Current through Register Vol. 51, No. 19, September 20, 2024
A. An HIE shall immediately suspend a person's access to the HIE when it is necessary to avoid serious harm to the privacy or security of health information accessed, used, or disclosed through or from the HIE.
(1) An HIE may, in its sole discretion, suspend a person's access to the HIE pursuant to this section before an investigation under Regulation .07B of this chapter is completed. In addition, if the HIE determines that serious harm to the privacy or security of health information or an ongoing risk of improper use, access, maintenance, or disclosure of PHI may occur prior to conclusion of an investigation, it shall suspend a person's access to the HIE pursuant to this section before an investigation is complete.
(2) Such suspension shall continue until the underlying threat to the privacy or security of health information is contained.
B. An HIE shall conduct an investigation if there is reason to believe that a breach or non-HIPAA violation has occurred.
(1) The HIE shall begin the investigation upon learning of the allegations giving rise to a potential breach or violation.
(2) The HIE shall conduct the investigation in a thorough, timely, professional manner and take all necessary actions to gather information concerning the potential breach or violation that reflects the size and scope of such potential breach or violation.
(3) If appropriate, an investigation shall include an audit under Regulation .06 of this chapter.
(4) Upon the completion of an investigation, which shall not exceed 14 business days, an HIE shall:
(a) Make a written finding describing the results of an investigation and provide a copy to the Commission; and
(b) Maintain records of each investigation (audits, complaints, breaches, non-HIPAA violations) for at least 5 years from the date of completion of such investigation or 5 years from the date a minor patient becomes an adult, whichever is longer.
C. If an HIE has a reasonable belief that a breach or non-HIPAA violation has occurred, either as a result of an investigation or otherwise, the HIE shall:
(1) For a breach, follow Regulation .08 of this chapter and federal breach notification requirements and timelines;
(2) For non-HIPAA violations, submit a corrective action plan to the Commission within 10 business days of conclusion of its investigation, which shall include:
(a) Any remedial action necessary to address the breach or violation as soon as practicable;
(b) Any steps necessary to correct the underlying problem, such as a change in processes or procedures, new technology, and training; and
(c) An appropriate and reasonable time frame for implementing the remedial action;
(3) Within a reasonable time frame, but in no event more than 10 business days following the investigation, provide the following to the Commission, and to the participating organizations:
(a) A copy of the findings of the investigation, excluding any PHI or sensitive health information;
(b) Available information demonstrates a significant non-HIPAA violation by a person;
(c) Available information demonstrates a violation of State or federal law relevant to privacy or security by a person;
(d) The identity of the person that is responsible for carrying out each action to mitigate harm; and
(e) Any future action that the HIE may take, including suspension of access or progressive discipline, if a person does not comply with the remedial action;
(4) Immediately suspend access of a person when one of the following occurs:
(a) Available information demonstrates a significant breach by the person;
(b) Available information demonstrates a significant non-HIPAA violation by the person;
(c) Available information demonstrates a violation of State or federal law relevant to privacy or security by the person;
(d) The person has sold health information accessed through the HIE in violation of these regulations;
(e) The person has failed to carry out the remedial actions identified by the HIE; or
(f) The Commission issues a request for suspension of the person as provided in Regulation .09 of this chapter; and
(5) Notify the health care consumer pursuant to Regulation .08 of this chapter, if such notification is required under applicable law, including HIPAA, or if so directed by the Commission.
D. After verifying that each remedial action is complete, an HIE may reinstate a person's authorization to access information through the HIE provided that:
(1) The Commission has not revoked the person's access to the HIE as provided in Regulation .09 of this chapter; and
(2) The HIE modifies the person's access as needed to ensure compliance with this chapter.
E. A person may file a written notice or request with the Commission that the Commission review an HIE's action under Regulation .07 of this chapter when the person has reason to believe that the HIE has acted inappropriately.
(1) A request for review shall be filed within 30 days after the person knew or had reason to know of the HIE's action in question.
(2) The request for review shall set forth each reason why the person believes that the HIE's action is inappropriate.
(3) The Commission may determine that no investigation is necessary or may take action under Regulation .09C.
F. An HIE shall provide notice of each suspension and each reinstatement of a person's authorization to access information through an HIE in the following manner:
(1) The HIE shall send an electronic notice to the person who is the subject of the action within 24 hours of the suspension or the reinstatement and to the Commission on a monthly basis.
(2) The notice shall include:
(a) The name of the person who is the subject of the action;
(b) The name of any affected participating organization;
(c) The basis for the suspension or reinstatement; and
(d) The effective date of the suspension or reinstatement.
(3) The notice shall not include PHI.
(4) The notice shall not be considered confidential.