MA. BH. 1900. Ensuring patient privacy and control with regard to health information exchanges.

Short Title
Official Text MA. BH. 1900. Ensuring patient privacy and control with regard to health information exchanges.
Country/Jurisdiction United States
State or Province Massachusetts
Regulatory Bodies
Date Enacted 2015

Scope of the Law Health Information

Taxonomy Breach of Confidentiality, Disclosure
Strategies


Text of the law

Bill H.1900
SECTION 1. Section 1 of chapter 111 of the General Laws, as appearing in the 2012 Official Edition, is hereby amended by inserting the following after line 81:-
"Authorized representative of an individual" or "authorized representative" means an individual's legal guardian; or other authorized representative or, after death, that person's personal representative or a person identified in section 70I subsection (d). For a minor who has not consented to health care treatment in accordance with the provisions of state law, "authorized representative" means the minor's parent, legal guardian or guardian ad litem.
"Authorization to disclose" means authorization to disclose health care information in accordance with chapter 70I.
"Disclosure" means the release, transfer of or provision of access to health care information in any manner obtained as a result of a professional health care relationship between the individual and the health care practitioner or facility to a person or entity other than the individual.
"Health care" means preventative, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, treatment, procedures or counseling, including appropriate assistance with disease or symptom management and maintenance, that affects an individual's physical, mental or behavioral condition, including individual cells or their components or genetic information, or the structure or function of the human body or any part of the human body. Health care includes prescribing, dispensing or furnishing to an individual drugs, biologicals, medical devices or health care equipment and supplies; providing hospice services to an individual; and the banking of blood, sperm, organs or any other tissue.
"Health care facility" or "facility" means a facility, institution or entity licensed pursuant to this Title that offers health care to persons in this State, including a home health care provider, hospice program and a pharmacy licensed pursuant to the General Laws. For the purposes of this section, "health care facility" does not include a state mental health institute, the Elizabeth Levinson Center, the Aroostook Residential Center or Freeport Towne Square.
"Health care information" means information that directly identifies the individual and that relates to an individual's physical, mental or behavioral condition, personal or family medical history or medical treatment or the health care provided to that individual. "Health care information" does not include information that protects the anonymity of the individual by means of encryption or encoding of individual identifiers or information pertaining to or derived from federally sponsored, authorized or regulated research governed by 21 Code of Federal Regulations, Parts 50 and 56 and 45 Code of Federal Regulations, Part 46, to the extent that such information is used in a manner that protects the identification of individuals. The Board of Directors of the Maine Health Data Organization shall adopt rules to define health care information that directly identifies an individual. Rules adopted pursuant to this paragraph are routine technical rules as defined in the General Laws.
"Health care information" does not include information that is created or received by a member of the clergy or other person using spiritual means alone for healing as provided in the General Laws.
"Health care practitioner" means a person licensed by this State to provide or otherwise lawfully providing health care or a partnership or corporation made up of those persons or an officer, employee, agent or contractor of that person acting in the course and scope of employment, agency or contract related to or supportive of the provision of health care to individuals.
"Individual" means a natural person who is the subject of the health care information under consideration and, in the context of disclosure of health care information, includes the individual's authorized representative.
"Third party" or "3rd party" means a person other than the individual to whom the health care information relates.
SECTION 2. Chapter 111 of the General Laws, as appearing in the 2012 Official Edition, is hereby amended by inserting after section 70H the following section:-
Section 70I – Confidentiality of Health Care Information
(a) Confidentiality of health information; disclosure. An individual's health care information is confidential and may not be disclosed other than to the individual by the health care practitioner or facility except as provided in this section. Nothing in this section prohibits a health care practitioner or health care facility from adhering to applicable ethical or professional standards provided that these standards do not decrease the protection of confidentiality granted by this section.
