Maryland Code § HG-4-302.2

Section HG-4-302.2
(a) The Maryland Health Care Commission shall adopt regulations for the
privacy and security of protected health information obtained or released through a
health information exchange.
(b) (1) The regulations adopted under subsection (a) of this section shall:
(i) Govern the access, use, maintenance, disclosure, and
redisclosure of protected health information as required by State or federal law,
including the federal Health Insurance Portability and Accountability Act, the federal
Health Information Technology for Economic and Clinical Health Act, the federal
21st Century Cures Act, and Title 21, Subtitle 2A of this article;

(ii) Include protections for the secondary use of protected
health information obtained or released through a health information exchange;
(iii) Require the State-designated health information exchange
to develop and maintain a consent management application, subject to State and
federal law, that:
1. Allows a person in interest to opt out of having
electronic health information shared or disclosed by a health information exchange;
2. Informs the person in interest of the electronic
health information that may be shared or disclosed notwithstanding the choice to opt
out;
3. Requires that the State-designated health
information exchange provide a health information exchange with the opt-out status
of a person in interest, on receipt of an electronic request from the health information
exchange for the opt-out status of the person in interest;
4. Requires a health information exchange to obtain
the opt-out status of a person in interest from the State-designated health
information exchange before sharing or disclosing the electronic health information
of the person in interest; and
5. Except as provided in paragraph (2) of this
subsection, prohibits a health information exchange from sharing or disclosing the
electronic health information of a person in interest if the person in interest has opted
out of having electronic health information shared or disclosed by a health
information exchange; and
(iv) Provide appropriate penalties for noncompliance with the
regulations, including fines that do not exceed $10,000 per day and that are
determined based on:
1. The extent of actual or potential public harm caused
by the violation;
2. The cost of investigating the violation; and
3. Whether the person committed previous violations.
(2) The regulations adopted under subsection (a) of this section may
not prohibit:

(i) The Department, the Maryland Health Care Commission,
or the Health Services Cost Review Commission from using electronic health
information, subject to federal and State law, for health regulatory and public health
functions;
(ii) The sharing or disclosing of information that is required to
be exchanged under Title 21, Subtitle 2A of this article; or
(iii) The sharing or disclosing of information that is required to
be exchanged under federal law, including for the purposes of payment, as defined in
45 C.F.R. § 164.501.
(3) This section does not prohibit the Commission from adopting
regulations that are more stringent than federal law in accordance with 45 C.F.R. §
160.203.
(c) Data obtained or released through a health information exchange:
(1) May not be sold for financial remuneration until the regulations
required under subsections (a) and (b) of this section are adopted; and
(2) May be sold for financial remuneration only in accordance with
the regulations adopted under subsections (a) and (b) of this section.
(d) The Maryland Health Care Commission shall consult with health care
providers, payors, State health agencies, consumer advocates, and employers before
adopting regulations under subsections (a) and (b) of this section.
§4-302.3. IN EFFECT
(a) (1) In this section the following words have the meanings indicated.
(2) "Electronic health care transactions" means health care
transactions that have been approved by a nationally recognized health care
standards development organization to support health care informatics, information
exchange, systems integration, and other health care applications.
(3) "Electronic health network" means an entity:
(i) Involved in the exchange of electronic health care
transactions between a payor, health care provider, vendor, and any other entity; and
(ii) Certified by the Maryland Health Care Commission.

(4) "Nursing home" has the meaning stated in § 19-1401 of this
article.
(5) "Standard request" means a request for clinical information from
a health information exchange that conforms to the major standards version specified
by the Office of the National Coordinator for Health Information Technology.
(b) This section applies to:
(1) Except for the State-designated health information exchange, a
health information exchange operating in the State; and
(2) A payor that:
(i) Holds a valid certificate of authority issued by the
Maryland Insurance Commissioner; and
(ii) Acts as, operates, or owns a health information exchange.
(c) An entity to which this section applies shall connect to the State-
designated health information exchange in a manner consistent with applicable
federal and State privacy laws.
(d) When a standard request for clinical information is received through the
State-designated health information exchange, an entity to which this section applies
shall:
(1) Respond to the request to the extent authorized under federal and
State privacy laws; and
(2) Transmit the response to the State-designated health
information exchange in the manner specified in the regulations adopted under
subsection (g) of this section.
(e) A consent from a patient to release clinical information to a provider
obtained by an entity to which this section applies shall apply to information
transmitted through the State-designated health information exchange or by other
means.
(f) (1) On request of the Department, a nursing home shall submit
electronically clinical information to the State-designated health information
exchange to facilitate the objectives stated in paragraph (3) of this subsection.

