SENATE BILL 404

57th legislature - STATE OF NEW MEXICO - first session, 2025

INTRODUCED BY

Mimi Stewart and Cindy Nava and Peter Wirth

AN ACT

RELATING TO PRIVACY; STRENGTHENING PRIVACY PROTECTIONS FOR PATIENT RECORDS BY REQUIRING SEGREGATION OF CERTAIN HEALTH CARE INFORMATION; PROHIBITING DISCLOSURE OF CERTAIN HEALTH CARE INFORMATION; REPEALING SECTION 24-14-18 NMSA 1978 (BEING LAWS 1977, CHAPTER 206, SECTION 2, AS AMENDED) THAT REQUIRES THE REPORTING OF INDUCED ABORTION.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     SECTION 1. Section 24-14B-1 NMSA 1978 (being Laws 2009, Chapter 69, Section 1) is amended to read:

     "24-14B-1. SHORT TITLE.--[This act] Chapter 24, Article 14B NMSA 1978 may be cited as the "[Electronic Medical] Patient Records Privacy Act"."

     SECTION 2. Section 24-14B-2 NMSA 1978 (being Laws 2009, Chapter 69, Section 2) is amended to read:

     "24-14B-2. PURPOSE.--The purpose of the [Electronic Medical] Patient Records Privacy Act is to provide for the secure use, disclosure and protection of an individual's electronic [medical] patient records."

     SECTION 3. Section 24-14B-3 NMSA 1978 (being Laws 2009, Chapter 69, Section 3) is amended to read:

     "24-14B-3. DEFINITIONS.--As used in the [Electronic Medical] Patient Records Privacy Act:

          A. "demographic information" means information that identifies the individual who is the subject of the health care information, including the individual's name, date of birth and address and other information necessary to identify the individual, that may be used to identify the individual or that associates the individual with the individual's electronic [medical] patient record;

          B. "disclose" means to release, transfer, provide, give access to or otherwise divulge in any other manner information outside the entity holding the information;

          C. "electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities;

          D. "electronic [medical] patient record" means an electronic record of an individual patient's health care information that may contain demographic information;

          E. "electronic patient record system" means a system used to process, store and maintain the patient records of individuals, including an individual's health care information;

          [E.] F. "electronic signature" means an electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by an individual with the intent to sign the record;

          G. "gender-affirming health care" means psychological, behavioral, surgical, pharmaceutical or medical health care, services, procedures or supplies provided to an individual in support of the individual's gender identity;

          [F.] H. "health care" means care, services or supplies related to the health of an individual and includes:

                (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care and counseling;

                (2) services, tests, assessments or procedures that are concerned with the physical or mental condition or functional status of an individual or that affect the structure or function of the body of an individual; and

                (3) the sale or dispensing of a drug, a device, a piece of equipment or other item in accordance with a prescription;

          [G.] I. "health care group purchaser" means a person who is licensed, certified or otherwise authorized or permitted by the New Mexico Insurance Code to pay for or purchase health care on behalf of an identified individual or group of individuals, regardless of whether the cost of coverage or services is paid for by the purchaser or the persons receiving coverage or services and includes contractors or employees of the health care group purchaser;

          [H.] J. "health care information" means any information, whether oral or recorded in any form or medium, related to the past, present or future physical or mental health or condition of an individual or the provision of health care to an individual [or the past, present or future payment for the provision of health care to an individual] and includes the individual's patient records, health care claims and records of payments for health care or other administrative data from a provider, health care service plan or pharmaceutical company;

          [I.] K. "health care institution" means an institution, a facility or an agency licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business and includes a contractor or an employee of a health care institution;

          L. "health care service plan" means a plan that arranges for the provision of health care services to subscribers or enrollees, or to pay for or to reimburse any part of the cost for those services, in return for a prepaid or periodic charge paid by or on behalf of the subscribers or enrollees and includes a contractor or an employee of the health care service plan;

          [J.] M. "health information exchange" means an arrangement among persons participating in a defined secure electronic network service, such as a regional health information organization, that allows the sharing of health care information about individual patients among different health care institutions or unaffiliated providers, and includes a contractor or an employee of a health information exchange. The use of an electronic [medical] patient record system by a health care provider, by or within a health care institution or by an organized health care arrangement as defined by the federal Health Insurance Portability and Accountability Act of 1996 does not constitute a health information exchange;

          [K.] N. "information" means data, including text, images, sounds and codes and computer programs, software and databases;

