Md. Code Regs. 10.25.18.10 - Requirements for Accessing, Using, or Disclosing of Data Through an HIE for Secondary Use
A. An HIE may not use or disclose a patient's sensitive health information for secondary use unless permitted by applicable federal or State laws and regulations.
B. Population Health Management.
(1) An HIE may disclose de-identified data or a limited data set, as defined at 45 CFR § 164.514(e), to a care management organization for purposes related to population health management, if approval is obtained from an internal review committee designated by the care management organization, which has:
(a) Entered into a data use agreement with the HIE; and
(b) Attested that the request is:
(i) For population health management purposes; and
(ii) Limited to the minimum necessary to complete the function.
(2) An HIE may disclose individually identifiable health information to a care management organization for purposes related to population health management, if:
(a) The requirements of §B(1) of this regulation are met;
(b) Appropriate notice has been provided to health care consumers whose information is being requested, and either:
(i) The health care consumers have authorized the release of their information to the requesting entity; or
(ii) An external and independent review committee has waived the need for the requesting entity to obtain authorization from those health care consumers who were provided appropriate notice, in accordance with Regulation .02B(4) of this chapter; and
(c) The disclosure is consistent with the authorization.
(3) Any external and independent review committee identified by the care management organization may approve an authorization waiver request where the requesting care management organization has demonstrated that:
(a) Appropriate notice to each health care consumer was provided and no authorization or denial of authorization was received from each health care consumer within the 30-day time frame;
(b) The objectives for which the data was requested could not be met without access to the requested data; and
(c) The requested use or disclosure involves no more than minimal risk to the privacy of those health care consumers whose authorization will be waived based on the presence of attributes that include, at a minimum:
(i) An adequate plan presented to the external and independent review committee to protect PHI from improper use, storage, and disclosure in accordance with current legal requirements and industry standards and practices as determined by the external and independent review committee;
(ii) An adequate plan to destroy the PHI when the purposes for which it has been requested are completed, unless such retention is authorized under the waiver or otherwise required by law; and
(iii) Adequate written assurances that the PHI will not be reused or disclosed to any person or entity, except as authorized under the waiver, as required or permitted by law, or for authorized oversight of the use.
(4) An HIE may not disclose a patient's sensitive health information for population health management purposes unless permitted by applicable federal and State laws and regulations.
C. Research.
(1) An HIE may disclose de-identified data to a qualified research organization for research purposes if a privacy board has evaluated and confirmed that the:
(a) Requesting entity is a qualified research organization; and
(b) Requested data to be disclosed:
(i) Is for purposes related to research;
(ii) Is limited to the minimum necessary to complete the research purpose;
(iii) Will be used to serve a legitimate purpose consistent with the interest of the subject individuals; and
(iv) Meets the de-identification standard and specifications in accordance with 45 CFR § 164.514(a)-(c).
(2) An HIE may disclose individually identifiable health information to a qualified research organization for research purposes if:
(a) Approval is obtained from an IRB or privacy board in accordance with 45 CFR § 164.512, including documentation of waiver approval as detailed in § 164.512(i)(2); and
(b) The IRB or privacy board has evaluated the request and confirmed that the requirements of §C(1)(a) and (b)(i)-(iii) of this regulation are met.
(3) If an IRB or privacy board does not waive or alter the requirement of authorization from health care consumers whose individually identifiable health information is to be disclosed, an HIE may only disclose individually identifiable health information of health care consumers who have provided authorization, which must meet the requirements as set forth in 45 CFR § 164.508.
(4) If an IRB or privacy board declines jurisdiction, then the disclosure of individually identifiable health information may only be made if health care consumer authorization is obtained.
(5) As part of an HIE's data use agreement with an entity to which it disclosed individually identifiable health information for secondary use, there shall be oversight by an IRB or privacy board for the duration of the research use.
(6) If an IRB or privacy board determines that the qualified research organization has failed to use or protect the data in accordance with the approved secondary use, the IRB or privacy board must report its findings to the HIE and the HIE must:
(a) Report the findings to federal and State agencies with jurisdiction over the violation, as deemed appropriate;
(b) Immediately terminate the data use agreement; and
(c) Direct the qualified research organization to destroy the data previously released by the HIE and attest that the data has been destroyed.
(7) The qualified research organization receiving data from an HIE for research purposes:
(a) Must contractually agree not to attempt to link de-identified data received from the HIE with other data sources in an effort to re-identify the data, or otherwise attempt in any other way to re-identify the data; and
(b) May disclose data to a third party acting on behalf of the qualified research organization only if the qualified research organization and third party enter into a data use agreement that requires the third party to be bound by the same provisions in the data use agreement between the HIE and qualified research organization.
(8) An HIE may charge a reasonable fee to a qualified research organization to which it discloses data for research, which fee must reflect the effort and be no greater than the actual direct and indirect costs required to prepare and release the data specific to the purpose authorized.
(9) An HIE may not disclose a patient's sensitive health information for research purposes unless permitted by applicable federal or State laws and regulations.
D. Enforcement and Reporting.
(1) An HIE is not required to take legal or equitable action to enforce the requirements of the data use agreement or of any other contractual assurance provided for in Regulation .05C of this chapter.
(2) An HIE shall make summary reports available to the public quarterly that provide specific information about requests for data for secondary use and the release of data for secondary purposes.
(3) An HIE shall report at least annually to the Commission and more frequently, if requested by the Commission, regarding the release of information for population health management. The Commission may:
(a) Require a care management organization to provide additional information for review by the Commission or the Commission's designated third party regarding the care management organization's use of data from an HIE for population health management;
(b) Require the HIE to conduct an audit of the disclosure and use of the data utilizing a third-party auditor at the expense of either the recipient of the data or the HIE, as determined by Commission;
(c) Require the receiving entity to destroy the data received and cease any further use of the data; or
(d) Prohibit an HIE from releasing data for all or certain secondary data use purposes.
(4) An HIE shall, upon the request by a health care consumer, provide an accounting of any disclosures made to a receiving entity for secondary data use purposes, in accordance with Regulation .03C(4) of this chapter.