Code of Maryland Regulations
Title 10 - MARYLAND DEPARTMENT OF HEALTH
Part 4
Subtitle 25 - MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18 - Health Information Exchanges: Privacy and Security of Protected Health Information
Section 10.25.18.02 - Definitions
Universal Citation: MD Code Reg 10.25.18.02
Current through Register Vol. 51, No. 19, September 20, 2024
A. In this chapter, the following terms have the meanings indicated.
B. Terms Defined.
(1) "Adjudication of claims" means the
activities necessary for the adjudication or subrogation of a health benefit
claim that has been filed or may be filed by a patient, or with the
authorization of a patient on the patient's behalf, including:
(a) Determinations of eligibility or
coverage, including coordination of benefits or the determination of
cost-sharing amounts;
(b) Reasonable prospective, concurrent, or retrospective utilization review or predetermination of benefit coverage;
(c) Review, audit, and investigation of a
specific claim for payment of benefits with respect to medical necessity,
coverage under a health plan, appropriateness of care, or justification of
charges;
(d) Billing, claims
management, collection activities, obtaining payment under a contract for
reinsurance, and related health care data processing; and
(e) Risk adjustments based on enrollee health
status and demographic characteristics.
(2) "Ancillary clinical service provider"
means a health care provider who has a direct contractual agreement with the
hospital to provide therapeutic, diagnostic, or custodial ancillary services
for the hospital as part of its affiliation. Ancillary services may include
skilled nursing, home care, outpatient rehabilitation and therapy,
transportation, ambulatory surgery, dialysis, laboratory, radiology, pharmacy,
and chemotherapy.
(3) "Appropriate notice to one or more health care consumers" means notice, related to a request for individually identifiable health information for secondary use, that meets the following requirements:
(a) The notice:
(i) Must include educational information
pertaining to the requesting entity's secondary use of data obtained through an
HIE, including why the entity is requesting the data and how it intends to use
the data;
(ii) May describe an
ongoing scenario such as care coordination or other ongoing care management
activities against which subsequent data may be requested by the care
management organization from the HIE; in such cases, the potential need for and
nature of such requests shall be included in the description of the initial
request to the external review board and shall be plainly documented in the
notice to health care consumers;
(iii) Must include a clear and detailed
description of the steps a health care consumer must take in order to grant
authorization for the use of their information or to deny
authorization;
(iv) Must provide
clear, detailed notice that the health care consumer's failure to respond could
result in their information being disclosed without their authorization, if an
independent external review committee waives authorization; and
(v) Must have characteristics detailed in
Regulation .03B(2)(b)-(g) of this chapter.
(b) The care management organization, or its
third party, has provided to each health care consumer whose identifiable
information is being requested:
(i) Notice as
described above, using varied methods, where possible, to reach the health care
consumer;
(ii) The opportunity to
submit authorization or denial of authorization through various methods such as
email, online, mail, and phone; and
(iii) At least 30 calendar days from the time
of the first notice to respond to the notice.
(4) "Authentication" means the process of
establishing confidence in user identities electronically presented to an
information system.
(5) "Authorization" has the meaning provided in 45 CFR § 164.508.
(6) "Authorized purpose" means the specific
reason consistent with this chapter and State and federal law for which an
authorized user may use, access, or disclose protected health information
through or from an HIE. The authorized purpose may include daily operations and maintenance of the HIE for:
(a) The staff of the HIE who has signed a confidentiality and nondisclosure agreement; and
(b) The staff of the HIE's
contractor if the contractor:
(i) Has entered
into a business associate agreement with the HIE; and
(ii) Has contractually agreed to limit access
to the HIE only to its employees, agents, and independent contractors with a
need-to-know; and who are under a confidentiality restriction, which may
include a binding work force policy and procedure.
(7) "Authorized user" means an
individual identified by a participating organization or a health information
exchange, including a health care consumer, who may use, access, or disclose
protected health information through or from a health information exchange for
a specific authorized purpose and whose HIE access is not currently suspended
or terminated under Regulation .05, .07, or .09 of this chapter.
