Current through Register Vol. 51, No. 19, September 20, 2024
A. As a requirement of participation in an HIE, the HIE shall require each participating organization to enter into a binding participation agreement that:
(1) Requires the participating organization and each authorized user to comply with this chapter;
(2) Requires the participating organization and each authorized user to comply with all applicable federal and State privacy and security laws; and
(3) Includes a business associate agreement:
    (a) In compliance with 45 CFR § 164.504; and
    (b) If the participating organization will maintain Part 2 information, the business associate agreement shall comply with the additional requirements that apply to a qualified service organization under 42 C.F.R. § 2.11.
(4) Permits PHI disclosed through the HIE to the authorized user of a participating organization to be incorporated into the patient's medical record kept by such participating organization, and requires compliance with all applicable federal and State laws.
B. An HIE shall only disclose PHI through an HIE for a primary use consistent with the following:
(1) The disclosure shall be only to an authorized user for the specific purpose for which that authorized user is given access to the PHI; and
(2) All disclosures shall be in full compliance with these regulations.
C. The Commission may suspend the registration, in accordance with Regulation .09 of this chapter, of a registered HIE that inappropriately discloses to any person any PHI, or health information derived from PHI, that is available through the HIE's infrastructure, except as consistent with or otherwise permitted by this chapter and applicable federal or State law.
D. To assure that only an authorized user accesses, uses, or discloses PHI through or from an HIE, an HIE shall:
(1) Develop and maintain an HIE access matrix that includes the defined HIE access levels available to each authorized user.
    (a) The HIE access matrix shall be used for the following purposes:
        (i) To assign an HIE access level to each staff member of the HIE or its contractor that allows only the minimum necessary access to PHI to perform that staff member's authorized purpose; and
        (ii) To assist each participating organization and its system administrator in assigning the appropriate HIE access level to each authorized user of that participating organization.
    (b) The HIE shall review its HIE access matrix annually and revise it as necessary to reflect relevant changes in technology, standards, or law; and
    (c) The HIE shall have the necessary technological capabilities in its core infrastructure to limit an authorized user's access to the HIE according to the then currently assigned access level of its access matrix.
(2) Provide technical assistance and guidance to the system administrator of each participating organization in assigning the appropriate HIE access level to each of its authorized users;
(3) Comply, at a minimum, with the most recent Level 2 requirements set by the National Institute of Standards and Technology (NIST), as set forth in April 2006 in Special Publication 800-63 (Version 1.0.2): Electronic Authentication Guideline for both Registrations and for Registration Record Retention; and
(4) Adopt and implement an authentication process that:
    (a) Requires the authentication of an authorized user at each "log in" prior to allowing that individual access to the HIE;
    (b) Requires a single factor authentication with two characteristics that include a user name and a password, along with an additional security precaution, which may include a security question or a device registration.
    (c) Ensures that the data stored in the HIE that is used to authenticate an authorized user is encrypted to the level set by industry best practices; and
(5) Accept as valid a third party system's authentication of an authorized user accessing the HIE through that third party system, as long as such access and third party system:
    (a) Permits the HIE to audit and monitor the user's HIE activities; and
    (b) The HIE has received written assurances from the third party system that it is compliant with these regulations and all applicable federal and State privacy and security regulations.
(6) If an HIE learns or has reason to believe that the third party system is not compliant, then it shall immediately cease acceptance of such third party system's authentication of authorized users until the third party system demonstrates compliance to the reasonable satisfaction of the HIE.
E. To assure that only an authorized user accesses, uses, or discloses PHI through or from an HIE, a participating organization shall comply with each of the following.
(1) A participating organization shall designate a system administrator who is capable of carrying out the requirements set forth in §F of this regulation on behalf of the participating organization prior to exchanging any PHI through the HIE.
(2) A participating organization shall promptly inform its system administrator of any circumstances that require any of the actions described under §F of this regulation;
(3) A participating organization shall ensure that any third party system it uses appropriately authenticates an authorized user prior to allowing that individual access to the HIE through the third party system.
    (a) The third party system shall authenticate an authorized user at each "log in."
    (b) The third party system shall ensure that the data stored in the system which is used to authenticate an authorized user is encrypted to the level set by industry best practices.
    (c) A participating organization shall adopt and implement a protocol to be followed by a third party system that requires a user name, a password, and an additional security precaution which may include a security question or a device registration.
(4) A participating organization shall inform the HIE concerning the following:
    (a) The designation of the system administrator, or any change in such designation, within 5 business days of any such designation or change;
    (b) A breach or non-HIPAA violation by a person who had or has access to the HIE through the participating organization; or
    (c) An act or event that it has a reasonable basis to believe is or may be a significant violation of this chapter.
F. The system administrator of a participating organization shall carry out each of the following measures on behalf of the participating organization.
(1) The system administrator shall identify each authorized user within the participating organization and shall note the individual's assigned unique user name in accordance with the most recent applicable standards issued by NIST, or other comparable standards generally adopted by the health care and HIE industry.
(2) The system administrator and HIE shall coordinate with the Commission to determine a methodology for assigning each authorized user with a unique user name and password and to assure that all HIEs use a commonly accepted protocol to avoid the possibility of duplicate user names and passwords.
(3) The system administrator, in coordination with the HIE, shall assign to each authorized user an access level that appropriately corresponds to that individual's role within the participating organization and the permitted access to PHI available through the HIE on behalf of the participating organization.
(4) The system administrator shall modify in a timely manner an authorized user's access level as appropriate to reflect any change in that individual's role within the participating organization; and
(5) The system administrator shall immediately terminate access through an HIE in accordance with Regulation .07 of this chapter for any authorized user:
    (a) Who is suspended by the participating organization;
    (b) Who is no longer associated with the participating organization; or
    (c) Who no longer requires access to the HIE.
(6) The system administrator shall attest to the HIE regarding the appropriateness of a staff member to be an authorized user and that the HIE access level assigned to that staff member corresponds to the authorized user's role within the participating organization.
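The access matrix of §D(1) and the assign / modify / terminate duties of §F(3) through §F(5) together describe a role-based, least-privilege access-control lifecycle. The following is an added illustration written for this page, not code from the regulation, the Commission, or any HIE. The role names, access levels, action names and user names are constructed placeholders: a real HIE defines its own matrix, and the point shown is that every PHI request is checked against the user's currently assigned level, that a role change re-derives the level from the matrix rather than editing it by hand, and that termination drops the level to nothing and leaves an audit entry.

```python
"""Constructed example: enforcing an HIE access matrix with assign, modify,
terminate and per-request authorization checks. Not the regulation's own code."""
from dataclasses import dataclass
from enum import IntEnum


class AccessLevel(IntEnum):
    """Hypothetical access levels; an HIE defines its own in its matrix."""
    NONE = 0
    DEMOGRAPHICS = 1
    CLINICAL_SUMMARY = 2
    FULL_RECORD = 3


# Access matrix (constructed sample): role -> the highest level that role needs.
ACCESS_MATRIX = {
    "registration_clerk": AccessLevel.DEMOGRAPHICS,
    "nurse": AccessLevel.CLINICAL_SUMMARY,
    "physician": AccessLevel.FULL_RECORD,
}

# Minimum level each kind of PHI request requires (constructed sample).
REQUIRED_LEVEL = {
    "lookup_patient": AccessLevel.DEMOGRAPHICS,
    "view_summary": AccessLevel.CLINICAL_SUMMARY,
    "view_full_record": AccessLevel.FULL_RECORD,
}


@dataclass
class AuthorizedUser:
    user_name: str
    role: str
    level: AccessLevel = AccessLevel.NONE
    active: bool = True


class AccessRegistry:
    """Holds the participating organization's users and an append-only audit trail."""

    def __init__(self):
        self.users = {}
        self.audit = []   # (event, user_name, detail, level_name) tuples

    def assign(self, user_name, role):
        """§F(3): level is derived from the matrix, never chosen ad hoc.
        A role absent from the matrix raises KeyError rather than defaulting."""
        level = ACCESS_MATRIX[role]
        user = AuthorizedUser(user_name, role, level)
        self.users[user_name] = user
        self.audit.append(("assign", user_name, role, level.name))
        return user

    def change_role(self, user_name, new_role):
        """§F(4): a role change re-derives the level from the matrix."""
        user = self.users[user_name]
        user.role = new_role
        user.level = ACCESS_MATRIX[new_role]
        self.audit.append(("modify", user_name, new_role, user.level.name))
        return user

    def terminate(self, user_name, reason):
        """§F(5): suspension, departure or no further need ends access at once."""
        user = self.users[user_name]
        user.active = False
        user.level = AccessLevel.NONE
        self.audit.append(("terminate", user_name, reason, user.level.name))
        return user

    def authorize(self, user_name, action):
        """§D(1)(c): every request is checked against the currently assigned level.
        Unknown or inactive users are denied before any level comparison."""
        user = self.users.get(user_name)
        if user is None or not user.active:
            self.audit.append(("deny", user_name, action, "inactive-or-unknown"))
            return False
        allowed = user.level >= REQUIRED_LEVEL[action]
        self.audit.append(("allow" if allowed else "deny", user_name, action, user.level.name))
        return allowed


def demo():
    """Walk one user through the lifecycle; returns the decisions for inspection."""
    reg = AccessRegistry()
    reg.assign("jdoe", "registration_clerk")
    decisions = [reg.authorize("jdoe", "lookup_patient"),   # True
                 reg.authorize("jdoe", "view_summary")]     # False: clerk level too low
    reg.change_role("jdoe", "nurse")
    decisions.append(reg.authorize("jdoe", "view_summary"))  # True after role change
    reg.terminate("jdoe", "no longer associated")
    decisions.append(reg.authorize("jdoe", "lookup_patient"))  # False: terminated
    return decisions, reg.audit


if __name__ == "__main__":
    print(demo())
```

The audit list is what lets the HIE meet §D(5)(a) for its own users: each allow, deny, assignment, modification and termination is recorded with the level in force at the time, so a reviewer can reconstruct why a request succeeded or failed.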