a patient;
is confidential. All other information contained in the final results is not confidential.
    (h) Information that is:
        (1) advisory or deliberative material of a speculative nature; or
        (2) an expression of opinion;
including preliminary reports produced in connection with a public health activity using information disclosed under subsection (f), is confidential and may only be disclosed by the state department to the association and to the provider who disclosed the information to the association.
    (i) The association shall, upon the request of a provider that contracts with the association to perform data aggregation, make available information contained in the final results of data aggregation activities performed by the association in compliance with subsection (f).
    (j) A person who recklessly violates or fails to comply with subsections (e) through (h) commits a Class C infraction. Each day a violation continues constitutes a separate offense.
    (k) This chapter does not do any of the following:
        (1) Repeal, modify, or amend any statute requiring or authorizing the disclosure of information about any person.
        (2) Prevent disclosure or confirmation of information about patients involved in incidents that are reported or required to be reported to governmental agencies and not required to be kept confidential by the governmental agencies.
As added by P.L.2-1993, SEC.22. Amended by P.L.102-1994, SEC.7; P.L.103-1994, SEC.1; P.L.2-1995, SEC.73; P.L.231-1999, SEC.15; P.L.44-2002, SEC.5; P.L.78-2004, SEC.23.

IC 16-39-5-4
Copying fees
    
Sec. 4. IC 16-39-9 governs the fees that may be charged for making and providing copies of records under this chapter.
As added by P.L.102-1994, SEC.8.