Code of Maryland Regulations
Title 10 - MARYLAND DEPARTMENT OF HEALTH
Part 4
Subtitle 25 - MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18 - Health Information Exchanges: Privacy and Security of Protected Health Information
Section 10.25.18.10 - Requirements for Accessing, Using, or Disclosing of Data Through an HIE for Secondary Use
Universal Citation: MD Code Reg 10.25.18.10
Current through Register Vol. 51, No. 19, September 20, 2024
A. An HIE may not use or disclose a patient's sensitive health information for secondary use unless permitted by applicable federal or State laws and regulations.
B. Population Health Management.
(1) An HIE may disclose de-identified data or a limited data set, as defined at 45 CFR § 164.514(e), to a care management organization for purposes related to population health management, if approval is obtained from an internal review committee designated by the care management organization, which has:
(a) Entered into a data use agreement with the HIE; and
(b) Attested that the request is:
(i) For population health management purposes; and
(ii) Limited to the minimum necessary to complete the function.
(2) An HIE may disclose individually identifiable health information to a care management organization for purposes related to population health management, if:
(a) The requirements of §B(1) of this regulation are met;
(b) Appropriate notice has been provided to health care consumers whose information is being requested, and either:
(i) The health care consumers have authorized the release of their information to the requesting entity; or
(ii) An external and independent review committee has waived the need for the requesting entity to obtain authorization from those health care consumers who were provided appropriate notice, in accordance with Regulation .02B(3) of this chapter; and
(c) The disclosure is consistent with the authorization.
(3) Any external and independent review committee identified by the care management organization may approve an authorization waiver request where the requesting care management organization has demonstrated that:
(a) Appropriate notice to each health care consumer was provided and no authorization or denial of authorization was received from each health care consumer within the 30-day time frame;
(b) The objectives for which the data was requested could not be met without access to the requested data; and
(c) The requested use or disclosure involves no more than minimal risk to the privacy of those health care consumers whose authorization will be waived based on the presence of attributes that include, at a minimum:
(i) An adequate plan presented to the external and independent review committee to protect PHI from improper use, storage, and disclosure in accordance with current legal requirements and industry standards and practices as determined by the external and independent review committee;
(ii) An adequate plan to destroy the PHI when the purposes for which it has been requested are completed, unless such retention is authorized under the waiver or otherwise required by law; and
(iii) Adequate written assurances that the PHI will not be reused or disclosed to any person or entity, except as authorized under the waiver, as required or permitted by law, or for authorized oversight of the use.
(4) An HIE may not disclose a patient's sensitive health information for population health management purposes unless permitted by applicable federal and State laws and regulations.
C. Research.
(1) An HIE may disclose de-identified data to a qualified research organization for research purposes if a privacy board has evaluated and confirmed that the:
(a) Requesting entity is a qualified research organization; and
(b) Requested data to be disclosed:
(i) Is for purposes related to research;
(ii) Is limited to the minimum necessary to complete the research purpose;
(iii) Will be used to serve a legitimate purpose consistent with the interest of the subject individuals; and
(iv) Meets the de-identification standard and specifications in accordance with 45 CFR § 164.514(a)-(c).
(2) An HIE may disclose individually identifiable health information to a qualified research organization for research purposes if:
(a) Approval is obtained from an IRB or privacy board in accordance with 45 CFR § 164.512, including documentation of waiver approval as detailed in § 164.512(i)(2); and
(b) The IRB or privacy board has evaluated the request and confirmed that the requirements of §C(1)(a) and (b)(i)-(iii) of this regulation are met.
(3) If an IRB or privacy board does not waive or alter the requirement of authorization from health care consumers whose individually identifiable health information is to be disclosed, an HIE may only disclose individually identifiable health information of health care consumers who have provided authorization, which must meet the requirements as set forth in 45 CFR § 164.508.
(4) If an IRB or privacy board declines jurisdiction, then the disclosure of individually identifiable health information may only be made if health care consumer authorization is obtained.
(5) As part of an HIE's data use agreement with an entity to which it disclosed individually identifiable health information for secondary use, there shall be oversight by an IRB or privacy board for the duration of the research use.
(6) If an IRB or privacy board determines that the qualified research organization has failed to use or protect the data in accordance with the approved secondary use, the IRB or privacy board must report its findings to the HIE and the HIE must:
(a) Report the findings to federal and State agencies with jurisdiction over the violation, as deemed appropriate;
(b) Immediately terminate the data use agreement; and
(c) Direct the qualified research organization to destroy the data previously released by the HIE and attest that the data has been destroyed.
(7) The qualified research organization receiving data from an HIE for research purposes:
(a) Must contractually agree not to attempt to link de-identified data received from the HIE with other data sources in an effort to re-identify the data, or otherwise attempt in any other way to re-identify the data; and
(b) May disclose data to a third party acting on behalf of the qualified research organization only if the qualified research organization and third party enter into a data use agreement that requires the third party to be bound by the same provisions in the data use agreement between the HIE and qualified research organization.
(8) An HIE may charge a reasonable fee to a qualified research organization to which it discloses data for research, which fee must reflect the effort and be no greater than the actual direct and indirect costs required to prepare and release the data specific to the purpose authorized.
(9) An HIE may not disclose a patient's sensitive health information for research purposes unless permitted by applicable federal or State laws and regulations.
D. Enforcement and Reporting.
(1) An HIE is not required to take legal or equitable action to enforce the requirements of the data use agreement or of any other contractual assurance provided for in Regulation .05C of this chapter.
(2) An HIE shall make summary reports available to the public quarterly that provide specific information about requests for data for secondary use and the release of data for secondary purposes.
(3) An HIE shall report at least annually to the Commission and more frequently, if requested by the Commission, regarding the release of information for population health management. The Commission may:
(a) Require a care management organization to provide additional information for review by the Commission or the Commission's designated third party regarding the care management organization's use of data from an HIE for population health management;
(b) Require the HIE to conduct an audit of the disclosure and use of the data utilizing a third-party auditor at the expense of either the recipient of the data or the HIE, as determined by Commission;
(c) Require the receiving entity to destroy the data received and cease any further use of the data; or
(d) Prohibit an HIE from releasing data for all or certain secondary data use purposes.
(4) An HIE shall, upon the request by a health care consumer, provide an accounting of any disclosures made to a receiving entity for secondary data use purposes, in accordance with Regulation .03C(4) of this chapter.