Md. Code Regs. 10.25.18.02 - Definitions
A. In this chapter, the following terms have the meanings indicated.
B. Terms Defined.
(41) "Part 2" means the federal Confidentiality of Substance Use Disorder Patient Records regulations found in 42 CFR Part 2 and supplemented by the final rule 82 FR 6052.
(1) "Ancillary clinical service provider" means a health care provider who has a direct contractual agreement with the hospital to provide therapeutic, diagnostic, or custodial ancillary services for the hospital as part of its affiliation. Ancillary services may include skilled nursing, home care, outpatient rehabilitation and therapy, transportation, ambulatory surgery, dialysis, laboratory, radiology, pharmacy, and chemotherapy.
(2) "Appropriate notice to one or more health care consumers" means notice, related to a request for identifiable data for secondary use, that meets the following requirements:
(a) The notice:
(i) Must include educational information pertaining to the requesting entity's secondary use of data obtained through an HIE, including why the entity is requesting the data and how it intends to use the data;
(ii) May describe an ongoing scenario such as care coordination or other ongoing care management activities against which subsequent data may be requested by the care management organization from the HIE; in such cases, the potential need for and nature of such requests shall be included in the description of the initial request to the external review board and shall be plainly documented in the notice to health care consumers;
(iii) Must include a clear and detailed description of the steps a health care consumer must take in order to grant authorization for the use of their information or to deny authorization;
(iv) Must provide clear, detailed notice that the health care consumer's failure to respond could result in their information being disclosed without their authorization, if an independent external review committee waives authorization; and
(v) Must have characteristics detailed in Regulation .03B(2)(b)-(g) of this chapter.
(b) The care management organization, or its third party, has provided to each health care consumer whose identifiable information is being requested:
(i) Notice as described above, using varied methods, where possible, to reach the health care consumer;
(ii) The opportunity to submit authorization or denial of authorization through various methods such as email, online, mail, and phone; and
(iii) At least 30 calendar days from the time of the first notice to respond to the notice.
(3) "Authentication" means the process of establishing confidence in user identities electronically presented to an information system.
(5) "Authorized purpose" means the specific reason consistent with this chapter and State and federal law for which an authorized user may use, access, or disclose protected health information through or from an HIE. The authorized purpose may include daily operations and maintenance of the HIE for:
(a) The staff of the HIE who has signed a confidentiality and nondisclosure agreement; and
(b) The staff of the HIE's contractor if the contractor:
(i) Has entered into a business associate agreement with the HIE; and
(ii) Has contractually agreed to limit access to the HIE only to its employees, agents, and independent contractors with a need-to-know; and who are under a confidentiality restriction, which may include a binding work force policy and procedure.
(6) "Authorized user" means an individual identified by a participating organization or a health information exchange, including a health care consumer, who may use, access, or disclose protected health information through or from a health information exchange for a specific authorized purpose and whose HIE access is not currently suspended or terminated under Regulation .05, .07, or .09 of this chapter.
(9) "Core elements of the Master Patient Index (MPI)" are the minimum elements that are:
(a) Required for an HIE to identify a particular patient across separate clinical, financial, and administrative systems; and
(b) Needed to exchange health information electronically.
(10) "Care management organization", in the context of secondary use, means any entity that:
(a) Has a financial or specific care-related responsibilities for individuals with whom they may not have a treatment, payment, or health care operations relationship under 45 CFR Part 164.501(1); and
(b) Has the legal or regulatory authority to exercise the responsibilities stated in §B(10)(a) of this regulation; or
(c) Is operating in accordance with Maryland's All-Payer Model or successor agreement between the Centers for Medicare and Medicaid Services and the State of Maryland,
(d) Does not include a third-party entity engaged by a participating organization to provide care management services on behalf of such participating organization for a primary use.