          [L.] O. "provider" means an individual [who] or entity that is licensed, certified or otherwise authorized or permitted by law in this state to provide health care, including reproductive health care and gender-affirming health care, and to access health care information in the ordinary course of business or practice of a profession;

          [M.] P. "record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form;

          [N.] Q. "record locator service" means an information service that contains demographic information and the location of health care information of a specified individual across different health care institutions or unaffiliated providers that participate in the service, and includes a contractor or an employee of a record locator service. The use of an electronic [medical] patient record system by a health care provider or by an organized health care arrangement as defined by the federal Health Insurance Portability and Accountability Act of 1996 does not constitute a record locator service; [and]

          R. "reproductive health care" means psychological, behavioral, surgical, pharmaceutical or medical care, services or supplies that relate to the human reproductive system, including services related to:

                (1) preventing a pregnancy;

                (2) abortion;

                (3) managing a pregnancy loss;

                (4) prenatal, birth, perinatal and postpartum health;

                (5) managing perimenopause and menopause;

                (6) managing infertility;

                (7) treating cancers of the reproductive system; or

                (8) preventing or treating sexually transmitted infections or diseases; and

          [O.] S. "treatment" means the provision, coordination or management of health care and related services by one or more providers, including the coordination or management of health care by a provider with a third party; consultation between providers relating to an individual; or the referral of an individual for health care from one provider to another."

     SECTION 4. Section 24-14B-6 NMSA 1978 (being Laws 2009, Chapter 69, Section 6, as amended) is amended to read:

     "24-14B-6. USE AND DISCLOSURE OF ELECTRONIC HEALTH CARE INFORMATION--SEGREGATED HEALTH CARE INFORMATION--REQUIREMENTS.--

          A. A provider, health care institution, health information exchange, health care service plan or health care group purchaser shall not use or disclose health care information in an individual's electronic [medical] patient record to another person without the consent of the individual except as [allowed] required by state or federal law.

          B. A health information exchange or electronic patient record system operating in the state that electronically stores or maintains medical information, electronic patient records, personal health records, health care claims, payments or other administrative data on behalf of a provider, health care service plan, pharmaceutical company, contractor or employer shall:

                (1) segregate an individual's health care information related to reproductive health care, gender-affirming health care, mental health care, alcohol or substance use treatment and any other similar health care or health care service as deemed appropriate for record segregation by the health care authority;

                (2) limit user access privileges to an individual's segregated health care information to persons or entities to whom the individual has provided written authorization for access;

                (3) provide a process for an individual to provide written authorization to disable access to the individual's segregated health care information by persons or entities in another state; and

                (4) notify an individual whose segregated health care information is the subject of a civil, criminal or regulatory inquiry, investigation, subpoena or summons for the release of the individual's segregated health care information and notify each provider that rendered health care as documented in the individual's segregated health care information at least thirty days prior to complying with the civil, criminal or regulatory inquiry, investigation, subpoena or summons for release of the individual's segregated health care information.

          [B.] C. A provider, health care institution, health care service plan or health care group purchaser may disclose demographic information and information about the location of an individual's electronic [medical] patient records to a record locator service in accordance with state or federal law. A provider or health care institution participating in a health information exchange using a record locator service shall not have access to demographic information, information about the location of the individual's electronic [medical] patient records or information in an individual's electronic [medical] patient record except in connection with the treatment of the individual or as permitted by the consent of the individual or as otherwise permitted by state or federal law.

          [C.] D. A record locator service shall maintain an audit log of persons obtaining access to information in the record locator service, which audit log shall contain, at a minimum, information on:

                (1) the identity of the person obtaining access to the information;

                (2) the identity of the individual whose information was obtained;

                (3) the location from which the information was obtained;

                (4) the specific information obtained; and

                (5) the date that the information was obtained.

          [D.] E. The audit log shall be made available by a health information exchange on the request of an individual whose health care information is the subject of the audit log; provided, however, that the audit log made available to the individual shall include only information related to that individual. The audit log shall be made available to the requesting individual annually for a fee not to exceed twenty-five cents ($.25) per page as established by the [department of] health care authority.

          [E.] F. A record locator service shall provide a mechanism under which individuals may exclude their demographic information and information about the location of their electronic [medical] patient records from the record locator service. A person operating a record locator service or a health information exchange that receives an individual's request to exclude all of the individual's information from the record locator service is responsible for removing that information from the record locator service within thirty days. An individual's request for exclusion of information shall be in writing and shall include a waiver of liability for any harm caused by the exclusion of the individual's information.

