Code of Maryland Regulations (Last Updated: April 6, 2021)
Title 10. Maryland Department of Health
Part 4.
Subtitle 25. MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18. Health Information Exchanges: Privacy and Security of Protected Health Information
Sec. 10.25.18.02. Definitions
A. In this chapter, the following terms have the meanings indicated.
B. Terms Defined.
(1) Ancillary clinical service provider means a health care provider who has a direct contractual agreement with the hospital to provide therapeutic, diagnostic, or custodial ancillary services for the hospital as part of its affiliation. Ancillary services may include skilled nursing, home care, outpatient rehabilitation and therapy, transportation, ambulatory surgery, dialysis, laboratory, radiology, pharmacy, and chemotherapy.
(2) Appropriate notice to one or more health care consumers means notice, related to a request for identifiable data for secondary use, that meets the following requirements:
(a) The notice:
(i) Must include educational information pertaining to the requesting entity's secondary use of data obtained through an HIE, including why the entity is requesting the data and how it intends to use the data;
(ii) May describe an ongoing scenario such as care coordination or other ongoing care management activities against which subsequent data may be requested by the care management organization from the HIE; in such cases, the potential need for and nature of such requests shall be included in the description of the initial request to the external review board and shall be plainly documented in the notice to health care consumers;
(iii) Must include a clear and detailed description of the steps a health care consumer must take in order to grant authorization for the use of their information or to deny authorization;
(iv) Must provide clear, detailed notice that the health care consumer's failure to respond could result in their information being disclosed without their authorization, if an independent external review committee waives authorization; and
(v) Must have characteristics detailed in Regulation .03B(2)(b)-(g) of this chapter.
(b) The care management organization, or its third party, has provided to each health care consumer whose identifiable information is being requested:
(i) Notice as described above, using varied methods, where possible, to reach the health care consumer;
(ii) The opportunity to submit authorization or denial of authorization through various methods such as email, online, mail, and phone; and
(iii) At least 30 calendar days from the time of the first notice to respond to the notice.
(3) Authentication means the process of establishing confidence in user identities electronically presented to an information system.
(4) Authorization has the meaning provided in 45 CFR §164.508.
(5) Authorized purpose means the specific reason consistent with this chapter and State and federal law for which an authorized user may use, access, or disclose protected health information through or from an HIE. The authorized purpose may include daily operations and maintenance of the HIE for:
(a) The staff of the HIE who have signed a confidentiality and nondisclosure agreement; and
(b) The staff of the HIE's contractor if the contractor:
(i) Has entered into a business associate agreement with the HIE; and
(ii) Has contractually agreed to limit access to the HIE only to its employees, agents, and independent contractors with a need-to-know; and who are under a confidentiality restriction, which may include a binding work force policy and procedure.
(6) Authorized user means an individual identified by a participating organization or a health information exchange, including a health care consumer, who may use, access, or disclose protected health information through or from a health information exchange for a specific authorized purpose and whose HIE access is not currently suspended or terminated under Regulation .05, .07, or .09 of this chapter.
(7) Breach has the meaning provided in 45 CFR §164.402.
(8) Business associate has the meaning provided in 45 CFR §160.103.
(9) Core elements of the Master Patient Index (MPI) are the minimum elements that are:
(a) Required for an HIE to identify a particular patient across separate clinical, financial, and administrative systems; and
(b) Needed to exchange health information electronically.
(10) Care management organization, in the context of secondary use, means any entity that:
(a) Has financial or specific care-related responsibilities for individuals with whom they may not have a treatment, payment, or health care operations relationship under 45 CFR §164.501(1); and
(b) Has the legal or regulatory authority to exercise the responsibilities stated in §B(10)(a) of this regulation; or
(c) Is operating in accordance with Maryland's All-Payer Model or successor agreement between the Centers for Medicare and Medicaid Services and the State of Maryland;
(d) Does not include a third-party entity engaged by a participating organization to provide care management services on behalf of such participating organization for a primary use.
