[§323C-40] Payment card and electronic payment transaction. (a) If an individual pays for health care by presenting a debit, credit, or other payment card or account number, or by any other electronic payment means, the entity receiving payment may disclose to a person described in subsection (b) only such protected health information about the individual as is necessary for the processing of the payment transaction or the billing or collection of amounts charged to, debited from, or otherwise paid by, the individual using the card, number, or other electronic means.

(b) A person who is a debit, credit, or other payment card issuer, or is otherwise directly involved in the processing of payment transactions involving such cards or other electronic payment transactions, or is otherwise directly involved in the billing or collection of amounts paid through these means, may use or disclose protected health information about an individual that has been disclosed in accordance with subsection (a) only when necessary for:

(1) The settlement, billing, or collection of amounts charged to, debited from, or otherwise paid by the individual using a debit, credit, or other payment card or account number, or by other electronic payment means;

(2) The transfer of receivables, accounts, or interest therein;

(3) The internal audit of the debit, credit, or other payment card account information;

(4) Compliance with federal, state, or county law; or

(5) Compliance with a properly authorized civil, criminal, or regulatory investigation by federal, state, or county authorities as governed by the requirements of this section. [L 1999, c 87, pt of §2]