HOUSE BILL 378
49th legislature - STATE OF NEW MEXICO - first session, 2009
INTRODUCED BY
Elias Barela
AN ACT
RELATING TO HEALTH RECORDS; ENACTING THE PATIENT INFORMATION PRIVACY ACT; CLARIFYING INDIVIDUAL RIGHTS WITH RESPECT TO THE DISCLOSURE OF INFORMATION CONTAINED IN ELECTRONIC MEDICAL RECORDS; PROVIDING FOR A PRIVATE RIGHT OF ACTION; PROVIDING FOR A RIGHT TO CORRECT ERRORS IN A MEDICAL RECORD; CLARIFYING THE PROTECTION OF PRIVACY OF ELECTRONIC MEDICAL RECORDS.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
Section 1. SHORT TITLE.--This act may be cited as the "Patient Information Privacy Act".
Section 2. DEFINITIONS.--As used in the Patient Information Privacy Act:
A. "demographic information" means information in an electronic medical record that identifies the individual who is the subject of the medical record, including the individual's name, date of birth and address and other information that identifies the individual, that may be used to identify the individual or that associates the individual with the individual's electronic medical record;
B. "disclosure" means the release, transfer, provision or otherwise divulging of an individual's electronic medical records to a person other than the holder of the records and includes having access to those records;
C. "electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities;
D. "electronic medical record" means a medical record created, generated, sent, communicated, received or stored by electronic means;
E. "health care" means care, services or supplies related to the health of an individual and includes:
(1) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care and counseling;
(2) service, assessment or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of an individual's body; and
(3) the sale or dispensing of a drug, a device, a piece of equipment or other item in accordance with a prescription;
F. "health care group purchaser" means a person, licensed, certified or otherwise authorized or permitted by the New Mexico Insurance Code to pay for or purchase health care coverage on behalf of an identified individual or group of individuals, regardless of whether the cost of coverage or services is paid for by the purchaser or the persons receiving coverage or services;
G. "health care information" means any information, whether oral or recorded in any form or medium, related to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual;
H. "health care institution" means an institution, facility or agency licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business;
I. "health care provider" means an individual licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business or practice of a profession;
J. "health information exchange" means an arrangement among persons providing for the disclosure of electronic medical records;
K. "information" means data, including text, images, sounds and codes and computer programs, software and databases;
L. "medical record" means a record of health care information;
M. "record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form;
N. "record locator service" means a system that provides a means of identification of the existence and location of the electronic medical records of a specified individual; and
O. "treatment" means the provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to an individual; or the referral of an individual for health care from one health care provider to another.
Section 3. USE AND DISCLOSURE OF HEALTH CARE INFORMATION IN AN ELECTRONIC MEDICAL RECORD.--
A. A person shall not use or disclose health care information in an individual's electronic medical record to another person in violation of state or federal law. Prior to use or disclosure of an individual's health care information, a person shall obtain the written consent of the individual, except where the person requires the information to deliver health care to the individual in the case of an emergency as determined by the attending health care provider.
B. A person shall not intimidate, threaten, coerce, discriminate against or take other retaliatory action against any individual for the exercise by the individual of any right established by, or for participation in, any process provided for in the Patient Information Privacy Act.
C. A person shall not require individuals to waive their rights under the Patient Information Privacy Act as a condition for the provision of treatment, payment, enrollment in a health care plan or eligibility for benefits.
D. A person may disclose demographic information and information about the location of an individual's electronic medical records to a record locator service in accordance with law. A person participating in a health information exchange using a record locator service shall not have access to demographic information, information about the location of the individual's electronic medical records or information in an individual's electronic medical record except with the express authorization of the subject of the medical record, or, in the event the person requires the information to deliver health care to the individual in the case of an emergency, as determined by the attending health care provider.
E. A person maintaining a record locator service, a health care provider or health care institution shall maintain an audit log of health care providers, health care institutions, persons and other entities accessing information during the previous six years in the record locator service that at a minimum contains information on:
(1) the identity of the person accessing the information;
(2) the identity of the individual whose information was accessed by the person; and
(3) the date that the information was accessed.
F. An individual may annually request a copy of the audit log of the individual's medical record.
G. A person operating a record locator service or health information exchange shall provide a mechanism under which individuals may exclude their demographic information and information about the location of their electronic medical records from the record locator service. A person operating a record locator service or a health information exchange that receives an individual's request to exclude all of the individual's information from the record locator service or to have a specific person excluded from using the record locator service to access that individual's information is responsible for removing that information from the record locator service or the health information exchange.
H. When requesting demographic information or information in an individual's electronic medical record using a record locator service or a health information exchange, the requesting person shall warrant that the request is for the treatment of the individual who is the subject of the electronic medical record and the person releasing the information may rely upon the warranty of the person making the request that the request is for the treatment of the individual and is in compliance with state and federal law.
I. In accordance with the provisions of this subsection, a person operating a health care facility may maintain a directory containing individuals' information. When maintaining a directory of individuals in a person's health care facility, a person:
(1) may use or disclose an individual's:
(a) name;
(b) location in the person's facility;
(c) condition described in general terms that does not communicate specific medical information about the individual; and
(d) religious affiliation;
(2) may disclose the information described in Paragraph (1) of this subsection to members of the clergy;
(3) may disclose the information described in Subparagraphs (a), (b) and (c) of Paragraph (1) of this subsection, but shall not disclose the individual's religious affiliation, to other persons that ask for the individual by name;
(4) shall inform an individual in the facility that the person intends to use the individual's information in the directory and shall give the individual an opportunity to object to the individual's information being included in the directory. If the individual objects, the person shall not include the individual's information in the directory; and
(5) in emergency treatment circumstances or circumstances where the individual's incapacity does not practicably allow the individual to be informed of the fact that the individual's information is being included in the person's directory and does not give the individual an opportunity to object, the information shall:
(a) be included in the directory only if the individual's prior expressed preference that this information be included is known to the person; or
(b) be included if the individual's attending health care provider, in the exercise of professional judgment, determines that inclusion of this information is in the individual's best interest.
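Subsection E of Section 3 fixes the minimum content of the access audit log (who accessed, whose record, on what date) and the six-year window; Subsection F lets the individual request a copy of it once a year. The following Python is an added example, not text or code from HB 378 or from any New Mexico record locator service: it stores those three fields, produces the per-individual copy for the previous six years, and additionally chains each entry to its predecessor with SHA-256 so that an after-the-fact edit to a stored entry is detectable. The hash chain, the "purpose" field (which keeps the Section 3.H treatment warranty alongside the access), the 365-day year used for the retention window, and all identifiers and timestamps in `demo()` are assumptions of this example, not requirements of the bill.

```python
"""Access audit log for an EMR or record locator service.

Added example, not part of HB 378. Records the three fields Section 3.E
requires (accessor, subject, date), keeps the six-year window, and produces
the per-individual copy of Section 3.F. The hash chain and the 'purpose'
field are additions the bill does not require: the chain makes later edits
to the log detectable, and 'purpose' preserves the Section 3.H warranty.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=6 * 365)  # "previous six years"; 365-day years assumed


@dataclass(frozen=True)
class AccessEvent:
    accessor_id: str   # 3.E(1): identity of the person accessing the information
    subject_id: str    # 3.E(2): individual whose information was accessed
    accessed_at: str   # 3.E(3): date of access (ISO 8601, UTC)
    purpose: str       # not required by 3.E; the 3.H warranty ("treatment")
    prev_hash: str     # SHA-256 of the previous entry, "" for the first
    entry_hash: str    # SHA-256 over prev_hash and this entry's fields


def _digest(prev_hash, accessor_id, subject_id, accessed_at, purpose):
    payload = json.dumps([prev_hash, accessor_id, subject_id, accessed_at, purpose])
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self._entries = []

    @property
    def entries(self):
        return tuple(self._entries)

    def record(self, accessor_id, subject_id, purpose, accessed_at=None):
        """Append one access event; the entry hash chains to the previous one."""
        if accessed_at is None:
            accessed_at = datetime.now(timezone.utc).isoformat()
        prev = self._entries[-1].entry_hash if self._entries else ""
        ev = AccessEvent(accessor_id, subject_id, accessed_at, purpose, prev,
                         _digest(prev, accessor_id, subject_id, accessed_at, purpose))
        self._entries.append(ev)
        return ev

    def verify(self, entries=None):
        """True if every entry's hash matches its fields and its predecessor."""
        prev = ""
        for ev in (self._entries if entries is None else entries):
            expected = _digest(prev, ev.accessor_id, ev.subject_id, ev.accessed_at, ev.purpose)
            if ev.prev_hash != prev or ev.entry_hash != expected:
                return False
            prev = ev.entry_hash
        return True

    def copy_for_individual(self, subject_id, as_of=None):
        """Section 3.F copy: this individual's entries from the previous six years."""
        now = datetime.fromisoformat(as_of) if as_of else datetime.now(timezone.utc)
        cutoff = now - RETENTION
        return [asdict(ev) for ev in self._entries
                if ev.subject_id == subject_id
                and datetime.fromisoformat(ev.accessed_at) >= cutoff]


def demo():
    """Constructed sample accesses (hypothetical names); returns the checks run."""
    log = AuditLog()
    log.record("dr_ortiz", "patient_17", "treatment", "2010-02-01T09:00:00+00:00")
    log.record("clinic_b", "patient_42", "treatment", "2010-02-02T10:30:00+00:00")
    log.record("dr_ortiz", "patient_17", "treatment", "2011-03-15T14:00:00+00:00")
    # An after-the-fact edit to a stored entry breaks the chain.
    tampered = list(log.entries)
    tampered[1] = replace(tampered[1], subject_id="patient_99")
    return {
        "chain_ok": log.verify(),
        "tamper_detected": not log.verify(tampered),
        "copy_2011": log.copy_for_individual("patient_17", "2011-04-01T00:00:00+00:00"),
        "copy_2016": log.copy_for_individual("patient_17", "2016-03-01T00:00:00+00:00"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The per-individual copy filters on the subject, not the accessor, because the right in Subsection F belongs to the person whose record was read. The chain only detects modification of stored entries; it does not stop a holder from failing to record an access in the first place, so in practice the write path into the log should be the same code path that grants access to the record.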
Section 4. NOTICE OF PRIVACY PRACTICES FOR HEALTH CARE INFORMATION.--
A. A health care provider shall provide, electronically or in paper form, to individuals to whom it provides health care a written notice of:
(1) the health care provider's uses and disclosures of the individual's health care information; and
(2) the health care provider's legal duties with respect to protected health care information.
B. The notice shall be written in plain language and shall contain:
(1) a statement that is set out as a header or otherwise prominently displayed in a bold font no smaller than 16-point bold Courier New and that contains the following: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN OBTAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.";
(2) disclosures that are set out in a font no smaller than 12-point Courier New, in an area of the notice that shall be grouped together and segregated from any other text and that shall only contain information directly related to the disclosures as follows:
(a) "Except when required for your treatment in the case of a medical emergency, your health care provider must obtain your written consent before using or disclosing your health care information.";
(b) "Anyone holding your electronic medical records must tell you if someone has hacked into your electronic medical records.";
(c) "You have the right to correct any mistakes in your electronic medical records. Your health care provider must inform you of the method by which you may request corrections."; and
(d) "You have the right to sue certain persons when they disclose your health care information in violation of the Act.";
(3) a description, including at least one example, of the types of uses and disclosures that the health care provider is permitted to make for the purposes of treatment, payment and health care operations; provided that the provider has the prior written consent of the individual affected by the use or disclosure or that the use or disclosure is required in the case of a medical emergency as determined by the attending health care provider;
(4) a description of the other purposes for which the health care provider is permitted or required under state or federal law to use or disclose health care information without the written authorization of the individual affected by the use or disclosure;
(5) if a use or disclosure for any purpose described in Paragraph (1) or (2) of this subsection is prohibited or materially limited by other applicable law, a description of the use or disclosure that reflects the more stringent law;
(6) for the purposes described in Paragraphs (1) and (2) of this subsection, a description that includes sufficient detail to place an individual on notice of the uses and disclosures that are permitted or required by this subsection and other applicable law;
(7) a statement that the health care provider or a health care institution, health information exchange, health care group purchaser or record locator service shall not use or disclose an individual's health care information for fundraising, marketing or research purposes, except with the individual's prior written authorization;
(8) a statement that an individual's health care provider may contact the individual to provide appointment reminders;
(9) a statement that a group health plan, or a health insurance issuer or health maintenance organization with respect to a group health care plan, shall not disclose an individual's health care information to the sponsor of the group health plan;
(10) a statement that an individual has the right to inspect and copy the individual's health care information;
(11) a statement that an individual has the right to amend the individual's health care information;
(12) a statement that an individual has the right to receive an accounting of disclosures of the individual's health care information;
(13) a statement that an individual has the right to obtain a paper copy of the notice from the health care provider upon request;
(14) information about the health care provider's duties, including:
(a) a statement that the health care provider is required by law to maintain the privacy of an individual's health care information and to provide individuals with notice of the health care provider's legal duties and privacy practices with respect to health care information;
(b) a statement that the health care provider is required to abide by the terms of the notice currently in effect; and
(c) a statement that the health care provider may apply a change in a privacy practice that is described in the notice currently in effect to the individual's health care information that the health care provider created or received prior to issuing a revised notice, and that the health care provider reserves the right to change the terms of its notice and to make the revised notice provisions effective for all health care information that it maintains. The statement shall also describe how it will provide the individual with a revised notice;
(15) a statement that individuals may recover in a civil action from a health care provider, health care institution or person engaged in a record locator service or health information exchange that knowingly or willfully violates the provisions of the Patient Information Privacy Act;
(16) the name, or title, and telephone number of a person or office to contact for further information; and
(17) the date on which the notice is first in effect, which date shall not be earlier than the date on which the notice is first printed or otherwise published.
C. A health care provider shall promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, an individual's rights, the health care provider's legal duties or other privacy practices stated in the notice. Except when required by law, a material change to any term of the notice shall not be implemented prior to the effective date of the notice in which such material change is reflected.
D. A health care provider shall make the notice required by this section available on request to any person and to individuals and shall retain, for six years from the date of providing the notice, proof of each individual's timely receipt of the notice. Notice shall be determined to be timely if provided:
(1) within one hundred eighty days from the effective date of this act to individuals served by the health care provider;
(2) after the time period specified in Paragraph (1) of this subsection, no later than the date of the first service delivery, including service delivered electronically, to an individual served by the health care provider after the effective date of this act, or in an emergency treatment situation, as soon as reasonably practicable after the emergency treatment; and
(3) within sixty days of a material revision to the notice to individuals served by the health care provider.
E. No less frequently than once every three years, the health care provider shall notify individuals then served by the provider of the availability of the notice and how to obtain the notice.
F. If the health care provider maintains a physical service delivery site, the health care provider shall:
(1) have the notice available at the service delivery site for individuals to request to take with them; and
(2) post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the health care provider to be able to read the notice.
G. A health care provider that maintains a web site that provides information about the health care provider's customer services shall prominently post its notice on the web site and make the notice available electronically through the web site.
H. Health care providers that participate in joint health care arrangements may comply with this section by a joint notice; provided that:
(1) the health care providers participating in the joint health care arrangement agree to abide by the terms of the notice with respect to health care information created or received by the health care provider as part of its participation in the joint health care arrangement;
(2) the joint notice:
(a) meets the implementation specifications set forth in this section, except that the statements required by this section may be altered to reflect the fact that the notice covers more than one health care provider;
(b) describes with reasonable specificity the health care providers, or class of providers, to which the joint notice applies;
(c) describes with reasonable specificity the service delivery sites, or classes of service delivery sites, to which the joint notice applies; and
(d) states that the health care providers participating in the joint health care arrangement will not share health care information of an individual with each other unless prior written authorization is obtained from the individual or as deemed necessary by an attending health care provider for purposes of emergency treatment.
Section 5. OUT-OF-STATE DISCLOSURES.--A disclosure otherwise permissible under the Patient Information Privacy Act may be made to health care providers, health care institutions or record locator services located or operating outside the state.
Section 6. HEALTH CARE REPRESENTATIVES.--A health care provider, health care institution or health care group purchaser is not subject to regulatory or disciplinary actions or civil liability for:
A. complying with a request or authorization made by a person who the health care provider, health care institution or health care group purchaser reasonably believed had the authority to exercise the rights and powers of an individual pursuant to the Patient Information Privacy Act; or
B. declining to comply with a request or authorization made by a person based on a reasonable belief that the person lacked authority to exercise the rights and powers of an individual pursuant to the Patient Information Privacy Act.
Section 7. HACKING INTO THE SECURITY SYSTEM.--
A. A person that holds an individual's electronic medical record or maintains computerized data that includes medical records shall disclose any hacking into its data system following discovery or notification of the hacking to the individual whose medical record was, or was reasonably believed to have been, acquired by an unauthorized person.
B. The disclosure shall be made without unreasonable delay, which shall allow a person time to determine the scope of the hacking and restore the integrity of the data or data system or accommodate the legitimate needs of law enforcement pursuant to Subsection D of this section.
C. Disclosure shall be provided in the following manner:
(1) written notice;
(2) electronic notice; provided that the notice is consistent with the provisions applicable to electronic records and signatures in Section 7001 of Title 15 of the United States Code; or
(3) substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), that the affected class of subject individuals to be notified exceeds five hundred thousand or that the person does not have sufficient contact information. Substitute notice shall be provided in the following manner:
(a) email notice;
(b) conspicuous posting of the notice on the person's commonly used web site; or
(c) notification by publication.
D. Disclosure may be delayed if a law enforcement agency determines that disclosure will impede a criminal investigation. However, disclosure shall be made after the law enforcement agency determines that it will not compromise the investigation.
E. For purposes of this section:
(1) "hacking" means unauthorized acquisition or breach of electronic data or a computerized system containing unencrypted and confidential health care information maintained in a record. Good faith acquisition of personal information by an employee or agent of the person for the purposes of the person is not a breach; provided that the health care information is not used for an unauthorized purpose or subject to further unauthorized disclosure; and
(2) "person" means a person who holds or compiles electronic medical records or maintains a computerized system that contains electronic medical records, including a health care provider, health care institution, health care group purchaser or a person engaged in a health information exchange.
Section 8. RIGHT TO CIVIL ACTION--DEFENSES--LIMITATIONS.--
A. A person aggrieved by a violation of the provisions of the Patient Information Privacy Act may recover in a civil action from a person that knowingly or willfully violates this act.
B. In a civil action under this section, relief may include:
(1) preliminary and other equitable or declaratory relief as appropriate;
(2) damages pursuant to Subsection C or D of this section; and
(3) reasonable attorney fees and other reasonable costs incurred as the result of litigation.
C. If the violator knowingly violates the provisions of the Patient Information Privacy Act, the court may assess the sum of actual damages and profits made by the violator as a result of the violation; provided that damages awarded shall not be less than one thousand dollars ($1,000).
D. If the violator willfully violates this act, the court may also assess punitive damages.
E. Good faith reliance on a subpoena, court order or legislative authorization for disclosure is a complete defense to any civil action brought under this act.
F. A civil action under this section shall not be commenced later than two years after the date upon which the claimant discovered or had a reasonable opportunity to discover the violation.
Section 9. AMENDMENT OF HEALTH CARE INFORMATION.--
A. An individual has the right to have a person that maintains the individual's health care information amend the individual's health care information for as long as the person maintains the individual's health care information.
B. A person may deny an individual's request for amendment of health care information, if the person determines that the health care information that is the subject of the request:
(1) was not created by that person, unless the individual provides a reasonable basis to believe that the person to whom the request for amendment was made is the successor in interest to the creator of the health care information;
(2) is not part of the health care information the person maintains;
(3) would not be available for inspection under state or federal law; or
(4) is accurate and complete.
C. A person maintaining an individual's health care information shall permit the individual to request that the person amend the health care information that the person maintains. The person may require an individual to make a request for amendment in writing and to provide a reason to support a requested amendment; provided that the person informs individuals in advance of such requirements.
D. The person shall act on the individual's request for amendment no later than sixty days after receipt of such a request, as follows:
(1) if the person grants the requested amendment, in whole or in part, the person shall take the actions required by this subsection;
(2) if the person denies the requested amendment, in whole or in part, the person shall provide the individual with a written denial, in accordance with this subsection; or
(3) if the person is unable to act on the amendment within sixty days, the person may extend the time for such action by no more than thirty days; provided that:
(a) the person, within sixty days, provides the individual with a written statement of the reasons for the delay and the date by which the person will complete the action on the request; and
(b) the person may have only one such extension of time for action on a request for amendment.
E. If the person accepts the requested amendment, in whole or in part, the person shall comply with the following requirements:
(1) the person shall make the appropriate amendment to the health care information or record that is the subject of the request for amendment by, at a minimum, identifying the records in the health care information that the person maintains that are affected by the amendment and appending or otherwise providing a link to the location of the amendment;
(2) the amendment shall be made in a legible fashion and inserted directly adjacent to the place in the record that the health care information to be amended exists in the record;
(3) the person shall timely inform the individual that the amendment is accepted and obtain the individual's identification of relevant persons and the individual's agreement to having the person notify the relevant persons with which the amendment needs to be shared in accordance with Paragraph (4) of this subsection; and
(4) the person shall make reasonable efforts to inform and provide the amendment within a reasonable time to:
(a) persons identified by the individual as having received health care information about the individual and needing the amendment; and
(b) persons, including business associates, that the person knows have the health care information that is the subject of the amendment and that may have relied on, or could foreseeably rely on, the information, the lack of which may be to the detriment of the individual.
F. If the person maintaining an individual's health care information denies the requested amendment, in whole or in part, the person shall comply with the following requirements:
(1) the person shall provide the individual with a timely, written denial within sixty days of receiving the request. The denial shall use plain language and contain:
(a) the basis for the denial, in accordance with Subsection B of this section;
(b) the individual's right to submit a written statement disagreeing with the denial and the method by which the individual may file such a statement;
(c) a statement that, if the individual does not submit a statement of disagreement, the individual may request that the person provide the individual's request for amendment and the denial with any future disclosures of the health care information that is the subject of the amendment; and
(d) a description of the method by which the individual may complain to the health care provider or to the secretary of health. The description shall include the name, or title, and telephone number of the contact person or office that the individual may contact to complain;
(2) the person shall permit the individual to submit to the person a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The person may reasonably limit the length of a statement of disagreement;
(3) the person may prepare a written rebuttal to the individual's statement of disagreement. Whenever a rebuttal is prepared, the person shall provide a copy to the individual who submitted the statement of disagreement;
(4) the person shall, as appropriate, identify the record or health care information that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the person's denial of the request, the individual's statement of disagreement, if any, and the person's rebuttal, if any, to the individual's statement of disagreement;
(5) if a statement of disagreement has been submitted by the individual, the person shall include the material appended in accordance with Paragraph (4) of this subsection, or, at the election of the person, an accurate summary of any such information, with any subsequent disclosure of the health care information to which the disagreement relates; and
(6) if the individual has not submitted a written statement of disagreement, the person shall include the individual's request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the individual's health care information.
G. A person that maintains an individual's health care information that is informed by another person of an amendment to an individual's health care information shall amend the health care information in the manner prescribed in Subsection C of this section.
H. A person that maintains health care information shall document the titles of the persons or offices responsible for receiving and processing requests for amendment by individuals and submit this documentation to the secretary of health.
Section 10. EFFECTIVE DATE.--The effective date of the provisions of this act is January 1, 2010.