SP0414
LD 1337
First Regular Session - 125th Maine Legislature
 
LR 1330
Item 1

An Act To Ensure Patient Privacy and Control with Regard to Health Information Exchanges

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 22 MRSA §1711-C, sub-§6, ¶B,  as amended by PL 2009, c. 387, §1, is further amended to read:

B. To an agent, employee, independent contractor or successor in interest of the health care practitioner or facility including a health information exchange that makes health care information available electronically to health care practitioners and facilities or to a member of a quality assurance, utilization review or peer review team to the extent necessary to carry out the usual and customary activities relating to the delivery of health care and for the practitioner's or facility's lawful purposes in diagnosing, treating or caring for individuals, including billing and collection, risk management, quality assurance, utilization review and peer review. Disclosure for a purpose listed in this paragraph is not a disclosure for the purpose of marketing or sales. A health information exchange to which health care information is disclosed under this paragraph shall provide an individual protection mechanism by which an individual may prohibit the health information exchange from disclosing the individual's health care information to a health care practitioner or health care facility;

Sec. 2. 22 MRSA §1711-C, sub-§7,  as amended by PL 1999, c. 512, Pt. A, §5 and affected by §7, is further amended to read:

7. Confidentiality policies. A health care practitioner, facility or health information exchange shall develop and implement policies, standards and procedures to protect the confidentiality, security and integrity of health care information to ensure that information is not negligently, inappropriately or unlawfully disclosed. The policies of health care facilities must provide that an individual being admitted for inpatient care be given notice of the right of the individual to control the disclosure of health care information. The policies must provide that routine admission forms include clear written notice of the individual's ability to direct that that individual's name be removed from the directory listing of persons cared for at the facility and notice that removal may result in the inability of the facility to direct visitors and telephone calls to the individual.

Sec. 3. 22 MRSA §1711-C, sub-§8,  as enacted by PL 1997, c. 793, Pt. A, §8 and affected by §10, is amended to read:

8. Prohibited disclosure. A health care practitioner, facility or health information exchange may not disclose health care information for the purpose of marketing or sales without written or oral authorization for the disclosure.

Sec. 4. 22 MRSA §1711-C, sub-§18  is enacted to read:

18. Participation in health information exchange. Before collecting, receiving or making available for disclosure or distribution any health care information of a patient, a health information exchange shall obtain the written informed authorization of that patient or a person authorized under paragraph B to provide that information.

A. Written consent of the patient is required prior to collection, storage, access or dissemination of health care information as described in this paragraph.

(1) A health information exchange may not collect, store or disseminate health care information about a patient without that patient's written consent.

(2) A health care practitioner may not have access to a patient's health care information through a health information exchange without that patient's written consent.

B. A patient may authorize, by written consent to be kept on file with a health information exchange, a health care practitioner to access that patient's relevant health care information in the event of an emergency when such access is immediately necessary to protect the life and health of that patient.

C. A health care practitioner participating in a health information exchange system shall provide to each patient:

(1) Information about the health information exchange;

(2) Opportunity for the patient to consent to the inclusion of that patient's health care information and other records from that health care practitioner in the health information exchange system;

(3) Opportunity for the patient to consent to that health care practitioner's accessing the patient's health care information through the health information exchange system; and

(4) Opportunity for the patient to specifically exclude certain categories of the patient's health care information from the scope of the authorized access or disclosure under this subsection.

D. A health information exchange shall establish a secure website accessible to patients and shall provide patients with information on how to use the website. This website must:

(1) Permit a patient to view that patient's health care information and identify who has accessed that patient's records and when such access occurred;

(2) Permit a patient to select which of the patient's treatment records the patient wishes to be included in the health information exchange system and to name the health care practitioners that may have access to selected records through the health information exchange system; and

(3) Provide a mechanism for a patient to amend or revoke consent for any access or disclosure provided under this section or to trigger complete removal of records from the health information exchange system.

E. A health information exchange shall establish for patients an alternate procedure to that provided for in paragraph D that does not require Internet access. Health care practitioners participating in the health information exchange system shall provide information about this nonelectronic procedure to all patients.

