Code of Maryland Regulations (Last Updated: April 6, 2021)
Title 10. Maryland Department of Health
Part 4.
Subtitle 25. MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18. Health Information Exchanges: Privacy and Security of Protected Health Information
Sec. 10.25.18.12. Requirements for Providing Health Care Consumers Electronic Access to Their Health Information
A. An HIE or its third party that offers health care consumers electronic access to view, download, transmit, submit, or control their health information shall:
(1) Appropriately verify the identity of the health care consumer requesting electronic access or proposing an addition or change to the patient's information available through the HIE prior to disclosing or accepting changes to the information;
(2) Follow, at a minimum, the National Institute of Standards and Technology (NIST) Level 2 registration and identity proofing requirements as outlined in the most recent version of Special Publication 800-63: Electronic Authentication Guideline or its comparable industry best practices and may perform remote identity proofing;
(3) Implement the health care consumer's authorization for access within a maximum of 5 business days of receipt of all necessary information for identity proofing;
(4) Adopt and implement authentication processes for health care consumer electronic access that is in accordance with Regulation .05D(3) and (4) of this chapter;
(5) Establish individual unique user names and passwords in accordance with the most recent applicable standards issued by NIST, or other comparable standards generally adopted by the health care and HIE industry;
(6) Implement processes for auditing health care consumer access that are in compliance with applicable requirements of Regulation .06 of this chapter;
(7) Implement a process for suspending and reinstating a health care consumer's access in compliance with applicable requirements in Regulation .07 of this chapter;
(8) Establish processes and procedures to allow a patient to authorize an individual to have electronic access to their information;
(9) Establish processes and procedures that allow an individual to electronically access health information for a patient or patients:
(a) For whom the individual has legal authorization for such access (e.g., guardian, person with a medical power of attorney, etc.); or
(b) For whom the patient has authorized such access;
(10) Establish processes and procedures to confirm the authority of a person in interest, if not directly authorized by a patient, which must be satisfied as a condition to providing access to that person in interest; and
(11) Comply with applicable federal and State laws and regulations related to sensitive health information when disclosing such information to a health care consumer.
B. An HIE or its third party that offers health care consumers electronic access to view, download, transmit, submit, or control their information may:
(1) Charge a reasonable cost-based published fee for health care consumer electronic access consistent with applicable federal and State laws; and
(2) Deny a health care consumer's electronic access in accordance with:
(a) Applicable law or regulation, including 45 CFR §164.524, in coordination with applicable participating organizations; or
(b) The HIE's reasonable policies, procedures, or agreements with a participating organization, and shall provide notice to the health care consumer of their right to request access to the patient's health information from the covered entity.
C. An HIE or its third party that offers health care consumer electronic access to view the patient's health information available through the HIE shall, in accordance with federal and State law:
(1) Provide the patient's health information that is equivalent to what is made available to authorized users that are health care providers, which may include:
(a) Demographic information, such as name, address, and date of birth;
(b) Provider encounters or procedures performed (e.g., hospital, ambulatory, post-acute care, etc.);
(c) Immunizations;
(d) Visit summaries;
(e) Care plan(s);
(f) Clinical test results; and
(g) Prescriptions;
(2) At a minimum, and if made available through the HIE, make the following data attributes for the patient's health information electronically available to the health care consumer:
(a) Date of the encounter, procedure, test, prescription, or immunization;
(b) Results or summary of the encounter, procedure, test, prescription, or immunization; and
(c) Source of the health information, including provider name and organization name;
(3) Inform health care consumers regarding:
(a) Contacting their health care provider to discuss the health information they may be viewing if they have any concerns or questions; and
(b) Translation services and resources that may be available, through the HIE or another entity, to help assist the health care consumer in understanding their health information; and
(4) Allow the health care consumer to view the patient's health information in an electronic format that meets the following criteria:
(a) The information is presented in substantially the same form and format as presented to an authorized user that is a health care provider;
(b) The form and format presented to a health care consumer is easy for the health care consumer to navigate;
(c) The information can be easily printed; and
(d) If supplemental information is made available along with the patient's health information, such as educational resources, the supplemental information meets the criteria specified in Regulation .03B(2)(c)-(e) of this chapter.
D. An HIE or its third party that offers health care consumers the ability to electronically control the patient's health information being made available through the HIE shall:
(1) Implement technology processes that meet industry standards and best practices and are in compliance with State and federal privacy and security laws; and
(2) Provide an electronic process by which a health care consumer can control the patient's health information that is in accordance with §C(4)(b)-(d) of this regulation.
E. An HIE or its third party that offers health care consumers the ability to download the patient's health information being made available through the HIE shall provide the patient's health information that is:
(1) In accordance with §C(3) and (4)(b)-(d) of this regulation;
(2) Requested by the health care consumer; and
(3) In a readily available industry standard format.
F. An HIE or its third party that offers health care consumers the ability to submit information to the HIE:
(1) Shall identify the source of the information, such as patient, payor, or health care provider, when presented to an authorized user of the HIE; and
(2) May not use patient submitted health information to override or replace health information submitted from other sources.
G. An HIE or its third party that offers health care consumers the ability to transmit the patient's health information being made available through the HIE to a third party of the health care consumer's designation shall comply with the requirements as detailed in:
(1) §C(3) of this regulation;
(2) §C(4)(b) and (d) of this regulation; and
(3) §E(2) of this regulation.
H. Health Care Consumer Education About Electronic Access.
(1) An HIE shall provide needed information, as part of its health care consumer education plan (as detailed in Regulation .03B(1) of this chapter and meeting the characteristics as detailed in Regulation .03B(2) of this chapter), about the services or features offered by the HIE or its third party that allow the health care consumer to electronically view, download, submit, or control the patient's information that is available through the HIE.
(2) The health care consumer education plan shall outline the process which, if available, allows a health care consumer to electronically view, download, transmit, submit, or control the patient's information that is available through the HIE, including:
(a) The information the health care consumer must provide as part of patient identity proofing;
(b) The patient's rights to:
(i) Authorize a person in interest or individual to also have access to the patient's health information; and
(ii) Request a review of a denial of access;
(c) The extent to which the health care consumer has control of the patient's health information being made available through the HIE; and
(d) The need to safeguard information obtained from the HIE to the same extent they safeguard other sensitive personal information.