(11) Control means providing a method by which the health care consumer can electronically provide instructions to an HIE regarding the disclosure of the patient's information being made available through the HIE, which may include specifying:
(a) The individuals and organizations to whom the HIE may disclose the patient's health information;
(b) The circumstances (e.g., all, emergency only, inpatient, etc.) under which the patient's health information may be disclosed through the HIE; and
(c) What type of health information may be disclosed, such as prescription history, laboratory reports, hospital encounters, and to whom.
(12) Core HIE education content means the educational information developed and approved by the Maryland Health Care Commission, after consultation with interested parties, and includes a general overview of:
(a) The fundamentals of health information technology, including electronic health records and the exchange of electronic health information;
(b) Health information privacy and security laws; and
(c) The benefits and risks to patients of exchanging health information through an HIE as compared to opting-out and exchanging health information through a paper-based system.
(13) Covered entity has the meaning provided in 45 CFR §160.103.
(14) Credentialed professional means an individual who has been credentialed by a hospital to provide clinical services to patients of the hospital. Credentialing includes the formal evaluation and verification of an individual's necessary qualifications, education, training, and professional license if applicable, through the collection, verification, and evaluation of data relevant to the individual's professional performance.
(15) Data use agreement means an agreement that:
(a) Is entered into by an HIE and an entity receiving data for secondary data use purposes, regardless of whether or not the entity is a covered entity as defined by HIPAA; and
(b) Requires:
(i) The receiving entity to accept and comply with the requirements in this chapter and, to the extent the receiving entity meets the definition of a business associate under HIPAA, current State and federal laws pertaining to business associates and business associate agreements;
(ii) Both parties to access, transmit, and protect the PHI in accordance with current legal requirements and industry standards and practices;
(iii) The receiving entity to destroy the PHI, including back-up and archived copies of the PHI, in accordance with industry standards and practices, when the purposes for which it has been requested are completed, unless retention of the PHI is otherwise required by law; and
(iv) The receiving entity not to reuse or disclose the PHI to any person or organization, except as required or permitted by law; or if disclosed to a third party, which will act on behalf of the receiving entity, the third party and the receiving entity enter a contractual agreement that requires the third party to be bound by the provisions of the data use agreement that applies to the receiving entity.
(16) De-identified data means health information that neither identifies nor provides a reasonable basis to identify an individual and that meets the standards and specifications provided in 45 CFR §164.514(a)-(b).
(17) Disclose or disclosure means the release, redisclosure, transfer, provision, access, transmission, communication, or divulgence in any other manner of information in a medical record, including an acknowledgment that a medical record on a particular patient or recipient exists, outside the entity holding such information.
(18) Download means providing a method by which the health care consumer can obtain an electronic copy of the patient's information that:
(a) Is in a readily available industry standard format; and
(b) Allows the health care consumer to save, maintain, use, or transmit the patient's information.
(19) Electronic health record or EHR means an electronic record of health-related information on an individual that includes patient demographic and clinical health information that may be used for clinical diagnosis, treatment, improvement of health care quality, and patient care.
(20) Electronic health record system means technology that electronically captures, manages, and organizes health records and may have the capacity to:
(a) Provide clinical decision support;
(b) Support physician order entry;
(c) Capture and query information relevant to health care quality; and
(d) Exchange electronic health information with and integrate the information from other sources.
(21) Emergency has the meaning provided in Health-General Article, §4-301(d), Annotated Code of Maryland.
(22) External and independent review committee means a group of individuals that:
(a) Is responsible for reviewing and making a determination regarding a request for a waiver of authorization related to population care management; and
(b) Shall be minimally composed of:
(i) At least three health care consumer members, three health care provider members, one member representing the scientific community, one member with privacy and legal expertise, and one member with HIE expertise;
(ii) Members who have appropriate professional competencies necessary to review the request; and
(iii) More than half of the members are not affiliated with or related to any person affiliated with the requesting entity and are free from any conflicts of interest with the requesting entity.
(23) Federalwide assurance or FWA means an agreement between an entity and the United States Department of Health and Human Services under which the entity agrees to comply with:
(a) Federal regulations concerning research involving human subjects;
(b) Department of Health and Human Services regulations found at 45 CFR Part 46;
(c) A statement of principles governing the entity in the discharge of its responsibilities for protecting the rights and welfare of human subjects of research conducted at or sponsored by the entity; and
(d) Other requirements of the agreement.