(8) "Breach" has the meaning provided in
45 CFR § 164.402.
(9) "Business associate" has the meaning provided in
45 CFR § 160.103.
(10) "Core elements of the Master Patient
Index (MPI)" are the minimum elements that are:
(a) Required for an HIE to identify a
particular patient across separate clinical, financial, and administrative
systems; and
(b) Needed to exchange
health information electronically.
(11) "Care management organization", in the
context of secondary use, means any entity that:
(a) Has a financial or specific care-related
responsibilities for individuals with whom they may not have a treatment,
payment, or health care operations relationship under 45 CFR Part 164.501(1);
and
(b) Has the legal or regulatory
authority to exercise the responsibilities stated in §B(10)(a) of this
regulation; or
(c) Is operating in accordance with Maryland's All-Payer Model or successor agreement between the Centers for Medicare and Medicaid Services and the State of Maryland,
(d) Does not include a third-party entity
engaged by a participating organization to provide care management services on
behalf of such participating organization for a primary use.
(12) "Commission" means the
Maryland Health Care Commission.
(13) "Control" means providing a method by
which the health care consumer can electronically provide instructions to an
HIE regarding the disclosure of the patient's information being made available
through the HIE, which may include specifying:
(a) The individuals and organizations to whom
the HIE may disclose the patient's health information;
(b) The circumstances (e.g., all, emergency
only, inpatient, etc.) under which the patient's health information may be
disclosed through the HIE; and
(c) What type of health information may be disclosed, such as prescription history, laboratory reports, hospital encounters, and to whom.
(14) "Core HIE education content" means the
educational information developed and approved by the Maryland Health Care
Commission, after consultation with interested parties, and includes a general
overview of:
(a) The fundamentals of health
information technology, including electronic health records and the exchange of
electronic health information;
(b) Health information privacy and security laws; and
(c) The benefits and risks to patients of
exchanging health information through an HIE as compared to opting-out and
exchanging health information through a paper-based system.
(15) "Covered entity" has the meaning provided in 45 CFR § 160.103.
(16) "Credentialed professional" means an
individual who has been credentialed by a hospital to provide clinical services
to patients of the hospital. Credentialing includes the formal evaluation and
verification of an individual's necessary qualifications, education, training,
and professional license if applicable, through the collection, verification,
and evaluation of data relevant to the individual's professional
performance.
(17) "Data use
agreement" means an agreement that:
(a) Is entered into by an HIE and an entity receiving data for secondary data use purposes, regardless of whether or not the entity is a covered entity as defined by HIPAA; and
purposes, regardless of whether or not the entity is a covered entity as
defined by HIPAA; and
(b) Requires:
(i) The receiving entity to accept and comply
with the requirements in this chapter and, to the extent the receiving entity
meets the definition of a business associate under HIPAA, current State and
federal laws pertaining to business associates and business associate
agreements;
(ii) Both parties to
access, transmit, and protect the PHI in accordance with current legal
requirements and industry standards and practices;
(iii) The receiving entity to destroy the
PHI, including back-up and archived copies of the PHI, in accordance with
industry standards and practices, when the purposes for which it has been
requested are completed, unless retention of the PHI is otherwise required by
law; and
(iv) The receiving entity
not to reuse or disclose the PHI to any person or organization, except as
required or permitted by law; or if disclosed to a third party, which will act
on behalf of the receiving entity, the third party and the receiving entity
enter a contractual agreement that requires the third party to be bound by the
provisions of the data use agreement that applies to the receiving
entity.
(18) "De-identified data" means health information that neither identifies nor provides a reasonable basis to identify an individual and that meets the standards and specifications provided in 45 CFR § 164.514(a)-(b).
(19) "Disclose" or "disclosure" means the
release, redisclosure, transfer, provision, access, transmission,
communication, or divulgence in any other manner of health information,
including an acknowledgment that a health record on a particular patient or
recipient exists, outside the entity holding the information.
