(a)
(1) Notwithstanding any other provision of law to the contrary, a health care provider shall furnish to a patient or a patient's authorized representative a copy or summary of such patient's medical records, at the option of the health care provider, within ten (10) working days upon request in writing by the patient or such representative.
(2) If a provider fails to comply with subdivision (a)(1), proper notice shall be given to the provider's licensing board or boards, and the provider may be subject to disciplinary actions that include sanctions and a monetary fine.
(b)
(1)
(A) Except as otherwise provided by law, such patient's medical records shall not constitute public records, and nothing contained in this part shall be deemed to impair any privilege of confidentiality conferred by law on patients, their personal representatives or heirs. Nothing in this subsection (b) shall impair or abridge the right of the patient or the patient's authorized representative to obtain copies of the patient's hospital records in the manner provided in § 68-11-304. Nothing in this subsection (b) shall be construed as prohibiting a patient's medical records from being subpoenaed by a court of competent jurisdiction.
(B) As used in subdivision (b)(1)(A), “medical records” includes any list of patients that is compiled or maintained by or for such patient's health care provider.
(2) Except for any statutorily required reporting to health or government authorities and except for access by an interested third-party payer or their designee for the purpose of utilization review, case management, peer reviews or other administrative functions, the name and address and other identifying information of a patient shall not be divulged. The name and address and other identifying information shall not be sold for any purpose. Any violation of this subdivision (b)(2) shall be an invasion of the patient's right to privacy.
(3) Except as otherwise authorized in this section, title 38, chapter 7, part 1, title 68, chapter 11, part 3 and title 68, chapter 11, part 15, a health care provider shall have in place a policy to protect the dignity of a patient, even if the patient dies or becomes incapacitated, by limiting the use and disclosure of medical records, images, videos or pictures intended to be used for appropriate medical educational purposes, even if the patient's information is de-identified. The policy shall include when and to whom it is appropriate to use and disclose the patient's information, and when a written authorization from the patient or their authorized representative is required, whenever it is reasonably possible to obtain it, prior to use or disclosure. If the patient becomes incapacitated or dies, and there is no legal representative for the patient, the patient's next of kin will be considered to be an authorized representative for the patient. When required the written authorization will include the core elements required by 45 CFR Parts 160 and 164, “Standards for Privacy of Individually Identifiable Health Information.”
(c) As used in this chapter:
(1) “De-identified” means there is no reasonable basis to believe that the information can be used to identify an individual and there is compliance with the requirements for de-identification outlined in 45 CFR Part 164, § 164.514 “Other requirements relating to uses and disclosures of protected health information”;
(2) “Health care provider” means any person required to be licensed under this title;
(3) “Incapacitated” means that a patient is in a physical or mental condition such that the patient is incapable of granting or denying informed consent; and
(4) “Medical records” means all medical histories, records, reports and summaries, diagnoses, prognoses, records of treatment and medication ordered and given, X-ray and radiology interpretations, physical therapy charts and notes and lab reports.
(d) Nothing in this chapter shall be construed to prevent a true, correct and complete copy of the medical records from being subject to a subpoena duces tecum.
(e) To further the effectiveness of the immunization program of the department of health, a physician or any third party payor or health insurance entity regulated by the department of commerce and insurance doing business in Tennessee, or any entity that has elected, organized and qualified as a self-insured entity that provides information to the department regarding a child's immunization status for any of the following purposes shall not be subject to liability or cause of action or a claim of any nature, including any licensing board disciplinary action, arising solely from the disclosure of information concerning such child's immunization status:
(1) Compliance with the laws regarding child care and school attendance;
(2) Ensuring that a child receives such immunization as is medically appropriate or assisting in efforts to ensure a child is appropriately immunized;
(3) Providing immunization information to the immunization registry maintained by the department;
(4) Insuring compliance with the Families First Act, compiled in title 71, chapter 3, part 1; or
(5) Providing information that will allow the department to determine immunization levels in Tennessee.
(f) All information received by the department pursuant to this part from any source shall be confidential and unavailable to the public. Contact of a parent or guardian of a child by the department regarding the child's immunization status as the result of the department's contact with the physician shall not be held to be a breach of confidentiality by the reporting physician.
(g) The names of all children shall be included on the immunization registry established by title 37, chapter 10, part 4, unless such child's custodial parent or guardian objects to the inclusion of the child's name on the immunization registry to the department. The department shall notify the child's custodial parent or guardian in writing within six (6) months of the child's birth that inclusion on the immunization registry is not mandatory. Upon such written or oral request of exclusion by the child's custodial parent or guardian, the department shall either remove the child's name from the immunization registry or refrain from adding the child's name to the immunization registry and confirm in writing to the child's custodial parent or guardian that the child's name has been excluded from the immunization registry.
(h) Notwithstanding this part or any other law to the contrary, it shall not be unlawful to disclose, nor shall there be any liability for disclosing, medical information in response to a subpoena, court order or request authorized by state or federal law.
(i) Providers, as defined in § 71-5-2503, shall make available for inspection and copying to the office of inspector general and the medicaid fraud control unit, upon request, no later than by the close of business on the next business day, a complete set of all medical records requested in connection with an investigation being pursued by the agency or shall provide a compelling reason why the requested records cannot be produced; provided, that no such records shall be removed from the grounds of the provider's office without the provider's consent, unless the office of inspector general or the medicaid fraud control unit reasonably believes that the requested documents are about to be altered or destroyed.
(j) On request of a provider, a duly authorized agent of the requesting agency shall sign a document acknowledging receipt of records produced pursuant to this section. On request of a duly authorized agent of the requesting agency, a duly authorized agent of the provider shall sign a document acknowledging the return of specific records to the provider.
(k) No person or entity shall be subject to any civil or criminal liability for releasing patient information in response to a request from the office of inspector general or the medicaid fraud control unit.