A. Access to data in the health information system shall be provided in accordance with regulations adopted by the department pursuant to the Health Information System Act.

B. A data provider may obtain data it has submitted to the system, as well as aggregate data, but, except as provided in Subsection D of this section, it shall not have access to data submitted by another provider that is limited only to that provider unless that data is aggregated data and publicly disseminated by the department. Except as provided in Subsection D of this section, in no event may a data provider obtain data regarding an individual patient except in instances where the data were originally submitted by the requesting provider. Prior to the release of any data, in any form, data sources shall be permitted the opportunity to verify the accuracy of the data pertaining to that data source. Data identified in writing as inaccurate shall be corrected prior to the data’s release. Time limits shall be set for the submission and review of data by data sources, and penalties shall be established for failure to submit and review the data within the established time.

C. Any person may obtain any aggregate data publicly disseminated by the department.

D. Through a secure delivery or transmission process, the department may share record-level data with a federal agency that is authorized to collect, analyze or disseminate health information. The department shall remove identifiable individual or provider information from the record-level data prior to its disclosure to the federal agency. In providing hospital information under an agreement or arrangement with a federal agency, the department shall ensure that any identifiable hospital information disclosed is necessary for the agency’s authorized use and that its disclosure meets with state and federal privacy and confidentiality laws, rules and regulations.