38-1225. Patient data; confidentiality; immunity.

(1) No patient data received or recorded by an emergency medical service or an emergency care provider shall be divulged, made public, or released by an emergency medical service or an emergency care provider, except that patient data may be released for purposes of treatment, payment, and other health care operations as defined and permitted under the federal Health Insurance Portability and Accountability Act of 1996, as such act existed on January 1, 2018, or as otherwise permitted by law. Such data shall be provided to the department for public health purposes pursuant to rules and regulations of the department. For purposes of this section, patient data means any data received or recorded as part of the records maintenance requirements of the Emergency Medical Services Practice Act.

(2) Patient data received by the department shall be confidential with release only (a) in aggregate data reports created by the department on a periodic basis or at the request of an individual, (b) as case-specific data to approved researchers for specific research projects, (c) as protected health information to a public health authority, as such terms are defined under the federal Health Insurance Portability and Accountability Act of 1996, as such act existed on January 1, 2018, and (d) as protected health information, as defined under the federal Health Insurance Portability and Accountability Act of 1996, as such act existed on January 1, 2018, to an emergency medical service, to an emergency care provider, or to a licensed health care facility for purposes of treatment. A record may be shared with the emergency medical service or emergency care provider that reported that specific record. Approved researchers shall maintain the confidentiality of the data, and researchers shall be approved in the same manner as described in section 81-666. Aggregate reports shall be public documents.

(3) No civil or criminal liability of any kind or character for damages or other relief or penalty shall arise or be enforced against any person or organization by reason of having provided patient data pursuant to this section.

Source:Laws 1997, LB 138, § 14; Laws 2003, LB 667, § 11; R.S.1943, (2003), § 71-5185; Laws 2007, LB185, § 42; Laws 2007, LB463, § 509; Laws 2018, LB1034, § 26; Laws 2020, LB1002, § 34.