(b) Written authorization to disclose. A health care practitioner or facility may disclose health care information pursuant to a written authorization signed by an individual for the specific purpose stated in the authorization. A written authorization to disclose health care information must be retained with the individual's health care information. A written authorization to disclose is valid whether it is in an original, facsimile or electronic form. A written authorization to disclose must contain the following elements:
(1) The name and signature of the individual and the date of signature. If the authorization is in electronic form, a unique identifier of the individual and the date the individual authenticated the electronic authorization must be stated in place of the individual's signature and date of signature;
(2) The types of persons authorized to disclose health care information and the nature of the health care information to be disclosed;
(3) The identity or description of the 3rd party to whom the information is to be disclosed;
(4) The specific purpose or purposes of the disclosure and whether any subsequent disclosures may be made pursuant to the same authorization. An authorization to disclose health care information related to substance abuse treatment or care subject to the requirements of 42 United States Code, Section 290dd-2 (Supplement 1998) is governed by the provisions of that law;
(5) The duration of the authorization;
(6) A statement that the individual may refuse authorization to disclose all or some health care information but that refusal may result in improper diagnosis or treatment, denial of coverage or a claim for health benefits or other insurance or other adverse consequences;
(7) A statement that the authorization may be revoked at any time by the individual by executing a written revocation, subject to the right of any person who acted in reliance on the authorization prior to receiving notice of revocation, instructions on how to revoke an authorization and a statement that revocation may be the basis for denial of health benefits or other insurance coverage or benefits; and
(8) A statement that the individual is entitled to a copy of the authorization form.
(c) Oral authorization to disclose. When it is not practical to obtain written authorization under subsection 3 from an individual or person acting pursuant to subsection D or when a person chooses to give oral authorization to disclose, a health care practitioner or facility may disclose health care information pursuant to oral authorization. A health care practitioner or facility shall record with the individual's health care information receipt of oral authorization to disclose, including the name of the authorizing person, the date, the information and purposes for which disclosure is authorized and the identity or description of the 3rd party to whom the information is to be disclosed.
(d) Authorization to disclose provided by a 3rd party. When an individual or an authorized representative is unable to provide authorization to disclose under subsection B or C, a health care practitioner or facility may disclose health care information pursuant to authorization to disclose that meets the requirements of subsection B or C given by a 3rd party listed in this subsection. A health care practitioner or facility may determine not to obtain authorization from a person listed in this subsection when the practitioner or facility determines it would not be in the best interest of the individual to do so. In making this decision, the health care practitioner or facility shall respect the safety of the individual and shall consider any indicators, suspicion or substantiation of abuse. Persons who may authorize disclosure under this subsection include:
(1) The spouse of the individual;
(2) A parent of the individual;
(3) An adult who is a child, grandchild or sibling of the individual;
(4) An adult who is an aunt, uncle, niece or nephew of the individual, related by blood or adoption;
(5) An adult related to the individual, by blood or adoption, who is familiar with the individual's personal values; and
(6) An adult who has exhibited special concern for the individual and who is familiar with the individual's personal values.
(e) Duration of authorization to disclose. An authorization to disclose may not extend longer than 30 months, except that the duration of an authorization for the purposes of insurance coverage is governed by the relevant provisions of the General Laws.
(f) Revocation of authorization to disclose. A person who may authorize disclosure may revoke authorization to disclose at any time, subject to the rights of any person who acted in reliance on the authorization prior to receiving notice of revocation. A written revocation of authorization must be signed and dated. If the revocation is in electronic form, a unique identifier of the individual and the date the individual authenticated the electronic authorization must be stated in place of the individual's signature and date of signature. A health care practitioner or facility shall record receipt of oral revocation of authorization, including the name of the person revoking authorization and the date. A revocation of authorization must be retained with the authorization and the individual's health care information.
(g) Disclosure without authorization to disclose. A health care practitioner or facility may disclose, or when required by law must disclose, health care information without authorization to disclose under the circumstances stated in this subsection or as provided in subsection (l). Disclosure may be made without authorization as follows:
(1) To another health care practitioner or facility for diagnosis, treatment or care of individuals or to complete the responsibilities of a health care practitioner or facility that provided diagnosis, treatment or care of individuals, as provided in this paragraph.
(i) For a disclosure within the office, practice or organizational affiliate of the health care practitioner or facility, no authorization is required.
