§323C-21 General rules regarding use and disclosure. (a) An entity shall not use or disclose protected health information except as authorized under this part and under part IV. Disclosure of health information in the form of nonidentifiable health information shall not be construed as a disclosure of protected health information.

(b) For the purpose of treatment or qualified health care operations, an entity may only use or disclose protected health information if the use or disclosure is properly noticed pursuant to sections 323C-13 and 323C-22. For all other uses and disclosures, an entity may only use or disclose protected health information, if the use or disclosure is properly consented to pursuant to section 323C-23. Disclosure to agents of an entity shall be considered as a disclosure within an entity.

(c) If an individual does not want protected health information released pursuant to [subsection] (b), the individual shall advise the provider prior to the delivery of services that the relevant protected health information shall not be disclosed pursuant to subsection (b), and the individual shall pay the health care provider directly for health care services. A health plan may decline to cover particular health care services if an individual has refused to allow the release of protected health care information pertaining to those particular health care services. Protected health information related to health care services paid for directly by the individual shall not be disclosed without consent.

(d) An agent who receives protected health information from an entity shall be subject to all rules of disclosure and safeguard requirements under this part.

(e) Every use and disclosure of protected health information shall be limited to the purpose for which it was collected. Any other use without a valid consent to disclose shall be an unauthorized disclosure.

(f) Nothing in this part permitting the disclosure of protected health information shall be construed to require disclosure.

(g) An entity may disclose protected health information to an employee or agent of the entity not otherwise authorized to receive such information for purposes of creating nonidentifiable information, if the entity prohibits the employee or agent of the entity from using or disclosing the protected health information for purposes other than the sole purpose of creating nonidentifiable information, as specified by the entity.

(h) Any individual or entity who manipulates or uses nonidentifiable health information to identify an individual, shall be deemed to have disclosed protected health information. The disclosure or transmission of a unique patient identifier shall be deemed to be a disclosure of protected health information. [L 1999, c 87, pt of §2; am L 2000, c 140, §2]