Code of Maryland Regulations (Last Updated: April 6, 2021)
Title 10. Maryland Department of Health
Part 4.
Subtitle 25. MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18. Health Information Exchanges: Privacy and Security of Protected Health Information
Sec. 10.25.18.08. Notice of Breach and non-HIPAA Violation
A. Notification of a breach shall be required consistent with notification requirements of applicable federal and State laws, including HIPAA and the HITECH Act.
B. When federal or State law does not require an HIE or other entity to provide notification to a participating organization or to an affected health care consumer, or when Part 2 does not mandate other notification requirements, the HIE shall provide notification of breach and, if applicable, non-HIPAA violations pursuant to this chapter.
(1) If the investigation under Regulation .07 of this chapter concluded that there was a breach or non-HIPAA violation, in addition to applicable HIPAA notification requirements, the HIE shall notify:
(a) The person who notified the HIE of the potential breach or non-HIPAA violation, if applicable, and to the extent permitted by HIPAA and other federal and State privacy laws;
(b) Any participating organization that has provided health information regarding the health care consumer involved; and
(c) Each patient or person in interest acting on behalf of each patient whose PHI or sensitive health information was inappropriately accessed or disclosed due to a breach or non-HIPAA violation.
(2) In addition to other requirements specified in this section, the HIE shall include in its notification the contact information for the HIE, including the address and toll-free telephone number where the health care consumer can learn more information.
C. Notification to a Health Care Consumer.
(1) If the entity providing the notification under this Regulation has knowledge that another person is acting as the health care consumer for the patient, the entity shall provide the notification to that person instead of the patient.
(2) A notification to the health care consumer required under this Regulation shall be:
(a) In writing by first-class mail to the health care consumer, at the last known address of the health care consumer, if no prior election as to notice has been made; or
(b) As specified as a preference by the health care consumer under Regulation .03F(1) of this chapter.
(3) If there is insufficient or out-of-date contact information that precludes notice consistent with this chapter, a substitute form of notice shall be provided. A substitute form of notice may include publishing the notice on the home page of the entity's website to the extent permitted by HIPAA and other federal and State privacy laws.
(4) When notice about a breach or non-HIPAA violation is required pursuant to this chapter, a participating organization or an HIE, as required, shall notify a health care consumer in writing within a reasonable time frame, but not later than 60 days from the discovery of the breach or from the date that the HIE should have reasonably discovered the breach.
(5) The written notification shall include:
(a) A description of the breach or non-HIPAA violation that occurred and the remedial actions taken by the participating organization, provided that the notification shall not contain any sensitive health information;
(b) Information about the patient's right to notify credit reporting agencies of the potential for identity theft or medical identity theft;
(c) Contact information for the HIE, including the address and toll-free telephone number where the health care consumer can learn more information;
(d) Contact information for at least one credit reporting agency;
(e) Information concerning the patient's right to opt out of the HIE; and
(f) The toll-free numbers, addresses, and websites for:
(i) The Office of the Attorney General, Consumer Protection Division; and
(ii) The U.S. Department of Health and Human Services, Office of Civil Rights.
(6) If the entity providing the notification keeps a medical record on the patient, the notification shall be placed within the patient's medical record.
D. Notification to Appropriate Authorities.
(1) Each participating organization and each HIE shall report all violations of federal or State privacy or security law to:
(a) Those federal or State authorities to which reporting such violation is required by applicable law, whether or not such laws are specifically set forth in this chapter; and
(b) The Commission, to which a copy of such report shall be promptly sent.
(2) If the Commission is notified of a breach under this regulation, it shall forward such notification to the Office of the Attorney General, Consumer Protection Division, within 30 days after receipt of the notification.