IC 16-39-5
    Chapter 5. Release of Health Records to Third Parties and forLegitimate Business Purposes

IC 16-39-5-1
Interprovider exchange of records without patient's consent
    Sec. 1. This article does not prohibit a provider from obtaining apatient's health records from another provider without the patient'sconsent if the health records are needed to provide health careservices to the patient.
As added by P.L.2-1993, SEC.22. Amended by P.L.6-1995, SEC.38.

IC 16-39-5-2
Patient's written consent to insurer to obtain records or medicalinformation
    Sec. 2. (a) Except as provided in IC 16-39-2, IC 16-39-3,IC 16-39-4, and subsection (d), this article does not prohibit anaccident and sickness insurance company (as defined in IC 27-8-5-1)from obtaining health records or medical information with a writtenconsent executed at the time of receiving an application for insuranceor at any other time. Such consent may be used at any time forlegitimate accident and sickness insurance purposes.
    (b) A written consent to obtain health records or medicalinformation obtained at the time of application by an insurancecompany making any of the types of insurance not defined inIC 27-8-5 may be used for any legitimate insurance purposes for upto two (2) years from the date the contract is issued. A writtenconsent obtained at any other time by an insurance company notdefined in IC 27-8-5 may be used for up to one (1) year after the datethe consent was signed. A copy of all health records or medicalinformation obtained by an insurance company, other than a lifeinsurance company (as defined in IC 27-1-2-3(s)), by means of thewritten consent of the patient under this subsection shall be furnishedto the patient by the insurance company upon the written request ofthe patient.
    (c) Consents obtained by any insurance company need onlycontain the following:
        (1) Name of the insured.
        (2) Date the consent is granted.
        (3) Name of the company to which consent is given to receiveinformation.
        (4) General nature of the information that may be secured byuse of the consent.
    (d) Except as provided in subsection (e), an insurance companyother than a life insurance company (as defined in IC 27-1-2-3(s))may not obtain the results of any genetic screening or testing (asdefined in IC 27-8-26-2) without a separate written consent by anindividual at the time of application for insurance or at any othertime. The form on which an individual indicates written consentmust:        (1) indicate in at least 10 point boldface type that the individualneed not consent to releasing the results of any genetic testingor screening; and
        (2) be approved by the commissioner before use.
    (e) An insurance company other than a life insurance company (asdefined in IC 27-1-2-3(s)) is not liable if the insurance company:
        (1) inadvertently receives the results of any genetic testing orscreening (as defined in IC 27-8-26-2); and
        (2) has not obtained a separate written consent as requiredunder subsection (d).
An insurance company that inadvertently receives testing orscreening results may not use the genetic testing or screening resultsin violation of IC 27-8-26.
As added by P.L.2-1993, SEC.22. Amended by P.L.1-1994, SEC.89;P.L.150-1997, SEC.1.

IC 16-39-5-3
Provider's use of records; confidentiality; violations
    Sec. 3. (a) As used in this section,"association" refers to anIndiana hospital trade association founded in 1921.
    (b) As used in this section, "data aggregation" means acombination of information obtained from the health records of aprovider with information obtained from the health records of one (1)or more other providers to permit data analysis that relates to thehealth care operations of the providers.
    (c) Except as provided in IC 16-39-4-5, the original health recordof the patient is the property of the provider and as such may be usedby the provider without specific written authorization for legitimatebusiness purposes, including the following:
        (1) Submission of claims for payment from third parties.
        (2) Collection of accounts.
        (3) Litigation defense.
        (4) Quality assurance.
        (5) Peer review.
        (6) Scientific, statistical, and educational purposes.
    (d) In use under subsection (c), the provider shall at all timesprotect the confidentiality of the health record and may disclose theidentity of the patient only when disclosure is essential to theprovider's business use or to quality assurance and peer review.
    (e) A provider may disclose a health record to another provider orto a nonprofit medical research organization to be used in connectionwith a joint scientific, statistical, or educational project. Each partythat receives information from a health record in connection with thejoint project shall protect the confidentiality of the health record andmay not disclose the patient's identity except as allowed under thisarticle.
    (f) A provider may disclose a health record or informationobtained from a health record to the association for use in connectionwith a data aggregation project undertaken by the association.However, the provider may disclose the identity of a patient to the

association only when the disclosure is essential to the project. Theassociation may disclose the information it receives from a providerunder this subsection to the state department to be used in connectionwith a public health activity or data aggregation of inpatient andoutpatient discharge information submitted under IC 16-21-6-6. Theinformation disclosed by:
        (1) a provider to the association; or
        (2) the association to the state department;
under this subsection is confidential.
    (g) Information contained in final results obtained by the statedepartment for a public health activity that:
        (1) is based on information disclosed under subsection (f); and
        (2) identifies or could be used to determine the identity of apatient;
is confidential. All other information contained in the final results isnot confidential.
    (h) Information that is:
        (1) advisory or deliberative material of a speculative nature; or
        (2) an expression of opinion;
including preliminary reports produced in connection with a publichealth activity using information disclosed under subsection (f), isconfidential and may only be disclosed by the state department to theassociation and to the provider who disclosed the information to theassociation.
    (i) The association shall, upon the request of a provider thatcontracts with the association to perform data aggregation, makeavailable information contained in the final results of dataaggregation activities performed by the association in compliancewith subsection (f).
    (j) A person who recklessly violates or fails to comply withsubsections (e) through (h) commits a Class C infraction. Each daya violation continues constitutes a separate offense.
    (k) This chapter does not do any of the following:
        (1) Repeal, modify, or amend any statute requiring orauthorizing the disclosure of information about any person.
        (2) Prevent disclosure or confirmation of information aboutpatients involved in incidents that are reported or required to bereported to governmental agencies and not required to be keptconfidential by the governmental agencies.
As added by P.L.2-1993, SEC.22. Amended by P.L.102-1994, SEC.7;P.L.103-1994, SEC.1; P.L.2-1995, SEC.73; P.L.231-1999, SEC.15;P.L.44-2002, SEC.5; P.L.78-2004, SEC.23.

IC 16-39-5-4
Copying fees
    Sec. 4. IC 16-39-9 governs the fees that may be charged formaking and providing copies of records under this chapter.
As added by P.L.102-1994, SEC.8.