135D.7 Legal and policy — liability — confidentiality.

1. The board shall implement industry-accepted security standards, policies, and procedures to protect the transmission and receipt of protected health information exchanged through the Iowa health information network, which shall, at a minimum, comply with HIPAA and shall include all of the following:

a. A secure and traceable electronic audit system to document and monitor the sender and recipient of health information exchanged through the Iowa health information network.

b. A required standard participation agreement which defines the minimum privacy and security obligations of all participants using the Iowa health information network and services available through the Iowa health information network.

c. The opportunity for a patient to decline exchange of the patient’s health information through the record locator service of the Iowa health information network.

(1) A patient shall not be denied care or treatment for declining to exchange the patient’s health information, in whole or in part, through the network.

(2) The board shall provide the means and process by which a patient may decline participation. The means and process utilized shall minimize the burden on patients and health care professionals.

(3) Unless otherwise authorized by law or rule, a patient’s decision to decline participation means that none of the patient’s health information shall be accessible through the record locator service function of the Iowa health information network. A patient’s decision to decline having health information shared through the record locator service function shall not limit a health care professional with whom the patient has or is considering a treatment relationship from sharing health information concerning the patient through the secure messaging function of the Iowa health information network.

(4) A patient who declines participation in the Iowa health information network may later decide to have health information shared through the network. A patient who is participating in the network may later decline participation in the network.

2. A participant shall not be compelled by subpoena, court order, or other process of law to access health information through the Iowa health information network in order to gather records or information not created by the participant.

3. A participant exchanging health information and data through the Iowa health information network shall grant to other participants of the network a nonexclusive license to retrieve and use that information in accordance with applicable state and federal laws, and the policies and standards established by the board.

4. A health care professional who relies reasonably and in good faith upon any health information provided through the Iowa health information network in treatment of a patient who is the subject of the health information shall be immune from criminal or civil liability arising from the damages caused by such reasonable, good-faith reliance. Such immunity shall not apply to acts or omissions constituting negligence, recklessness, or intentional misconduct.

5. A participant who has disclosed health information through the Iowa health information network in compliance with applicable law and the standards, requirements, policies, procedures, and agreements of the network shall not be subject to criminal or civil liability for the use or disclosure of the health information by another participant.

6. The following records shall be confidential records pursuant to chapter 22, unless otherwise ordered by a court or consented to by the patient or by a person duly authorized to release such information:

a. The health information contained in, stored in, submitted to, transferred or exchanged by, or released from the Iowa health information network.

b. Any health information in the possession of the board due to its administration of the Iowa health information network.

7. Unless otherwise provided in this chapter, when sharing health information through the Iowa health information network or a private health information network maintained in this state that complies with the privacy and security requirements of this chapter for the purposes of patient treatment, payment or health care operations, as such terms are defined in HIPAA, or for the purposes of public health activities or care coordination, a participant authorized by the designated entity to use the record locator service is exempt from any other state law that is more restrictive than HIPAA that would otherwise prevent or hinder the exchange of patient information by the participant.

8. A patient aggrieved or adversely affected by the designated entity’s failure to comply with subsection 1, paragraph “c”, may bring a civil action for equitable relief as the court deems appropriate.

2015 Acts, ch 73, §7, 9

Section is effective March 31, 2017; Code editor received notice from the Iowa department of public health that assumption of administration and governance of the Iowa health information network by the designated entity occurred on that date; 2015 Acts, ch 73, §9