Md. Code Regs. 10.25.18.01 - Scope and Purpose

A. This chapter addresses the privacy and security of protected health information maintained by a health information exchange, or obtained or released by any person through a health information exchange by adopting specific requirements:
(1) To assure the privacy and security of protected health information accessed, used, or disclosed through a health information exchange, including protections for the secondary use of protected health information obtained, accessed, or released through a health information exchange;
(2) To govern the access, use, maintenance, and disclosure of protected health information through or by a health information exchange;
(3) To improve access to clinical records by treating clinicians; and
(4) To promote uses of a State-designated HIE that will assist public health agencies in reaching public health goals.
B. This chapter applies to:
(1) An HIE, as defined in Regulation .02B(32) of this chapter, including:
(a) An individual or entity that determines, controls, or has discretion to administer any requirement, policy, or agreement that allows, enables, or requires the use of any technology or services for access, exchange, or use of electronic protected health information:
(i) Among more than two unaffiliated individuals or entities that are enabled to exchange electronic protected health information with each other; and
(ii) That is for a treatment, payment, or health care operations purpose, as those terms are defined in 45 CFR § 164.501, regardless of whether the individuals or entities are subject to the requirements of 45 CFR Parts 160 and 164; and
(b) A health information technology developer of certified health information technology as that term is defined in Regulation .02B(33) of this chapter;
(2) A person who accesses, uses, or discloses protected health information through an HIE; and
(3) Electronic health information stored in, or maintained by, an HIE.
C. This chapter does not apply to:
(1) Protected health information exchanged, accessed, used, or disclosed:
(a) Between a hospital and a credentialed professional;
(b) Among credentialed professionals of a hospital's medical staff;
(c) Between a hospital and its affiliated ancillary clinical service provider who is affiliated with the hospital and who, if required by HIPAA, has entered into a business associate agreement with the hospital;
(d) Among entities under common ownership as defined at Health-General Article, §4-301, Annotated Code of Maryland, for health care treatment, payment, or health care operations purposes, as those terms are defined in 45 CFR § 164.501;
(e) By a carrier, as defined in Insurance Article, § 15-301, Annotated Code of Maryland, exchanging information as required by 45 CFR § 156.221; or
(f) Between a carrier and its business associate, as defined in 45 CFR § 160.103, if the organizational and technical processes provided or governed by the business associate are transactions, as defined in 45 CFR § 160.103; or
(2) The use, access, or disclosure of protected health information using point-to-point transmission unless an HIE is involved in the transmission of the data.
D. In the event that an HIE is unable to meet a requirement of this chapter independently, it may do so by the execution of a written agreement or by requesting an exemption in accordance with Regulation .09G or H of this chapter.
E. The requirements in this chapter are in addition to those set forth below:
(1) The Health Insurance Portability and Accountability Act of 1996, and the pertinent regulations at 45 CFR Parts 160 and 164;
(2) The Maryland Consumer Protection Act, Commercial Law Article, Title 13, Annotated Code of Maryland;
(3) The Maryland Personal Information Protection Act, Commercial Law Article, Title 14, Subtitle 35, Annotated Code of Maryland;
(4) The Maryland Confidentiality of Medical Records Act, Health-General Article, Title 4, Subtitle 3, Annotated Code of Maryland;
(5) Health General Article, §4-307, Annotated Code of Maryland, Confidentiality of Mental Health Records;
(6) 16 CFR Part 318, Health Breach Notification Rule, adopted by the Federal Trade Commission pursuant to the HITECH Act;
(7) 42 CFR Part 2, Confidentiality of Substance Use Disorder Patient Records;
(8) Titles IV and XI of the 21st Century Cures Act and the pertinent regulations, 45 CFR Part 171, and as defined at Regulation .02B(71) of this chapter; and
(9) All other applicable State and federal laws and regulations governing the use, access, maintenance, and disclosure of health information.

Notes

Md. Code Regs. 10.25.18.01
Regulation .01 amended effective 41:5 Md. R. 344, eff. 3/17/2014 ; amended effective 43:12 Md. R. 666, eff. 6/20/2016; amended effective 45:16 Md. R. 775, eff. 8/13/2018; amended effective 51:3 Md. R. 152, eff. 1/9/2024, exp. 7/7/2024(Emergency); amended effective 51:9 Md. R. 440, eff. 5/13/2024.

State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.