SENATE BILL 676

45th legislature - STATE OF NEW MEXICO - first session, 2001

INTRODUCED BY

Manny M. Aragon





FOR THE LEGISLATIVE HEALTH SUBCOMMITTEE



AN ACT

RELATING TO HEALTH INFORMATION; LIMITING USE AND DISCLOSURE OF HEALTH INFORMATION; PROVIDING PERSONAL RIGHTS; REQUIRING INFORMATION SAFEGUARDS; ESTABLISHING CIVIL AND CRIMINAL PENALTIES; ENACTING SECTIONS OF THE NMSA 1978.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

Section 1. SHORT TITLE.--This act may be cited as the "Health Information Privacy Act".

Section 2. DEFINITIONS.--As used in the Health Information Privacy Act:

A. "disclose" means to release, transmit, publish, make available or otherwise divulge protected health information;

B. "electronically maintain" means to store information on a computer or other electronic media from which information may be electronically retrieved;

C. "electronically transmit" means to disclose information using a computer or other electronic media;

D. "health care payer" means a person that provides or pays all or part of the cost of health care services, including a government agency that administers a health care services program, but does not mean a person, or a family member or friend of that person, who pays for his health care services;

E. "health care provider" means a person that is licensed or otherwise authorized by the state to furnish health care services and receives, obtains, creates, uses, maintains or discloses health information;

F. "health care operations" means the activities undertaken by or on behalf of a health care provider, health care payer or health information manager for management or support of health care services or payment;

G. "health care services" means services or supplies provided by a health care provider for the prevention, diagnosis, services, rehabilitation, maintenance, cure or relief of a health condition, illness, injury, disability or disease, including physical, mental and behavioral health and the procuring, storing or administration of blood, genetic materials or tissue;

H. "health information" means information, whether oral, written, electronic, visual, pictorial, physical or in any other form or medium, that relates to the past, present or future:

(1) physical, mental or behavioral health status or condition of a person, including substance abuse;

(2) provision of health care services to the person; or

(3) payment for the provision of health care services for the person;

I. "health information manager" means a health care provider, health care payer, health care clearinghouse, third-party administrator of health care benefits, researcher, employer, school or educational institution, financial institution, labor union, government agency or other person that:

(1) receives, obtains, creates, uses, maintains or discloses health information;

(2) facilitates the electronic transmission of health information between or among health information managers;

(3) processes or facilitates the processing of health information into a standard format for electronic transmission between or among health information managers; or

(4) transforms protected health information into non-personally identifiable health information;

J. "health oversight agency" means a government agency or an authorized contractor that performs or oversees the performance of an audit, investigation, inspection, licensure or disciplinary, administrative or other proceeding;

K. "personal representative" means:

(1) a person legally authorized to make a health care decision for another person pursuant to the Uniform Health-Care Decisions Act;

(2) the administrator or executor of a decedent's estate; or

(3) a person authorized by law to act on behalf of a decedent;

L. "protected health information" means health information that reveals, or could reasonably be foreseen to reveal, the identity of the person whose health care is the subject of the health information;

M. "public health agency" means a government agency or an authorized contractor that is responsible for activities primarily aimed at the prevention of injury, disease, disability or premature mortality or the promotion of health in the community, development of public health policy, response to public health needs and emergencies and the collection of data on disease, injury and vital events such as birth or death; and

N. "security standard" means a requirement, guideline or best practice designed to protect data privacy, integrity or availability.

Section 3. GENERAL PROVISIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION.--

A. No health information manager shall use or disclose protected health information unless authorized pursuant to the Health Information Privacy Act or as otherwise required by law.

B. A health information manager may use or disclose protected health information:

(1) to provide health care services to the person whose health care is the subject of the information;

(2) to pay for the provision of health care services to the person whose health care is the subject of the information;

(3) for health care operations; and

(4) as otherwise authorized pursuant to the Health Information Privacy Act.

C. Permitted or required use or disclosure of protected health information by a health information manager shall be:

(1) directly related to the purpose for which the use or disclosure of the protected health information is permitted or required;

(2) limited to the minimum amount of protected health information necessary to accomplish the intended purpose, to the extent reasonably practical; and

(3) restricted to situations where use of non-protected health information is not a reasonable alternative.