(ii) For a disclosure outside of the office, practice or organizational affiliate of the health care practitioner or facility, authorization is not required, except that in nonemergency circumstances authorization is required for health care information derived from mental health services provided by:
(A) A clinical nurse specialist licensed under the provisions of the General Laws;
(B) A psychologist licensed under the provisions of the General Laws;
(C) A social worker licensed under the provisions of the General Laws;
(D) A counseling professional licensed under the provisions of the General Laws; or
(E) A physician specializing in psychiatry licensed under the provisions of the General Laws.
This subparagraph does not prohibit the disclosure of health care information between a licensed pharmacist and a health care practitioner or facility providing mental health services for the purpose of dispensing medication to an individual.
This subparagraph does not prohibit the disclosure without authorization of health care information covered under this section to a state-designated statewide health information exchange that satisfies the requirement in subsection 18, paragraph C of providing a general opt-out provision to an individual at all times and that provides and maintains an individual protection mechanism by which an individual may choose to opt in to allow the state-designated statewide health information exchange to disclose that individual's health care information covered under the General Laws;
(2) To an agent, employee, independent contractor or successor in interest of the health care practitioner or facility including a state-designated statewide health information exchange that makes health care information available electronically to health care practitioners and facilities or to a member of a quality assurance, utilization review or peer review team to the extent necessary to carry out the usual and customary activities relating to the delivery of health care and for the practitioner's or facility's lawful purposes in diagnosing, treating or caring for individuals, including billing and collection, risk management, quality assurance, utilization review and peer review. Disclosure for a purpose listed in this paragraph is not a disclosure for the purpose of marketing or sales;
(3) To a family or household member unless expressly prohibited by the individual or a person acting pursuant to subsection (d);
(4) To appropriate persons when a health care practitioner or facility that is providing or has provided diagnosis, treatment or care to the individual has determined, based on reasonable professional judgment, that the individual poses a direct threat of imminent harm to the health or safety of any individual. A disclosure pursuant to this paragraph must protect the confidentiality of the health care information consistent with sound professional judgment;
(5) To federal, state or local governmental entities in order to protect the public health and welfare when reporting is required or authorized by law, to report a suspected crime against the health care practitioner or facility or to report information that the health care facility's officials or health care practitioner in good faith believes constitutes evidence of criminal conduct that occurred on the premises of the health care facility or health care practitioner;
(6) As directed by order of a court or as authorized or required by statute;
(7) To a governmental entity pursuant to a lawful subpoena requesting health care information to which the governmental entity is entitled according to statute or rules of court;
(8) To a person when necessary to conduct scientific research approved by an institutional review board or by the board of a nonprofit health research organization or when necessary for a clinical trial sponsored, authorized or regulated by the federal Food and Drug Administration. A person conducting research or a clinical trial may not identify any individual patient in any report arising from the research or clinical trial. For the purposes of this paragraph, "institutional review board" means any board, committee or other group formally designated by a health care facility and authorized under federal law to review, approve or conduct periodic review of research programs. Health care information disclosed pursuant to this paragraph that identifies an individual must be returned to the health care practitioner or facility from which it was obtained or must be destroyed when it is no longer required for the research or clinical trial. Disclosure for a purpose listed in this paragraph is not a disclosure for the purpose of marketing or sales;
(9) To a person engaged in the assessment, evaluation or investigation of the provision of or payment for health care or the practices of a health care practitioner or facility or to an agent, employee or contractor of such a person, pursuant to statutory or professional standards or requirements. Disclosure for a purpose listed in this paragraph is not a disclosure for the purpose of marketing or sales;
(10) To a person engaged in the regulation, accreditation, licensure or certification of a health care practitioner or facility or to an agent, employee or contractor of such a person, pursuant to standards or requirements for regulation, accreditation, licensure or certification;
(11) To a person engaged in the review of the provision of health care by a health care practitioner or facility or payment for such health care under the General Laws or under a public program for the payment of health care or professional liability insurance for a health care practitioner or facility or to an agent, employee or contractor of such a person;
