(1) The privacy of individually identifiable health information collected for or by a cooperative shall be protected. Disclosure of such information is prohibited except for:

(a) Disclosures by an individual identified in the information or whose identity can be associated with the information;

(b) Disclosures explicitly authorized through written informed consent procedures by an individual;

(c) Disclosures to federal, state, or local law enforcement agencies for lawful purposes;

(d) Subject to rules promulgated by the commissioner, disclosures for bona fide research projects.

(2) (a) All disclosures of individually identifiable health information shall be restricted to the minimum amount of information necessary to accomplish the purpose for which the information is being disclosed.

(b) Any cooperative shall implement administrative, technical, and physical safeguards for the security of identifiable health information.

(3) (a) Subject to appropriate procedures established by a cooperative, an individual has the right to know whether any individual or entity uses or maintains individually identifiable health information concerning the individual and for what purpose the information may be used or maintained.

(b) Subject to appropriate procedures established by a cooperative, an individual has the right, with respect to identifiable health information concerning the individual that is recorded in any form or medium, to:

(I) See such information;

(II) Copy such information; and

(III) Have a notation made with or in such information including suggestions for amendments or corrections to such information requested by the individual or the individual's representative.

(4) Provider networks and providers in a network shall maintain the confidentiality of medical records as otherwise required by section 18-4-412, C.R.S., or other applicable law.