(11) "Control" means providing a method by which the health care consumer can electronically provide instructions to an HIE regarding the disclosure of the patient's information being made available through the HIE, which may include specifying:
(a) The individuals and organizations to whom the HIE may disclose the patient's health information;
(b) The circumstances (e.g., all, emergency only, inpatient, etc.) under which the patient's health information may be disclosed through the HIE; and
(c) What type of health information may be disclosed, such as prescription history, laboratory reports, hospital encounters, and to whom.
(12) "Core HIE education content" means the educational information developed and approved by the Maryland Health Care Commission, after consultation with interested parties, and includes a general overview of:
(a) The fundamentals of health information technology, including electronic health records and the exchange of electronic health information;
(b) Health information privacy and security laws; and
(c) The benefits and risks to patients of exchanging health information through an HIE as compared to opting-out and exchanging health information through a paper-based system.
(14) "Credentialed professional" means an individual who has been credentialed by a hospital to provide clinical services to patients of the hospital. Credentialing includes the formal evaluation and verification of an individual's necessary qualifications, education, training, and professional license if applicable, through the collection, verification, and evaluation of data relevant to the individual's professional performance.
(15) "Data use agreement" means an agreement that:
(a) Is entered into by an HIE and an entity receiving data for secondary data use purposes, regardless of whether or not the entity is a covered entity as defined by HIPAA; and
(b) Requires:
(i) The receiving entity to accept and comply with the requirements in this chapter and, to the extent the receiving entity meets the definition of a business associate under HIPAA, current State and federal laws pertaining to business associates and business associate agreements;
(ii) Both parties to access, transmit, and protect the PHI in accordance with current legal requirements and industry standards and practices;
(iii) The receiving entity to destroy the PHI, including back-up and archived copies of the PHI, in accordance with industry standards and practices, when the purposes for which it has been requested are completed, unless retention of the PHI is otherwise required by law; and
(iv) The receiving entity not to reuse or disclose the PHI to any person or organization, except as required or permitted by law; or if disclosed to a third party, which will act on behalf of the receiving entity, the third party and the receiving entity enter a contractual agreement that requires the third party to be bound by the provisions of the data use agreement that applies to the receiving entity.
(16) "De-identified data" means health information that neither identifies nor provides a reasonable basis to identify an individual and that meets the standards and specifications provided in 45 CFR § 164.514(a)-(b).
(17) "Disclose" or "disclosure" means the release, redisclosure, transfer, provision, access, transmission, communication, or divulgence in any other manner of information in a medical record, including an acknowledgment that a medical record on a particular patient or recipient exists, outside the entity holding such information.
(18) "Download" means providing a method by which the health care consumer can obtain an electronic copy of the patient's information that:
(a) Is in a readily available industry standard format; and
(b) Allows the health care consumer to save, maintain, use, or transmit the patient's information.
(19) "Electronic health record" or "EHR" means an electronic record of health-related information on an individual that includes patient demographic and clinical health information that may be used for clinical diagnosis, treatment, improvement of health care quality, and patient care.
(20) "Electronic health record system" means technology that electronically captures, manages, and organizes health records and may have the capacity to:
(a) Provide clinical decision support;
(b) Support physician order entry;
(c) Capture and query information relevant to health care quality; and
(d) Exchange electronic health information with and integrate the information from other sources.
(21) "Emergency" has the meaning provided in Health-General Article, § 4-301(d), Annotated Code of Maryland.
(22) "External and independent review committee" means a group of individuals that:
(a) Is responsible for reviewing and making a determination regarding a request for a waiver of authorization related to population care management; and
(b) Shall be minimally composed of:
(i) At least three health care consumer members, three health care provider members, one member representing the scientific community, one member with privacy and legal expertise, and one member with HIE expertise;
(ii) Members who have appropriate professional competencies necessary to review the request; and
(iii) More than half of the members are not affiliated with or related to any person affiliated with the requesting entity and are free from any conflicts of interest with the requesting entity.
(23) "Federalwide assurance" or "FWA" means an agreement between an entity and the United States Department of Health and Human Services under which the entity agrees to comply with:
(a) Federal regulations concerning research involving human subjects;
(c) A statement of principles governing the entity in the discharge of its responsibilities for protecting the rights and welfare of human subjects of research conducted at or sponsored by the entity; and
(d) Other requirements of the agreement.