(20) "Download" means providing a method by
which the health care consumer can obtain an electronic copy of the patient's
information that:
(a) Is in a readily
available industry standard format; and
(b) Allows the health care consumer to save,
maintain, use, or transmit the patient's information.
(21) "Electronic health information" means
health information that is in an electronic form.
(22) "Electronic health record" or "EHR"
means an electronic record of health-related information on an individual that
includes patient demographic and clinical health information that may be used
for clinical diagnosis, treatment, improvement of health care quality, and
patient care.
(23) "Electronic
health record system" means technology that electronically captures, manages,
and organizes health records and may have the capacity to:
(a) Provide clinical decision
support;
(b) Support physician
order entry;
(c) Capture and query
information relevant to health care quality; and
(d) Exchange electronic health information
with and integrate the information from other sources.
(24) "Emergency" has the meaning provided in
Health-General Article, § 4-301(d), Annotated Code of Maryland.
(25) "External and independent review
committee" means a group of individuals that:
(a) Is responsible for reviewing and making a
determination regarding a request for a waiver of authorization related to
population health management; and
(b) Shall be minimally composed of:
(i) At least three health care consumer
members, three health care provider members, one member representing the
scientific community, one member with privacy and legal expertise, and one
member with HIE expertise;
(ii) Members who have appropriate professional competencies necessary to review the request; and
(iii) More than half
of the members are not affiliated with or related to any person affiliated with
the requesting entity and are free from any conflicts of interest with the
requesting entity.
(26) "Federalwide assurance" or "FWA" means
an agreement between an entity and the United States Department of Health and
Human Services under which the entity agrees to comply with:
(a) Federal regulations concerning research
involving human subjects;
(b) Department of Health and Human Services regulations found at 45 CFR Part 46;
(c) A statement of principles
governing the entity in the discharge of its responsibilities for protecting
the rights and welfare of human subjects of research conducted at or sponsored
by the entity; and
(d) Other requirements of the agreement.
(27) "Granular patient consent" means
expressed preferences made by a health care consumer regarding the disclosure,
access, and use of the patient's protected health information according to the
type of information, type of provider, purpose, or circumstance communicated by
the health care consumer to the HIE through reasonable means specified by the
HIE, which shall include paper and electronic means.
(28) "Health care" has the meaning provided
in Health-General Article, §4-301(g), Annotated Code of
Maryland.
(29) "Health care
consumer" or "consumer" means a recipient, a patient, or a person in interest,
as defined in this regulation.
(30) "Health care provider" means:
(a) A person who is licensed, certified, or otherwise authorized under Health Occupations Article, Annotated Code of Maryland, or Education Article, §13-516, Annotated Code of Maryland, to provide health care in the ordinary course of business or practice of a profession or in an approved education or training program; or
(b) A facility where
health care is provided to patients or recipients, including:
(i) A facility as defined in Health-General Article, §10-101(e), Annotated Code of Maryland;
(ii) A hospital as defined in Health-General
Article, § 19-3010, Annotated Code of Maryland;
(iii) A related institution as defined in
Health-General Article, § 19-301(o), Annotated Code of Maryland;
(iv) A State-certified substance use disorder
program, as defined in Health-General Article, § 8-403, Annotated Code of
Maryland;
(v) A health maintenance organization as defined in Health-General Article, §19-701(g), Annotated Code of Maryland;
(vi) An outpatient clinic; or
(vii) A medical laboratory;
(c) An agent, employee, officer, or director of a health care facility, or an agent or employee of a health care provider.
(31) "Health information" means any information,
whether oral or recorded in any form or medium, including electronic health
information, that:
(a) Is created or received
by a health care provider, health plan, public health authority, employer, life
insurer, school or university, or health care clearinghouse; and
(b) Relates to the past, present, or future
physical or mental health or condition of an individual, the provision of
health care to an individual, or the past, present, or future payment for the
provision of health care to an individual.
(32) "Health information exchange" or "HIE" has the meaning provided in Health-General Article, §4-301(i), Annotated Code of Maryland.
