Code of Maryland Regulations
Title 10 - MARYLAND DEPARTMENT OF HEALTH
Part 4
Subtitle 25 - MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18 - Health Information Exchanges: Privacy and Security of Protected Health Information
Section 10.25.18.09 - Registration and Enforcement

Universal Citation: MD Code Reg 10.25.18.09

Current through Register Vol. 51, No. 19, September 20, 2024

A. To operate an HIE in the State, a person shall be recognized by the Commission as having met requirements for registration.

(1) A person shall complete an application for registration in a form and manner specified by the Commission that shall include:
(a) The HIE's definition of what constitutes an unusual finding within Regulation .06 of this chapter;

(b) The HIE's current audited financial statement that demonstrates the financial viability of the HIE;

(c) The identity of the HIE's registered resident agent who shall accept service in Maryland on behalf of the HIE;

(d) Documentation showing its technical capabilities, which may include accreditation or candidacy status by a nationally recognized accrediting body; and

(e) Provisions for reasonable notice to participating organizations and the Commission if the HIE ceases to operate in Maryland; and

(f) Other information as required by the Commission.

(2) Financial Integrity.
(a) Following review of the financial statement provided by the HIE under §A(1)(b) of this regulation, the Commission may require a bond, letter of guarantee, or other financial instrument from the HIE, its parent company, or other responsible person.

(b) The amount of a bond, letter of guarantee, or other financial instrument required under this regulation shall be established by the Commission and be based on an HIE's financial statement.

(c) If a bond is required under §A(2)(a) of this regulation, it shall at a minimum:
(i) Identify the Commission as the sole beneficiary;

(ii) Be continuous and subject to cancellation only after 60 days' notice to the Commission;

(iii) Contain the following language or similar language acceptable to the Commission: "Payment under this bond shall be due in the event the Commission determines that the HIE is financially insolvent or unable to meet its obligations as a registered HIE in Maryland"; and

(iv) Permit the Commission to direct that the proceeds of the bond be paid or disbursed as necessary to maintain or repair the privacy and security of PHI that was or is available through the HIE.

(d) If a bond is required under §A(2)(a) of this regulation, it shall be obtained from a company licensed in the State to write surety types of insurance.

(e) If a letter of guarantee or other financial instrument is required under §A(2)(a) of this regulation, the guarantor shall submit a current balance sheet and income statement to the Commission.

(3) Within 45 days after receipt of complete information from an applicant seeking to register as an HIE in the State, the Commission shall take one of the following actions:
(a) Recognize the HIE as registered in the State; or

(b) Deny the registration for reasons enumerated to the applicant.

B. The Commission shall annually renew the registration of an HIE registered in the State that demonstrates its continued compliance with this chapter and provides the following information in a form and manner specified by the Commission, within 120 days of the close of its fiscal year:

(1) Updated information that reflects each change regarding the items in §A(1) of this regulation;

(2) Results of an audit performed in compliance with Regulation .06 of this chapter;

(3) As deemed appropriate by the Commission, additional requirements set forth in §A(2) of this regulation; and

(4) Other information as requested by the Commission.

C. The Commission may take an enforcement action against a person when there is reasonable basis to believe that the person has violated a provision of this chapter.

(1) The Commission may conduct any investigation into a potential violation.
(a) A person shall cooperate in an investigation conducted by Commission staff into a potential violation.

(b) A person shall provide information sought by Commission staff within 10 business days of its request for such information, unless an extension of time is sought for good cause shown and granted by the Commission.

(2) After an investigation under §C(1) of this regulation, the Commission staff may issue a notice of proposed action that includes:
(a) The details regarding each violation or potential violation;

(b) A request for a person to submit a corrective action plan in order to achieve compliance with this chapter, which may include:
(i) An action aimed at correcting the underlying issue; and

(ii) Any other action that is appropriate under the circumstances.

(c) A recommended resolution of the potential violation, which may include:
(i) Non-public reprimand;

(ii) Public reprimand; or

(iii) Limitations on HIE registration or a person's access to information through an HIE;

(iv) Suspension of HIE registration or a person's access to information through an HIE;

(v) Revocation of HIE registration or a person's access to information through an HIE;

(vi) Financial penalties in accordance with §C(3) of this regulation; or

(vii) Referral to another State or federal agency for civil or criminal enforcement.

(3) Civil and Criminal Penalties.
(a) Civil Penalties. A person who knowingly fails to comply with this chapter shall be subject to a civil penalty imposed by the Commission not exceeding $10,000 per day based on:
(i) The extent of actual or potential public harm caused by the violation;

(ii) The cost of the investigation; and

(iii) The person's prior record of compliance.

