Md. Code Regs. 10.25.18.02 - Definitions

A. In this chapter, the following terms have the meanings indicated.

B. Terms Defined.

(1) "Adjudication of claims" means the activities necessary for the adjudication or subrogation of a health benefit claim that has been filed or may be filed by a patient, or with the authorization of a patient on the patient's behalf, including:

(a) Determinations of eligibility or coverage, including coordination of benefits or the determination of cost-sharing amounts;

(b) Reasonable prospective, concurrent, or retrospective utilization review or predetermination of benefit coverage;

(c) Review, audit, and investigation of a specific claim for payment of benefits with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(d) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing; and

(e) Risk adjustments based on enrollee health status and demographic characteristics.

(2) "Ancillary clinical service provider" means a health care provider who has a direct contractual agreement with the hospital to provide therapeutic, diagnostic, or custodial ancillary services for the hospital as part of its affiliation. Ancillary services may include skilled nursing, home care, outpatient rehabilitation and therapy, transportation, ambulatory surgery, dialysis, laboratory, radiology, pharmacy, and chemotherapy.

(3) "Application Programming Interface" or "API" has the same meaning as 'Certified API Technology' as stated at 45 CFR § 170.404.

(4) "Appropriate notice to one or more health care consumers" means notice, related to a request for individually identifiable health information for secondary use, that meets the following requirements:

(a) The notice:

(i) Must include educational information pertaining to the requesting entity's secondary use of data obtained through an HIE, including why the entity is requesting the data and how it intends to use the data;

(ii) May describe an ongoing scenario such as care coordination or other ongoing care management activities against which subsequent data may be requested by the care management organization from the HIE; in such cases, the potential need for and nature of such requests shall be included in the description of the initial request to the external review board and shall be plainly documented in the notice to health care consumers;

(iii) Must include a clear and detailed description of the steps a health care consumer must take in order to grant authorization for the use of their information or to deny authorization;

(iv) Must provide clear, detailed notice that the health care consumer's failure to respond could result in their information being disclosed without their authorization, if an independent external review committee waives authorization; and

(v) Must have characteristics detailed in Regulation .03B(2)(b)-(g) of this chapter.

(b) The care management organization, or its third party, has provided to each health care consumer whose identifiable information is being requested:

(i) Notice as described above, using varied methods, where possible, to reach the health care consumer;

(ii) The opportunity to submit authorization or denial of authorization through various methods such as email, online, mail, and phone; and

(iii) At least 30 calendar days from the time of the first notice to respond to the notice.

(5) "Authentication" means the process of establishing confidence in user identities electronically presented to an information system.

(6) "Authorization" has the meaning provided in 45 CFR § 164.508.

(7) "Authorized purpose" means the specific reason consistent with this chapter and State and federal law for which an authorized user may use, access, or disclose protected health information through or from an HIE.The authorized purpose may include daily operations and maintenance of the HIE for:

(a) The staff of the HIE who has signed a confidentiality and nondisclosure agreement; and

(b) The staff of the HIE's contractor if the contractor:

(i) Has entered into a business associate agreement with the HIE; and

(ii) Has contractually agreed to limit access to the HIE only to its employees, agents, and independent contractors with a need-to-know; and who are under a confidentiality restriction, which may include a binding work force policy and procedure.

(8) "Authorized user" means an individual identified by a participating organization or a health information exchange, including a health care consumer, who may use, access, or disclose protected health information through or from a health information exchange for a specific authorized purpose and whose HIE access is not currently suspended or terminated under Regulation .05, .07, or .09 of this chapter.

(9) "Breach" has the meaning provided in 45 CFR § 164.402.

(10) "Business associate" has the meaning provided in 45 CFR § 160.103.

(11) "Business day" means any day except Saturday, Sunday, or a holiday on which State offices are closed.

(12) "Care management organization", in the context of secondary use, means any entity that:

(a) Has a financial or specific care-related responsibilities for individuals with whom they may not have a treatment, payment, or health care operations relationship under 45 CFR Part 164.501(1) ; and

(b) Has the legal or regulatory authority to exercise the responsibilities stated in §B(12)(a) of this regulation; or

(c) Is operating in accordance -with Maryland's All-Payer Model or successor agreement between the Centers for Medicare and Medicaid Services and the State of Maryland,

(d) Does not include a third-party entity engaged by a participating organization to provide care management services on behalf of such participating organization for a primary use.