F. A health information exchange shall maintain records regarding all disclosures of health care information by and through the health information exchange system, including the requesting party and the dates and times of the requests and disclosures.

G. A health information exchange may not charge a patient or an authorized representative of a patient any fee for access provided as required by paragraph D or E.

H. The website and the procedure provided as required by paragraphs D and E must permit a patient and an authorized representative of a patient to control the collection, access and disclosure of that patient's health care information records through the granting or withdrawal of written consent. Patient changes must be implemented by a health information exchange no later than 2 business days after the request.

I. Notwithstanding any provision of this section to the contrary, until January 1, 2014, health care information that is being collected and disseminated by a health information exchange may continue to be collected and disseminated for that period. Beginning January 1, 2014, if a patient has not provided written informed consent indicating that patient's decision to continue participating in the health information exchange system, that patient's health care information must be permanently deleted from the health information exchange system. If, prior to January 1, 2014, a patient requests changes in collection of or access to that patient's health care information, the health information exchange shall implement those changes no later than 2 business days following the request.

J. A health information exchange, following the discovery of a breach of the health information exchange system, shall notify the health care facilities and health care practitioners participating in the system of the breach and notify every individual whose health care information has been or is reasonably believed by the health information exchange to have been accessed, acquired or disclosed during the breach. The health information exchange shall provide the notification required by this paragraph without unreasonable delay but in no case later than 60 days after the discovery of the breach. For purposes of this paragraph, "discovery of a breach" occurs when a health information exchange knows of the breach. The notice to a patient must be provided as follows.

(1) The health information exchange shall provide written notification by first-class mail to the individual or to the next of kin of the individual if the individual is deceased, at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.

(2) In a case in which there is insufficient or out-of-date contact information that precludes direct written or, if specified as a preference by the individual, electronic notification to the individual, a substitute form of notice must be provided. If there are 10 or more individuals for whom there is insufficient or out-of-date contact information, there must be a conspicuous posting for a period determined by the commissioner on the home page of the website of the health care facility or health care practitioner involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. The notice in media or web posting must include a toll-free telephone number where an individual can learn whether or not the individual's health care information may have been accessed, acquired or disclosed during the breach.

Sec. 5. 22 MRSA §1711-C, sub-§19  is enacted to read:

19. Nonexclusion. A patient may not be denied health care treatment, insurance coverage or insurance payment or reimbursement based on the nonparticipation by that patient or the patient's health care practitioner in a health information exchange system.

Sec. 6. 22 MRSA §1711-C, sub-§20  is enacted to read:

20. Exemption from freedom of access laws. Except as provided in this section, the names and other identifying information of individuals in a health information exchange system are confidential and are exempt from the provisions of Title 1, chapter 13.

Sec. 7. 24 MRSA §2908  is enacted to read:

§ 2908 Protection from liability related to health information exchange

The participation or nonparticipation of a health care practitioner in a health information exchange system under Title 22, section 1711-C is not admissible evidence in any civil action for professional negligence or in any arbitration proceeding related to that civil action.

Summary

This bill provides for the control and use of patient information available through a health information exchange. The bill requires a health information exchange to obtain the consent of a patient prior to collecting, storing or disclosing that patient's health care information and prohibits a health care practitioner from accessing that information without prior authorization, which may be waived by the patient in an emergency. The bill requires certain information about a health information exchange to be provided to a patient, including how to access the patient's records and other information regarding those records either electronically or through other means; a health information exchange is prohibited from charging the patient a fee for accessing those records. The bill establishes a protocol for notification if a breach of the health information exchange system occurs and patient information is illegally accessed. A patient may not be denied health care treatment, insurance coverage or insurance payment or reimbursement based on the failure of the patient or the health care practitioner to participate in a health information exchange system. Evidence of participation or nonparticipation in a health information exchange system may not be used as evidence in a professional negligence action against a health care practitioner. The bill exempts from the freedom of access laws information regarding a patient retained by a health information exchange.