(33) "Health information technology developer of certified health information technology" or "developer" means an entity that develops, sells, licenses, provides, or offers health information technology, as defined in 42 U.S.C. 300jj(5), to persons in the State and has one or more health information technology modules certified under a program that is kept or recognized by the National Coordinator in accordance with 42 U.S.C. 300jj-11(c)(5).
(34) Health Record.
(a) "Health record" means any health
information, in any form or medium, created or transmitted by a participating
organization or health care consumer that:
(i) Is entered in the record of a patient or
recipient; and
(ii) Identifies or
can readily be associated with the identity of a patient or a
recipient.
(b) "Health
record" includes a medical record as defined in Health-General §4-301(k),
Annotated Code of Maryland.
(35) "HIE access matrix" means a document that is used
by a participating organization to assign access to each authorized user and
describes the type of protected health information (including, but not limited
to, lab reports, prescription drug information, prior admissions to hospitals),
that each authorized user is allowed to retrieve from an HIE. An HIE access
matrix may specify a use case (including but not limited to electronic
eligibility, clinical lab ordering/results delivery, electronic prescribing,
medication history, clinical summary exchange, and other items) and
corresponding associated data, including identified sensitive health
information.
(36) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended, and the implementing regulations at 45 CFR Parts 160 and 164, as amended, and including as amended by the HITECH Act.
(37) "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), as amended.
(38) "Hospital" has the
meaning provided in Health-General Article, §19-301(f), Annotated Code of
Maryland.
(39) "Individually
identifiable health information" has the meaning provided in
45 CFR § 160.103 and includes any health information
that contains personal identifiers, as detailed in
45 CFR § 164.514(b).
(40) "Institutional Review Board" or "IRB"
means a committee or other group designated by an institution or affiliated
with a State agency that performs a review of proposed research that has:
(a) Registered with the Office of Human
Research Protections Electronic Submission System; and
(b) Obtained FWA approval from the Office of
Human Research Protections.
(41) "Interoperability" has the meaning
provided in 45 CFR § 170.102.
(42) "Legally protected health information"
means the health information with a date of service after May 31, 2022, that is
subject to restrictions under Health-General Article, §4-302.5, Annotated
Code of Maryland, and COMAR 10.11.08, including:
(a) Mifepristone data, as defined by the
Secretary; and
(b) As specified by
the Secretary, the diagnosis, procedure, medication, and other codes related
to:
(i) Abortion care; and
(ii) Sensitive health services, as defined by
Health-General, §4-301, Annotated Code of Maryland.
(43) "Master patient index" or
"MPI" means a database that maintains a unique index identifier for each
patient whose protected health information may be accessible through an HIE and
is used to cross reference patient identifiers across multiple participating
organizations to allow for patient search, patient matching, and consolidation
of duplicate records.
(44) "MHCC"
or the "Commission" means the Maryland Health Care Commission.
(45) "Nationally recognized standards" means
technical standards for the exchange, integration, sharing, or retrieval of
electronic health information considered reliable by the health IT industry
nationally.
(46) "Non-HIPAA
violation" means an inappropriate use, access, maintenance, or disclosure of
health information that is not a HIPAA violation, but is inconsistent with
State or federal law or this chapter, including a violation of 42 CFR Part 2.
(47) "Notice" (or "notify" or
"notification") means an action that is required to be taken in writing or by
written request under this chapter by a person, including an HIE, a health care
consumer, a participating organization, or the MHCC, in order to provide
information to another that:
(a) Is sent by
letter delivered to the person's address of record;
(b) Uses one of the following electronic or
digital mechanisms where the delivery is acknowledged or confirmed:
(i) An email, when the receiving person has
provided an email address;
(ii) By a health care consumer using the receiver's website; or
(iii) By a health care consumer using a
patient portal;
(c) By a health care consumer using telephonic or similar method, provided that a written confirmation of the conversation is provided to the health care consumer by the person receiving the notification or request by the following means:
(i) An email, when the health care
consumer has provided an email address and delivery is acknowledged or
confirmed; or
(ii) A letter
delivered to the health care consumer's address of record; and
(d) Complies with HIPAA and all
other applicable federal and State laws and regulations.