(13) "Commission" means the Maryland Health Care Commission.

(14) "Consent management application" means a software tool or platform designed to request, receive, store, and manage a person in interest's consent preferences regarding the sharing of the patient's electronic health information through an HIE.

(15) "Control" means providing a method by which the health care consumer can electronically provide instructions to an HIE regarding the disclosure of the patient's information being made available through the HIE, which may include specifying:

(a) The individuals and organizations to whom the HIE may disclose the patient's health information;

(b) The circumstances (e.g., all, emergency only, inpatient, etc.) under which the patient's health information may be disclosed through the HIE; and

(c) What type of health information may be disclosed, such as prescription history, laboratory reports, hospital encounters, and to whom.

(16) "Core elements of the Master Patient Index (MPI)" are the minimum elements that are required for an HIE to identify a particular patient across separate clinical, financial, and administrative systems, as needed for exchanging health information electronically.

(17) "Core HIE education content" means the educational information developed and approved by the Maryland Health Care Commission, after consultation with interested parties, and includes a general overview of:

(a) The fundamentals of health information technology, including electronic health records and the exchange of electronic health information;

(b) Health information privacy and security laws; and

(c) The benefits and risks to patients of exchanging health information through an HIE as compared to opting-out and exchanging health information through a paper-based system.

(18) "Covered entity" has the meaning provided in 45 CFR § 160.103.

(19) "Credentialed professional" means an individual who has been credentialed by a hospital to provide clinical services to patients of the hospital. Credentialing includes the formal evaluation and verification of an individual's necessary qualifications, education, training, and professional license if applicable, through the collection, verification, and evaluation of data relevant to the individual's professional performance.

(20) "Data use agreement" means an agreement that:

(a) Is entered into by an HIE and an entity receiving data for secondary data use purposes, regardless of whether or not the entity is a covered entity as defined by HIPAA; and

(b) Requires:

(i) The receiving entity to accept and comply with the requirements in this chapter and, to the extent the receiving entity meets the definition of a business associate under HIPAA, current State and federal laws pertaining to business associates and business associate agreements;

(ii) Both parties to access, transmit, and protect the PHI in accordance with current legal requirements and industry standards and practices;

(iii) The receiving entity to destroy the PHI, including back-up and archived copies of the PHI, in accordance with industry standards and practices, when the purposes for which it has been requested are completed, unless retention of the PHI is otherwise required by law; and

(iv) The receiving entity not to reuse or disclose the PHI to any person or organization, except as required or permitted by law; or if disclosed to a third party, which will act on behalf of the receiving entity, the third party and the receiving entity enter a contractual agreement that requires the third party to be bound by the provisions of the data use agreement that applies to the receiving entity.

(21) "De-identified data" means health information that neither identifies nor provides a reasonable basis to identify an individual and that meets the standards and specifications provided in 45 CFR § 164.514(a) -(b).

(22) "Disclose" or "disclosure" means the release, redisclosure, transfer, provision, access, transmission, communication, or divulgence in any other manner of health information, including an acknowledgment that a health record on a particular patient or recipient exists, outside the entity holding the information.

(23) "Dispense" has the meaning stated in Health Occupations Article, § 12-101, Annotated Code of Maryland, but does not include giving a patient prescription drug samples in accordance with Health Occupations Article, § 12-102(d), Annotated Code of Maryland.

(24) Dispenser.

(a) "Dispenser" means a person authorized by law to dispense a noncontrolled prescription drug to a patient or a patient's agent in the State, including a nonresident pharmacy so authorized.

