Tenn. Code § 68-11-1503

Current through Acts 2023-2024, ch. 1069
Section 68-11-1503 - Confidentiality
(a)
(1) The name and address and other identifying information of a patient shall not be divulged, except for:
(A) Any statutorily required reporting to health or government authorities;
(B) Access by an interested third-party payer or designee, for the purpose of utilization reviews, case management, peer reviews, or other administrative functions;
(C) Access by health care providers from whom the patient receives or seeks care;
(D) If the patient does not object, any directory information, including only the name of the patient, the patient's general health status and the patient's location and telephone number. Directory information shall be released to all inquirers, only if the patient has been notified, upon admission to the hospital, of the patient's right to object to the information that may be released and has not objected; or, if the patient is in a physical or mental condition such that the patient is incapable of making an objection and the next of kin or patient representative does not come forward and object; and
(E) Any request by the office of inspector general or the medicaid fraud control unit with respect to an ongoing investigation. No person or entity shall be subject to any civil or criminal liability for releasing patient information in response to a request from the office of inspector general or the medicaid fraud control unit.
(2) Except as otherwise provided in this part, § 63-2-101, and part 3 of this chapter, a health care provider shall have in place a policy to protect the dignity of a patient, even if the patient dies or becomes incapacitated, by limiting the use and disclosure of medical records, images, videos or pictures intended to be used for appropriate medical educational purposes, even if the patient's information is de-identified. The policy shall include when and to whom it is appropriate to use and disclose the patient's information, and when a written authorization from the patient or their authorized representative is required, whenever it is reasonably possible to obtain it, prior to use or disclosure. If the patient becomes incapacitated or dies, and there is no legal representative for the patient, the patient's next of kin will be considered to be an authorized representative for the patient. When required, the written authorization will include the core elements required by 45 CFR Parts 160 and 164, "Standards for Privacy of Individually Identifiable Health Information."
(b) The name and address and other identifying information shall not be sold for any purpose.
(c) Any violation of this section shall be an invasion of the patient's right to privacy.
(d) Notwithstanding this part or any other law to the contrary, it shall not be unlawful to disclose, nor shall there be any liability for disclosing, medical information in response to a subpoena, court order, or request authorized by state or federal law.
(e) For purposes of this part:
(1) "De-identified" means there is no reasonable basis to believe that the information can be used to identify an individual and there is compliance with the requirements for de-identification outlined in 45 CFR Part 164, 164.514, "Other requirements relating to uses and disclosures of protected health information";
(2) "Incapacitated" means that a patient is in a physical or mental condition such that the patient is incapable of granting or denying informed consent; and
(3) "Medical records" means "hospital records" as that term is defined in § 68-11-302.

T.C.A. § 68-11-1503

Acts 1996, ch. 873, § 4; 1997 , ch. 366, § 1; 1998, ch. 791, § 1; 2005, ch. 113, § 2; 2005, ch. 474, § 14; 2010 , ch. 862, §§ 4, 5.