(2) In accordance with State and federal law and to facilitate the
objectives stated in paragraph (3) of this subsection, the State-designated health
information exchange may provide the information submitted under paragraph (1) of
this subsection to:
(i) A health care provider;
(ii) An authorized health information exchange user;
(iii) A health information exchange authorized by the
Maryland Health Care Commission;
(iv) A federal official; and
(v) A State official.
(3) (i) If approved by the Maryland Health Care Commission, the
information submitted under paragraph (1) of this subsection may be combined with
other data maintained by the State-designated health information exchange to
facilitate:
1. A State health improvement program;
2. Mitigation of a public health emergency;
3. Improvement of patient safety; and
4. The participation of the State in the Center for
Medicare and Medicaid Innovation's States Advancing All-Payer Health Equity
Approaches and Development (AHEAD) Model and any successor models.
(ii) The information submitted by a nursing home under
paragraph (1) of this subsection may be used only to facilitate the objectives stated in
subparagraph (i) of this paragraph and may not be used for any other purpose,
including licensing and certification.
(g) (1) The State-designated health information exchange shall:
(i) Participate in the advisory committee established under §
13-4306(a)(1) of this article; and
(ii) Maintain a data set for the Maryland Commission on
Health Equity and provide data from the data set consistent with the parameters
defined by the advisory committee.

(2) If approved by the Maryland Commission on Health Equity, the
State-designated health information exchange may use the data set maintained
under paragraph (1) of this subsection to improve health outcomes for patients.
(h) (1) An electronic health network shall provide electronic health care
transactions to the State-designated health information exchange for the following
public health and clinical purposes:
(i) A State health improvement program;
(ii) Mitigation of a public health emergency;
(iii) Improvement of patient safety; and
(iv) The participation of the State in the Center for Medicare
and Medicaid Innovation's States Advancing All-Payer Health Equity Approaches
and Development (AHEAD) Model and any successor models.
(2) An electronic health network may not charge a fee to a health care
provider, health care payor, or to the State-designated health information exchange
for providing the information as required under paragraph (1) of this subsection.
(3) The State-designated health information exchange shall develop
and implement policies and procedures to implement paragraph (1) of this subsection
that are consistent with regulations adopted by the Maryland Health Care
Commission.
(i) The Maryland Health Care Commission:
(1) Shall adopt regulations for implementing the connectivity to the
State-designated health information exchange required under this section; and
(2) Shall seek, through any regulations adopted under item (1) of this
subsection, to promote technology standards and formats that conform to those
specified by the Office of the National Coordinator for Health Information
Technology.
(j) (1) The Maryland Health Care Commission shall adopt regulations
that:
(i) Specify the scope of clinical information to be exchanged or
sent under this section; and

(ii) Provide for a uniform, gradual implementation of the
exchange of clinical information under this section.
(2) Any regulations adopted under paragraph (1) of this subsection
shall limit the scope of the clinical information to purposes that:
(i) Improve treatment, including improved access to clinical
records by treating clinicians;
(ii) Promote uses of the State-designated health information
exchange important to public health; or
(iii) The protection of the electronic health information of a
person in interest who has opted out of having electronic health information shared
or disclosed by a health information exchange.
(3) Regulations adopted under paragraph (1) of this subsection:
(i) Shall limit redisclosure of financial information, including
billed or paid amounts available in electronic claims transactions;
(ii) May not restrict the State's use of financial information,
including billed or paid amounts available in electronic claims transactions, for public
health purposes related to the participation of the State in the Center for Medicare
and Medicaid Innovation's States Advancing All-Payer Health Equity Approaches
and Development (AHEAD) Model and any successor models;
(iii) Shall restrict data of patients who have opted out of records
sharing through the State-designated health information exchange or a health
information exchange authorized by the Maryland Health Care Commission;
(iv) Shall restrict data from health care providers that possess
sensitive health care information; and
(v) Shall restrict data of patients who have obtained legally
protected health care.
(k) This section does not:
(1) Require an entity to which this section applies to collect clinical
information or obtain any authorizations, not otherwise required by federal or State
law, relating to information to be sent or received through the State-designated
health information exchange;

(2) Prohibit an entity to which this section applies from directly
receiving or sending information to providers or subscribers outside of the State-
designated health information exchange; or
(3) Prohibit an entity to which this section applies from connecting
and interoperating with the State-designated health information exchange in a
manner and scope beyond that required under this section.
§4-302.3. // EFFECTIVE DECEMBER 31, 2030 PER CHAPTER 615 OF 2025 //
(a) (1) In this section the following words have the meanings indicated.
(2) "Electronic health care transactions" means health care
transactions that have been approved by a nationally recognized health care
standards development organization to support health care informatics, information
exchange, systems integration, and other health care applications.
(3) "Electronic health network" means an entity:
(i) Involved in the exchange of electronic health care
transactions between a payor, health care provider, vendor, and any other entity; and
(ii) Certified by the Maryland Health Care Commission.
(4) "Nursing home" has the meaning stated in § 19-1401 of this
article.
(5) "Standard request" means a request for clinical information from
a health information exchange that conforms to the major standards version specified
by the Office of the National Coordinator for Health Information Technology.
(b) This section applies to:
(1) Except for the State-designated health information exchange, a
health information exchange operating in the State; and
(2) A payor that:
(i) Holds a valid certificate of authority issued by the
Maryland Insurance Commissioner; and
(ii) Acts as, operates, or owns a health information exchange.

