HP1246
LD 1740
Session - 126th Maine Legislature
C "A", Filing Number H-733, Sponsored by
LR 2631
Item 2

Amend the bill by striking out all of section 1.

Amend the bill in section 2 in paragraph F-3 in the 4th line (page 1, line 27 in L.D.) by striking out the following: " and maintained by"

Amend the bill by striking out all of section 5 and inserting the following:

Sec. 5. 22 MRSA §8702, sub-§4-B  is enacted to read:

4-B HIPAA.   "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996.

Sec. 6. 22 MRSA §8702, sub-§8-C  is enacted to read:

8-C Protected health information.   "Protected health information" includes:
A "Protected health information" as defined in 45 Code of Federal Regulations, Section 160.103 (2013);
B Individually identifiable health information:

(1) That is demographic information about an individual reported to the organization that relates to the past, present or future physical or mental health or condition of the individual;

(2) That pertains to the provision of health care to an individual; or

(3) That relates to the past, present or future payment for the provision of health care to an individual and that identifies, or with respect to which there is a reasonable basis to believe the information could be used to identify, the individual; and

C "Health care information" as defined in section 1711-C, subsection 1, paragraph E.

Amend the bill by inserting after section 8 the following:

Sec. 9. 22 MRSA §8708, sub-§7,  as enacted by PL 1995, c. 653, Pt. A, §2 and affected by §7, is amended to read:

7. Authority to obtain information.   Nothing in this section may be construed to limit the board's authority to obtain information that it considers necessary to carry out its duties. The board shall adopt rules regarding the definition, collection, use and release of clinical data before collecting any type of clinical data that it did not collect as of March 1, 2014. Rules adopted pursuant to this subsection are major substantive rules as defined in Title 5, chapter 375, subchapter 2-A.

Amend the bill in section 9 in §8714 in subsection 1 in the next to the last line (page 3, line 3 in L.D.) by inserting after the following: " health information" the following: ' except that an individual's identifying health information may be used to the extent necessary to prosecute civil or criminal violations regarding information in the organization database'

Amend the bill in section 9 in §8714 by striking out all of subsection 2 (page 3, lines 5 to 11 in L.D.) and inserting the following:

2 General public access; confidentiality.   The board shall adopt rules making information provided to the organization under this chapter, except protected health information and other confidential information, available to any person upon request.

Amend the bill in section 9 in §8714 in subsection 3 in paragraph B in the last line (page 3, line 19 in L.D.) by inserting after the following: " measures" the following: ' that include appropriate accountability and notification requirements as required of business associate agreements under HIPAA'

Amend the bill in section 9 in §8714 in subsection 3 in paragraph D in the last line (page 3, line 25 in L.D.) by inserting after the following: " board" the following: ' consistent with state and federal laws'

Amend the bill in section 9 in §8714 in subsection 4 in the last 2 lines (page 3, lines 29 and 30 in L.D.) by striking out all of the last sentence.

Amend the bill in section 9 in §8714 by striking out all of subsection 10 (page 4, lines 12 and 13 in L.D.) and inserting the following:

10 Other privacy protections.   Individually identifiable data submitted to the organization that would be protected by Title 5, sections 19203 and 19203-D, Title 34-B, section 1207 or 42 United States Code, Section 290dd-2 may not be linked or reidentified in any way that identifies an individual or in any way for which there is a reasonable basis to believe the information could be used to identify an individual. The board shall adopt rules to ensure privacy and security protections of the data that are at least equivalent to the privacy and security requirements of HIPAA.

Amend the bill in section 9 in §8714 by adding at the end the following:

12 Oversight and notification to individuals.   Rules developed pursuant to this section must include a definition of "breach" and a procedure for notification to affected individuals that is equivalent to those of HIPAA. If a breach requiring notification to affected individuals has occurred, the board shall notify the joint standing committee of the Legislature having jurisdiction over health and human services matters within 30 days of the breach. Information provided pursuant to this subsection must maintain the confidentiality of all individuals affected by the breach.

13 Individual complaints.   The board shall adopt rules to establish a process for an individual to file a complaint if the individual believes that the individual's protected health information has been released by the organization, the board or an employee of the organization, in violation of the board's rules.

