(a) No covered entity shall use or disclose protected health information except as follows:
(1) In a manner consistent with an authorization that satisfies the requirements of 45 C.F.R. § 164.508;
(2) in a manner as permitted under 45 C.F.R. §§ 164.502, 164.506, 164.508, 164.510 and 164.512; or
(3) in a manner as required under 45 C.F.R. § 164.502.
(b) A covered entity may disclose an individual’s protected health information to a health information organization without an authorization if such covered entity:
(1) Is a party to a current participation agreement with an approved health information organization at the time the disclosure is made;
(2) discloses the individual’s protected health information to that approved health information organization in a manner consistent with the established procedures of the approved health information organization; and
(3) furnishes to the individual, or such individual’s personal representative, whose information is to be disclosed to the approved health information organization, the notice required under K.S.A. 65-6832, and amendments thereto.
(c) A covered entity that uses or discloses protected health information in compliance with this section shall be immune from any civil or criminal liability or any adverse administrative action arising out of or relating to such use or disclosure.