(b) "Dispenser" does not include:

(i) A licensed hospital pharmacy that only dispenses a monitored prescription drug for direct administration to an inpatient of the hospital;

(ii) An opioid treatment services program, as defined by COMAR 10.47.07.02;

(iii) A veterinarian licensed under Agriculture Article, Title 2, Subtitle 3, Annotated Code of Maryland;

(iv) A pharmacy issued a waiver permit under COMAR 10.34.17.03 that provides pharmaceutical specialty services exclusively to persons living in assisted living facilities, comprehensive care facilities, and developmental disabilities facilities; or

(v) A pharmacy issued a waiver by the Department under COMAR 10.47.07.03G from reporting dispensing to hospice patients.

(25) "Download" means providing a method by which the health care consumer can obtain an electronic copy of the patient's information that:

(a) Is in a readily available industry standard format; and

(b) Allows the health care consumer to save, maintain, use, or transmit the patient's information.

(26) "Electronic health care transactions" means transactions, as defined by 45 CFR § 160.103, that meet the specifications of 45 CFR § 162.920.

(27) "Electronic health information" means health information that is in an electronic form.

(28) "Electronic health record" or "EHR" means an electronic record of health-related information on an individual that includes patient demographic and clinical health information that may be used for clinical diagnosis, treatment, improvement of health care quality, and patient care.

(29) "Electronic health record system" means technology that electronically captures, manages, and organizes health records and may have the capacity to:

(a) Provide clinical decision support;

(b) Support physician order entry;

(c) Capture and query information relevant to health care quality; and

(d) Exchange electronic health information with and integrate the information from other sources.

(30) "Emergency" has the meaning provided in Health-General Article, § 4-301(d), Annotated Code of Maryland

(31) "External and independent review committee" means a group of individuals that:

(a) Is responsible for reviewing and making a determination regarding a request for a waiver of authorization related to population health management; and

(b) Shall be minimally composed of:

(i) At least three health care consumer members, three health care provider members, one member representing the scientific community, one member with privacy and legal expertise, and one member with HIE expertise;

(ii) Members who have appropriate professional competencies necessary to review the request; and

(iii) More than half of the members are not affiliated with or related to any person affiliated with the requesting entity and are free from any conflicts of interest with the requesting entity.

(32) "Federalwide assurance " or "FWA " means an agreement between an entity and the United States Department of Health and Human Services under which the entity agrees to comply with:

(a) Federal regulations concerning research involving human subjects;

(b) Department of Health and Human Services regulations found at 45 CFR Part 46;

(c) A statement of principles governing the entity in the discharge of its responsibilities for protecting the rights and welfare of human subjects of research conducted at or sponsored by the entity; and

(d) Other requirements of the agreement.

(33) "Granular patient consent" means expressed preferences made by a health care consumer regarding the disclosure, access, and use of the patient's protected health information according to the type of information, type of provider, purpose, or circumstance communicated by the health care consumer to the HIE through reasonable means specified by the HIE, which shall include paper and electronic means.

(34) "Health care" has the meaning provided in Health-General Article, §4-301(g), Annotated Code of Maryland.

(35) "Health care consumer" or "consumer" means a recipient, a patient, or a person in interest, as defined in this regulation.

(36) "Health care provider" has the meaning provided in HealthGeneral Article, §4-301(h), Annotated Code of Maryland.

(37) "Health Data Utility" means an HIE that operates for the following purposes:

(a) The collection, aggregation, and analysis of clinical information, public health data, and electronic administrative health care transactions;

(b) The communication of data between public health officials and health care providers to advance disease control and health equity; and

(c) The enhancement and acceleration of interoperability of health information.

(38) "Health information" means any information, whether oral or recorded in any form or medium, including electronic health information, that:

(a) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(b) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

(39) "Health information exchange" or "HIE" has the meaning provided in HealthGeneral Article §4-301(i), Annotated Code of Maryland.

(40) "Health information technology developer of certified health information technology" or "developer" means an entity that develops, sells, licenses, provides, or offers health information technology, as defined in 42 U.S.C. 300jj(5), to persons in the State and has one or more health information technology modules certified under a program that is kept or recognized by the National Coordinator in accordance with 42 U.S.C. 300jj-11(c)(5).

(41) Health Record.

(a) "Health record" means any health information, in any form or medium, created or transmitted by a participating organization or health care consumer that:

(i) Is entered in the record of a patient or recipient; and

(ii) Identifies or can readily be associated with the identity of a patient or a recipient.