14 Rulemaking.   The board shall adopt rules as necessary to implement this section. Rules adopted pursuant to this section are major substantive rules as described in Title 5, chapter 375, subchapter 2-A.

Amend the bill in section 9 in §8715 by striking out all of subsection 3 (page 4, lines 26 to 30 in L.D.) and inserting the following:

3 Data use agreement.   Prior to disclosing any data under subsection 1, the organization shall enter into a data use agreement with a public health authority. The agreement must include protocols that have been approved by the board for safeguarding confidential information and for ensuring there will be no disclosures of protected health information. The protocols must include appropriate accountability and notification requirements as in the business associate agreements under HIPAA.

Amend the bill in section 9 in §8716 by striking out all of subsection 5 (page 5, lines 18 to 22 in L.D.) and inserting the following:

5 Data use agreement.   Prior to disclosing any data pursuant to subsection 1, the organization shall enter into a data use agreement with a study entity. The agreement must include protocols that have been approved by the board for safeguarding confidential information and for ensuring there will be no disclosures of protected health information. The protocols must include appropriate accountability and notification requirements as in business associate agreements under HIPAA.

Amend the bill in section 9 in §8717 in subsection 1 in the 6th line (page 5, line 29 in L.D.) by striking out the following: " or had"

Amend the bill in section 9 in §8717 by striking out all of subsection 3 (page 6, lines 18 and 21 in L.D.) and inserting the following:

3 Choice regarding disclosure of information.   Before approving the release of any protected health information under this chapter, the organization shall implement a mechanism that allows an individual to choose to not allow the organization to disclose and use the individual's health information under this chapter.

Amend the bill by adding after section 9 the following:

Sec. 10. Rule-making authority. The Board of Directors of the Maine Health Data Organization shall adopt rules as necessary to implement this Act. Rules adopted pursuant to this section are major substantive rules as described in the Maine Revised Statutes, Title 5, chapter 375, subchapter 2-A.

Sec. 11. Contingent effective date. Those sections of this Act that amend the Maine Revised Statutes, Title 22, section 1711-C, subsection 6, paragraph F-3 and sections 8702 and 8705-A, repeal Title 22, section 8707 and enact Title 22, sections 8714 to 8717 take effect upon the final adoption of major substantive rules required to implement the provisions of this Act. The Board of Directors of the Maine Health Data Organization shall notify the Revisor of Statutes when the major substantive rules authorized under this Act are finally adopted.’

Amend the bill by relettering or renumbering any nonconsecutive Part letter or section number to read consecutively.

SUMMARY

This amendment makes the following changes to the bill.

1. It adds a definition of "HIPAA," which is the federal Health Insurance Portability and Accountability Act of 1996.

2. The bill amends the definition of "health care information" as it regards hospitals and medical care. The amendment strikes that change and instead inserts those provisions into the definition of "protected health information" for the Maine Health Data Organization.

3. It adds privacy protections to prevent the release of protected health information for individuals with HIV and individuals undergoing mental health or substance abuse treatment.

4. It requires the Board of Directors of the Maine Health Data Organization to adopt rules to ensure privacy and security protections of data that are equivalent to the requirements in the federal Health Insurance Portability and Accountability Act of 1996.

5. It requires the Board of Directors of the Maine Health Data Organization to provide a definition of "breach" and notifications regarding breaches that are equivalent to the requirements in the federal Health Insurance Portability and Accountability Act of 1996. It requires a breach to be reported to the joint standing committee of the Legislature having jurisdiction over health and human services matters within 30 days of the breach.

6. It requires the Board of Directors of the Maine Health Data Organization to develop rules to establish a complaints procedure for individuals who believe their protected health information has been released inappropriately.

7. It prohibits the Maine Health Data Organization from collecting any clinical data that are different from the data the organization collects as of March 1, 2014 without rulemaking. These rules are major substantive rules.

8. It adds an effective date so that the sections limiting the collection of clinical data and granting rule-making authority go into effect 90 days after adjournment and the rest of the Act goes into effect upon final adoption of major substantive rules.