(24) Granular patient consent means expressed preferences made by a health care consumer regarding the disclosure, access, and use of the patient's protected health information according to the type of information, type of provider, purpose, or circumstance communicated by the health care consumer to the HIE through reasonable means specified by the HIE, which shall include paper and electronic means.
(25) Health care consumer means a patient or a person in interest, as defined in this regulation.
(26) Health care provider means:
(a) A person who is licensed, certified, or otherwise authorized under Health Occupations Article, Annotated Code of Maryland, or Education Article, §13-516, Annotated Code of Maryland, to provide health care in the ordinary course of business or practice of a profession or in an approved education or training program; or
(b) A facility where health care is provided to patients or recipients, including:
(i) A facility as defined in Health-General Article, §10-101(e), Annotated Code of Maryland;
(ii) A hospital as defined in Health-General Article, §19-301(f), Annotated Code of Maryland;
(iii) A related institution as defined in Health-General Article, §19-301(o), Annotated Code of Maryland;
(iv) A State-certified substance use disorder program, as defined in Health-General Article, §8-403, Annotated Code of Maryland;
(v) A health maintenance organization as defined in Health-General Article, §19-701(g), Annotated Code of Maryland;
(vi) An outpatient clinic; or
(vii) A medical laboratory;
(c) An agent, employee, officer, or director of a health care facility, or an agent or employee of a health care provider.
(27) Health information means any information, whether oral or recorded in any form or medium, that:
(a) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(b) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
(28) Health information exchange or HIE means an entity that creates or maintains an infrastructure that provides organizational and technical capabilities in an interoperable system for the electronic exchange of protected health information among participating organizations not under common ownership, in a manner that ensures the secure exchange of protected health information to provide care to patients. An HIE includes a payor HIE but does not include an entity that is acting solely as a health care clearinghouse, as defined in 45 CFR §160.103. A payor may act as, operate, or own an HIE subject to these regulations.
(29) HIE access matrix means a document that is used by a participating organization to assign access to each authorized user and describes the type of protected health information (including, but not limited to, lab reports, prescription drug information, prior admissions to hospitals), that each authorized user is allowed to retrieve from an HIE. An HIE access matrix may specify a use case (including but not limited to electronic eligibility, clinical lab ordering/results delivery, electronic prescribing, medication history, clinical summary exchange, and other items) and corresponding associated data, including identified sensitive health information.
(30) HIPAA means the Health Insurance Portability and Accountability Act of 1996, P.L.104-191, as amended, and the implementing regulations at 45 CFR Parts 160 and 164, as amended, and including as amended by the HITECH Act.
(31) HITECH Act means the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), as amended.
(32) Hospital means an institution defined in Health-General Article, §19-301(f), Annotated Code of Maryland, that is licensed by the Office of Health Care Quality.
(33) Identifiable data means any health information that includes personal identifiers, as detailed in 45 CFR §164.501.
(34) Institutional Review Board or IRB means a committee or other group designated by an institution or affiliated with a State agency that performs a review of proposed research that has:
(a) Registered with the Office of Human Research Protections Electronic Submission System; and
(b) Obtained FWA approval from the Office of Human Research Protections.
(35) Master patient index or MPI means a database that maintains a unique index identifier for each patient whose protected health information may be accessible through an HIE and is used to cross reference patient identifiers across multiple participating organizations to allow for patient search, patient matching, and consolidation of duplicate records.
(36) MHCC or the Commission means the Maryland Health Care Commission.
(37) Nationally recognized standards means technical standards for the exchange, integration, sharing, or retrieval of electronic health information considered reliable by the health IT industry nationally.
(38) Non-HIPAA violation means an inappropriate use, access, maintenance, or disclosure of health information that is not a HIPAA violation, but is inconsistent with State or federal law or this chapter, including a violation of 42 CFR Part 2.