(24) "Granular patient consent" means expressed preferences made by a health care consumer regarding the disclosure, access, and use of the patient's protected health information according to the type of information, type of provider, purpose, or circumstance communicated by the health care consumer to the HIE through reasonable means specified by the HIE, which shall include paper and electronic means.
(25) "Health care consumer" means a patient or a person in interest, as defined in this regulation.
(26) "Health care provider" means:
(a) A person who is licensed, certified, or otherwise authorized under Health Occupations Article, Annotated Code of Maryland, or Education Article, § 13-516, Annotated Code of Maryland, to provide health care in the ordinary course of business or practice of a profession or in an approved education or training program; or
(b) A facility where health care is provided to patients or recipients, including:
(i) A facility as defined in Health-General Article, § 10-101(e), Annotated Code of Maryland;
(ii) A hospital as defined in Health-General Article, § 19-3010, Annotated Code of Maryland;
(iii) A related institution as defined in Health-General Article, § 19-301(o), Annotated Code of Maryland;
(iv) A State-certified substance use disorder program, as defined in Health-General Article, § 8-403, Annotated Code of Maryland;
(v) A health maintenance organization as defined in Health-General Article, § 19-701(g), Annotated Code of Maryland;
(vi) An outpatient clinic; or
(vii) A medical laboratory;
(c) An agent, employee, officer, or director of a health care facility, or an agent or employee of a health care provider.
(27) "Health information" means any information, whether oral or recorded in any form or medium, that:
(a) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(b) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
(28) "Health information exchange" or "HIE" means an entity that creates or maintains an infrastructure that provides organizational and technical capabilities in an interoperable system for the electronic exchange of protected health information among participating organizations not under common ownership, in a manner that ensures the secure exchange of protected health information to provide care to patients. An HIE includes a payor HIE but does not include an entity that is acting solely as a health care clearinghouse, as defined in 45 CFR § 160.103. A payor may act as, operate, or own an HIE subject to these regulations.
(29) "HIE access matrix" means a document that is used by a participating organization to assign access to each authorized user and describes the type of protected health information (including, but not limited to, lab reports, prescription drug information, prior admissions to hospitals), that each authorized user is allowed to retrieve from an HIE. An HIE access matrix may specify a use case (including but not limited to electronic eligibility, clinical lab ordering/results delivery, electronic prescribing, medication history, clinical summary exchange, and other items) and corresponding associated data, including identified sensitive health information.
(30) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended, and the implementing regulations at 45 CFR Parts 160 and 164, as amended, and including as amended by the HITECH Act.
(31) "HITECH Act" means the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), as amended.
(32) "Hospital" means an institution defined in Health-General Article, § 19-301(f), Annotated Code of Maryland, that is licensed by the Office of Health Care Quality.
(33) "Identifiable data" means any health information that includes personal identifiers, as detailed in 45 CFR § 164.501.
(34) "Institutional Review Board" or "IRB" means a committee or other group designated by an institution or affiliated with a State agency that performs a review of proposed research that has:
(a) Registered with the Office of Human Research Protections Electronic Submission System; and
(b) Obtained FWA approval from the Office of Human Research Protections.
(35) "Master patient index" or "MPI" means a database that maintains a unique index identifier for each patient whose protected health information may be accessible through an HIE and is used to cross reference patient identifiers across multiple participating organizations to allow for patient search, patient matching, and consolidation of duplicate records.
(36) "MHCC" or the "Commission" means the Maryland Health Care Commission.
(37) "Nationally recognized standards" means technical standards for the exchange, integration, sharing, or retrieval of electronic health information considered reliable by the health IT industry nationally.
(38) "Non-HIPAA violation" means an inappropriate use, access, maintenance, or disclosure of health information that is not a HIPAA violation, but is inconsistent with State or federal law or this chapter, including a violation of 42 CFR Part 2.
