Statutes, codes, and regulations
Maryland Administrative code
Title 10 - MARYLAND DEPARTMENT OF HEALTHPart 4Subtitle 25 - MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18 - Health Information Exchanges: Privacy and Security of Protected Health Information
Section 10.25.18.04 - [Effective 7/7/2024] Access, Use, or Disclosure of Sensitive Health Information

Md. Code Regs. 10.25.18.04

Download
PDF
Current through Register Vol. 51, No. 12, June 14, 2024
Section 10.25.18.04 - [Effective 7/7/2024] Access, Use, or Disclosure of Sensitive Health Information
A. Consistency with Disclosure Requirements Under Federal and State Law.
(1) A person shall comply with all relevant State and federal laws, including 42 CFR Part 2, and Health-General Article, §4-302.5, Annotated Code of Maryland, concerning the access, use, or disclosure of sensitive health information through an HIE and maintenance of such information by an HIE.
(2) If federal or State law requires written consent or authorization for access, use, or disclosure of sensitive health information, a person shall obtain consent or authorization consistent with the applicable law prior to the access, use, or disclosure of sensitive health information to and through an HIE to an authorized recipient.
(3) If federal or State law does not require written consent or authorization for access, use, or disclosure of sensitive health information, a person may not require consent or authorization prior to the access, use, or disclosure of the sensitive health information through an HIE.
(4) An HIE shall use only point-to-point transmission to allow access, use, or disclosure of the sensitive health information through an HIE, unless the HIE implements:
(a) Nationally recognized standards that support control by the health care consumer over the electronic exchange of the patient's sensitive health information consistent with the privacy and consent directives made by the health care consumer;
(b) Electronic exchange controls and processes that:
(i) Support granular patient consent for the electronic transmission of sensitive health information consistent with applicable State and federal laws concerning the access, use, or disclosure of sensitive health information, including applicable standards and technical requirements in accordance with Part 2; and
(ii) Assure that the health care consumer's granular consent controls remain associated with the sensitive health information and are adhered to as the information is transmitted through, maintained, or disclosed by the HIE; and
(c) Health care consumer educational content:
(i) That is developed and established in coordination with MHCC and stakeholders;
(ii) That is kept current; and
(iii) The receipt of which shall be acknowledged by the health care consumer as part of the granular consent process.
(5) In the case of the improper access, use, maintenance, or disclosure of sensitive health information, including an inadvertent release through an HIE, a participating organization shall take the following actions in addition to any other requirement imposed under federal or State law:
(a) Take all steps necessary to immediately stop any further improper access, use, disclosure, or release of the patient's sensitive health information through the HIE and the improper maintenance of such information by the HIE; and
(b) In accordance with Regulation .08 of this chapter, notify each health care consumer whose sensitive health information has been accessed, used, maintained, or disclosed in violation of applicable State or federal laws, including a non-HIPAA violation.
B. Procedure for disclosing or re-disclosing of Part 2 health information.
(1) A health care provider that is a Part 2 program shall identify itself as such and clearly indicate on all of its patient records that such records may only be disclosed by point-to-point transmission through an HIE, if appropriate patient consent or authorization has been obtained, or as otherwise permitted by these regulations.
(2) A participating organization that receives Part 2 information may not re-disclose such information without appropriate patient consent or authorization, as permitted by applicable federal and State laws and regulations.
(3) A participating organization must maintain Part 2 records in accordance with applicable law.
C. Procedures for Disclosing or Re-Disclosing Legally Protected Health Information.
(1) An HIE shall be in compliance with Health-General Article, §4-302.5, Annotated Code of Maryland, and COMAR 10.11.08.
(2) By January 8, 2024, an HIE shall submit to the Commission:
(a) An affirmation that it:
(i) Possesses the technological capability to filter and restrict from disclosure legally protected health information to the extent required by law;
(ii) Is parsing restricted codes and conveying all other information in the health record that is not prohibited by law to exchange; and
(iii) Possesses the technological capacity to allow a consumer to request and consent to the exchange of legally protected health information to a specific treating provider; or
(b) An implementation plan that includes:
(i) An affirmation that, despite its best efforts, the HIE lacks the technological capability to fully comply with §C(1) of this regulation as of January 8, 2024, including a detailed explanation of the HIE's limitations;
(ii) A detailed description of the steps the HIE is taking to ensure compliance with §C(1) of this regulation by June 1, 2024;
(iii) A timeline to implement the requirements of Health-General Article §4-302.5, Annotated Code of Maryland, by June 1, 2024; and
(iv) A description of the extent legally protected health information and other health information will be restricted through the HIE during the implementation of its plan.
(3) If an HIE submits an implementation plan in accordance with §C(2)(b) of this regulation, the HIE shall:
(a) Notify all participating organizations by January 8, 2024, that the HIE is unable to comply with §C(1) of this regulation with a written notice that describes the extent legally protected health information and other health information will be restricted through the HIE during the implementation of its plan;
(b) Provide a status report to the Commission by April 1, 2024, detailing the progress the HIE has made under its implementation plan; and
(c) Submit validation to the Commission by June 1, 2024, that it possesses the technological capability to filter and restrict from disclosure legally protected health information to the extent required by law.
(4) The Commission shall consider an HIE's implementation plan and reported progress when assessing penalties for a violation of this section.

Md. Code Regs. 10.25.18.04

Regulation .04 amended effective 41:5 Md. R. 344, eff. 3/17/2014 ; amended effective 45:16 Md. R. 775, eff. 8/13/2018; amended effective 51:3 Md. R. 152, eff. 1/9/2024, exp. 7/7/2024(Emergency); amended effective 51:9 Md. R. 440, eff. 5/13/2024.