(1) Except as authorized elsewhere in this chapter, a health care provider, an individual who assists a health care provider in the delivery of health care, or an agent and employee of a health care provider may not disclose health care information about a patient to any other person without the patient's written authorization. A disclosure made under a patient's written authorization must conform to the authorization.
(2) A patient has a right to receive an accounting of disclosures of health care information made by a health care provider or a health care facility in the six years before the date on which the accounting is requested, except for disclosures:
(a) To carry out treatment, payment, and health care operations;
(b) To the patient of health care information about him or her;
(c) Incident to a use or disclosure that is otherwise permitted or required;
(d) Pursuant to an authorization where the patient authorized the disclosure of health care information about himself or herself;
(e) Of directory information;
(f) To persons involved in the patient's care;
(g) For national security or intelligence purposes if an accounting of disclosures is not permitted by law;
(h) To correctional institutions or law enforcement officials if an accounting of disclosures is not permitted by law; and
(i) Of a limited data set that excludes direct identifiers of the patient or of relatives, employers, or household members of the patient.