(39) "Notice" (or "notify" or "notification") means an action that is required to be taken in writing or by written request under this chapter by a person, including an HIE, a health care consumer, a participating organization, or the MHCC, in order to provide information to another that:
(a) Is sent by letter delivered to the person's address of record;
(b) Uses one of the following electronic or digital mechanisms where the delivery is acknowledged or confirmed:
(i) An email, when the receiving person has provided an email address;
(ii) By a health care consumer using the receiver's website; or
(iii) By a health care consumer using a patient portal;
(c) By a health care consumer using telephonic or similar method, provided that a written confirmation of the conversation is provided to the health care consumer by the person receiving the notification or request by the following means:
(i) An email, when the health care consumer has provided an email address and delivery is acknowledged or confirmed; or
(ii) A letter delivered to the health care consumer's address of record; and
(d) Complies with HIPAA and all other applicable federal and State laws and regulations.
(40) "Opt-out" means the explicit written notice by a health care consumer to an HIE that the patient has elected not to participate in the HIE, so that the HIE shall not disclose such patient's protected health information, or data derived from such patient's health information, except as consistent with this chapter.
(42) "Part 2 information" means any information subject to the regulations under 42 CFR Part 2.
(43) "Participating organization" means a covered entity that enters into an agreement with an HIE that governs the terms and conditions under which its authorized users may use, access, or disclose protected health information through the HIE.
(44) "Patient" means an individual who receives health care and on whom a medical record is maintained.
(45) "Payor" means:
(a) An insurer that holds a certificate of authority in the State and provides health benefit plans in the State;
(b) A health maintenance organization that holds a certificate of authority in the State;
(c) A managed care organization authorized to receive Medicaid prepaid capitation payments under Health-General Article, Title 15, Subtitle 1, Annotated Code of Maryland; or
(d) A nonprofit health service plan that holds a certificate of authority in the State.
(46) "Person" means an individual, trust or estate, general or limited partnership, joint stock company, unincorporated association or society, municipal or other corporation, incorporated association, limited liability partnership, limited liability company, the State, an agency or political subdivision of the State, a court, and any other governmental entity.
(47) "Person in interest" means any of the following, but does not include a participating organization:
(a) An adult on whom a health care provider maintains a medical record;
(b) A person authorized to consent to health care for an adult consistent with the authority granted, including without limitation, a guardian, surrogate, or person with a medical power of attorney;
(c) A duly appointed personal representative of a deceased person;
(d) Either:
(i) A minor, if the medical record concerns treatment to which the minor has the right to consent and has consented under Title 20, Subtitle 1 of the Health-General Article, Annotated Code of Maryland; or
(ii) A parent, guardian, custodian, or a representative of the minor designated by a court, in the discretion of the attending physician who provided the treatment to the minor, as provided in Health-General Article, §§ 20-102 and 20-104, Annotated Code of Maryland; or
(e) If §B(45)(d) of this regulation does not apply to a minor:
(i) A parent of the minor, except if the parent's authority to consent to health care for the minor has been specifically limited by a court order or a valid separation agreement entered into by the parents of the minor; or
(ii) A person authorized to consent to health care for the minor consistent with the authority granted; or
(f) An attorney appointed in writing by a person listed in this definition regarding matters subject to this chapter.
(48) "Point-to-point transmission" means a secure electronic transmission of PHI, including, but not limited to, records sent via facsimile or secure clinical messaging service, sent by a single entity that can be read only by the single receiving entity designated by the sender. A point-to-point transmission may be facilitated by an HIE and mirrors a paper-based exchange, such as a referral to a specialist, a discharge summary sent to where the patient is transferred, lab results sent to the practitioner who ordered them, or clinical information sent from a hospital to the patient's health plan for quality improvement or care management/coordination activities for such patient.
(49) "Population care management purpose" means the use of data, for secondary use, available from or through an HIE for population-based activities relating to the improvement of patient and population health or the reduction of health care costs, including but not limited to:
(a) Patient outreach activities that involve care management;
(b) Development or assessment of, quality indicators, patient patterns or outcomes, or support of quality reporting;
(c) Development and evaluation of innovative care delivery models and programs; and
(d) Risk assessment.