(12) To attorneys for the health care practitioner or facility that is disclosing the health care information or to a person as required in the context of legal proceedings or in disclosure to a court or governmental entity, as determined by the practitioner or facility to be required for the practitioner's or facility's own legal representation;
(13) To a person outside the office of the health care practitioner or facility engaged in payment activities, including but not limited to submission to payors for the purposes of billing, payment, claims management, medical data processing, determination of coverage or adjudication of health benefit or subrogation claims, review of health care services with respect to coverage or justification of charges or other administrative services. Payment activities also include but are not limited to:
(i) Activities necessary to determine responsibility for coverage;
(ii) Activities undertaken to obtain payment for health care provided to an individual; and
(iii) Quality assessment and utilization review activities, including precertification and preauthorization of services and operations or services audits relating to diagnosis, treatment or care rendered to individuals by the health care practitioner or facility and covered by a health plan or other payor;
(14) To schools, educational institutions, youth camps licensed under the General Laws, correctional facilities, health care practitioners and facilities, providers of emergency services or a branch of federal or state military forces, information regarding immunization of an individual;
(15) To a person when disclosure is needed to set or confirm the date and time of an appointment or test or to make arrangements for the individual to receive those services;
(16) To a person when disclosure is needed to obtain or convey information about prescription medication or supplies or to provide medication or supplies under a prescription;
(17) To a person representing emergency services, health care and relief agencies, corrections facilities or a branch of federal or state military forces, of brief confirmation of general health status;
(18) To a member of the clergy, of information about the presence of an individual in a health care facility, including the person's room number, place of residence and religious affiliation unless expressly prohibited by the individual or a person acting pursuant to subsection (d);
(19) To a member of the media who asks a health care facility about an individual by name, of brief confirmation of general health status unless expressly prohibited by the individual or a person acting pursuant to subsection (d); and
(20) To a member of the public who asks a health care facility about an individual by name, of the room number of the individual and brief confirmation of general health status unless expressly prohibited by the individual or a person acting pursuant to subsection (d).
(h) Confidentiality policies. A health care practitioner, facility or state-designated statewide health information exchange shall develop and implement policies, standards and procedures to protect the confidentiality, security and integrity of health care information to ensure that information is not negligently, inappropriately or unlawfully disclosed. The policies of health care facilities must provide that an individual being admitted for inpatient care be given notice of the right of the individual to control the disclosure of health care information. The policies must provide that routine admission forms include clear written notice of the individual's ability to direct that that individual's name be removed from the directory listing of persons cared for at the facility and notice that removal may result in the inability of the facility to direct visitors and telephone calls to the individual.
(i) Prohibited disclosure. A health care practitioner, facility or state-designated statewide health information exchange may not disclose health care information for the purpose of marketing or sales without written or oral authorization for the disclosure.
(j) Disclosures of corrections or clarifications to health care information. A health care practitioner or facility shall provide to a 3rd party a copy of an addition submitted by an individual to the individual's health care information if:
(1) The health care practitioner or facility provided a copy of the original health care record to the 3rd party on or after February 1, 2000;
(2) The correction or clarification was submitted by the individual pursuant to the General Laws and relates to diagnosis, treatment or care;
(3) The individual requests that a copy be sent to the 3rd party and provides an authorization that meets the requirements of subsection (b), (c) or (d); and
(4) If requested by the health care practitioner or facility, the individual pays to the health care practitioner or facility all reasonable costs requested by that practitioner or facility.
(k) Requirements for disclosures. Except as otherwise provided by law, disclosures of health care information pursuant to this section are subject to the professional judgment of the health care practitioner and to the following requirements.
(1) A health care practitioner or facility that discloses health care information pursuant to subsection (b), (c) or (d) may not disclose information in excess of the information requested in the authorization.
(2) A health care practitioner or facility that discloses health care information pursuant to subsections (b), (c), (d) or (g) may not disclose information in excess of the information reasonably required for the purpose for which it is disclosed.
(3) If a health care practitioner or facility believes that release of health care information to the individual would be detrimental to the health of the individual, the health care practitioner or facility shall advise the individual and make copies of the records available to the individual's authorized representative upon receipt of a written authorization.