(b) "Health record" includes a medical record as defined in Health-General §4-301(k), Annotated Code of Maryland.

(42) "HIE access matrix" means a document that is used by a participating organization to assign access to each authorized user and describes the type of protected health information (including, but not limited to, lab reports, prescription drug information, prior admissions to hospitals), that each authorized user is allowed to retrieve from an HIE. An HIE access matrix may specify a use case (including but not limited to electronic eligibility, clinical lab ordering/results delivery, electronic prescribing, medication history, clinical summary exchange, and other items) and corresponding associated data, including identified sensitive health information.

(43) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended, and the implementing regulations at 45 CFR Parts 160 and 164, as amended, and including as amended by the HITECH Act.

(44) "HITECH Act" mean the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), as amended.

(45) "Hospital" has the meaning provided in Health-General Article, §19-301(f), Annotated Code of Maryland.

(46) "Improvement of patient safety" means actions, strategies, or protocols to prevent health care errors, enhance the quality of care, and ensure a safe health care environment.

(47) "Individually identifiable health information" has the meaning provided in 45 CFR § 160.103 and includes any health information that contains personal identifiers, as detailed in 45 CFR § 164.514(b).

(48) "Institutional Review Board" or "IRB" means a committee or other group designated by an institution or affiliated with a State agency that performs a review of proposed research that has:

(a) Registered with the Office of Human Research Protections Electronic Submission System; and

(b) Obtained FWA approval from the Office of Human Research Protections.

(49) "Interoperability" has the meaning provided in 45 CFR § 170.102.

(50) "Legally protected health information" means the health information with a date of service after May 31, 2022, that is subject to restrictions under Health-General Article, §4-302.5, Annotated Code of Maryland, and COMAR 10.11.08, including:

(a) Mifepristone data, as defined by the Secretary; and

(b) As specified by the Secretary, the diagnosis, procedure, medication, and other codes related to:

(i) Abortion care; and

(ii) Sensitive health services, as defined by Health-General, §4-301, Annotated Code of Maryland.

(51) "Master patient index" or "MPI" means a database that maintains a unique index identifier for each patient whose protected health information may be accessible through an HIE and is used to cross reference patient identifiers across multiple participating organizations to allow for patient search, patient matching, and consolidation of duplicate records.

(52) "MHCC" or the "Commission" means the Maryland Health Care Commission.

(53) "Nationally recognized standards" means technical standards for the exchange, integration, sharing, or retrieval of electronic health information considered reliable by the health IT industry nationally.

(54) "Noncontrolled Prescription Drugs" means a prescription drug, as defined in the Health Occupations Article § 21 201, that is not a controlled dangerous substance designated under Criminal Law Article, Title 5, Subtitle 4, Annotated Code of Maryland.

(55) "Non-HIPAA violation" means an inappropriate use, access, maintenance, or disclosure of health information that is not a HIPAA violation, but is inconsistent with State or federal law or this chapter, including a violation of 42 CFR Part 2.

(56) "Notice" (or "notify" or "notification") means an action that is required to be taken in writing or by written request under this chapter by a person, including an HIE, a health care consumer, a participating organization, or the Commission, in order to provide information to another that:

(a) Is sent by letter delivered to the person's address of record;

(b) Uses one of the following electronic or digital mechanisms where the delivery is acknowledged or confirmed:

(i) An email, when the receiving person has provided an email address;

(ii) By a health care consumer using the receiver's website; or

(iii) By a health care consumer using a patient portal;

(c) By a health care consumer using telephonic or similar method, provided that a written confirmation of the conversation is provided to the health care consumer by the person receiving the notification or request by the following means:

(i) An email, when the health care consumer has provided an email address and delivery is acknowledged or confirmed; or

(ii) A letter delivered to the health care consumer's address of record; and

(d) Complies with HIPAA and all other applicable federal and State laws and regulations.

(57) "Opt out" means the explicit written notice by a health care consumer to an HIE or through the consent management application that the patient has elected not to participate in the HIE, so that the HIE shall not disclose such patient's protected health information, or data derived from such patient's health information, except as consistent with this chapter.

