Current through Acts 2023-2024, ch. 1069
Section 47-18-3311 - [Effective 7/1/2025] Exemptions(a) This part does not apply to:(1) A body, authority, board, bureau, commission, district, or agency of this state or of a political subdivision of this state;(2) A financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.);(3) An individual, firm, association, corporation, or other entity that is licensed in this state under title 56 as an insurance company and transacts insurance business;(4) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States department of health and human services, 45 CFR Parts 160 and 164 established pursuant to HIPAA, and the federal Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);(5) A nonprofit organization;(6) An institution of higher education;(7) Protected health information under HIPAA;(8) Health records for purposes of title 68;(9) Patient identifying information for purposes of 42 U.S.C. § 290dd-2;(10) Personal information: (A) Processed for purposes of: (i) Research conducted in accordance with the federal policy for the protection of human subjects under 45 CFR Part 46;(ii) Human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; or(iii) Research conducted in accordance with the protection of human subjects under 21 CFR Parts 6, 50, and 56; or(B) Processed or sold in connection with research conducted in accordance with the requirements set forth in this part, or other research conducted in accordance with applicable law;(11) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.);(12) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.);(13) Information that is:(A) Derived from the healthcare-related information listed in this subsection (a) that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; or(B) Included in a limited data set as described in 45 CFR 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified in 45 CFR 164.514(e);(14) Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection (a) that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. § 290dd-2;(15) Information used only for public health activities and purposes as authorized by HIPAA;(16) The collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.);(17) Personal information collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.);(18) Personal information or educational information regulated by the federal Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g et seq.);(19) Personal information collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.);(20) Data processed or maintained: (A) In the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;(B) As the emergency contact information of an individual under this part used for emergency contact purposes; or(C) That is necessary to retain to administer benefits for another individual relating to the individual under subdivision (a)(20)(A) and used for the purposes of administering those benefits;(21) Information collected as part of public- or peer-reviewed scientific or statistical research in the public interest;(22) An insurance producer licensed under title 56; or(23) Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act (21 U.S.C. § 830).(b) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) are deemed compliant with an obligation to obtain parental consent under this part.(c) This part does not require a controller, processor, third party, or consumer to disclose trade secrets.Added by 2023 Tenn. Acts, ch. 408, s 2, eff. 7/1/2025.