7 AAC 166.040 - Privacy and security
(a) An individual owns the individual's
individually identifiable health information. An HIE participant owns the
medical record that includes the individually identifiable health information.
(b) Individually identifiable
health information located on an HIE is confidential, is protected under
AS 40.25.120 from disclosure, and is not public
information subject to the public records requirements of
AS 40.25.110.
(c) An HIE shall comply with the applicable
requirements of AS 45.48 (Alaska Personal Information Protection Act),
P.L. 104-191 (Health Insurance Portability and
Accountability Act of 1996 (HIPAA)),
P.L. 111-5, div. A, title XIII (Health Information
Technology for Economic and Clinical Health (HITECH) Act of 2009), 42 C.F.R.
Part 2, and 45 C.F.R. Parts 160 and 164.
(d) An HIE may not allow an HIE participant
to alter the electronic health information of another HIE participant within
the HIE. Nothing in this subsection prohibits an HIE participant from remedying
an error made in a previous transmission of electronic health information, or
amending the HIE participant's own records.
(e) An HIE may only disclose electronic
health information for treatment and billing.
(f) An HIE shall annually have an independent
third party perform an assessment of the potential risks and vulnerabilities to
the confidentiality, integrity, and availability of electronic health
information on the HIE, as required under
45 C.F.R. 164.308(a)(1)(ii)(A). The
assessment must include the HIE's compliance with the privacy and security
requirements of 45 C.F.R. 164.302 - 164.318 and
45 C.F.R. 164.500 - 164.534. The HIE shall provide the
risk assessment to the department and the governing body, not later than 10
business days after receipt from the third party that performed the assessment.
The HIE shall provide recommendations for acceptance or mitigation of each
high- and medium-level risk identified in the assessment to the governing body
and to the department not later than 30 days after receipt from the third party
that performed the assessment. The HIE shall provide to an HIE participant,
upon request, a summary of the risk assessment and actions taken to accept or
mitigate risk.
(g) A valid release
of an individual's electronic health information or a court order is required
for any disclosure not otherwise authorized under this section.
Notes
Authority: AS 18.23.300
AS 18.23.305
AS 18.23.310