Code of Maryland Regulations
Title 10 - MARYLAND DEPARTMENT OF HEALTH
Part 4
Subtitle 25 - MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18 - Health Information Exchanges: Privacy and Security of Protected Health Information
Section 10.25.18.04 - Access, Use, or Disclosure of Sensitive Health Information
Universal Citation: MD Code Reg 10.25.18.04
Current through Register Vol. 51, No. 19, September 20, 2024
A. Consistency with Disclosure Requirements Under Federal and State Law.
(1) A person shall comply with all relevant
State and federal laws, including 42 CFR Part 2, and Health-General Article,
§4-302.5, Annotated Code of Maryland, concerning the access, use, or
disclosure of sensitive health information through an HIE and maintenance of
such information by an HIE.
(2) If federal or State law requires written consent or authorization for access, use,
or disclosure of sensitive health information, a person shall obtain consent or
authorization consistent with the applicable law prior to the access, use, or
disclosure of sensitive health information to and through an HIE to an
authorized recipient.
(3) If federal or State law does not require written consent or authorization for
access, use, or disclosure of sensitive health information, a person may not
require consent or authorization prior to the access, use, or disclosure of the
sensitive health information through an HIE.
(4) An HIE shall use only point-to-point
transmission to allow access, use, or disclosure of the sensitive health
information through an HIE, unless the HIE implements:
(a) Nationally recognized standards that
support control by the health care consumer over the electronic exchange of the
patient's sensitive health information consistent with the privacy and consent
directives made by the health care consumer;
(b) Electronic exchange controls and
processes that:
(i) Support granular patient
consent for the electronic transmission of sensitive health information
consistent with applicable State and federal laws concerning the access, use,
or disclosure of sensitive health information, including applicable standards
and technical requirements in accordance with Part 2; and
(ii) Assure that the health care consumer's
granular consent controls remain associated with the sensitive health
information and are adhered to as the information is transmitted through,
maintained, or disclosed by the HIE; and
(c) Health care consumer educational content:
(i) That is developed and established in
coordination with MHCC and stakeholders;
(ii) That is kept current; and
(iii) The receipt of which shall be
acknowledged by the health care consumer as part of the granular consent
process.
(5) In the case of the improper access, use, maintenance, or disclosure of sensitive
health information, including an inadvertent release through an HIE, a
participating organization shall take the following actions in addition to any
other requirement imposed under federal or State law:
(a) Take all steps necessary to immediately
stop any further improper access, use, disclosure, or release of the patient's
sensitive health information through the HIE and the improper maintenance of
such information by the HIE; and
(b) In accordance with Regulation .08 of this
chapter, notify each health care consumer whose sensitive health information
has been accessed, used, maintained, or disclosed in violation of applicable
State or federal laws, including a non-HIPAA violation.
B. Procedure for disclosing or re-disclosing of Part 2 health information.
(1) A health care provider that is a Part 2
program shall identify itself as such and clearly indicate on all of its
patient records that such records may only be disclosed by point-to-point
transmission through an HIE, if appropriate patient consent or authorization
has been obtained, or as otherwise permitted by these regulations.
(2) A participating organization that
receives Part 2 information may not re-disclose such information without
appropriate patient consent or authorization, as permitted by applicable
federal and State laws and regulations.
(3) A participating organization must
maintain Part 2 records in accordance with applicable law.
C. Procedures for Disclosing or Re-Disclosing Legally Protected Health Information.
(1) An HIE shall be in compliance with Health-General Article, §4-302.5,
Annotated Code of Maryland, and COMAR 10.11.08.
(2) By January 8, 2024, an HIE shall submit
to the Commission:
(a) An affirmation that it:
(i) Possesses the technological capability to
filter and restrict from disclosure legally protected health information to the
extent required by law;
(ii) Is parsing restricted codes and conveying all other information in the health
record that is not prohibited by law to exchange; and
(iii) Possesses the technological capacity to
allow a consumer to request and consent to the exchange of legally protected
health information to a specific treating provider; or
(b) An implementation plan that includes:
(i) An affirmation that, despite its best
efforts, the HIE lacks the technological capability to fully comply with
§C(1) of this regulation as of January 8, 2024, including a detailed
explanation of the HIE's limitations;
(ii) A detailed description of the steps the
HIE is taking to ensure compliance with §C(1) of this regulation by June
1, 2024;
(iii) A timeline to
implement the requirements of Health-General Article §4-302.5, Annotated
Code of Maryland, by June 1, 2024; and
(iv) A description of the extent legally
protected health information and other health information will be restricted
through the HIE during the implementation of its plan.
(3) If an HIE submits an
implementation plan in accordance with §C(2)(b) of this regulation, the
HIE shall:
(a) Notify all participating
organizations by January 8, 2024, that the HIE is unable to comply with
§C(1) of this regulation with a written notice that describes the extent
legally protected health information and other health information will be
restricted through the HIE during the implementation of its plan;
(b) Provide a status report to the Commission
by April 1, 2024, detailing the progress the HIE has made under its
implementation plan; and
(c) Submit validation to the Commission by June 1, 2024, that it possesses the
technological capability to filter and restrict from disclosure legally
protected health information to the extent required by law.
(4) The Commission shall consider
an HIE's implementation plan and reported progress when assessing penalties for
a violation of this section.