(4) If a health care practitioner or facility discloses partial or incomplete health care information, as compared to the request or directive to disclose under subsection (b), (c), (d) or (g), the disclosure must expressly indicate that the information disclosed is partial or incomplete.
(l) Health care information subject to other laws, rules and regulations. Health care information that is subject to the provisions of other provisions of state or federal law, rule or regulation is governed solely by those provisions.
(m) Minors. If a minor has consented to health care in accordance with the laws of this State, authorization to disclose health care information pursuant to this section must be given by the minor unless otherwise provided by law.
(n) Enforcement. This section may be enforced within 2 years of the date a disclosure in violation of this section was or should reasonably have been discovered.
(1) When the Attorney General has reason to believe that a person has intentionally violated a provision of this section, the Attorney General may bring an action to enjoin unlawful disclosure of health care information.
(2) An individual who is aggrieved by conduct in violation of this section may bring a civil action against a person who has intentionally unlawfully disclosed health care information in the Superior Court in the county in which the individual resides or the disclosure occurred. The action may seek to enjoin unlawful disclosure and may seek costs and a forfeiture or penalty under paragraph 3. An applicant for injunctive relief under this paragraph may not be required to give security as a condition of the issuance of the injunction.
(3) A person who intentionally violates this section is subject to a civil penalty not to exceed $5,000, payable to the State, plus costs. If a court finds that intentional violations of this section have occurred after due notice of the violating conduct with sufficient frequency to constitute a general business practice, the person is subject to a civil penalty not to exceed $10,000 for health care practitioners and $50,000 for health care facilities, payable to the State. A civil penalty under this subsection is recoverable in a civil action.
(4) Nothing in this section may be construed to prohibit a person aggrieved by conduct in violation of this section from pursuing all available common law remedies, including but not limited to an action based on negligence.
(o) Waiver prohibited. Any agreement to waive the provisions of this section is against public policy and void.
(p) Immunity. A cause of action in the nature of defamation, invasion of privacy or negligence does not arise against any person for disclosing health care information in accordance with this section. This section provides no immunity for disclosing information with malice or willful intent to injure any person.
(q) Application. This section applies to all requests, directives and authorizations to disclose health care information executed on or after February 1, 2000. An authorization to disclose health care information executed prior to February 1, 2000 that does not meet the standards of this section is deemed to comply with the requirements of this section until the next health care encounter between the individual and the health care practitioner or facility.
(r) Participation in a state-designated statewide health information exchange. The following provisions apply to participation in a state-designated statewide health information exchange.
(1) A health care practitioner may not deny a patient health care treatment and a health insurer may not deny a patient a health insurance benefit based solely on the provider's or patient's decision not to participate in a state-designated statewide health information exchange. Except when otherwise required by federal law, a payor of health care benefits may not require participation in a state-designated statewide health information exchange as a condition of participating in the payor's provider network.
(2) Recovery for professional negligence is not allowed against any health care practitioner or health care facility on the grounds of a health care practitioner's or a health care facility's nonparticipation in a state-designated statewide health information exchange arising out of or in connection with the provision of or failure to provide health care services. In any civil action for professional negligence or in any proceeding related to such a civil action or in any arbitration, proof of a health care practitioner's, a health care facility's or a patient's participation or nonparticipation in a state-designated statewide health information exchange is inadmissible as evidence of liability or nonliability arising out of or in connection with the provision of or failure to provide health care services. This paragraph does not prohibit recovery or the admission of evidence of reliance on information in a state-designated statewide electronic health information exchange when there was participation by both the patient and the patient's health care practitioner.
(3) A state-designated statewide health information exchange to which health care information is disclosed under this section shall provide an individual protection mechanism by which an individual may opt out from participation to prohibit the state-designated statewide health information exchange from disclosing the individual's health care information to a health care practitioner or health care facility.
