HP1246
LD 1740
Session - 126th Maine Legislature
 
LR 2631
Item 1

An Act To Amend Laws Relating to Health Care Data

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 22 MRSA §1711-C, sub-§1, ¶E,  as amended by PL 1999, c. 512, Pt. A, §5 and affected by §7 and c. 790, Pt. A, §§58 and 60, is further amended to read:

E. "Health care information" means information that directly identifies the , or with respect to which there is a reasonable basis to believe the information could be used to identify, an individual and that relates to an the individual's physical, mental or behavioral condition, personal or family medical history or medical treatment or the health care provided to that individual , including demographic information, information related to payment for provision of health care and protected health information as defined in 45 Code of Federal Regulations, Section 160.103 (2013). "Health care information" does not include information that protects the anonymity of the individual by means of encryption or encoding of individual identifiers or information pertaining to or derived from federally sponsored, authorized or regulated research governed by 21 Code of Federal Regulations, Parts 50 and 56 and 45 Code of Federal Regulations, Part 46, to the extent that such information is used in a manner that protects the identification of individuals. The Board of Directors of the Maine Health Data Organization shall adopt rules to define health care information that directly identifies an individual. Rules adopted pursuant to this paragraph are routine technical rules as defined in Title 5, chapter 375, subchapter II-A 2-A.

"Health care information" does not include information that is created or received by a member of the clergy or other person using spiritual means alone for healing as provided in Title 32, sections 2103 and 3270.

Sec. 2. 22 MRSA §1711-C, sub-§6, ¶F-3  is enacted to read:

F-3 To the Maine Health Data Organization as required by and for use in accordance with chapter 1683. Health care information, including protected health information, as defined in 45 Code of Federal Regulations, Section 160.103 (2013), submitted to and maintained by the Maine Health Data Organization must be protected by means of encryption;

Sec. 3. 22 MRSA §8702, sub-§1-B  is enacted to read:

1-B Business associate.   "Business associate" has the same meaning as under 45 Code of Federal Regulations, Section 160.103 (2013).

Sec. 4. 22 MRSA §8702, sub-§2-A  is enacted to read:

2-A Covered entity.   "Covered entity" has the same meaning as under 45 Code of Federal Regulations, Section 160.103 (2013).

Sec. 5. 22 MRSA §8702, sub-§8-C  is enacted to read:

8-C Protected health information.   "Protected health information" has the same meaning as under 45 Code of Federal Regulations, Section 160.103 (2013) and includes individually identifiable health information such as demographic information about an individual reported to the organization that relates to the past, present or future physical or mental health or condition of the individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual and that identifies, or with respect to which there is a reasonable basis to believe the information could be used to identify, the individual.

Sec. 6. 22 MRSA §8705-A, first ¶,  as enacted by PL 2003, c. 659, §2, is amended to read:

The board shall adopt rules to ensure that payors and providers file data as required by section 8704, subsection 1; that users that obtain health data and information from the organization safeguard the identification of patients and health care practitioners as required by section 8707 8714, subsections 1 and 2, 3 and 4; and that payors and providers pay all assessments as required by section 8706, subsection 2.

Sec. 7. 22 MRSA §8705-A, sub-§3,  as amended by PL 2007, c. 136, §4, is further amended to read:

3. Fines.   The following provisions apply to enforcement actions under this section except for circumstances beyond a person's or entity's control.
A.  When a person or entity that is a health care facility or payor violates the requirements of this chapter, except for section 8707 8714, that person or entity commits a civil violation for which a fine of not more than $1,000 per day may be adjudged. A fine imposed under this paragraph may not exceed $25,000 for any one occurrence.
B.  A person or entity that receives data or information under the terms and conditions of section 8707 8714 and intentionally or knowingly uses, sells or transfers the data in violation of the board's rules for commercial advantage, pecuniary gain, personal gain or malicious harm commits a civil violation for which a fine not to exceed $500,000 may be adjudged.
C.  A person or entity not covered by paragraph A or B that violates the requirements of this chapter, except for section 8707 8714, commits a civil violation for which a fine of not more than $100 per day may be adjudged. A fine imposed under this paragraph may not exceed $2,500 for any one occurrence.

