Code of Maryland Regulations
Title 10 - MARYLAND DEPARTMENT OF HEALTH
Part 4
Subtitle 25 - MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18 - Health Information Exchanges: Privacy and Security of Protected Health Information
Section 10.25.18.01 - Scope and Purpose
Universal Citation: MD Code Reg 10.25.18.01
Current through Register Vol. 51, No. 19, September 20, 2024
A. This chapter addresses the privacy and security of protected health information maintained by a health information exchange, or obtained or released by any person through a health information exchange by adopting specific requirements:
(1) To assure the privacy and security of protected health information accessed, used, or disclosed through a health information exchange, including protections for the secondary use of protected health information obtained, accessed, or released through a health information exchange;
(2) To govern the access, use, maintenance, and disclosure of protected health information through or by a health information exchange;
(3) To improve access to clinical records by treating clinicians; and
(4) To promote uses of a State-designated HIE that will assist public health agencies in reaching public health goals.
B. This chapter applies to:
(1) An HIE, as defined in Regulation .02B(32) of this chapter, including:
(a) An individual or entity that determines, controls, or has discretion to administer any requirement, policy, or agreement that allows, enables, or requires the use of any technology or services for access, exchange, or use of electronic protected health information:
(i) Among more than two unaffiliated individuals or entities that are enabled to exchange electronic protected health information with each other; and
(ii) That is for a treatment, payment, or health care operations purpose, as those terms are defined in 45 CFR § 164.501, regardless of whether the individuals or entities are subject to the requirements of 45 CFR Parts 160 and 164; and
(b) A health information technology developer of certified health information technology as that term is defined in Regulation .02B(33) of this chapter;
(2) A person who accesses, uses, or discloses protected health information through an HIE; and
(3) Electronic health information stored in, or maintained by, an HIE.
C. This chapter does not apply to:
(1) Protected health information exchanged, accessed, used, or disclosed:
(a) Between a hospital and a credentialed professional;
(b) Among credentialed professionals of a hospital's medical staff;
(c) Between a hospital and its affiliated ancillary clinical service provider who is affiliated with the hospital and who, if required by HIPAA, has entered into a business associate agreement with the hospital;
(d) Among entities under common ownership as defined at Health-General Article, §4-301, Annotated Code of Maryland, for health care treatment, payment, or health care operations purposes, as those terms are defined in 45 CFR § 164.501;
(e) By a carrier, as defined in Insurance Article, §15-301, Annotated Code of Maryland, exchanging information as required by 45 CFR § 156.221; or
(f) Between a carrier and its business associate, as defined in 45 CFR § 160.103, if the organizational and technical processes provided or governed by the business associate are transactions, as defined in 45 CFR § 160.103; or
(2) The use, access, or disclosure of protected health information using point-to-point transmission unless an HIE is involved in the transmission of the data.
D. In the event that an HIE is unable to meet a requirement of this chapter independently, it may do so by the execution of a written agreement or by requesting an exemption in accordance with Regulation .09G or H of this chapter.
E. The requirements in this chapter are in addition to those set forth below:
(1) The Health Insurance Portability and Accountability Act of 1996, and the pertinent regulations at 45 CFR Parts 160 and 164;
(2) The Maryland Consumer Protection Act, Commercial Law Article, Title 13, Annotated Code of Maryland;
(3) The Maryland Personal Information Protection Act, Commercial Law Article, Title 14, Subtitle 35, Annotated Code of Maryland;
(4) The Maryland Confidentiality of Medical Records Act, Health-General Article, Title 4, Subtitle 3, Annotated Code of Maryland;
(5) Health General Article, §4-307, Annotated Code of Maryland, Confidentiality of Mental Health Records;
(6) 16 CFR Part 318, Health Breach Notification Rule, adopted by the Federal Trade Commission pursuant to the HITECH Act;
(7) 42 CFR Part 2, Confidentiality of Substance Use Disorder Patient Records;
(8) Titles IV and XI of the 21st Century Cures Act and the pertinent regulations, 45 CFR Part 171, and as defined at Regulation .02B(71) of this chapter; and
(9) All other applicable State and federal laws and regulations governing the use, access, maintenance, and disclosure of health information.