(39) Notice (or notify or notification) means an action that is required to be taken in writing or by written request under this chapter by a person, including an HIE, a health care consumer, a participating organization, or the MHCC, in order to provide information to another that:
(a) Is sent by letter delivered to the person's address of record;
(b) Uses one of the following electronic or digital mechanisms where the delivery is acknowledged or confirmed:
(i) An email, when the receiving person has provided an email address;
(ii) By a health care consumer using the receiver's website; or
(iii) By a health care consumer using a patient portal;
(c) By a health care consumer using telephonic or similar method, provided that a written confirmation of the conversation is provided to the health care consumer by the person receiving the notification or request by the following means:
(i) An email, when the health care consumer has provided an email address and delivery is acknowledged or confirmed; or
(ii) A letter delivered to the health care consumer's address of record; and
(d) Complies with HIPAA and all other applicable federal and State laws and regulations.
(40) Opt-out means the explicit written notice by a health care consumer to an HIE that the patient has elected not to participate in the HIE, so that the HIE shall not disclose such patient's protected health information, or data derived from such patient's health information, except as consistent with this chapter.
(41) Part 2 means the federal Confidentiality of Substance Use Disorder Patient Records regulations found in 42 CFR Part 2 and supplemented by the final rule 82 FR 6052.
(42) Part 2 information means any information subject to the regulations under 42 CFR Part 2.
(43) Participating organization means a covered entity that enters into an agreement with an HIE that governs the terms and conditions under which its authorized users may use, access, or disclose protected health information through the HIE.
(44) Patient means an individual who receives health care and on whom a medical record is maintained.
(45) Payor means:
(a) An insurer that holds a certificate of authority in the State and provides health benefit plans in the State;
(b) A health maintenance organization that holds a certificate of authority in the State;
(c) A managed care organization authorized to receive Medicaid prepaid capitation payments under Health-General Article, Title 15, Subtitle 1, Annotated Code of Maryland; or
(d) A nonprofit health service plan that holds a certificate of authority in the State.
(46) Person means an individual, trust or estate, general or limited partnership, joint stock company, unincorporated association or society, municipal or other corporation, incorporated association, limited liability partnership, limited liability company, the State, an agency or political subdivision of the State, a court, and any other governmental entity.
(47) Person in interest means any of the following, but does not include a participating organization:
(a) An adult on whom a health care provider maintains a medical record;
(b) A person authorized to consent to health care for an adult consistent with the authority granted, including without limitation, a guardian, surrogate, or person with a medical power of attorney;
(c) A duly appointed personal representative of a deceased person;
(d) Either:
(i) A minor, if the medical record concerns treatment to which the minor has the right to consent and has consented under Title 20, Subtitle 1 of the Health-General Article, Annotated Code of Maryland; or
(ii) A parent, guardian, custodian, or a representative of the minor designated by a court, in the discretion of the attending physician who provided the treatment to the minor, as provided in Health-General Article, §§20-102 and 20-104, Annotated Code of Maryland; or
(e) If §B(47)(d) of this regulation does not apply to a minor:
(i) A parent of the minor, except if the parent's authority to consent to health care for the minor has been specifically limited by a court order or a valid separation agreement entered into by the parents of the minor; or
(ii) A person authorized to consent to health care for the minor consistent with the authority granted; or
(f) An attorney appointed in writing by a person listed in this definition regarding matters subject to this chapter.
(48) Point-to-point transmission means a secure electronic transmission of PHI, including, but not limited to, records sent via facsimile or secure clinical messaging service, sent by a single entity that can be read only by the single receiving entity designated by the sender. A point-to-point transmission may be facilitated by an HIE and mirrors a paper-based exchange, such as a referral to a specialist, a discharge summary sent to where the patient is transferred, lab results sent to the practitioner who ordered them, or clinical information sent from a hospital to the patient's health plan for quality improvement or care management/coordination activities for such patient.
(49) Population care management purpose means the use of data, for secondary use, available from or through an HIE for population-based activities relating to the improvement of patient and population health or the reduction of health care costs, including but not limited to:
(a) Patient outreach activities that involve care management;
(b) Development or assessment of quality indicators, patient patterns or outcomes, or support of quality reporting;
(c) Development and evaluation of innovative care delivery models and programs; and
(d) Risk assessment.