(58) "Part 2" means the federal Confidentiality of Substance Use Disorder Patient Records regulations found in 42 CFR Part 2 and supplemented by the final rule 82 FR 6052.

(59) "Part 2 information" means any information subject to the regulations under 42 CFR Part 2.

(60) "Participating organization" means a covered entity that enters into an agreement with an HIE that governs the terms and conditions under which its authorized users may use, access, or disclose protected health information through the HIE.

(61) "Patient" means an individual who receives health care and on whom a medical record is maintained.

(62) "Payor" means:

(a) An insurer that holds a certificate of authority in the State and provides health benefit plans in the State;

(b) A health maintenance organization that holds a certificate of authority in the State;

(c) A managed care organization authorized to receive Medicaid prepaid capitation payments under Health-General Article, Title 15, Subtitle 1, Annotated Code of Maryland; or

(d) A nonprofit health service plan that holds a certificate of authority in the State

(63) "Person" means an individual, trust or estate, general or limited partnership, joint stock company, unincorporated association or society, municipal or other corporation, incorporated association, limited liability partnership, limited liability company, the State, an agency or political subdivision of the State, a court, and any other governmental entity.

(64) "Person in interest" means any of the following, but does not include a participating organization:

(a) An adult on whom a health care provider maintains a medical record;

(b) A person authorized to consent to health care for an adult consistent with the authority granted, including without limitation, a guardian, surrogate, or person with a medical power of attorney;

(c) A duly appointed personal representative of a deceased person;

(d) Either:

(i) A minor, if the medical record concerns treatment to which the minor has the right to consent and has consented under Title 20, Subtitle 1 of the Health-General Article, Annotated Code of Maryland; or

(ii) A parent, guardian, custodian, or a representative of the minor designated by a court, in the discretion of the attending physician who provided the treatment to the minor, as provided in Health-General Article, §§ 20 -102 and 20-104, Annotated Code of Maryland; or

(e) If §B(55)(d) of this regulation does not apply to a minor:

(i) A parent of the minor, except if the parent's authority to consent to health care for the minor has been specifically limited by a court order or a valid separation agreement entered into by the parents of the minor; or

(ii) A person authorized to consent to health care for the minor consistent with the authority granted; or

(f) An attorney appointed in writing by a person listed in this definition regarding matters subject to this chapter.

(65) "Point-to-point transmission" means a secure electronic transmission of PHI, including, but not limited to, records sent via facsimile or secure clinical messaging service, sent by a single entity that can be read only by the single receiving entity designated by the sender. A point-to-point transmission may be facilitated by an HIE and mirrors a paper-based exchange, such as a referral to a specialist, a discharge summary sent to where the patient is transferred, lab results sent to the practitioner who ordered them, or clinical information sent from a hospital to the patient's health plan for quality improvement or care management/coordination activities for such patient.

(66) "Population health management purpose" means the use of data, for secondary use, available from or through an HIE for population-based activities relating to the improvement of patient and population health or the reduction of health care costs, including but not limited to:

(a) Patient outreach activities that involve care management;

(b) Development or assessment of, quality indicators, patient patterns or outcomes, or support of quality reporting;

(c) Development and evaluation of innovative care delivery models and programs; and

(d) Risk assessment.

(67) "Primary use of HIE data" or "primary use" means use and disclosure of data accessed, used, or disclosed through an HIE for purposes of:

(a) Treatment as defined by HIPAA;

(b) Payment as defined by HIPAA;

(c) Reporting to public health authorities in compliance with reporting required or permitted by law;

(d) Other uses or disclosures required or permitted by law and in accordance with this chapter, including those set forth in Health-General Article, § 4-305(b), Annotated Code of Maryland; or

(e) Health care operations, as defined by HIPAA, for conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.

(68) "Privacy board" means a group of individuals that:

(a) Is responsible for reviewing and making a determination on a request for secondary data for research purposes;

(b) Has the authority consistent with 45 CFR § 164.512, including approval of a waiver or alteration of authorization requirement;

(c) Is designated or convened by the HIE, which may establish guidelines concerning a quorum;

(d) Shall meet the member composition requirements detailed in 45 CFR § 164.512(i)(1)(i)(B)(1) and (3); and

(e) Shall assure that less than half of its members considering a request are affiliated with or related to any person affiliated with the requesting entity.