          [F.] G. When information in an individual's electronic [medical] patient record is requested using a record locator service or a health information exchange:

                (1) the requesting provider or health care institution shall warrant that the request is for the treatment of the individual, is permitted by the individual's written authorization or is otherwise permitted by state or federal law; and

                (2) the person disclosing the information may rely upon the warranty of the person making the request that the request is for the treatment of the individual, is permitted with the consent of the individual or is otherwise permitted by state or federal law.

          H. Notwithstanding the provisions of Subsection B of this section or any other provision of law, a provider, a contractor or an employee of the provider or a health care service plan shall not release patient records containing an individual's health care information related to that individual seeking or obtaining an abortion in response to a subpoena or request if that subpoena or request is based on another state's laws that interfere with a person's rights under the Reproductive and Gender-Affirming Health Care Freedom Act or the Reproductive and Gender-Affirming Health Care Protection Act.

          [G.] I. Notwithstanding any other provision of law, information in an individual's electronic [medical] patient record may be disclosed:

                (1) to a provider that has a need for information about the individual to treat a condition that poses an immediate threat to the life of any individual and that requires immediate medical attention;

                (2) except as provided in the [Electronic Medical] Patient Records Privacy Act, to a record locator service or a health information exchange for the development and operation of the record locator service and the health information exchange; and

                (3) to a provider, health care institution or health care group purchaser for treatment, payment or health care operation activities, in compliance with the federal Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated pursuant to that act, and if applicable, in compliance with 42 U.S.C. Section 290dd-2 and the regulations promulgated pursuant to that section.

          [H.] J. For the purposes of this section, "health care operation activities" includes administrative, financial, legal and quality improvement activities of a covered entity that are necessary to conduct business and to support the core functions of treatment and payment and are limited to the activities listed in the definition of "health care operations" at 45 C.F.R. 164.501."

     SECTION 5. Section 24-14B-7 NMSA 1978 (being Laws 2009, Chapter 69, Section 7) is amended to read:

     "24-14B-7. LIABILITY.--If an individual requests to exclude all of the individual's information from the record locator service pursuant to Subsection [E] F of Section [6 of the Electronic Medical Records Act] 24-14B-6 NMSA 1978, the record locator service, health information exchange, health care institution or provider shall not be liable for any harm to the individual caused by the exclusion of the individual's information."

     SECTION 6. Section 24-14B-8 NMSA 1978 (being Laws 2009, Chapter 69, Section 8) is amended to read:

     "24-14B-8. OUT-OF-STATE DISCLOSURES.--A disclosure otherwise permissible under the [Electronic Medical] Patient Records Privacy Act may be made to providers, health care group purchasers, health care institutions, health information exchanges or record locator services located or operating outside of the state."

     SECTION 7. Section 24-14B-9 NMSA 1978 (being Laws 2009, Chapter 69, Section 9) is amended to read:

     "24-14B-9. EXCLUSION OF CERTAIN INSURERS.--Nothing in the [Electronic Medical] Patient Records Privacy Act shall be construed to apply to a person operating as a property and casualty insurer, workers' compensation insurer, life insurer, long-term care insurer or disability income insurer."

     SECTION 8. A new section of the Patient Records Privacy Act, Section 24-14B-11 NMSA 1978, is enacted to read:

     "24-14B-11. [NEW MATERIAL] ENFORCEMENT.--

          A. A health information exchange or electronic patient record system determined to be in violation of the Patient Records Privacy Act shall be:

                (1) subject to injunctive relief to cease or correct the violation;

                (2) liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each negligent violation; or 

                (3) liable for a civil penalty of not more than seven thousand five hundred dollars ($7,500) for each intentional violation.

          B. An individual who claims to have suffered a deprivation of a right under the Patient Records Privacy Act may maintain an action to establish liability and recover damages and equitable or injunctive relief in any New Mexico district court.

          C. The attorney general or a district attorney may institute a civil action in district court if the attorney general or district attorney has reasonable cause to believe that a violation of the Patient Records Privacy Act has occurred or to prevent a violation of that act."

     SECTION 9. REPEAL.--Section 24-14-18 NMSA 1978 (being Laws 1977, Chapter 206, Section 2, as amended) is repealed.

     SECTION 10. EFFECTIVE DATE.--The effective date of the provisions of this act is July 1, 2025.