D. Except as required by law, nothing in the Health Information Privacy Act shall be construed to require the disclosure of protected health information.

E. Nothing in the Health Information Privacy Act shall be construed to prevent a person from using or disclosing his protected health information in an otherwise lawful manner.

F. A health information manager shall comply with the provisions of the Health Information Privacy Act for a decedent's protected health information for two years following the death of the person, except as required for law enforcement activities or judicial proceedings.

G. A personal representative may exercise the rights of the person represented pursuant to the Health Information Privacy Act. If the person is a minor and is authorized by law to consent to health care services without parental consent, only the minor may exercise the rights of a person pursuant to the Health Information Privacy Act regarding the protected health information that relates to the health care services for which the minor lawfully consented.

Section 4. DISCLOSURE HISTORY.--

A. A health information manager shall maintain a record of all disclosures of protected health information made by the health information manager, provided that:

(1) disclosures for the provision of health care services, health care payment or health care operations need not be recorded if the disclosure is confined to recipients within the health-related divisions of the health information manager;

(2) disclosures made in accordance with a law that requires reporting of health information to a government agency need not be recorded; and

(3) a health care manager shall be exempt from maintaining a record of disclosures made for the provision of health care services or health care payment. B. A person shall be permitted to see the record of disclosures of his protected health information, except for disclosures prohibited, restricted or limited by court order.

C. The record of disclosures shall be retained for the life of the record to which it relates.

Section 5. USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION WITHOUT PERSONAL AUTHORIZATION.--

A. A health information manager may use or disclose protected health information without a person's authorization when necessary for providing health care services, health care payment or health care operations; provided that the use or disclosure shall be limited to the information necessary to provide health care services.

B. A health information manager may disclose protected health information without a person's authorization to a health oversight agency for authorized oversight activities.

C. A health information manager may disclose protected health information without a person's authorization to a government agency or a government agency contractor for inclusion in a governmental health data system that collects and analyzes health data for authorized policy, planning, regulation or management.

D. A health information manager may disclose protected health information without the person's authorization to a court or a law enforcement official if the disclosure is authorized by law or pursuant to a warrant, subpoena or order issued by a judge.

E. A health information manager may disclose protected health information concerning a decedent without his personal representative's authorization to a medical investigator or examiner to identify the decedent or determine a cause of death.

Section 6. USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION WITH A PERSON'S AUTHORIZATION.--

A. A health information manager shall request and obtain authorization from a person for all uses and disclosures of the person's protected health information that are:

(1) not directly related to the provision of health care services to the person, payment for the provision of health care services to the person or health care operations;

(2) to a health care provider or health plan, prior to a person's enrollment in a health plan, for the purpose of making eligibility or enrollment determinations relating to the person or for underwriting or risk rating determinations; or

(3) to an employer for use in employment determinations.

B. A person may request and authorize a health information manager to disclose his protected health information. The health information manager shall honor the request and authorization.

C. A person may revoke or amend an authorization to disclose protected health information at any time, except to the extent that the health information manager has taken action in reliance on the authorization.

D. A health information manager shall not condition the provision of health care services to a person or payment for health care services on a person's authorization of use or disclosure of protected health information, except where the authorization is requested in connection with the person's voluntary participation in a clinical research trial. E. A person's authorization to use or disclose protected health information shall:

(1) be on a document other than that for which the person consents to health care services;

(2) be in writing, dated and signed by the person; and

(3) include a description of the information to be disclosed, the identity of the intended recipient, the date or event by which the authorization expires and a statement that the person has the right to revoke or amend the authorization.

F. A health information manager that requests a person to authorize use or disclosure of protected health information shall provide a copy of the authorization to the person. A health information manager that discloses protected health information pursuant to a person's authorization shall keep a copy of the authorization, or revocation or amendment of authorization, and a record of the disclosure.

Section 7. PERSONAL ACCESS TO PROTECTED HEALTH INFORMATION.--

A. A health information manager shall permit a person to inspect, access or copy in a timely manner his protected health information, except as provided in Subsection B of this section.