(50) "Primary use of HIE data" or "primary use" means use and disclosure of data accessed, used, or disclosed through an HIE for purposes of:
(a) Treatment as defined by HIPAA;
(b) Payment as defined by HIPAA;
(c) Reporting to public health authorities in compliance with reporting required or permitted by law;
(d) Other uses or disclosures required or permitted by law and in accordance with this chapter, including those set forth in Health-General Article, § 4-305(b), Annotated Code of Maryland; or
(e) Health care operations, as defined by HIPAA, for conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.
(51) "Privacy board" means a group of individuals that:
(a) Is responsible for reviewing and making a determination on a request for secondary data for research purposes;
(b) Has the authority consistent with 45 CFR § 164.512, including approval of a waiver or alteration of authorization requirement;
(c) Is designated or convened by the HIE, which may establish guidelines concerning a quorum;
(d) Shall meet the member composition requirements detailed in 45 CFR § 164.512(i)(1)(i)(B)(1) and (3); and
(e) Shall assure that less than half of its members considering a request are affiliated with or related to any person affiliated with the requesting entity.
(52) "Protected health information" or "PHI," a subset of health information, means:
(b) A medical record as defined in the Health-General Article, § 4-301(i); and
(c) Includes sensitive health information.
(54) "Qualified research organization" means an entity that:
(a) Has entered into a data use agreement with the HIE from which data is being requested;
(b) Is determined, by an IRB or privacy board, to have expertise to carry out research specific to its request;
(c) Is determined, by an IRB or privacy board, to have a legitimate and credible reason or obligation to carry out research specific to its request; and
(d) Is a participating organization, public health authority, or is engaged in joint research with a participating organization or public health authority.
(55) "Query" means to electronically search for information available through an HIE using the services provided by the HIE.
(56) "Research" means the use of secondary data available from or through an HIE for the systematic investigation, including research development, testing, preparation, and evaluation, designed to develop or contribute to generalizable knowledge as defined in 45 CFR § 164.501 and 45 CFR § 46.102, including the use of de-identified data and limited data sets.
(57) "Secondary use of HIE data" or "secondary use" means any use or disclosure of data accessed, used or disclosed through an HIE that is not a primary use. Examples of secondary use include, but are not limited to, use of HIE data for conducting research, improving patient safety, marketing, or the sale of HIE data.
(58) "Sensitive health information" means a subset of PHI, which consists of:
(a) Part 2 information; or
(b) Any other information that has specific legal protections in addition to those required under HIPAA or the Maryland Confidentiality of Medical Records Act, which include, but are not limited to, Health-General Article, § 4-307, Annotated Code of Maryland, and the Public Health Services Act, 42 U.S.C. § 290dd-2, as implemented and amended in federal regulations.
(59) "State-designated HIE" means an HIE designated by the Maryland Health Care Commission and the Health Services Cost Review Commission pursuant to the statutory authority set forth under Health-General Article, § 19-143, Annotated Code of Maryland.
(60) "Submit", when used in reference to consumer-submitted data, means providing a method by which the health care consumer can electronically upload information to the HIE to then be made available to authorized users of the HIE.
(61) "System administrator" means an individual employee within a participating organization (or an individual employed by a contractor to the participating organization) who is designated by the participating organization to manage the user accounts of specified individuals within the participating organization in coordination with an HIE.
(62) "Third party system" means hardware or software provided by an external entity to a participating organization, which interoperates with an HIE to allow an authorized user access to information through the HIE and may include an electronic health record system.
(63) "Unusual finding" means an irregularity in the manner in which use, access, maintenance, disclosure, or modification of health information or sensitive health information transmitted to or through an HIE should occur that could give rise to a breach, a violation under this chapter or a violation of other applicable privacy or security laws.
(65) "User accounts" mean the records associated with an authorized user's credentials and activities with an HIE or a third party system.