(69) "Protected health information" or "PHI," a subset of health information, means:

(a) Protected health information as defined in 45 CFR § 160.103, or

(b) A medical record as defined in the Health-General Article, §4-301(i); and

(c) Includes sensitive health information.

(70) "Public health authority" has the meaning provided in 45 CFR § 164.501.

(71) "Qualified research organization" means an entity that:

(a) Has entered into a data use agreement with the HIE from which data is being requested;

(b) Is determined, by an IRB or privacy board, to have expertise to carry out research specific to its request;

(c) Is determined, by an IRB or privacy board, to have a legitimate and credible reason or obligation to carry out research specific to its request; and

(d) Is a participating organization, public health authority, or is engaged in joint research with a participating organization or public health authority.

(72) "Query" means to electronically search for information available through an HIE using the services provided by the HIE.

(73) "Research" means the use of secondary data available from or through an HIE for the systematic investigation, including research development, testing, preparation, and evaluation, designed to develop or contribute to generalizable knowledge as defined in 45 CFR § 164.501 and 45 CFR § 46.102, including the use of de-identified data and limited data sets.

(74) "Secondary use of HIE data" or "secondary use" means any use or disclosure of data accessed, used or disclosed through an HIE that is not a primary use. Examples of secondary use include, but are not limited to, use of HIE data for conducting research, improving patient safety, marketing, or the sale of HIE data.

(75) "Secretary" means the Secretary of Health.

(76) "Sensitive health information" means a subset of PHI, which consists of:

(a) Part 2 information;

(b) Legally protected health information; or

(c) Any other information that has specific legal protections in addition to those required under HIPAA or the Maryland Confidentiality of Medical Records Act.

(77) "State-designated HIE" means an HIE designated by the Maryland Health Care Commission and the Health Services Cost Review Commission pursuant to the statutory authority set forth under Health-General Article, §19-143, Annotated Code of Maryland.

(78) "State health improvement program" means a State initiative designed to enhance public health through strategic planning, targeted interventions, and collaboration with stakeholders and the federal government, including State efforts in support of the Total Cost of Care model and successor models agreed to by the federal government and the State.

(79) "Submit", when used in reference to consumer-submitted data, means providing a method by which the health care consumer can electronically upload information to the HIE to then be made available to authorized users of the HIE.

(80) "System administrator" means an individual employee within a participating organization (or an individual employed by a contractor to the participating organization) who is designated by the participating organization to manage the user accounts of specified individuals within the participating organization in coordination with an HIE.

(81) "Third party system" means hardware or software provided by an external entity to a participating organization, which interoperates with an HIE to allow an authorized user access to information through the HIE and may include an electronic health record system.

(82) "21st Century Cures Act" means the 21st Century Cures Act, P.L. 114-255, as amended, and the pertinent regulations at 45 CFR Parts 156, 170, and 171 and 42 CFR Parts 422, 431, 438, 457, 482, and 485.

(83) "Unusual finding" means an irregularity in the manner in which use, access, maintenance, disclosure, or modification of health information or sensitive health information transmitted to or through an HIE should occur that could give rise to a breach, a violation under this chapter or a violation of other applicable privacy or security laws.

(84) "Use" has the meaning provided in 45 CFR § 160.103.

(85) "User accounts" mean the records associated with an authorized user's credentials and activities with an HIE or a third party system.

Notes

Md. Code Regs. 10.25.18.02

Regulation .02 amended effective 41:5 Md. R. 344, eff. 3/17/2014; amended effective 43:12 Md. R. 666, eff. 6/20/2016; amended effective 44:12 Md. R. 588, eff. 6/19/2017; amended effective 45:16 Md. R. 775, eff. 8/13/2018; amended effective 51:3 Md. R. 152, eff. 1/9/2024, exp. 7/7/2024(Emergency); amended effective 51:9 Md. R. 440, eff. 5/13/2024; amended effective 52:7 Md. R. 322, eff. 4/14/2025.