Maryland Code § CL-14-4703

Section CL-14-4703
(a) This subtitle does not apply to:
(1) A regulatory, administrative, advisory, executive, appointive,
legislative, judicial body or instrumentality of the State, including a board, bureau,
commission, or unit of the State or a political subdivision of the State;
(2) A national securities association that is registered under § 15 of
the federal Securities Exchange Act of 1934 or a registered futures association
designated in accordance with § 17 of the federal Commodity Exchange Act;
(3) A financial institution, an affiliate of a financial institution, or
data that is subject to Title V of the federal Gramm-Leach-Bliley Act and regulations
adopted under that act; or
(4) A nonprofit controller that processes or shares personal data
solely for the purposes of assisting:
(i) Law enforcement agencies in investigating criminal or
fraudulent acts relating to insurance; or
(ii) First responders in responding to catastrophic events.
(b) The following information and data are exempt from this subtitle:
(1) Protected health information under HIPAA;
(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2;
(3) Identifiable private information that is used for purposes of the
federal policy for the protection of human subjects in accordance with 45 C.F.R. § 46;
(4) Identifiable private information to the extent that it is collected
and used as part of human subjects research in accordance with the ICH 36 Good
Clinical Practice Guidelines issued by the International Council for Harmonisation
of Technical Requirements for Pharmaceuticals for Human Use or the protection of
human subjects under 21 C.F.R. §§ 50 and 56;
(5) Patient safety work product that is created and used for purposes
of patient safety improvement in accordance with 42 C.F.R. § 3, established in
accordance with 42 U.S.C. §§ 299b-21 through 299b-26;
(6) (i) Information to the extent it is used for public health,
community health, or population health activities and purposes, as authorized by
HIPAA, when provided by or to a covered entity or when provided by or to a business
associate in accordance with the business associate agreement with a covered entity;
(ii) Information that is a medical record under § 4-301 of the
Health - General Article if:
1. The information is held by an entity that is a covered
entity or business associate under HIPAA because it collects, uses, or discloses
protected health information; and
2. The entity applies the same standards for the
collection, use, and disclosure of the information as required for protected health
information under HIPAA and medical records under § 4-301 of the Health - General
Article, including specific standards regarding legally protected health care; and
(iii) Information that is de-identified in accordance with the
requirements for de-identification set forth in 45 C.F.R. 164.514 that is derived from
individually identifiable health information as described in HIPAA or personal
information consistent with the human subject protection requirements of the U.S.
Food and Drug Administration;
(7) The collection, maintenance, disclosure, sale, communication, or
use of personal information bearing on a consumer's creditworthiness, credit
standing, credit capacity, character, general reputation, personal characteristics, or
mode of living by a consumer reporting agency, furnisher, or user that provides
information for use in a consumer report, and by a user of a consumer report, but only
to the extent that the activity is regulated by and authorized under the federal Fair
Credit Reporting Act;
(8) Personal data collected, processed, sold, or disclosed in
compliance with the federal Driver's Privacy Protection Act of 1994;
(9) Personal data regulated by the federal Family Educational Rights
and Privacy Act;
(10) Personal data collected, processed, sold, or disclosed in
compliance with the federal Farm Credit Act;
(11) Data processed or maintained:
(i) In the course of an individual applying to, employed by, or
acting as an agent or independent contractor of a controller, processor, or third party,
to the extent that the data is collected and used within the context of the role;
(ii) As the emergency contact information of a consumer if the
data is used for emergency contact purposes; or
(iii) That is:
1. Necessary to retain to administer benefits for
another individual relating to the consumer who is the subject of the information
under item (i) of this item; and
2. Used for the purposes of administering the benefits;
(12) Personal data collected, processed, sold, or disclosed in relation to
price, route, or service by an air carrier subject to the federal Airline Deregulation
Act to the extent this subtitle is preempted by the federal Airline Deregulation Act;
and
(13) Personal data collected by or on behalf of a person regulated
under the Insurance Article or an affiliate of such a person, in furtherance of the
business of insurance.
(c) Controllers and processors that comply with the verifiable parental
consent requirements of COPPA shall be considered compliant with an obligation to
obtain parental consent in accordance with this subtitle with respect to a consumer
who is a child.
