Section 7.166.040. Privacy and security.  


(a) An individual owns the individual's individually identifiable health information. An HIE participant owns the medical record that includes the individually identifiable health information.

(b) Individually identifiable health information located on an HIE is confidential, is protected under AS 40.25.120 from disclosure, and is not public information subject to the public records requirements of AS 40.25.110.

(c) An HIE shall comply with the applicable requirements of AS 45.48 (Alaska Personal Information Protection Act), P.L. 104-191 (Health Insurance Portability and Accountability Act of 1996 (HIPAA)), P.L. 111-5, div. A, title XIII (Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009), 42 C.F.R. Part 2, and 45 C.F.R. Parts 160 and 164.

(d) An HIE may not allow an HIE participant to alter the electronic health information of another HIE participant within the HIE. Nothing in this subsection prohibits an HIE participant from remedying an error made in a previous transmission of electronic health information, or amending the HIE participant's own records.

(e) An HIE may only disclose electronic health information for treatment and billing.

(f) An HIE shall annually have an independent third party perform an assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic health information on the HIE, as required under 45 C.F.R. 164.308(a)(1)(ii)(A). The assessment must include the HIE's compliance with the privacy and security requirements of 45 C.F.R. 164.302 - 164.318 and 45 C.F.R. 164.500 - 164.534. The HIE shall provide the risk assessment to the department and the governing body, not later than 10 business days after receipt from the third party that performed the assessment. The HIE shall provide recommendations for acceptance or mitigation of each high- and medium-level risk identified in the assessment to the governing body and to the department not later than 30 days after receipt from the third party that performed the assessment. The HIE shall provide to an HIE participant, upon request, a summary of the risk assessment and actions taken to accept or mitigate risk.

(g) A valid release of an individual's electronic health information or a court order is required for any disclosure not otherwise authorized under this section.
    

Notes


Authority
AS 18.23.300; AS 18.23.305; AS 18.23.310
History
Eff. 3/22/2014, Register 209