Code · Maryland · Health - General

§ 4-302.2

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

§4–302.2.
(a) The Maryland Health Care Commission shall adopt regulations for the privacy and security of protected health information obtained or released through a health information exchange.
(1) The regulations adopted under subsection (a) of this section shall:
(i) Govern the access, use, maintenance, disclosure, and redisclosure of protected health information as required by State or federal law, including the federal Health Insurance Portability and Accountability Act, the federal Health Information Technology for Economic and Clinical Health Act, the federal 21st Century Cures Act, and Title 21, Subtitle 2A of this article;
(ii) Include protections for the secondary use of protected health information obtained or released through a health information exchange;
(iii) Require the State–designated health information exchange to develop and maintain a consent management application, subject to State and federal law, that:
1. Allows a person in interest to opt out of having electronic health information shared or disclosed by a health information exchange;
2. Informs the person in interest of the electronic health information that may be shared or disclosed notwithstanding the choice to opt out;
3. Requires that the State–designated health information exchange provide a health information exchange with the opt–out status of a person in interest, on receipt of an electronic request from the health information exchange for the opt–out status of the person in interest;
4. Requires a health information exchange to obtain the opt–out status of a person in interest from the State–designated health information exchange before sharing or disclosing the electronic health information of the person in interest; and
5. Except as provided in paragraph (2) of this subsection, prohibits a health information exchange from sharing or disclosing the electronic health information of a person in interest if the person in interest has opted out of having electronic health information shared or disclosed by a health information exchange; and
(iv) Provide appropriate penalties for noncompliance with the regulations, including fines that do not exceed $10,000 per day and that are determined based on:
1. The extent of actual or potential public harm caused by the violation;
2. The cost of investigating the violation; and
3. Whether the person committed previous violations.
(2) The regulations adopted under subsection (a) of this section may not prohibit:
(i) The Department, the Maryland Health Care Commission, or the Health Services Cost Review Commission from using electronic health information, subject to federal and State law, for health regulatory and public health functions;
(ii) The sharing or disclosing of information that is required to be exchanged under Title 21, Subtitle 2A of this article; or
(iii) The sharing or disclosing of information that is required to be exchanged under federal law, including for the purposes of payment, as defined in 45 C.F.R. § 164.501.
(3) This section does not prohibit the Commission from adopting regulations that are more stringent than federal law in accordance with 45 C.F.R. § 160.203.
(c) Data obtained or released through a health information exchange:
(1) May not be sold for financial remuneration until the regulations required under subsections (a) and (b) of this section are adopted; and
(2) May be sold for financial remuneration only in accordance with the regulations adopted under subsections (a) and (b) of this section.
(d) The Maryland Health Care Commission shall consult with health care providers, payors, State health agencies, consumer advocates, and employers before adopting regulations under subsections (a) and (b) of this section.