(4) At point of initial contact, a health care practitioner, health care facility or other entity participating in a state-designated statewide health information exchange shall provide to each patient, on a separate form, at minimum:
(i) Information about the state-designated statewide health information exchange, including a description of benefits and risks of participation in the state-designated statewide health information exchange;
(ii) A description of how and where to obtain more information about or contact the state-designated statewide health information exchange;
(iii) An opportunity for the patient to decline participation in the state-designated statewide health information exchange; and
(iv) A declaration that a health care practitioner, health care facility or other entity may not deny a patient health care treatment based solely on the provider's or patient's decision not to participate in a state-designated statewide health information exchange.
The state-designated statewide health information exchange shall develop the form for use under this paragraph, with input from consumers and providers. The form must be approved by the office of the state coordinator for health information technology within the Governor's office of health policy and finance.
(5) A health care practitioner, health care facility or other entity participating in a state-designated statewide health information exchange shall communicate to the exchange the decision of each patient who has declined participation and shall do so within a reasonable time frame, but not more than 2 business days following the receipt of a signed form, as described in paragraph 4, from the patient, or shall establish a mechanism by which the patient may decline participation in the state-designated statewide health information exchange at no cost to the patient.
(6) A state-designated statewide health information exchange shall process the request of a patient who has decided not to participate in the state-designated statewide health information exchange within 2 business days of receiving the patient's decision to decline, unless additional time is needed to verify the identity of the patient. A signed authorization from the patient is required before a patient is newly entered or reentered into the system if the patient chooses to begin participation at a later date.
Except as otherwise required by applicable law, regulation or rule or state or federal contract, or when the state-designated statewide health information exchange is acting as the agent of a health care practitioner, health care facility or other entity, the state-designated statewide health information exchange shall remove health information of individuals who have declined participation in the exchange. In no event may health information retained in the state-designated statewide health information exchange as set forth in this paragraph be made available to health care practitioners, health care facilities or other entities except as otherwise required by applicable law, regulation or rule or state or federal contract, or when the health care practitioner, health care facility or other entity is the originator of the information.
(7) A state-designated statewide health information exchange shall establish a secure website accessible to patients. This website must:
(i) Permit a patient to request a report of who has accessed that patient's records and when the access occurred. This report must be delivered to the patient within 2 business days upon verification of the patient's identity by the state-designated statewide health information exchange;
(ii) Provide a mechanism for a patient to decline participation in the state-designated statewide health information exchange; and
(iii) Provide a mechanism for the patient to consent to participation in the state-designated statewide health information exchange if the patient had previously declined participation.
(8) A state-designated statewide health information exchange shall establish for patients an alternate procedure to that provided for in paragraph 6 that does not require Internet access. A health care practitioner, health care facility or other entity participating in the state-designated statewide health information exchange shall provide information about this alternate procedure to all patients. The information must be included on the form identified in paragraph 4.
(9) A state-designated statewide health information exchange shall maintain records regarding all disclosures of health care information by and through the state-designated statewide health information exchange, including the requesting party and the dates and times of the requests and disclosures.
(10) A state-designated statewide health information exchange may not charge a patient or an authorized representative of a patient any fee for access or communication as provided in this subsection.
(11) Notwithstanding any provision of this subsection to the contrary, a health care practitioner, health care facility or other entity shall provide the form and communication required by paragraphs 4 and 6 to all existing patients following the effective date of this subsection.
(12) A state-designated statewide health information exchange shall meet or exceed all applicable federal laws and regulations pertaining to privacy, security and breach notification regarding personally identifiable protected health information, as defined in 45 Code of Federal Regulations, Part 160. If a breach occurs, the state-designated statewide health information exchange shall arrange with its participants for notification of each individual whose protected health information has been, or is reasonably believed by the exchange to have been, breached. For purposes of this paragraph, "breach" has the same meaning as in 45 Code of Federal Regulations, Part 164, as amended.
(13) The state-designated statewide health information exchange shall develop a quality management plan, including auditing mechanisms, in consultation with the office of the state coordinator for health information technology within the department, who shall review the plan and results.
(s) Exemption from freedom of access laws. Except as provided in this section, the names and other identifying information of individuals in a state-designated statewide health information exchange are confidential.



Disclaimer: The text of this law may not be the most recent version. We make no warranties or representations about the accuracy, completeness, or adequacy of the information contained on this site. Please check official sources.