Sec. 8. 22 MRSA §8707,  as amended by PL 2011, c. 524, §4, is repealed.

Sec. 9. 22 MRSA §§8714 to 8717  are enacted to read:

§ 8714 General public access to data; rules

The board shall adopt rules to provide for public access to data allowed under this chapter and to implement the requirements of this section.

1 Confidentiality.   All data collected by the organization that contain protected health information are confidential. Data of the organization may be collected, stored and released only in accordance with this chapter and rules adopted pursuant to this chapter. Data of the organization containing protected health information may not be open to public inspection, are not public records for purposes of any state or federal freedom of access laws and may not be examined in any judicial, executive, legislative, administrative or other proceeding as to the existence or content of any individual's identifying health information. Decisions of the organization or employees and subcommittees of the organization on data release are not reviewable.
2 General public access; confidentiality.   The board shall adopt rules making information provided to the organization under this chapter available to any person, upon request, except protected health information and other confidential information, as long as an individual is not identified either directly, or through a reidentification process, or through release of information with respect to which there is a reasonable basis to believe the information could be used to identify the individual. Rules adopted pursuant to this subsection are major substantive rules as defined in Title 5, chapter 375, subchapter 2-A.
3 Release of data.   The board shall adopt rules for the release of data governing all levels of information in the form of de-identified data, limited data sets and protected health information. All uses of released data are governed by the following principles of release:
A Release of protected health information must be limited to only information that is necessary for the stated purpose of the release;
B Data releases must be governed by data use agreements that provide adequate privacy and security measures;
C Follow-up must be provided to ensure data are used as specified and that no protected health information is publicly revealed. The board shall adopt rules providing for any necessary data suppression; and
D Release of more protected health information than a limited data set as described in 45 Code of Federal Regulations, Section 164.514(e) must be approved by the board.
4 Certain practitioners.   The board shall adopt rules to protect the identity of certain health care practitioners, as it determines appropriate, except that the identity of practitioners performing abortions as defined in section 1596 must be designated as confidential and may not be disclosed. Rules adopted pursuant to this subsection are major substantive rules as defined in Title 5, chapter 375, subchapter 2-A.
5 Notice and comment period.   The board shall adopt rules to establish criteria for determining whether information is confidential clinical data, confidential financial data or other protected health information and specify procedures to give affected health care practitioners and payors notice and opportunity to comment in response to requests for information that may be considered confidential.
6 Identifying information.   The board shall adopt rules to provide that individuals may be directly or indirectly identified, including through a linking or reidentification process, only as provided in this chapter and the rules of the board. Any protected health information may be used only for the purposes for which the organization releases it.
7 Minimum use.   The board shall adopt rules to provide that persons gaining access to protected health information may use that information to the minimum extent necessary to accomplish the purposes for which approval was granted and for no other purpose.
8 Limitation on release.   The board may not grant approval for release of data if the board finds that the proposed identification of or contact with individuals would violate any state or federal law or diminish the confidentiality of health care information or the public's confidence in the protection of that information in a manner that outweighs the expected benefit to the public of the proposed investigation.
9 Release; publication and use of data.   The board shall adopt rules to govern the release, publication and use of analyses, reports and compilations derived from the health data made available by the organization. The rules must apply to all data collected, stored and released by the organization, including reports under section 8712.
10 Other privacy protections.   The board shall adopt rules to ensure compliance with all privacy and security protections required under federal and state laws.
11 Choice regarding disclosure of information.   The board shall adopt rules to address the provisions for requirements regarding the disclosure of information in section 8717, subsection 3.