(c) An entity to which this section applies shall connect to the State-
designated health information exchange in a manner consistent with applicable
federal and State privacy laws.
(d) When a standard request for clinical information is received through the
State-designated health information exchange, an entity to which this section applies
shall:
(1) Respond to the request to the extent authorized under federal and
State privacy laws; and
(2) Transmit the response to the State-designated health
information exchange in the manner specified in the regulations adopted under
subsection (g) of this section.
(e) A consent from a patient to release clinical information to a provider
obtained by an entity to which this section applies shall apply to information
transmitted through the State-designated health information exchange or by other
means.
(f) (1) On request of the Department, a nursing home shall submit
electronically clinical information to the State-designated health information
exchange to facilitate the objectives stated in paragraph (3) of this subsection.
(2) In accordance with State and federal law and to facilitate the
objectives stated in paragraph (3) of this subsection, the State-designated health
information exchange may provide the information submitted under paragraph (1) of
this subsection to:
(i) A health care provider;
(ii) An authorized health information exchange user;
(iii) A health information exchange authorized by the
Maryland Health Care Commission;
(iv) A federal official; and
(v) A State official.
(3) (i) If approved by the Maryland Health Care Commission, the
information submitted under paragraph (1) of this subsection may be combined with
other data maintained by the State-designated health information exchange to
facilitate:

1. A State health improvement program;
2. Mitigation of a public health emergency; and
3. Improvement of patient safety.
(ii) The information submitted by a nursing home under
paragraph (1) of this subsection may be used only to facilitate the objectives stated in
subparagraph (i) of this paragraph and may not be used for any other purpose,
including licensing and certification.
(g) (1) The State-designated health information exchange shall:
(i) Participate in the advisory committee established under §
13-4306(a)(1) of this article; and
(ii) Maintain a data set for the Maryland Commission on
Health Equity and provide data from the data set consistent with the parameters
defined by the advisory committee.
(2) If approved by the Maryland Commission on Health Equity, the
State-designated health information exchange may use the data set maintained
under paragraph (1) of this subsection to improve health outcomes for patients.
(h) (1) An electronic health network shall provide electronic health care
transactions to the State-designated health information exchange for the following
public health and clinical purposes:
(i) A State health improvement program;
(ii) Mitigation of a public health emergency; and
(iii) Improvement of patient safety.
(2) An electronic health network may not charge a fee to a health care
provider, health care payor, or to the State-designated health information exchange
for providing the information as required under paragraph (1) of this subsection.
(3) The State-designated health information exchange shall develop
and implement policies and procedures to implement paragraph (1) of this subsection
that are consistent with regulations adopted by the Maryland Health Care
Commission.

(i) The Maryland Health Care Commission:
(1) Shall adopt regulations for implementing the connectivity to the
State-designated health information exchange required under this section; and
(2) Shall seek, through any regulations adopted under item (1) of this
subsection, to promote technology standards and formats that conform to those
specified by the Office of the National Coordinator for Health Information
Technology.
(j) (1) The Maryland Health Care Commission shall adopt regulations
that:
(i) Specify the scope of clinical information to be exchanged or
sent under this section; and
(ii) Provide for a uniform, gradual implementation of the
exchange of clinical information under this section.
(2) Any regulations adopted under paragraph (1) of this subsection
shall limit the scope of the clinical information to purposes that:
(i) Improve treatment, including improved access to clinical
records by treating clinicians;
(ii) Promote uses of the State-designated health information
exchange important to public health; or
(iii) The protection of the electronic health information of a
person in interest who has opted out of having electronic health information shared
or disclosed by a health information exchange.
(3) Regulations adopted under paragraph (1) of this subsection shall:
(i) Limit redisclosure of financial information, including billed
or paid amounts available in electronic claims transactions;
(ii) Restrict data of patients who have opted out of records
sharing through the State-designated health information exchange or a health
information exchange authorized by the Maryland Health Care Commission;
(iii) Restrict data from health care providers that possess
sensitive health care information; and

(iv) Restrict data of patients who have obtained legally
protected health care.
(k) This section does not:
(1) Require an entity to which this section applies to collect clinical
information or obtain any authorizations, not otherwise required by federal or State
law, relating to information to be sent or received through the State-designated
health information exchange;
(2) Prohibit an entity to which this section applies from directly
receiving or sending information to providers or subscribers outside of the State-
designated health information exchange; or
(3) Prohibit an entity to which this section applies from connecting
and interoperating with the State-designated health information exchange in a
manner and scope beyond that required under this section.