(50) Primary use of HIE data or primary use means use and disclosure of data accessed, used, or disclosed through an HIE for purposes of:
(a) Treatment as defined by HIPAA;
(b) Payment as defined by HIPAA;
(c) Reporting to public health authorities in compliance with reporting required or permitted by law;
(d) Other uses or disclosures required or permitted by law and in accordance with this chapter, including those set forth in Health-General Article, §4-305(b), Annotated Code of Maryland; or
(e) Health care operations, as defined by HIPAA, for conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.
(51) Privacy board means a group of individuals that:
(a) Is responsible for reviewing and making a determination on a request for secondary data for research purposes;
(b) Has the authority consistent with 45 CFR §164.512, including approval of a waiver or alteration of authorization requirement;
(c) Is designated or convened by the HIE, which may establish guidelines concerning a quorum;
(d) Shall meet the member composition requirements detailed in 45 CFR §164.512(i)(1)(i)(B)(1) and (3); and
(e) Shall assure that less than half of its members considering a request are affiliated with or related to any person affiliated with the requesting entity.
(52) Protected health information or PHI, a subset of health information, means:
(a) Protected health information as defined in 45 CFR §160.103; or
(b) A medical record as defined in the Health-General Article, §4-301(i); and
(c) Includes sensitive health information.
(53) Public health authority has the meaning provided in 45 CFR §164.501.
(54) Qualified research organization means an entity that:
(a) Has entered into a data use agreement with the HIE from which data is being requested;
(b) Is determined, by an IRB or privacy board, to have expertise to carry out research specific to its request;
(c) Is determined, by an IRB or privacy board, to have a legitimate and credible reason or obligation to carry out research specific to its request; and
(d) Is a participating organization, public health authority, or is engaged in joint research with a participating organization or public health authority.
(55) Query means to electronically search for information available through an HIE using the services provided by the HIE.
(56) Research means the use of secondary data available from or through an HIE for the systematic investigation, including research development, testing, preparation, and evaluation, designed to develop or contribute to generalizable knowledge as defined in 45 CFR §164.501 and 45 CFR §46.102, including the use of de-identified data and limited data sets.
(57) Secondary use of HIE data or secondary use means any use or disclosure of data accessed, used or disclosed through an HIE that is not a primary use. Examples of secondary use include, but are not limited to, use of HIE data for conducting research, improving patient safety, marketing, or the sale of HIE data.
(58) Sensitive health information means a subset of PHI, which consists of:
(a) Part 2 information; or
(b) Any other information that has specific legal protections in addition to those required under HIPAA or the Maryland Confidentiality of Medical Records Act, which include, but are not limited to, Health-General Article, §4-307, Annotated Code of Maryland, and the Public Health Services Act, 42 U.S.C. §290dd-2, as implemented and amended in federal regulations.
(59) State-designated HIE means an HIE designated by the Maryland Health Care Commission and the Health Services Cost Review Commission pursuant to the statutory authority set forth under Health-General Article, §19-143, Annotated Code of Maryland.
(60) Submit, when used in reference to consumer-submitted data, means providing a method by which the health care consumer can electronically upload information to the HIE to then be made available to authorized users of the HIE.
(61) System administrator means an individual employee within a participating organization (or an individual employed by a contractor to the participating organization) who is designated by the participating organization to manage the user accounts of specified individuals within the participating organization in coordination with an HIE.
(62) Third party system means hardware or software provided by an external entity to a participating organization, which interoperates with an HIE to allow an authorized user access to information through the HIE and may include an electronic health record system.
(63) Unusual finding means an irregularity in the manner in which use, access, maintenance, disclosure, or modification of health information or sensitive health information transmitted to or through an HIE should occur that could give rise to a breach, a violation under this chapter or a violation of other applicable privacy or security laws.
(64) Use has the meaning provided in 45 CFR §160.103.
(65) User accounts mean the records associated with an authorized user's credentials and activities with an HIE or a third party system.