(b) Criminal Penalties. Beginning June 1, 2024, a person who knowingly violates Health-General Article, §4-302.5, Annotated Code of Maryland, shall be guilty of a misdemeanor and on conviction is subject to a fine not to exceed $10,000 per day based on:
(i) The extent of actual or potential public harm caused by the violation;

(ii) The cost of the investigation; and

(iii) The person's prior record of compliance.

(4) When the Commission staff determines that a notice of proposed action is not appropriate given the lack of available evidence or other circumstances, it may issue one of the following:
(a) A letter advising that no action is recommended at that time; or

(b) A letter finding that no action is warranted.

D. A person who receives a notice of proposed action from the Commission staff may request an opportunity to show cause why the proposed action should not be taken.

(1) A written request to show cause shall be filed with the Commission and shall comply with the following:
(a) It shall be filed within 20 days of the issuance of the notice of proposed action; and

(b) It shall include each fact upon which the person relies to show cause why the proposed action should not be taken.

(2) Upon receipt of a request to show cause, the Commission staff may meet with the person to attempt to resolve the matter in a manner that protects the public and is in the public interest.

(3) If a notice of proposed action is not resolved within 45 days of the filing of a request to show cause, a hearing officer shall be designated by the executive director of the Commission.
(a) The hearing officer shall hear evidence as needed;

(b) The hearing shall be conducted in accordance with the Maryland Administrative Procedure Act, State Government Article, Title 10, Annotated Code of Maryland, and these regulations.

(c) The hearing officer shall issue a recommended decision that contains proposed findings of fact and conclusions of law and may recommend that the Commission take one of the following actions:
(i) Adopt the action proposed by Commission staff;

(ii) Adopt a proposed action recommended by the hearing officer; or

(iii) Find that no action is warranted.

E. A request that the Commission not adopt the recommended decision may be made by either Commission staff or a person who is the subject of an enforcement action.

(1) Written exceptions to the recommended decision shall be filed within 20 days of receipt of the hearing officer's recommended decision.

(2) Exceptions shall specifically identify in writing each finding and conclusion to which exception is taken, citing those portions of the record on which each exception is based.

(3) A written response to exceptions to the recommended decision may be filed by an opposing party within 15 days of receipt of exceptions.

(4) Each person taking or responding to exceptions may present oral argument to the Commission, not to exceed 10 minutes per party, unless extended by the Chair of the Commission.

(5) The decision of the Commission shall be by a majority of the quorum present and voting.

F. The Commission may coordinate with the Office of Attorney General concerning any potential violation involving a matter within the Attorney General's authority pursuant to State or federal law.

G. If an HIE has reasonably determined that it is unable to independently meet any requirements of this chapter, then the HIE shall develop and implement policies to ensure the HIE's compliance through the execution of a written agreement with a participating organization or a business associate that will bring the HIE into compliance with this chapter. Every year as a part of the registration renewal process, the HIE shall submit a written attestation by an independent third-party auditor to the Commission, attesting that the HIE has been in full compliance with the requirements of this chapter for the 12-month period prior to the audit.

H. Exemptions.

(1) An HIE may request a 1-year exemption from certain requirements of this chapter.

(2) An exemption request must:
(a) Be in writing;

(b) Identify each specific requirement of this chapter from which the HIE is requesting an exemption;

(c) Identify the time period of the exemption, if any;

(d) State the reason for each exemption request; and

(e) Include information that justifies the exemption request.

(3) Within 45 days after receipt of complete information from an HIE requesting an exemption, the Commission shall take one of the following actions:
(a) Grant the exemption by providing written notification; or

(b) Deny the exemption request by providing written notification that enumerates the reasons for the denial to the HIE.

(4) An exemption may not be made for any requirement within this chapter that is otherwise required of the HIE by federal or other State law.

(5) An exemption may be made on the following grounds:
(a) The absence of certain functionality in the infrastructure of the HIE that does not allow the HIE to maintain compliance with the requirement;

(b) The requirement would hinder the ability of the HIE to comply with other requirements of this chapter or federal or other State laws; or

(c) The requirement would cause an undue burden or hardship on the HIE, such that the HIE would no longer be able to provide HIE services in the State.

(6) For good cause shown, the Commission may renew a 1-year exemption for an additional 1-year period.

Disclaimer: These regulations may not be the most recent version. Maryland may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.