(48) "Opt-out" means the explicit written
notice by a health care consumer to an HIE that the patient has elected not to
participate in the HIE, so that the HIE shall not disclose such patient's
protected health information, or data derived from such patient's health
information, except as consistent with this chapter.
(49) "Part 2" means the federal Confidentiality of
Substance Use Disorder Patient Records regulations found in 42 CFR Part 2 and
supplemented by the final rule 82 FR 6052.
(50) "Part 2 information" means any
information subject to the regulations under 42 CFR Part 2.
(51) "Participating organization" means a covered
entity that enters into an agreement with an HIE that governs the terms and
conditions under which its authorized users may use, access, or disclose
protected health information through the HIE.
(52) "Patient" means an individual who
receives health care and on whom a medical record is maintained.
(53) "Payor" means:
(a) An insurer that holds a certificate of
authority in the State and provides health benefit plans in the
State;
(b) A health maintenance
organization that holds a certificate of authority in the State;
(c) A managed care organization authorized to
receive Medicaid prepaid capitation payments under Health-General Article,
Title 15, Subtitle 1, Annotated Code of Maryland; or
(d) A nonprofit health service plan that holds a certificate of authority in the State.
(54) "Person" means an individual, trust or
estate, general or limited partnership, joint stock company, unincorporated
association or society, municipal or other corporation, incorporated
association, limited liability partnership, limited liability company, the
State, an agency or political subdivision of the State, a court, and any other
governmental entity.
(55) "Person
in interest" means any of the following, but does not include a participating
organization:
(a) An adult on whom a health
care provider maintains a medical record;
(b) A person authorized to consent to health
care for an adult consistent with the authority granted, including without
limitation, a guardian, surrogate, or person with a medical power of
attorney;
(c) A duly appointed
personal representative of a deceased person;
(d) Either:
(i) A minor, if the medical record concerns
treatment to which the minor has the right to consent and has consented under
Title 20, Subtitle 1 of the Health-General Article, Annotated Code of Maryland;
or
(ii) A parent, guardian, custodian, or a representative of the minor designated by a court, in the discretion of the attending physician who provided the treatment to the minor, as provided in Health-General Article, §§20-102 and 20-104, Annotated Code of Maryland; or
(e) If §B(55)(d) of this regulation does
not apply to a minor:
(i) A parent of the
minor, except if the parent's authority to consent to health care for the minor
has been specifically limited by a court order or a valid separation agreement
entered into by the parents of the minor; or
(ii) A person authorized to consent to health
care for the minor consistent with the authority granted; or
(f) An attorney appointed in
writing by a person listed in this definition regarding matters subject to this
chapter.
(56) "Point-to-point transmission" means a secure electronic transmission of PHI, including, but not limited to, records sent via facsimile or secure clinical messaging service, sent by a single entity that can be read only by the single receiving entity designated by the sender. A point-to-point transmission may be facilitated by an HIE and mirrors a paper-based exchange, such as a referral to a specialist, a discharge summary sent to where the patient is transferred, lab results sent to the practitioner who ordered them, or clinical information sent from a hospital to the patient's health plan for quality improvement or care management/coordination activities for such patient.
(57) "Population health management purpose" means the
use of data, for secondary use, available from or through an HIE for
population-based activities relating to the improvement of patient and
population health or the reduction of health care costs, including but not
limited to:
(a) Patient outreach activities
that involve care management;
(b) Development or assessment of quality indicators, patient patterns or outcomes, or support of quality reporting;
(c) Development and evaluation of innovative
care delivery models and programs; and
(d) Risk assessment.
(58) "Primary use of HIE data" or "primary
use" means use and disclosure of data accessed, used, or disclosed through an
HIE for purposes of:
(a) Treatment as defined
by HIPAA;
(b) Payment as defined by
HIPAA;
(c) Reporting to public
health authorities in compliance with reporting required or permitted by
law;
(d) Other uses or disclosures
required or permitted by law and in accordance with this chapter, including
those set forth in Health-General Article, § 4-305(b), Annotated Code of
Maryland; or
(e) Health care
operations, as defined by HIPAA, for conducting quality assessment and
improvement activities, including outcomes evaluation and development of
clinical guidelines, provided that the obtaining of generalizable knowledge is
not the primary purpose of any studies resulting from such
activities.
