Code of Maryland Regulations
Title 10 - MARYLAND DEPARTMENT OF HEALTH
Part 4
Subtitle 25 - MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18 - Health Information Exchanges: Privacy and Security of Protected Health Information
Section 10.25.18.08 - Notice of Breach and non-HIPAA Violation
Universal Citation: MD Code Reg 10.25.18.08
Current through Register Vol. 51, No. 19, September 20, 2024
A. Notification of a breach shall be required consistent with notification requirements of applicable federal and State laws, including HIPAA and the HITECH Act.
B. When federal or State law does not require an HIE or other entity to provide notification to a participating organization or to an affected health care consumer, or when Part 2 does not mandate other notification requirements, the HIE shall provide notification of breach and, if applicable, non-HIPAA violations pursuant to this chapter.
(1) If the investigation under Regulation .07 of this chapter concluded that there was a breach or non-HIPAA violation, in addition to applicable HIPAA notification requirements, the HIE shall notify:
(a) The person who notified the HIE of the potential breach or non-HIPAA violation, if applicable, and to the extent permitted by HIPAA and other federal and State privacy laws;
(b) Any participating organization that has provided health information regarding the health care consumer involved; and
(c) Each patient or person in interest acting on behalf of each patient whose PHI or sensitive health information was inappropriately accessed or disclosed due to a breach or non-HIPAA violation.
(2) In addition to other requirements specified in this section, the HIE shall include in its notification the contact information for the HIE, including the address and toll-free telephone number where the health care consumer can learn more information.
C. Notification to a Health Care Consumer.
(1) If the entity providing the notification under this Regulation has knowledge that another person is acting as the health care consumer for the patient, the entity shall provide the notification to that person instead of the patient.
(2) A notification to the health care consumer required under this Regulation shall be:
(a) In writing by first-class mail to the health care consumer, at the last known address of the health care consumer, if no prior election as to notice has been made; or
(b) As specified as a preference by the health care consumer under Regulation .03F(1) of this chapter.
(3) If there is insufficient or out-of-date contact information that precludes notice consistent with this chapter, a substitute form of notice shall be provided. A substitute form of notice may include publishing the notice on the home page of the entity's website to the extent permitted by HIPAA and other federal and State privacy laws.
(4) When notice about a breach or non-HIPAA violation is required pursuant to this chapter, a participating organization or an HIE, as required, shall notify a health care consumer in writing within a reasonable time frame, but not later than 60 days from the discovery of the breach or from the date that the HIE should have reasonably discovered the breach.
(5) The written notification shall include:
(a) A description of the breach or non-HIPAA violation that occurred and the remedial actions taken by the participating organization, provided that the notification shall not contain any sensitive health information;
(b) Information about the patient's right to notify credit reporting agencies of the potential for identity theft or medical identity theft;
(c) Contact information for the HIE, including the address and toll-free telephone number where the health care consumer can learn more information;
(d) Contact information for at least one credit reporting agency;
(e) Information concerning the patient's right to opt out of the HIE; and
(f) The toll-free numbers, addresses, and websites for:
(i) The Office of the Attorney General, Consumer Protection Division; and
(ii) The U.S. Department of Health and Human Services, Office of Civil Rights.
(6) If the entity providing the notification keeps a medical record on the patient, the notification shall be placed within the patient's medical record.
D. Notification to Appropriate Authorities.
(1) Each participating organization and each HIE shall report all violations of federal or State privacy or security law to:
(a) Those federal or State authorities to which reporting such violation is required by applicable law, whether or not such laws are specifically set forth in this chapter; and
(b) Shall promptly send a copy of such report to the Commission.
(2) If the Commission is notified of a breach under this regulation, it shall forward such notification to the Office of the Attorney General, Consumer Protection Division, within 30 days after receipt of the notification.