B. A health information manager may deny a person's request to inspect and copy the person's protected health information if the disclosure is prohibited by law or court order.

C. A denial of a person's request to inspect and copy the person's protected health information shall be limited to the minimum amount of protected health information necessary to effectuate the reason for the denial, and the person shall be permitted to inspect and obtain a copy of any portion of the requested information not subject to the denial.

D. A health information manager shall provide protected health information pursuant to the person's request and authorization for disclosure at no cost for one retrieval or copy of the protected health information in a twelve-month period.

Section 8. CORRECTION OR AMENDMENT OF PROTECTED HEALTH INFORMATION.--For purposes of accuracy or completeness, a person, health care provider or health care payer may request a health information manager to correct or amend a person's protected health information held by the health information manager. Upon written request from a person, as promptly as required under the circumstances but no later than thirty days after receiving the request, the health information manager shall make the correction or amendment. The person may correct his name, address, phone number or other non-health related information, but any information related to health care services shall become an amendment to the protected health information. The original health information shall not be corrected unless the health care provider who rendered the health care services authorizes the corrections.

Section 9. NOTICE OF INFORMATION PRACTICES.--

A. A health information manager shall prepare a written notice in plain language to inform persons of the health information manager's information practices and persons' rights regarding protected health information, including:

(1) the uses and disclosures of protected health information authorized by the Health Information Privacy Act;

(2) the right of the person to prevent or limit disclosure of protected health information as provided in the Health Information Privacy Act;

(3) the right of the person to access, inspect or copy protected health information and to request corrections or amendments;

(4) the procedures for authorizing disclosure and for revoking authorization for disclosure of protected health information;

(5) the procedures for the exercise and redress of rights under the Health Information Privacy Act; and

(6) the availability of a copy at no charge in a twelve-month period and subsequent reasonable fees, if any, for inspection, copying, distribution or provision of protected health information.

B. A health information manager shall:

(1) provide a copy of the written notice to a person at the first health care service delivery after the effective date of the Health Information Privacy Act; and

(2) post a copy of the notice in a conspicuous location.

C. A health care payer shall include in the notice an explanation of the information required in Subsection A of this section, as consistent with the provisions of the Patient Protection Act, to newly enrolled or covered persons or when enrollment or coverage occurs.

Section 10. INFORMATION SAFEGUARDS.--

A. A health information manager shall establish and maintain reasonable and appropriate administrative, technical and physical safeguards to:

(1) ensure the confidentiality, security, accuracy and integrity of protected health information in its possession;

(2) protect against reasonably anticipated threats or hazards to the security or integrity of protected health information in its possession; and

(3) protect against unauthorized use or disclosure of protected health information in its possession.

B. A health information manager shall periodically assess potential risks and vulnerabilities to the protected health information in its possession and implement, maintain and document security measures necessary to ensure the privacy of the protected health information as required by the Health Information Privacy Act.

C. A health information manager shall implement, maintain and document the security standards for all protected health information that the health information manager electronically maintains or transmits.

Section 11. AUTHORITY OF THE DEPARTMENT OF HEALTH.--

A. The department of health shall establish administrative procedures for addressing complaints from persons concerning the use or disclosure of their protected health information by a health information manager or their rights under the provisions of the Health Information Privacy Act.

B. The department of health shall develop and promulgate security standards to protect the confidentiality, integrity and availability of protected health information that is electronically maintained or electronically transmitted.

C. The security standards shall comply with state and federal information security standards, including:

(1) administrative procedures to manage the implementation of security measures and the conduct of personnel in relation to the protection of data;

(2) physical safeguards to protect computer systems and related equipment and buildings from intrusion, fire and other natural and environmental hazards;

(3) technical security services to protect information and control authorized access to information; and

(4) technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network.

D. The department of health shall establish an advisory committee to assist it in developing and periodically reviewing health data security standards. The advisory committee shall consist of representatives of public and private health information managers, state agencies that electronically maintain or electronically transmit protected health information, consumers and professionals with expertise in areas such as information systems and data security. The advisory committee shall make recommendations to the department of health on:

(1) appropriate security standards for protected health information that is electronically maintained or electronically transmitted;

(2) implementation of security standards, including time requirements and phase-in options, if any; and

(3) review and revision of security standards.

