An Act To Ensure Patient Privacy and Control with Regard to Health Information Exchanges
Sec. 1. 22 MRSA §1711-C, sub-§6, ¶B, as amended by PL 2009, c. 387, §1, is further amended to read:
Sec. 2. 22 MRSA §1711-C, sub-§7, as amended by PL 1999, c. 512, Pt. A, §5 and affected by §7, is further amended to read:
Sec. 3. 22 MRSA §1711-C, sub-§8, as enacted by PL 1997, c. 793, Pt. A, §8 and affected by §10, is amended to read:
Sec. 4. 22 MRSA §1711-C, sub-§18 is enacted to read:
(1) A health information exchange may not collect, store or disseminate health care information about a patient without that patient's written consent.
(2) A health care practitioner may not have access to a patient's health care information through a health information exchange without that patient's written consent.
(1) Information about the health information exchange;
(2) Opportunity for the patient to consent to the inclusion of that patient's health care information and other records from that health care practitioner in the health information exchange system;
(3) Opportunity for the patient to consent to that health care practitioner's accessing the patient's health care information through the health information exchange system; and
(4) Opportunity for the patient to specifically exclude certain categories of the patient's health care information from the scope of the authorized access or disclosure under this subsection.
(1) Permit a patient to view that patient's health care information and identify who has accessed that patient's records and when such access occurred;
(2) Permit a patient to select which of the patient's treatment records the patient wishes to be included in the health information exchange system and to name the health care practitioners that may have access to selected records through the health information exchange system; and
(3) Provide a mechanism for a patient to amend or revoke consent for any access or disclosure provided under this section or to trigger complete removal of records from the health information exchange system.
(1) The health information exchange shall provide written notification by first-class mail to the individual or to the next of kin of the individual if the individual is deceased, at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
(2) In a case in which there is insufficient or out-of-date contact information that precludes direct written or, if specified as a preference by the individual, electronic notification to the individual, a substitute form of notice must be provided. If there are 10 or more individuals for whom there is insufficient or out-of-date contact information, there must be a conspicuous posting for a period determined by the commissioner on the home page of the website of the health care facility or health care practitioner involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. The notice in media or web posting must include a toll-free telephone number where an individual can learn whether or not the individual's health care information may have been accessed, acquired or disclosed during the breach.
Sec. 5. 22 MRSA §1711-C, sub-§19 is enacted to read:
Sec. 6. 22 MRSA §1711-C, sub-§20 is enacted to read:
Sec. 7. 24 MRSA §2908 is enacted to read:
§ 2908. Protection from liability related to health information exchange
The participation or nonparticipation of a health care practitioner in a health information exchange system under Title 22, section 1711-C is not admissible evidence in any civil action for professional negligence or in any arbitration proceeding related to that civil action.
This bill provides for the control and use of patient information available through a health information exchange. The bill requires a health information exchange to obtain the consent of a patient prior to collecting, storing or disclosing that patient's health care information and prohibits a health care practitioner from accessing that information without prior authorization, which may be waived by the patient in an emergency. The bill requires certain information about a health information exchange to be provided to a patient, including how to access the patient's records and other information regarding those records either electronically or through other means; a health information exchange is prohibited from charging the patient a fee for accessing those records. The bill establishes a protocol for notification if a breach of the health information exchange system occurs and patient information is illegally accessed. A patient may not be denied health care treatment, insurance coverage or insurance payment or reimbursement based on the failure of the patient or the health care practitioner to participate in a health information exchange system. Evidence of participation or nonparticipation in a health information exchange system may not be used as evidence in a professional negligence action against a health care practitioner. The bill exempts from the freedom of access laws information regarding a patient retained by a health information exchange.