§ 8715 Public health

1 Permitted use and disclosure to public health authorities.   The organization may disclose protected health information, without an individual's authorization, to a public health authority for public health purposes mandated by state or federal law.
2 Use by public health authority.   A state or federal public health authority to which protected health information has been disclosed under subsection 1 may use that information for public health activities and may disclose that information for public health activities as allowed by state or federal law and in accordance with board rules on data release adopted pursuant to section 8714.
3 Data use agreement.   Prior to disclosing protected health information to a public health authority under subsection 1, the organization shall enter into a data use agreement with the public health authority. The agreement must have protocols that have been approved by the board for safeguarding confidential information and for ensuring there will be no disclosures of protected health information.

§ 8716 Health care improvement studies

The board may approve the disclosure of protected health information to persons conducting health care improvement studies, subject to the following conditions.

1 Disclosure to study entities.   For health care improvement studies, regarding health care utilization, improvement, cost or quality and involving patients with whom the study entity has a treatment or payor relationship, whether the study is funded by the Federal Government or the State Government or private persons, the organization may disclose protected health information to a study entity who is a covered entity or to the covered entity's business associates if those persons conducting the study do not disclose protected health information to any person not directly involved in the study without consent from the subject of the protected health information.
2 Recipients of information.   A person receiving protected health information under subsection 1 may use that information only to the minimum extent necessary to accomplish the purposes of the study for which approval was granted and for no other purpose.
3 Confidentiality; protocol.   The protocol for any study entity receiving protected health information under subsection 1 must be designed to preserve the confidentiality of all health care information that can be associated with identified patients, to specify the manner in which contact is made with patients and to maintain public confidence in the protection of confidential information.
4 Additional protection.   The board may not grant approval to a study entity under this section for the disclosure of protected health information if the board finds that the proposed identification of or contact with patients would violate any state or federal law or diminish the confidentiality of health care information or the public's confidence in the protection of that information in a manner that outweighs the expected benefit to the public of the proposed investigation.
5 Data use agreement.   Prior to disclosing protected health information to a study entity pursuant to subsection 1, the organization shall enter into a data use agreement with the study entity. The agreement must have protocols that have been approved by the board for safeguarding confidential information and for ensuring there will be no disclosures of protected health information.

§ 8717 Covered entities' access to protected health information

1 Permitted uses and disclosures; definitions.   The organization may disclose protected health information without authorization by the subject of the information for the treatment activities of any health care provider, the payment activities of a covered entity and of any health care provider or the health care operations of a covered entity or its business associates involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if the covered entity has or had a relationship with the subject of the information and the protected health information pertains to the relationship. For the purposes of this section:
A "Health care operations" means any of the following activities of a covered entity:

(1) Quality assessment and improvement activities, including case management and care coordination;

(2) Competency assurance activities, including provider or health plan performance evaluation, credentialing and accreditation;

(3) Conducting or arranging for medical reviews, audits or legal services, including fraud and abuse detection and compliance programs;

(4) Specified insurance functions, such as underwriting, risk rating and reinsuring risks;

(5) Business planning, development, management and administration; and

(6) Business management and general administrative activities of the covered entity, including but not limited to de-identifying protected health information, creating a limited data set and permissible fund-raising for the benefit of the covered entity;

B "Payment activities" means activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits and furnish or obtain reimbursement for health care delivered to an individual and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual; and
C "Treatment" means the provision, coordination or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding an individual and referral of an individual by one provider to another.
2 Minimum necessary.   The board shall develop policies and procedures that reasonably limit disclosures of, and requests for, protected health information for payment activities and health care operations to the minimum extent necessary.
3 Choice regarding disclosure of information.   Before approving the release of any protected health information under this section, the organization shall implement a mechanism that allows an individual to choose to not allow the organization to disclose and use the individual's health care information under this section.

Summary

This bill conforms state law as it relates to the release of protected health information to the restrictions established in federal law and regulations. The bill requires the Maine Health Data Organization to adopt rules for the release of protected health information.

