§ 63-1-120. Confidentiality of data - Disclosure upon court order - Immunity from liability.  

A.  Except as otherwise provided by Section 1-119 of this title, the individual forms, computer tapes, or other forms of data collected by and furnished to the Division of Health Care Information or to a data processor pursuant to the Oklahoma Health Care Information System Act shall be confidential and shall not be public records as defined in the Open Records Act.

B.  After approval by the State Department of Health, the compilations prepared for release or dissemination from the data collected, except for a report prepared at the request of an individual data provider containing information concerning only its transactions, shall be public records.  The Division shall establish a Health Care Information Advisory Committee as provided in Section 1-122 of this title, to assist with determinations related to data collection, and information to be released and disseminated to the public.

C.  The confidentiality of identifying information is to be protected and the pertinent statutes, rules and regulations of the State of Oklahoma and of the federal government relative to confidentiality shall apply.

D.  Identifying information shall not be disclosed, and shall not be used for any purpose except for the creation and maintenance of anonymous medical case histories for statistical reporting and data analysis.

E.  The Division or other state agency receiving information pursuant to the Oklahoma Health Care Information System Act shall be subject to the same confidentiality restrictions imposed by state or federal law as the public or private agency providing the information and is prohibited from taking any administrative, investigative or other action with respect to any individual on the basis of the identifying information.  The Division data analyzer or other state agency receiving information pursuant to the Oklahoma Health Care Information System Act is further prohibited from identifying, directly or indirectly, any individual in any report of scientific research or long-term evaluation, or otherwise disclosing identities in any manner.

F.  Except as otherwise authorized by the Oklahoma Health Care Information System Act, identifying information submitted to the Division which would directly or indirectly identify any person shall not be disclosed by the Division either voluntarily or in response to any legal process, unless directed to by a court of competent jurisdiction, granted after application showing good cause therefor with notice of the hearing to the Division.  In assessing good cause the court shall only grant such application if it seeks to challenge the statistical efficacy of a finding made by the Division or alleges a violation of confidentiality by the Division.  Such application shall then be granted only when the public interest and the need for disclosure outweighs the injury to the person, to the physician-patient relationship, and to the treatment services.  Upon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure.

G.  Any person who submits or receives data as required or authorized by the Oklahoma Health Care Information System Act shall be immune from liability in any civil action for any action taken as required by the provisions of the Oklahoma Health Care Information System Act.  This immunity is in addition to any other immunity for the same or similar acts to which the person is otherwise entitled.

H.  Any person who violates the confidentiality provisions of this section shall be punishable by a fine of Five Thousand Dollars ($5,000.00).