Md. Code Regs. 10.25.18.01 - Scope and Purpose
A. This chapter addresses the privacy and security of protected health information maintained by a health information exchange, or obtained or released by any person through a health information exchange by adopting specific requirements:
(1) To assure the privacy and security of protected health information accessed, used, or disclosed through a health information exchange, including protections for the secondary use of protected health information obtained, accessed, or released through a health information exchange;
(2) To govern the access, use, maintenance, and disclosure of protected health information through or by a health information exchange;
(3) To improve access to clinical records by treating clinicians; and
(4) To promote uses of a State-designated HIE that will assist public health agencies in reaching public health goals.
B. This chapter applies to:
(1) An HIE, as defined in Regulation .02B(32) of this chapter, including:
(a) An individual or entity that determines, controls, or has discretion to administer any requirement, policy, or agreement that allows, enables, or requires the use of any technology or services for access, exchange, or use of electronic protected health information:
(i) Among more than two unaffiliated individuals or entities that are enabled to exchange electronic protected health information with each other; and
(b) A health information technology developer of certified health information technology as that term is defined in Regulation .02B(33) of this chapter;
(2) A person who accesses, uses, or discloses protected health information through an HIE; and
(3) Electronic health information stored in, or maintained by, an HIE.
C. This chapter does not apply to:
(1) Protected health information exchanged, accessed, used, or disclosed:
(a) Between a hospital and a credentialed professional;
(b) Among credentialed professionals of a hospital's medical staff;
(c) Between a hospital and its affiliated ancillary clinical service provider who is affiliated with the hospital and who, if required by HIPAA, has entered into a business associate agreement with the hospital;
(d) Among entities under common ownership as defined at Health-General Article, §4-301, Annotated Code of Maryland, for health care treatment, payment, or health care operations purposes, as those terms are defined in 45 CFR § 164.501;
(e) By a carrier, as defined in Insurance Article, § 15-301, Annotated Code of Maryland, exchanging information as required by 45 CFR § 156.221; or
(2) The use, access, or disclosure of protected health information using point-to-point transmission unless an HIE is involved in the transmission of the data.
D. In the event that an HIE is unable to meet a requirement of this chapter independently, it may do so by the execution of a written agreement or by requesting an exemption in accordance with Regulation .09G or H of this chapter.
E. The requirements in this chapter are in addition to those set forth below:
(1) The Health Insurance Portability and Accountability Act of 1996, and the pertinent regulations at 45 CFR Parts 160 and 164;
(2) The Maryland Consumer Protection Act, Commercial Law Article, Title 13, Annotated Code of Maryland;
(3) The Maryland Personal Information Protection Act, Commercial Law Article, Title 14, Subtitle 35, Annotated Code of Maryland;
(4) The Maryland Confidentiality of Medical Records Act, Health-General Article, Title 4, Subtitle 3, Annotated Code of Maryland;
(5) Health General Article, §4-307, Annotated Code of Maryland, Confidentiality of Mental Health Records;
(6) 16 CFR Part 318, Health Breach Notification Rule, adopted by the Federal Trade Commission pursuant to the HITECH Act;
(7) 42 CFR Part 2, Confidentiality of Substance Use Disorder Patient Records;
(8) Titles IV and XI of the 21st Century Cures Act and the pertinent regulations, 45 CFR Part 171, and as defined at Regulation .02B(71) of this chapter; and
(9) All other applicable State and federal laws and regulations governing the use, access, maintenance, and disclosure of health information.