E. The department of health shall promulgate rules to implement the provisions of the Health Information Privacy Act.

F. The department of health shall:

(1) independently monitor compliance with the information safeguards and security standards of the Health Information Privacy Act;

(2) inspect documentation of security standards and require additional documentation;

(3) inspect a health information manager's data systems and premises;

(4) receive reports of violations of the information safeguards and security standards of the Health Information Privacy Act; and

(5) order corrective measures.

Section 12. CIVIL PENALTIES.--

A. The attorney general or district attorney may bring a civil action against a health information manager for violating the provisions of the Health Information Privacy Act or to otherwise enforce those provisions.

B. A person whose protected health information has been wrongfully used or disclosed or whose rights under the provisions of the Health Information Privacy Act have been violated may bring a civil action against a health information manager for damages or other relief.

C. The court may order a health information manager who violates the provisions of the Health Information Privacy Act to comply with those provisions and may order other appropriate relief, including:

(1) damages for economic and non-economic loss;

(2) damages of up to five thousand dollars ($5,000) per violation in addition to any economic and non-economic loss if the violation results from willful or grossly negligent conduct;

(3) a civil penalty of not more than five thousand dollars ($5,000) per violation if the violation results from willful or grossly negligent conduct; and

(4) reasonable attorney fees and appropriate court costs.

D. In an action by a person alleging that protected health information was improperly withheld from the person, the burden of proof is on the health information manager to prove that the information was properly withheld.

E. A health information manager that discloses protected health information pursuant to a person's authorization that has been revoked or amended shall not be subject to liability or penalty under the Health Information Privacy Act if the health information manager had no actual or constructive notice of the revocation or amendment at the time the information was disclosed.

F. A court may use protected health information to determine the cause of damage or injury and award appropriate relief.

G. Each instance of wrongful use or disclosure of protected health information or wrongful denial of a person's rights under the provisions of the Health Information Privacy Act constitutes a separate and actionable violation of the Health Information Privacy Act.

H. Nothing in the Health Information Privacy Act shall be construed to affect the rights and remedies available to a person under other law.

Section 13. CRIMINAL PENALTIES.--

A. A health information manager who knowingly uses or discloses protected health information in violation of the Health Information Privacy Act is guilty of a misdemeanor and shall be punished by a fine of not more than five thousand dollars ($5,000) or imprisonment for a definite term not to exceed one year, or both.

B. A health information manager who knowingly uses or discloses protected health information under false pretenses or with the intent to sell or transfer the information for commercial advantage, personal gain or malicious harm in violation of the Health Information Privacy Act is guilty of a fourth degree felony and shall be punished by a fine of not more than five thousand dollars ($5,000) or imprisonment for a definite term not to exceed eighteen months, or both.

Section 14. EFFECT ON OTHER STATE LAWS.--

A. Nothing in the Health Information Privacy Act shall be construed to invalidate or limit the authority, power or procedures established under any law providing for:

(1) reporting of disease or injury, abuse or neglect, or birth, death or other vital events;

(2) public health investigation or intervention; or

(3) a governmental health data system that collects and analyzes health data for policy, planning, regulatory or management functions authorized by law.

B. The provisions of the Health Information Privacy Act shall prevail over any other contrary provision of state law, except that a contrary provision of state law shall prevail over a provision of the Health Information Privacy Act if with respect to personally identifiable health information the contrary provision of state law requires:

(1) more limited use or disclosure of the information;

(2) greater rights for persons to access or amend their information;

(3) greater penalties for unlawful use or disclosure of the information;

(4) a more detailed explanation to be provided to a person about a proposed use or disclosure of information, the rights of the person, the availability of remedies or similar issues;

(5) a narrower scope or shorter duration of a person's authorization for use or disclosure of information, or procedures that increase the difficulty of obtaining a person's authorization or reduce the coercive effect of the circumstances surrounding the authorization;

(6) the retention or reporting of more detailed information or for a longer duration; or

(7) greater privacy protection for the person with respect to any other related matter.

- 20 -