Md. Code Regs. - Scope and Purpose

A. This chapter addresses the privacy and security of protected health information maintained by a health information exchange, or obtained or released by any person through a health information exchange by adopting specific requirements:
(1) To assure the privacy and security of protected health information accessed, used, or disclosed through a health information exchange, including protections for the secondary use of protected health information obtained, accessed, or released through a health information exchange;
(2) To govern the access, use, maintenance, and disclosure of protected health information through or by a health information exchange;
(3) To improve access to clinical records by treating clinicians; and
(4) To promote uses of a State-designated HIE that will assist public health agencies in reaching public health goals.
B. This chapter applies to:
(1) A health information exchange, as defined in Regulation .02B(28) of this chapter;
(2) A person who accesses, uses or discloses protected health information through a health information exchange; and
(3) A person who uses or discloses information derived or obtained from, or based on protected health information obtained or released through or maintained by an HIE.
C. This chapter does not apply to:
(1) Protected health information exchanged, accessed, used, or disclosed:
(a) Between a hospital and a credentialed professional;
(b) Among credentialed professionals of a hospital's medical staff; or
(c) Between a hospital and its affiliated ancillary clinical service provider who is affiliated with the hospital and who, if required by HIPAA, has entered into a business associate agreement with the hospital.
(2) The use, access, or disclosure of protected health information using point-to-point transmission unless an HIE is involved in the transmission of the data.
D. The requirements in this chapter are in addition to those required by:
(1) The Health Insurance Portability and Accountability Act of 1996, including all pertinent regulations ( 45 CFR §§ 160 and 164 ) issued by the U.S. Department of Health and Human Services, as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 ( Pub. L. 111 "5);
(2) The Maryland Consumer Protection Act, Maryland Commercial Law Article, § 13-101 et seq., Annotated Code of Maryland;
(3) The Maryland Personal Information Protection Act, Commercial Law Article, § 14-3501 et seq., Annotated Code of Maryland;
(4) The Maryland Confidentiality of Medical Records Act, Health-General Article, Title 4, Subtitle 3, Annotated Code of Maryland, including provisions regarding confidentiality of mental health records in Health-General Article § 4-307, Annotated Code of Maryland;
(5) Health Breach Notification Rule, 16 CFR § 318, adopted by the Federal Trade Commission pursuant to the HITECH Act;
(6) 42 CFR Part 2 regulations; and
(7) All other applicable State and federal laws and regulations governing the use, access, maintenance, and disclosure of health information.


Md. Code Regs.
Regulation .01 amended effective 41:5 Md. R. 344, eff.3/17/2014 ; amended effective 43:12 Md. R. 666, eff.6/20/2016; amended effective 45:16 Md. R. 775, eff. 8/13/2018

State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.

No prior version found.