Code of Maryland Regulations
Title 10 - MARYLAND DEPARTMENT OF HEALTH
Part 4
Subtitle 25 - MARYLAND HEALTH CARE COMMISSION
Chapter 10.25.18 - Health Information Exchanges: Privacy and Security of Protected Health Information
Section 10.25.18.12 - Requirements for Providing Health Care Consumers Electronic Access to Their Health Information

Universal Citation: MD Code Reg 10.25.18.12

Current through Register Vol. 51, No. 19, September 20, 2024

A. An HIE or its third party that offers health care consumers electronic access to view, download, transmit, submit, or control their health information shall:

(1) Appropriately verify the identity of the health care consumer requesting electronic access or proposing an addition or change to the patient's information available through the HIE prior to disclosing or accepting changes to the information;

(2) Follow, at a minimum, the National Institute of Standards and Technology (NIST) Level 2 registration and identity proofing requirements as outlined in the most recent version of Special Publication 800-63: Electronic Authentication Guideline or its comparable industry best practices and may perform remote identity proofing;

(3) Implement the health care consumer's authorization for access within a maximum of 5 business days of receipt of all necessary information for identity proofing;

(4) Adopt and implement authentication processes for health care consumer electronic access that is in accordance with Regulation .05D(3) and (4) of this chapter;

(5) Establish individual unique user names and passwords in accordance with the most recent applicable standards issued by NIST, or other comparable standards generally adopted by the health care and HIE industry;

(6) Implement processes for auditing health care consumer access that are in compliance with applicable requirements of Regulation .06 of this chapter;

(7) Implement a process for suspending and reinstating a health care consumer's access in compliance with applicable requirements in Regulation .07 of this chapter;

(8) Establish processes and procedures to allow a patient to authorize an individual to have electronic access to their information;

(9) Establish processes and procedures that allow an individual to electronically access health information for a patient or patients:
(a) For whom the individual has legal authorization for such access (e.g., guardian, person with a medical power of attorney, etc.); or

(b) For whom the patient has authorized such access;

(10) Establish processes and procedures to confirm the authority of a person in interest, if not directly authorized by a patient, which must be satisfied as a condition to providing access to that person in interest; and

(11) Comply with applicable federal and State laws and regulations related to sensitive health information when disclosing such information to a health care consumer.

B. An HIE or its third party that offers health care consumers electronic access to view, download, transmit, submit, or control their information may:

(1) Charge a reasonable cost-based published fee for healthcare consumer electronic access consistent with applicable federal and State laws; and

(2) Deny a health care consumer's electronic access in accordance with:
(a) Applicable law or regulation, including 45 CFR § 164.524, in coordination with applicable participating organizations; or

(b) The HIE's reasonable policies, procedures, or agreements with a participating organization and shall provide notice to the health care consumer of their right to request access to the patient's health information from the covered entity.

C. An HIE or its third party that offers health care consumer electronic access to view the patient's health information available through the HIE shall, in accordance with federal and State law:

(1) Provide the patient's health information that is equivalent to what is made available to authorized users that are health care providers, which may include:
(a) Demographic information, such as name, address, and date of birth;

(b) Provider encounters or procedures performed (e.g., hospital, ambulatory, post-acute care, etc.);

(c) Immunizations;

(d) Visit summaries;

(e) Care plan(s);

(f) Clinical test results; and

(g) Prescriptions;

(2) At a minimum, and if made available through the HIE, make the following data attributes for the patient's health information electronically available to the health care consumer:
(a) Date of the encounter, procedure, test, prescription, or immunization;

(b) Results or summary of the encounter, procedure, test, prescription, or immunization; and

(c) Source of the health information, including provider name and organization name;

(3) Inform health care consumers regarding:
(a) Contacting their health care provider to discuss the health information they may be viewing if they have any concerns or questions; and

(b) Translation services and resources that may be available, through the HIE or another entity, to help assist the health care consumer in understanding their health information; and

(4) Allow the health care consumer to view the patient's health information in an electronic format that meets the following criteria:
(a) The information is presented in substantially the same form and format as presented to an authorized user that is a health care provider;

(b) The form and format presented to a health care consumer is easy for the health care consumer to navigate;

(c) The information can be easily printed; and

(d) If supplemental information is made available along with the patient's health information, such as educational resources, the supplemental information meets the criteria specified in Regulation .03B(2)(c)-(e) of this chapter.

D. An HIE or its third party that offers health care consumers the ability to electronically control the patient's health information being made available through the HIE shall:

(1) Implement technology processes that meet industry standards and best practices and are in compliance with State and federal privacy and security laws; and

(2) Provide an electronic process by which a health care consumer can control the patient's health information that is in accordance with §C(4)(b)-(d) of this regulation.

E. An HIE or its third party that offers health care consumers the ability to download the patient's health information being made available through the HIE shall provide the patient's health information that is:

(1) In accordance with §C(3) and (4)(b)-(d) of this regulation;

(2) Requested by the health care consumer; and

(3) In a readily available industry standard format.

F. An HIE or its third party that offers health care consumers the ability to submit information to the HIE:

(1) Shall identify the source of the information, such as patient, payor, or health care provider, when presented to an authorized user of the HIE; and

(2) May not use patient submitted health information to override or replace health information submitted from other sources.

G. An HIE or its third party that offers health care consumers the ability to transmit the patients' health information being made available through the HIE to a third party of the health care consumer's designation shall comply with the requirements as detailed in:

(1) §C(3) of this regulation;

(2) §C(4)(b) and (d) of this regulation; and

(3) §E(2) of this regulation.

H. Health Care Consumer Education About Electronic Access.

(1) An HIE shall provide needed information, as part of its health care consumer education plan (as detailed in .03B(1) of this chapter and meeting the characteristics as detailed in Regulation .03B(2) of this chapter), about the services or features offered by the HIE or its third party that allows the health care consumer to electronically view, download, submit, or control the patient's information that is available through the HIE.

(2) The health care consumer education plan shall outline the process which, if available, allows a health care consumer to electronically view, download, transmit, submit, or control the patient's information that is available through the HIE, including:
(a) The information the health care consumer must provide as part of patient identity proofing;

(b) The patient's rights to:
(i) Authorize a person in interest or individual to also have access to the patient's health information; and

(ii) Request a review of a denial of access;

(c) The extent to which the health care consumer has control of the patient's health information being made available through the HIE; and

(d) The need to safeguard information obtained from the HIE to the same extent they safeguard other sensitive personal information.
