§ 4284 - Protection and disclosure of information
§ 4284. Protection and disclosure of information
(a) The data collected pursuant to this chapter shall be confidential, except as provided in this chapter, and shall not be subject to public records law. The department shall maintain procedures to protect patient privacy, ensure the confidentiality of patient information collected, recorded, transmitted, and maintained, and ensure that information is not disclosed to any person except as provided in this section.
(b) The department shall be authorized to provide data to only the following persons:
(1) A patient or that person's health care provider, or both, when VPMS reveals that a patient may be receiving more than a therapeutic amount of one or more regulated substances.
(2) A health care provider or dispenser who requests information and certifies that the requested information is for the purpose of providing medical or pharmaceutical treatment to a bona fide current patient.
(3) A designated representative of a board responsible for the licensure, regulation, or discipline of health care providers or dispensers pursuant to a bona fide specific investigation.
(4) A patient for whom a prescription is written, insofar as the information relates to that patient.
(5) The relevant occupational licensing or certification authority if the commissioner reasonably suspects fraudulent or illegal activity by a health care provider. The licensing or certification authority may report the data that are the evidence for the suspected fraudulent or illegal activity to a trained law enforcement officer.
(6) The commissioner of public safety, personally, if the commissioner of health personally makes the disclosure, has consulted with at least one of the patient's health care providers, and believes that the disclosure is necessary to avert a serious and imminent threat to a person or the public.
(7) Personnel or contractors, as necessary for establishing and maintaining the VPMS.
(c) A person who receives data or a report from VPMS or from the department shall not share that data or report with any other person or entity not eligible to receive that data pursuant to subsection (b) of this section. Nothing shall restrict the right of a patient to share his or her own data.
(d) The commissioner shall offer health care providers and dispensers training in the proper use of information they may receive from VPMS. Training may be provided in collaboration with professional associations representing health care providers and dispensers.
(e) A trained law enforcement officer who may receive information pursuant to this section shall not have access to VPMS except for information provided to the officer by the licensing or certification authority.
(f) The department is authorized to use information from VPMS for research and public health promotion purposes provided that data are aggregated or otherwise de-identified.
(g) Knowing disclosure of transmitted data to a person not authorized by subsection (b) of this section, or obtaining information under this section not relating to a bona fide specific investigation, shall be punishable by imprisonment for not more than one year or a fine of not more than $1,000.00, or both, in addition to any penalties under federal law. (Added 2005, No. 205 (Adj. Sess.), § 1.)