Code of Maryland Regulations (Last Updated: April 6, 2021)
Title 10. Maryland Department of Health
Part 4.
Subtitle 25. MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18. Health Information Exchanges: Privacy and Security of Protected Health Information
Sec. 10.25.18.04. Access, Use, or Disclosure of Sensitive Health Information
A. Consistency with Disclosure Requirements Under Federal and State Law.
(1) A person shall comply with all relevant State and federal laws, including 42 CFR Part 2, concerning the access, use, or disclosure of sensitive health information through an HIE and maintenance of such information by an HIE.
(2) If federal or State law requires written consent or authorization for access, use, or disclosure of sensitive health information, a person shall obtain consent or authorization consistent with the applicable law prior to the access, use, or disclosure of sensitive health information to and through an HIE to an authorized recipient.
(3) Notwithstanding §A(2) of this regulation, an HIE may transmit sensitive health information:
(a) To medical personnel who have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention, as permitted by Part 2; and
(b) In an emergency, if a health care provider makes a professional determination that an immediate disclosure is necessary to provide for the emergency health care needs of a patient or recipient.
(4) An HIE shall use only point-to-point transmission to allow access, use, or disclosure of the sensitive health information through an HIE, unless the HIE implements:
(a) Nationally recognized standards that support control by the health care consumer over the electronic exchange of the patient's sensitive health information consistent with the privacy and consent directives made by the health care consumer;
(b) Electronic exchange controls and processes that:
(i) Support granular patient consent for the electronic transmission of sensitive health information consistent with applicable State and federal laws concerning the access, use, or disclosure of sensitive health information, including applicable standards and technical requirements in accordance with Part 2; and
(ii) Assure that the health care consumer's granular consent controls remain associated with the sensitive health information and are adhered to as the information is transmitted through, maintained, or disclosed by the HIE; and
(c) Health care consumer educational content:
(i) That is developed and established in coordination with MHCC and stakeholders;
(ii) That is kept current; and
(iii) The receipt of which shall be acknowledged by the health care consumer as part of the granular consent process.
(5) In the case of the improper access, use, maintenance, or disclosure of sensitive health information, including an inadvertent release through an HIE, a participating organization shall take the following actions in addition to any other requirement imposed under federal or State law:
(a) Take all steps necessary to immediately stop any further improper access, use, disclosure, or release of the patient's sensitive health information through the HIE and the improper maintenance of such information by the HIE; and
(b) In accordance with Regulation .08 of this chapter, notify each health care consumer whose sensitive health information has been accessed, used, maintained, or disclosed in violation of applicable State or federal laws, including a non-HIPAA violation.
B. Procedure for disclosing or re-disclosing of Part 2 health information.
(1) A health care provider that is a Part 2 program shall identify itself as such and clearly indicate on all of its patient records that such records may only be disclosed by point-to-point transmission through an HIE, if appropriate patient consent or authorization has been obtained, or as otherwise permitted by these regulations.
(2) A participating organization that receives Part 2 information may not re-disclose such information without appropriate patient consent or authorization, as permitted by applicable federal and State laws and regulations.
(3) A participating organization must maintain Part 2 records in accordance with applicable law.