(59) "Privacy
board" means a group of individuals that:
(a) Is responsible for reviewing and making a determination on a request for secondary data for research purposes;
(b) Has the authority consistent with
45 CFR § 164.512, including approval of a waiver or
alteration of authorization requirement;
(c) Is designated or convened by the HIE,
which may establish guidelines concerning a quorum;
(d) Shall meet the member composition requirements detailed in 45 CFR § 164.512(i)(1)(i)(B)(1) and (3); and
(e) Shall assure that less than half of its
members considering a request are affiliated with or related to any person
affiliated with the requesting entity.
(60) "Protected health information" or "PHI,"
a subset of health information, means:
(a) Protected health information as defined in 45 CFR § 160.103, or
(b) A medical record as defined in the
Health-General Article, §4-301(i); and
(c) Includes sensitive health
information.
(61) "Public
health authority" has the meaning provided in
45 CFR § 164.501.
(62) "Qualified research organization" means
an entity that:
(a) Has entered into a data
use agreement with the HIE from which data is being requested;
(b) Is determined, by an IRB or privacy
board, to have expertise to carry out research specific to its
request;
(c) Is determined, by an
IRB or privacy board, to have a legitimate and credible reason or obligation to
carry out research specific to its request; and
(d) Is a participating organization, public
health authority, or is engaged in joint research with a participating
organization or public health authority.
(63) "Query" means to electronically search
for information available through an HIE using the services provided by the
HIE.
(64) "Research" means the use
of secondary data available from or through an HIE for the systematic
investigation, including research development, testing, preparation, and
evaluation, designed to develop or contribute to generalizable knowledge as
defined in 45 CFR § 164.501 and
45 CFR § 46.102, including the use of de-identified
data and limited data sets.
(65) "Secondary use of HIE data" or "secondary use" means any use or disclosure of data accessed, used or disclosed through an HIE that is not a primary use.
Examples of secondary use include, but are not limited to, use of HIE data for
conducting research, improving patient safety, marketing, or the sale of HIE
data.
(66) "Sensitive health
information" means a subset of PHI, which consists of:
(a) Part 2 information;
(b) Legally protected health information;
or
(c) Any other information that has specific legal protections in addition to those required under HIPAA or the Maryland Confidentiality of Medical Records Act.
(67) "State-designated HIE" means an HIE
designated by the Maryland Health Care Commission and the Health Services Cost
Review Commission pursuant to the statutory authority set forth under
Health-General Article, §19-143, Annotated Code of Maryland.
(68) "Submit", when used in reference to
consumer-submitted data, means providing a method by which the health care
consumer can electronically upload information to the HIE to then be made
available to authorized users of the HIE.
(69) "System administrator" means an individual
employee within a participating organization (or an individual employed by a
contractor to the participating organization) who is designated by the
participating organization to manage the user accounts of specified individuals
within the participating organization in coordination with an HIE.
(70) "Third party system" means hardware or
software provided by an external entity to a participating organization, which
interoperates with an HIE to allow an authorized user access to information
through the HIE and may include an electronic health record system.
(71) "21st Century Cures Act" means the 21st Century Cures Act, P.L. 114-255, as amended, and the pertinent regulations at 45 CFR Parts 156, 170, and 171 and 42 CFR Parts 422, 431, 438, 457, 482, and 485.
(72) "Unusual finding" means
an irregularity in the manner in which use, access, maintenance, disclosure, or
modification of health information or sensitive health information transmitted
to or through an HIE should occur that could give rise to a breach, a violation
under this chapter or a violation of other applicable privacy or security
laws.
(73) "Use" has the meaning
provided in 45 CFR § 160.103.
(74) "User accounts" mean the records
associated with an authorized user's credentials and activities with an HIE or
a third party system.