PART I. GENERAL PROVISIONS

§323C-1 Definitions. As used in this chapter, except as otherwise specifically provided:

"Accrediting body" means a committee, organization, or institution that has been authorized by law or is recognized by a health care regulating authority as an accrediting entity or any other entity that has been similarly authorized or recognized by law to perform specific accreditation, licensing, or credentialing activities.

"Agent" means a person who represents and acts for another under a contract or relationship of agency, or whose function is to bring about, modify, affect, accept performance of, or terminate contractual obligations between the principal and a third person, including a contractor.

"Commissioner" means the insurance commissioner.

"Disclose" means to release, transfer, provide access to, share, or otherwise divulge protected health information to any person other than the individual who is the subject of the information. The term includes the initial disclosure and any subsequent redisclosures of protected health information.

"Educational institution" means an institution or place for instruction or education including any public or private elementary school, secondary school, vocational school, correspondence school, business school, junior college, teachers college, college, normal school, professional school, university, or scientific or technical institution, or other institution furnishing education for children and adults.

"Employer" means any individual or type of organization, including any partnership, association, trust, estate, joint stock company, insurance company, or corporation, whether domestic or foreign, a debtor in possession or receiver or trustee in bankruptcy, or a legal representative of a deceased person, who has one or more regular individuals in his or her employment.

"Employment" means services performed for wages under any contract of hire, written or oral, expressed or implied, with an employer.

"Entity" means a health care provider, health care data organization, health plan, health oversight agency, public health authority, employer, insurer, health researcher, law enforcement official, or educational institution, except as otherwise defined for purposes of a particular section only.

"Health care" means:

(1) Preventive, diagnostic, therapeutic, rehabilitative, palliative, or maintenance services:

(A) With respect to the physical or mental condition of an individual; or

(B) Affecting the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs, or any other tissue; or

(2) Any sale or dispensing of a drug, device, equipment, or other health care-related item to an individual, or for the use of an individual pursuant to a prescription or order by a health care provider.

"Health care data organization" means an entity that engages primarily in the business of collecting, analyzing, and disseminating identifiable and nonidentifiable patient information. A health care data organization is not a health care provider, an insurer, a health researcher, or a health oversight agency.

"Health care provider" means a person who, with respect to any protected health information, receives, creates, uses, maintains, or discloses the protected health information while acting in whole or in part in the capacity of:

(1) A person who is licensed, certified, registered, or otherwise authorized by federal or state law to provide an item or service that constitutes health care in the ordinary course of business, or practice of a profession;

(2) A federal, state, or employer-sponsored program that directly provides items or services that constitute health care to beneficiaries; or

(3) An officer, employee, or agent of a person described in paragraph (1) or (2).

"Health oversight agency" means a person who, with respect to any protected health information, receives, creates, uses, maintains, or discloses the information while acting in whole or in part in the capacity of:

(1) A person who performs or oversees the performance of an assessment, evaluation, determination, or investigation, relating to the licensing, accreditation, or credentialing of health care providers; or

(2) A person who:

(A) Performs or oversees the performance of an audit, assessment, evaluation, determination, or investigation relating to the effectiveness of, compliance with, or applicability of, legal, fiscal, medical, or scientific standards or aspects of performance related to the delivery of, or payment for, health care; and

(B) Is a public agency, acting on behalf of a public agency, acting pursuant to a requirement of a public agency, or carrying out activities under a federal or state law governing the assessment, evaluation, determination, investigation, or prosecution for violations of paragraph (1).

"Health plan" means any health insurance plan, including any hospital or medical service plan, dental or other health service plan or health maintenance organization plan, provider-sponsored organization, or other program providing or arranging for the provision of health benefits, whether or not funded through the purchase of insurance.

"Health researcher" means a person, or an officer, employee or independent contractor of a person, who receives protected health information as part of a systematic investigation, testing, or evaluation designed to develop or contribute to generalized scientific and clinical knowledge.

"Individual's designated representative" means a person who is authorized by law (based on grounds other than the minority of an individual), or by an instrument recognized under law, to act as an agent, attorney, guardian, proxy, or other legal representative of a protected individual. The term includes a health care power of attorney.

"Institutional review board" means a research committee established and operating in accord with Title 45 Code of Federal Regulations 46 sections 107, 108, 109, and 115.

"Insurer" means any person regulated under chapter 432D, article 1 of chapter 432, any group that has purchased a group insurance policy issued by a person regulated under chapter 432D, and any person regulated under article 10A of chapter 431, other than a life insurer, disability income insurer, or long-term care insurer.

"Law enforcement inquiry" means a lawful investigation conducted by an appropriate government agency or official inquiring into a violation of, or failure to comply with, any civil or administrative statute or any regulation, rule, or order issued pursuant to such a statute. It does not include a lawful criminal investigation or prosecution conducted by the county prosecutors or the department of the attorney general.

"Nonidentifiable health information" means any information that meets all of the following criteria: would otherwise be protected health information except that the information in and of itself does not reveal the identity of the individual whose health or health care is the subject of the information and will not be used in any way that would identify the subjects of the information or would create protected health information.

"Office of information practices" shall be as defined by chapter 92F.

"Person" means a government, governmental subdivision, agency or authority, corporation, company, association, firm, partnership, insurer, estate, trust, joint venture, individual, individual representative, and any other legal entity.

"Protected health information" means any information, identifiable to an individual, including demographic information, whether or not recorded in any form or medium that relates directly or indirectly to the past, present, or future:

(1) Physical or mental health or condition of a person, including tissue and genetic information;

(2) Provision of health care to an individual; or

(3) Payment for the provision of health care to an individual.

"Public health authority" means the department of health.

"Qualified health care operations" means:

(1) Only those activities conducted by or on behalf of a health plan or health care provider for the purpose of carrying out the management functions of a health care provider or health plan, or implementing the terms of a contract for health plan benefits as follows:

(A) Payment, which means the activities undertaken by a health plan or provider which are reasonably necessary to determine responsibility for coverage, services, and the actual payment for services, if any;

(B) Conducting quality assurance activities or outcomes assessments;

(C) Reviewing the competence or qualifications of health care professionals;

(D) Performing accreditation, licensing, or credentialing activities;

(E) Analyzing health plan claims or health care records data;

(F) Evaluating provider clinical performance;

(G) Carrying out utilization management; or

(H) Conducting or arranging for auditing services in accordance with statute, rule, or accreditation requirements;

(2) A qualified health care operation shall:

(A) Be an operation which cannot be carried on with reasonable effectiveness and efficiency without identifiable patient information;

(B) Be limited to only that protected health information collected under the terms of the contract for health plan benefits and without which the operation cannot be carried on with reasonable effectiveness and efficiency;

(C) Be limited to the minimum amount of protected health information, including the minimum number of records and the minimum number of documents within each patient's record, necessary to carry on the operation with reasonable effectiveness and efficiency; and

(D) Limit the handling and examination of protected health information to those persons who are reasonably well qualified, by training, credentials, or experience, to conduct the phase of the operation in which they are involved.

"Surrogate" means a person, other than an individual's designated representative or relative, who is authorized to make a health-care decision for the individual.

"Treatment" means the provision of health care by, or the coordination of health care among, health care providers, or the referral of a patient from one provider to another, or coordination of health care or other services among health care providers and third parties authorized by the health plan or the plan member.

"Unique patient identifier" means a number or alpha-numeric string assigned to an individual, which can be or is used to identify an individual's protected health information.

"Writing" means a written form that is either paper- or computer-based, and includes electronic signatures. [L 1999, c 87, pt of §2; am L 2000, c 140, §1]