Md. Code Regs. 10.25.18.03 - Rights of a Health Care Consumer Concerning Information Accessed, Used, or Disclosed Through an HIE
A. A health care consumer has the following rights in accordance with the requirements specified in this section:
(1) The right to have information regarding the health care consumer's rights under these regulations readily available to assist the health care consumer in making an informed decision concerning:
(a) The accessibility of a patient's protected health information electronically through an HIE; and
(b) The risks and benefits of participating in the HIE.
(2) The right to opt out of an HIE.
(a) A health care consumer has the right to opt out of an HIE at any time and refuse access to the patient's PHI through an HIE, except when a disclosure is limited to:
(i) Core elements of the MPI;
(ii) A disclosure that a person is required to make under federal or State law requirements;
(iii) Results of a diagnostic procedure sent to the health care provider who ordered the procedure or another provider as designated by the ordering provider as part of the care delivery of a patient;
(iv) Information regarding prescription medications dispensed or filled by a pharmacy, sent to the health care provider who ordered the prescriptions or another health care provider as designated by the ordering health care provider;
(v) Public health authorities for reporting purposes required, authorized, or otherwise compliant with applicable law; or
(vi) Communications permitted under HIPAA or State law without a health care consumer's consent or authorization when using point-to-point.
(b) Provided, however, that §A(2)(a)(iii), (iv), and (vi) of this regulation shall not apply to disclosures of sensitive health information, which receive additional protections consistent with Regulation .04 of this chapter.
(c) A health care consumer shall be advised in writing by the HIE receiving the opt-out notice or request that opting out does not preclude any participating organization that has received or accessed PHI via the HIE prior to such opt-out, and incorporated such PHI into its records, from retaining such information in its records.
(3) The right to the additional protections to and restrictions for disclosure of a patient's sensitive health information provided by State or federal law and consistent with Regulation .04 of this chapter.
(4) The right to resume participation in an HIE after previously opting out in accordance with these regulations. Any such resumption of participation shall be upon written notice or request by the health care consumer.
B. An HIE shall provide needed information about the HIE to a health care consumer whose protected health information is maintained by a health information exchange, or may be accessed, used, or disclosed through the HIE.
(1) An HIE shall develop, adopt, implement, and keep current a health care consumer education plan that considers stakeholder input.
(a) The health care consumer education plan shall include the core HIE education content as defined in Regulation .02 of this chapter.
(b) The health care consumer education plan shall outline how the HIE will make available the following information to health care consumers:
(i) A description of each type of patient health information that may be used, accessed or disclosed through the HIE;
(ii) The health information maintained by the HIE;
(iii) The specific details concerning who may access, use, or disclose a patient's health information and for what purpose;
(iv) The privacy and security measures that the HIE has implemented to protect health information, and a detailed explanation of what happens if there is a breach that results in unauthorized access to protected health information;
(v) A health care consumer's rights regarding the HIE and the control over, protection of, use of, and correction of each type of health information;
(vi) The process provided for a health care consumer to exercise the health care consumer's rights, including a detailed description of the steps a health care consumer needs to take in order to opt out from participation in the HIE;
(vii) The implications of a health care consumer's decision to opt out of participation in an HIE and not permit the disclosure of that consumer's PHI to authorized users, except as otherwise permitted under applicable law; and
(viii) The HIE's policies and procedures, including without limitation, policies and procedures consistent with these regulations regarding how the health care consumer may gain access to the patient's health information.
(2) An HIE shall develop and implement health care consumer education materials as provided in §B(1) of this regulation. Such education materials shall have the following characteristics:
(a) Provide a balanced perspective, outlining the various points of view concerning each subject matter, including the risks and benefits associated with sharing protected health information electronically through the HIE;
(b) Are not inaccurate or misleading;
(c) Minimize the use of technical terms and, when such terms are necessary, clearly define the technical terms;
(d) Use plain language that is easily understandable to each health care consumer population served, taking into account the various levels of education, understanding, and interest across that population;
(e) Use text and illustrations that are culturally sensitive, language appropriate, and that recognize user diversity including ethnicity, age, race, and gender;
(f) Update material to include and incorporate new information; and
(g) Specify the time sensitivity of any material included.
(3) An HIE shall cooperate with applicable State agencies to educate health care consumers consistent with a statewide education plan approved by such applicable State agency.
(4) An HIE shall make health care consumer educational materials readily available, at no charge, to participating organizations and the participating organizations' users through distribution channels such as websites, postal mail, email, secure third-party smart phone applications, and any other reasonable media or distribution channel commonly used and generally available to the HIE and health care consumer.
(5) In addition to the foregoing requirements, with regard to sensitive health information, the health care consumer educational content shall include:
(a) The scope of sensitive health information;
(b) The health care consumer's right to control sensitive health information;
(c) The method by which to engage in the granular patient consent process;
(d) The method or methods by which the health care consumer can access the patient's own sensitive health information;
(e) The circumstances under which an HIE must restrict or may disclose legally protected health information; and
(f) The method by which a health care consumer can request that a patient's legally protected health information be disclosed to a specific health care provider.
(6) When an HIE updates its health care consumer educational content, the HIE shall timely make the updated materials available to health care consumers.
C. An HIE shall comply with the following requirements to allow a health care consumer to obtain information concerning a patient's PHI that may be available through the HIE.
(1) An HIE shall provide the following information to the health care consumer, upon written notice or request by the health care consumer, describing what PHI is available through the HIE concerning the specified patient:
(a) The participating organization that disclosed the PHI to the HIE;
(b) The date the PHI was disclosed to the HIE; and
(c) The type of PHI disclosed to the HIE, if known by the HIE.
(2) An HIE shall provide written information, in accordance with this Regulation, to health care consumers concerning the methods available to such health care consumers to access a patient's PHI that is available through the HIE.
(a) If the patient's PHI is directly available electronically to the health care consumer through the HIE, the HIE shall advise the health care consumer how to obtain the PHI electronically.
(b) If the patient's PHI is not directly available electronically to the health care consumer through the HIE, the HIE shall, within 7 days from receipt of such health care consumer's written notice or request, provide the health care consumer with the contact information for each participating organization that has disclosed information to the HIE and received information from the HIE concerning the patient, so that the health care consumer may gain access to the patient's health information directly from each participating organization.
(3) An HIE shall make a good faith effort to facilitate a health care consumer's amendment of the patient's health information available through the HIE by informing the health care consumer how to seek amendment of the information.
(a) An HIE shall send information regarding the process for amending health information being made available through the HIE within 20 days of receiving notice from a health care consumer of a desire to amend the patient's health information available through the HIE and shall include the contact information of relevant participating organizations that provided the information; and
(b) This process shall be in accordance with the requirements specified in Health-General Article, §4-304(b), Annotated Code of Maryland and HIPAA, including 45 CFR §164.526.
(c) An HIE shall make a good faith effort to notify the participating organization of each authorized user who has accessed, used, or disclosed the health information that has subsequently been amended.
(4) Upon receipt of written notice or request, an HIE shall provide each health care consumer with a report detailing any disclosure through the HIE for a time period specified by the health care consumer, of the patient's PHI. In the case of recurring disclosures to the same entity for the same purpose, a summary report may be provided by the HIE. However, if the health care consumer requests the details of the summary report, the HIE shall promptly provide them.
(a) The time period specified by the health care consumer shall not exceed the data retention period as specified in the HIPAA Privacy Rule, 45 CFR §164.528.
(b) The report shall specify the following for each instance that the patient's PHI was disclosed during the time frame reflected in the report:
(i) The name of each authorized user;
(ii) The name of the participating organization to which the authorized user is affiliated, if such information is kept by the HIE in the ordinary course of business;
(iii) The date and time of the disclosure;
(iv) The type of PHI disclosed, if known by the HIE; and
(v) The name of the participating organization that made the protected health information available to the HIE.
(c) An HIE shall acknowledge a health care consumer's written notice or request for the report within 10 business days of receipt of the request.
(d) An HIE shall respond to a health care consumer's written notice or request with either the requested report or with a written explanation why such report is unavailable, when it will be available, or where the health care consumer may obtain the requested information, in accordance with 45 CFR §164.528(a)(2)(D)(3). The HIE shall respond within a reasonable time frame, but not later than 30 days of the initial written notice or request by the health care consumer.
(i) An HIE shall provide up to two copies annually of the report at no cost to the health care consumer, upon written notice or request by the consumer. If the report is available in an electronic format, it shall be provided to the consumer in a generally available electronic format such as PDF, if so requested, at no additional charge.
(ii) For any additional report, the HIE may charge a reasonable fee not to exceed the cost to provide the additional report, but no more than the allowable amount in accordance with Health-General Article, §4-304, Annotated Code of Maryland, and 45 CFR §164.524(c)(4).
D. Consent Management Application.
(1) The State-designated HIE shall implement a consent management application that:
(a) Allows a person in interest to opt out of or opt in to having a patient's electronic health information shared or disclosed by an HIE;
(b) Allows a person in interest to view the interested patient's opt-out status;
(c) Informs the person in interest of the types of electronic health information that may be shared or disclosed by the State-designated HIE in accordance with §A(2)(a) of this regulation notwithstanding the choice to opt out;
(d) Enables HIEs to readily identify information as to whether a person in interest has opted out of sharing the patient's electronic health information; and
(e) At least includes:
(i) Personal identifiers consisting of the full name, date of birth, mailing address, telephone number, medical record number, and other unique identifiers of the patient and person in interest, if not the patient;
(ii) The person in interest's communication contact preferences;
(iii) The relationship of the person in interest to the patient; and
(iv) The date the patient's consent preferences were last updated.
(2) Within 12 months of the effective date of this regulation, the State-designated HIE shall make the consent management application it develops available to registered HIEs.
(3) The State-designated HIE shall implement the consent management application with a secure electronic interface that supports standardized interoperability between various recipient HIE systems.
(4) HIE Connection to the Consent Management Application.
(a) Exception. Section D(4)(b) of this regulation does not apply to an HIE that solely exchanges electronic health information with other HIEs and does not have any health care providers as a participating organization.
(b) An HIE shall:
(i) Establish bi-directional connectivity with the consent management application within 12 months of receiving notification from the State-designated HIE that the application is operational;
(ii) Update the HIE's system with the most recent version of the consent management application data at least every 5 business days;
(iii) Update the consent management application with any opt-out or opt-in requests it has received from an HIE or directly from a person in interest within 5 business days;
(iv) Withhold sharing or disclosure of the electronic health information of a patient to the extent the consent management application indicates that the patient has opted out of having electronic health information shared or disclosed by an HIE, except to the extent permitted by §A(2) of this regulation; and
(v) Electronically notify authorized users when a patient has restricted data sharing.
(5) An HIE shall implement the consent management application in a manner that is consistent with this chapter, its existing policies and procedures regarding use and disclosure of PHI and other personal identifiable information, and its technological capabilities.
(6) An HIE shall place a link on its website directing a person in interest to the State-designated HIE's website to globally opt out or opt in to having a patient's electronic health information shared or disclosed by an HIE.
(7) An HIE shall continue to accept opt-out and opt-in requests from health care consumers directly.
(8) The State-designated HIE shall promptly notify the Commission and all HIEs any time the consumer management application is not operational and when services are resumed.
(9) An HIE is not required to comply with §D(4)(b) of this regulation when:
(a) An emergency exists and all requirements under Regulation .11 of this chapter have been met; or
(b) The consent management application is not operational.
(10) Section D of this regulation shall be in addition to any restrictions on the disclosure of sensitive health information, consistent with Regulation .04 of this chapter.
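The disclosure gate that §D(4)(b)(iv) requires (withhold when the consent management application shows an opt-out, except for the §A(2)(a) purposes, minus the sensitive-information carve-out in §A(2)(b)), the 5-business-day refresh window of §D(4)(b)(ii), and the per-disclosure accounting fields of §C(4)(b) with the summary row §C(4) allows for recurring disclosures, as an added Python illustration. This is not code from the regulation, from the State-designated HIE, or from any HIE; the `Purpose` categories, the `sensitive` flag, the `ConsentRecord` and `DisclosureEntry` shapes, and all sample records are constructed for the example.

```python
"""Consent gate and disclosure accounting modelled on COMAR 10.25.18.03 §A(2), §C(4)(b)
and §D(4)(b). Added illustration, not code from the regulation or from any HIE; the
Purpose categories, the `sensitive` flag, the record shapes and all sample data are
constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from enum import Enum, auto
from typing import Dict, List, Tuple


class Purpose(Enum):
    MPI_CORE = auto()           # §A(2)(a)(i)
    LEGALLY_REQUIRED = auto()   # §A(2)(a)(ii)
    DIAGNOSTIC_RESULT = auto()  # §A(2)(a)(iii)
    PHARMACY_FILL = auto()      # §A(2)(a)(iv)
    PUBLIC_HEALTH = auto()      # §A(2)(a)(v)
    POINT_TO_POINT = auto()     # §A(2)(a)(vi)
    TREATMENT_QUERY = auto()    # ordinary record lookup; no exception applies (constructed)


# §A(2)(a): the only purposes an opt-out does not block
OPT_OUT_EXCEPTIONS = set(Purpose) - {Purpose.TREATMENT_QUERY}
# §A(2)(b): exceptions (iii), (iv) and (vi) do not reach sensitive health information
NOT_FOR_SENSITIVE = {Purpose.DIAGNOSTIC_RESULT, Purpose.PHARMACY_FILL, Purpose.POINT_TO_POINT}


@dataclass
class ConsentRecord:            # subset of the §D(1)(e) fields (constructed shape)
    patient_id: str
    opted_out: bool
    last_updated: date          # §D(1)(e)(iv)


@dataclass
class DisclosureEntry:          # the §C(4)(b) fields, one row per disclosure (constructed shape)
    authorized_user: str        # (i)
    organization: str           # (ii) organization the user is affiliated with
    when: datetime              # (iii)
    phi_type: str               # (iv)
    source_organization: str    # (v)
    purpose: Purpose


def business_days_since(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end`."""
    return sum(1 for n in range(1, (end - start).days + 1)
               if (start + timedelta(days=n)).weekday() < 5)


def consent_sync_overdue(last_sync: date, today: date) -> bool:
    """§D(4)(b)(ii): the local copy of consent data must be refreshed at least every 5 business days."""
    return business_days_since(last_sync, today) > 5


def may_disclose(consent: ConsentRecord, purpose: Purpose, sensitive: bool) -> Tuple[bool, str]:
    """§D(4)(b)(iv): withhold when the patient has opted out, except as §A(2) permits.
    Deny by default: a purpose that matches no exception is refused."""
    if not consent.opted_out:
        return True, "patient participating"
    if purpose not in OPT_OUT_EXCEPTIONS:
        return False, "opted out; no §A(2)(a) exception applies"
    if sensitive and purpose in NOT_FOR_SENSITIVE:
        return False, f"opted out; {purpose.name} exception does not reach sensitive information (§A(2)(b))"
    return True, f"opted out; permitted by §A(2)(a) {purpose.name}"


class AccountingLog:
    """Keeps every disclosure that passed the gate, so the §C(4) report can be produced."""

    def __init__(self) -> None:
        self.entries: List[DisclosureEntry] = []

    def record(self, consent: ConsentRecord, sensitive: bool, entry: DisclosureEntry) -> Tuple[bool, str]:
        allowed, reason = may_disclose(consent, entry.purpose, sensitive)
        if allowed:                      # denied attempts never reach the accounting log
            self.entries.append(entry)
        return allowed, reason

    def report(self, start: datetime, end: datetime) -> List[Dict]:
        """Itemised report for the period; recurring disclosures to the same entity for the
        same purpose collapse into one summary row with a count (§C(4))."""
        groups: Dict[Tuple[str, Purpose], List[DisclosureEntry]] = defaultdict(list)
        for e in self.entries:
            if start <= e.when <= end:
                groups[(e.organization, e.purpose)].append(e)
        rows = []
        for (org, purpose), es in sorted(groups.items(), key=lambda kv: (kv[0][0], kv[0][1].name)):
            if len(es) == 1:
                e = es[0]
                rows.append({"organization": org, "purpose": purpose.name, "user": e.authorized_user,
                             "when": e.when.isoformat(), "phi_type": e.phi_type, "source": e.source_organization})
            else:
                rows.append({"organization": org, "purpose": purpose.name, "summary": True, "count": len(es),
                             "first": min(e.when for e in es).isoformat(), "last": max(e.when for e in es).isoformat()})
        return rows


def demo() -> Tuple[List[Tuple[bool, str]], List[Dict]]:
    """Constructed sample: one opted-out patient and four attempted disclosures."""
    consent = ConsentRecord("PAT-0001", opted_out=True, last_updated=date(2024, 1, 2))
    log = AccountingLog()
    attempts = [  # (sensitive?, entry) -- all names and dates are made up
        (False, DisclosureEntry("dr.lee", "County Health Dept", datetime(2024, 2, 1, 9), "immunization", "Hospital B", Purpose.PUBLIC_HEALTH)),
        (False, DisclosureEntry("dr.lee", "County Health Dept", datetime(2024, 2, 8, 9), "immunization", "Hospital B", Purpose.PUBLIC_HEALTH)),
        (False, DisclosureEntry("nurse.k", "Clinic A", datetime(2024, 2, 9, 14), "encounter summary", "Hospital B", Purpose.TREATMENT_QUERY)),
        (True, DisclosureEntry("rx.bot", "Clinic A", datetime(2024, 2, 10, 8), "medication fill", "Hospital B", Purpose.PHARMACY_FILL)),
    ]
    decisions = [log.record(consent, sensitive, entry) for sensitive, entry in attempts]
    return decisions, log.report(datetime(2024, 1, 1), datetime(2024, 12, 31))
```

In the sample, the two public-health reports go through despite the opt-out and collapse into one summary row with a count of 2 in the report; the ordinary treatment query is refused because no §A(2)(a) exception covers it, and the pharmacy fill is refused because the information is flagged sensitive and §A(2)(b) removes the (iv) exception for sensitive health information. `consent_sync_overdue` is the check an HIE would run before trusting its local copy of the consent data.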
E. An HIE shall:
(1) Establish and maintain an online process that allows health care consumers to obtain an electronic report detailing any disclosures of their information through the HIE in accordance with §C(4)(b) of this regulation; and
(2) Implement and maintain compliance with the provisions detailed in Regulation .12A(1)(7), B(1)(2), and C(4)(b)(d) of this chapter in implementing §E(1) of this regulation.
F. An HIE shall take affirmative steps to protect a patient's protected health information, including sensitive health information, that is accessible to or through the HIE from a breach or a non-HIPAA violation.
(1) An HIE shall have an easily accessible and convenient method by which a person may notify the HIE concerning a potential or an actual breach or a non-HIPAA violation.
(2) When an HIE is notified in writing of a potential or an actual breach or a non-HIPAA violation, the HIE shall:
(a) Acknowledge receipt of the notification within 1 business day;
(b) Begin an investigation concerning the matter upon receipt of the notification in compliance with Regulation .07 of this chapter; and
(c) In accordance with Regulation .08 of this chapter, provide the person filing the notification and each health care consumer whose protected health information was breached with information concerning the determination and resolution of the matter by the HIE.
(3) An HIE shall implement robust technical measures consistent with generally accepted industry best practices to assure valid patient identification and minimize patient record mismatches.
G. An HIE shall implement a process to allow a health care consumer to make an educated decision regarding the patient's participation in an HIE, opting out from such participation, or opting to resume participation in the HIE system, in accordance with this regulation.
(1) An HIE shall maintain a log that records each patient's participation status over time; and
(a) The HIE shall retain the log for the duration required by State or federal law, whichever requires a longer retention; and
(b) The HIE shall keep the log in a retrievable storage medium.
(2) An HIE may not disclose a patient's PHI if the health care consumer has submitted a written notice or request to opt out of the HIE in accordance with §A(2) of this regulation except as otherwise permitted under applicable law and in accordance with this chapter.
(3) An HIE may not disclose information derived from a patient's PHI, including for secondary use, if the health care consumer has submitted a written notice or request to opt out of the HIE, except as otherwise permitted under applicable law.
(4) An HIE may not unreasonably deny a health care consumer's expressed preferences.
H. The following requirements shall apply to all communications between an HIE and a health care consumer:
(1) An HIE shall implement a process to allow a health care consumer to communicate with the HIE about the patient's participation status through an appropriate medium of the health care consumer's choice, including the following:
(a) By telephone, via a toll-free number;
(b) By mail, via a standardized form;
(c) By fax, via a standardized form;
(d) Online, via a secure website; and
(e) In person at the HIE's offices during business hours.
(2) A health care consumer's communication opting out or opting in to an HIE shall be made:
(a) In writing;
(b) Online; or
(c) By telephone, if the HIE confirms the action with a written communication to the health care consumer in accordance with §H(5)(a) and (b) of this regulation.
(3) An HIE shall take appropriate measures to assure that a health care consumer who communicates with the HIE is authorized to act on behalf of the patient.
(4) An HIE shall implement the health care consumer's requested action within 5 business days of receipt of the health care consumer's written or online request concerning:
(a) Opting out of the HIE; and
(b) Resuming participation in the HIE after previously opting out.
(5) An HIE shall provide to each health care consumer the option to receive confirmation of any change in the patient's participation status. If a health care consumer requests such confirmation in writing, the HIE shall:
(a) Send the confirmation of participation status change within 3 business days of the effective date of change of such patient's participation status; and
(b) If consistent with all applicable privacy and security law and regulations, including HIPAA and applicable State law and regulations, send the confirmation of status change through one of the following methods as specified by the health care consumer:
(i) An email sent to the email address specified by the health care consumer;
(ii) A letter to an address specified by the health care consumer;
(iii) A letter by fax to a fax number specified by the health care consumer;
(iv) A letter given to the health care consumer at the HIE during normal business hours; or
(v) A text message sent to the number specified by the health care consumer.
(6) When a health care consumer changes the patient's participation status, the HIE shall provide the following to the health care consumer and, unless the patient is a minor or subject to a power of attorney or otherwise unable to handle his or her own affairs, to the patient:
(a) Information concerning when the status change will become effective; and
(b) Information concerning what information will be excluded from the HIE regarding a health care consumer who opts out.
I. A participating organization shall comply with the following requirements to assure patient and health care consumer rights.
(1) A participating organization shall inform each health care consumer no later than the first medical encounter following enrollment of the organization in an HIE, by written and oral notice, of:
(a) Such organization's participation in an HIE, including in such organization's Notice of Privacy Practices under HIPAA;
(b) Information concerning the health care consumer's right to opt out from participation in the HIE and the process to opt out; and
(c) The types of information the participating organization will disclose to the HIE and for what purposes information accessed through the HIE may be used for treatment, payment, health care operations, and secondary use as described in this chapter.
(2) In addition to applicable HIPAA notification requirements, a participating organization shall notify each health care consumer whose protected health information, including sensitive health information, is breached or is maintained, accessed, used, or disclosed in a manner that constitutes a non-HIPAA violation in accordance with Regulation .08 of this chapter.
Notes
State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.
A. A health care consumer has the following rights in accordance with the requirements specified in this section:
(1) The right to have information regarding the health care consumer 's rights under these regulations readily available to assist the health care consumer in making an informed decision concerning:
(a) The accessibility of a patient 's protected health information electronically through an HIE ; and
(b) The risks and benefits of participating in the HIE .
(2) The right to opt out of an HIE .
(a) A health care consumer has the right to opt out of an HIE at any time and refuse access to the patient 's PHI through an HIE , except when a disclosure is limited to:
(i) Core elements of the MPI ;
(ii) A disclosure that a person is required to make under federal or State law requirements;
(iii) Results of a diagnostic procedure sent to the health care provider who ordered the procedure or another provider as designated by the ordering provider ;
(iv) Information regarding prescription medications dispensed or filled by a pharmacy, sent to the health care provider who ordered the prescriptions or another health care provider as designated by the ordering health care provider ;
(v) Public health authorities for reporting purposes required, authorized, or otherwise compliant with applicable law; or
(vi) Communications permitted under HIPAA or State law without a health care consumer 's consent or authorization when using point-to-point.
(b) Provided, however, that §A(2)(a)(iii), (iv), and (vi) of this regulation shall not apply to disclosures of sensitive health information , which receive additional protections consistent with Regulation .04 of this chapter.
(c) A health care consumer shall be advised in writing by the HIE receiving the opt out notice or request that opting out does not preclude any participating organization that has received or accessed PHI via the HIE prior to such opt out, and incorporated such PHI into its records, from retaining such information in its records.
(3) The right to the additional protections to and restrictions for disclosure of a patient 's sensitive health information provided by State or federal law and consistent with Regulation .04 of this chapter.
(4) The right to resume participation in an HIE after previously opting out in accordance with these regulations. Any such resumption of participation shall be upon written notice or request by the health care consumer .
B. An HIE shall provide needed information about the HIE to a health care consumer whose protected health information is maintained by a health information exchange , or may be accessed, used, or disclosed through the HIE .
(1) An HIE shall develop, adopt, implement, and keep current a health care consumer education plan that considers stakeholder input.
(a) The health care consumer education plan shall include the core HIE education content as defined in Regulation .02 of this chapter.
(b) The health care consumer education plan shall outline how the HIE will make available the following information to health care consumers:
(i) A description of each type of patient health information that may be used, accessed or disclosed through the HIE ;
(ii) The health information maintained by the HIE ;
(iii) The specific details concerning who may access, use , or disclose a patient 's health information and for what purpose;
(iv) The privacy and security measures that the HIE has implemented to protect health information , and a detailed explanation of what happens if there is a breach that results in unauthorized access to protected health information ;
(v) A health care consumer 's rights regarding the HIE and the control over, protection of, use of, and correction of each type of health information ;
(vi) The process provided for a health care consumer to exercise the health care consumer 's rights, including a detailed description of the steps a health care consumer needs to take in order to opt out from participation in the HIE ;
(vii) The implications of a health care consumer 's decision to opt out of participation in an HIE and not permit the disclosure of that consumer 's PHI to authorized users, except as otherwise permitted under applicable law; and
(viii) The HIE 's policies and procedures, including without limitation, policies and procedures consistent with these regulations regarding how the health care consumer may gain access to the patient 's health information .
(2) An HIE shall develop and implement health care consumer education materials as provided in §B(1) of this regulation. Such education materials shall have the following characteristics:
(a) Provide a balanced perspective, outlining the various points of view concerning each subject matter, including the risks and benefits associated with sharing protected health information electronically through the HIE ;
(b) Are not inaccurate or misleading;
(c) Minimize the use of technical terms and, when such terms are necessary, clearly define the technical terms;
(d) Use plain language that is easily understandable to each health care consumer population served, taking into account the various levels of education, understanding, and interest across that population;
(e) Use text and illustrations that are culturally sensitive, language appropriate, and that recognize user diversity including ethnicity, age, race, and gender;
(f) Update material to include and incorporate new information; and
(g) Specify the time sensitivity of any material included.
(3) An HIE shall cooperate with applicable State agencies to educate health care consumers consistent with a statewide education plan approved by such applicable State agency.
(4) An HIE shall make health care consumer educational materials readily available, at no charge, to participating organizations and the participating organizations' users through distribution channels such as websites, postal mail, email, secure third-party smart phone applications, and any other reasonable media or distribution channel commonly used and generally available to the HIE and health care consumer .
(5) In addition to the foregoing requirements, with regard to sensitive health information , the health care consumer educational content shall include:
(a) The scope of sensitive health information ;
(b) The health care consumer 's right to control sensitive health information ;
(c) The method by which to engage in the granular patient consent process;
(d) The method or methods by which the health care consumer can access the patient 's own sensitive health information ;
(e) The circumstances under which an HIE must restrict or may disclose legally protected health information ; and
(f) The method by which a health care consumer can request that a patient 's legally protected health information be disclosed to a specific health care provider .
(6) When an HIE updates its health care consumer educational content, the HIE shall timely make the updated materials available to health care consumers.
C. An HIE shall comply with the following requirements to allow a health care consumer to obtain information concerning a patient 's PHI that may be available through the HIE .
(1) An HIE shall provide the following information to the health care consumer, upon written notice or request by the health care consumer, describing what PHI is available through the HIE concerning the specified patient:
(a) The participating organization that disclosed the PHI to the HIE;
(b) The date the PHI was disclosed to the HIE; and
(c) The type of PHI disclosed to the HIE, if known by the HIE.
(2) An HIE shall provide written information, in accordance with this Regulation, to health care consumers concerning the methods available to such health care consumers to access a patient's PHI that is available through the HIE.
(a) If the patient's PHI is directly available electronically to the health care consumer through the HIE, the HIE shall advise the health care consumer how to obtain the PHI electronically.
(b) If the patient's PHI is not directly available electronically to the health care consumer through the HIE, the HIE shall, within 7 days from receipt of such health care consumer's written notice or request, provide the health care consumer with the contact information for each participating organization that has disclosed information to the HIE and received information from the HIE concerning the patient, so that the health care consumer may gain access to the patient's health information directly from each participating organization.
(3) An HIE shall make a good faith effort to facilitate a health care consumer's amendment of the patient's health information available through the HIE by informing the health care consumer how to seek amendment of the information.
(a) An HIE shall send information regarding the process for amending health information being made available through the HIE within 20 days of receiving notice from a health care consumer of a desire to amend the patient's health information available through the HIE and shall include the contact information of relevant participating organizations that provided the information; and
(b) This process shall be in accordance with the requirements specified in Health-General Article, §4-304(b), Annotated Code of Maryland and HIPAA, including 45 CFR § 164.526.
(c) An HIE shall make a good faith effort to notify the participating organization of each authorized user who has accessed, used, or disclosed the health information that has subsequently been amended.
(4) Upon receipt of written notice or request, an HIE shall provide each health care consumer with a report detailing any disclosure through the HIE of the patient's PHI for a time period specified by the health care consumer. In the case of recurring disclosures to the same entity for the same purpose, a summary report may be provided by the HIE. However, if the health care consumer requests the details of the summary report, the HIE shall promptly provide them.
(a) The time period specified by the health care consumer shall not exceed the data retention period as specified in the HIPAA Privacy Rule, 45 CFR § 164.528.
(b) The report shall specify the following for each instance that the patient's PHI was disclosed during the time frame reflected in the report:
(i) The name of each authorized user;
(ii) The name of the participating organization with which the authorized user is affiliated, if such information is kept by the HIE in the ordinary course of business;
(iii) The date and time of the disclosure;
(iv) The type of PHI disclosed, if known by the HIE; and
(v) The name of the participating organization that made the protected health information available to the HIE.
(c) An HIE shall acknowledge a health care consumer's written notice or request for the report within 10 business days of receipt of the request.
(d) An HIE shall respond to a health care consumer's written notice or request with either the requested report or with a written explanation why such report is unavailable, when it will be available, or where the health care consumer may obtain the requested information, in accordance with 45 CFR § 164.528(a)(2)(D)(3). The HIE shall respond within a reasonable time frame, but not later than 30 days of the initial written notice or request by the health care consumer.
(i) An HIE shall provide up to two copies annually of the report at no cost to the health care consumer, upon written notice or request by the consumer. If the report is available in an electronic format, it shall be provided to the consumer in a generally available electronic format such as PDF, if so requested, at no additional charge.
(ii) For any additional report, the HIE may charge a reasonable fee not to exceed the cost to provide the additional report, but no more than the allowable amount in accordance with Health-General Article, §4-304, Annotated Code of Maryland, and 45 CFR § 164.524(c)(4).
D. An HIE shall:
(1) Establish and maintain an online process that allows health care consumers to obtain an electronic report detailing any disclosures of their information through the HIE in accordance with §C(4)(b) of this regulation; and
(2) Implement and maintain compliance with the provisions detailed in Regulation .12A(1)-(7), B(1)-(2), and C(4)(b)-(d) of this chapter in implementing §D(1) of this regulation.
E. An HIE shall take affirmative steps to protect a patient's protected health information, including sensitive health information, that is accessible to or through the HIE from a breach or a non-HIPAA violation.
(1) An HIE shall have an easily accessible and convenient method by which a person may notify the HIE concerning a potential or an actual breach or a non-HIPAA violation.
(2) When an HIE is notified in writing of a potential or an actual breach or a non-HIPAA violation, the HIE shall:
(a) Acknowledge receipt of the notification within 1 business day;
(b) Begin an investigation concerning the matter upon receipt of the notification in compliance with Regulation .07 of this chapter; and
(c) In accordance with Regulation .08 of this chapter, provide the person filing the notification and each health care consumer whose protected health information was breached with information concerning the determination and resolution of the matter by the HIE.
(3) An HIE shall implement robust technical measures consistent with generally accepted industry best practices to assure valid patient identification and minimize patient record mismatches.
F. An HIE shall implement a process to allow a health care consumer to make an educated decision regarding the patient's participation in an HIE, opting out from such participation, or opting to resume participation in the HIE system, in accordance with this regulation.
(1) An HIE shall maintain a log that records each patient's participation status over time; and
(a) The HIE shall retain the log for the duration required by State or federal law, whichever requires a longer retention; and
(b) The HIE shall keep the log in a retrievable storage medium.
(2) An HIE shall not disclose a patient's PHI if the health care consumer has submitted a written notice or request to opt out of the HIE in accordance with §A(2) of this regulation, except as otherwise permitted under applicable law and in accordance with this chapter.
(3) An HIE shall not disclose information derived from a patient's PHI, including for secondary use, if the health care consumer has submitted a written notice or request to opt out of the HIE, except as otherwise permitted under applicable law.
G. The following requirements shall apply to all communications between an HIE and a health care consumer:
(1) An HIE shall implement a process to allow a health care consumer to communicate with the HIE about the patient's participation status through an appropriate medium of the health care consumer's choice, including the following:
(a) By telephone, via a toll-free number;
(b) By mail, via a standardized form;
(c) By fax, via a standardized form;
(d) Online, via a secure website; and
(e) In person at the HIE's offices during business hours.
(2) A health care consumer's communication opting out or opting in to an HIE shall be made:
(a) In writing;
(b) Online; or
(c) By telephone, if the HIE confirms the action with a written communication to the health care consumer in accordance with §G(5)(a) and (b) of this regulation.
(3) An HIE shall take appropriate measures to assure that a health care consumer who communicates with the HIE is authorized to act on behalf of the patient.
(4) An HIE shall implement the health care consumer's requested action within 5 business days of receipt of the health care consumer's written or online request concerning:
(a) Opting-out of the HIE ; and
(b) Resuming participation in the HIE after previously opting-out.
(5) An HIE shall provide to each health care consumer the option to receive confirmation of any change in the patient's participation status. If a health care consumer requests such confirmation in writing, the HIE shall:
(a) Send the confirmation of participation status change within 3 business days of the effective date of change of such patient's participation status; and
(b) If consistent with all applicable privacy and security law and regulations, including HIPAA and applicable State law and regulations, send the confirmation of status change through one of the following methods as specified by the health care consumer:
(i) An email sent to the email address specified by the health care consumer;
(ii) A letter to an address specified by the health care consumer;
(iii) A letter by fax to a fax number specified by the health care consumer;
(iv) A letter given to the health care consumer at the HIE during normal business hours; or
(v) A text message sent to the number specified by the health care consumer.
(6) When a health care consumer changes the patient's participation status, the HIE shall provide the following to the health care consumer and, unless the patient is a minor or subject to a power of attorney or otherwise unable to handle his or her own affairs, to the patient:
(a) Information concerning when the status change will become effective; and
(b) Information concerning what information will be excluded from the HIE regarding a health care consumer who opts out.
H. A participating organization shall comply with the following requirements to assure patient and health care consumer rights.
(1) A participating organization shall inform each health care consumer no later than the first medical encounter following enrollment of the organization in an HIE, by written and oral notice, of:
(a) Such organization's participation in an HIE, including in such organization's Notice of Privacy Practices under HIPAA; and
(b) Information concerning the health care consumer 's right to opt out from participation in the HIE and the process to opt out; and
(c) The types of information the participating organization will disclose to the HIE and for what purposes information accessed through the HIE may be used for treatment, payment, health care operations, and secondary use as described in this chapter.
(2) In addition to applicable HIPAA notification requirements, a participating organization shall notify each health care consumer whose protected health information, including sensitive health information, is breached or is maintained, accessed, used, or disclosed in a manner that constitutes a non-HIPAA violation in accordance with Regulation .08 of this chapter.