NOTE: As provided in LFC policy, this report is intended for use by the standing finance committees of the legislature. The Legislative Finance Committee does not assume responsibility for the accuracy of the information in this report when used in any other situation.
Only the most recent FIR version, excluding attachments, is available on the Intranet. Previously issued FIRs and attachments may be obtained from the LFC office in Suite 101 of the State Capitol Building North.
SPONSOR: | SJC | DATE TYPED: | 03/05/01 | HB | |||
SHORT TITLE: | Health Information Privacy Act | SB | 676/SJCS | ||||
ANALYST: | Wilson |
Recurring
or Non-Rec |
Fund
Affected | ||||
FY01 | FY02 | FY01 | FY02 | ||
See Narrative |
(Parenthesis ( ) Indicate Expenditure Decreases)
SOURCES OF INFORMATION
Health Policy Commission (HPC)
Human Services Department (HSD)
SUMMARY
Synopsis of Bill
SB 676/SJCS protects health data and information by requiring that health information managers comply with the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). SB 676/SJCS requires health information managers to establish and maintain privacy
procedures and provides for civil and criminal penalties. The Health Information Privacy Act now has an effective date of June 30, 2003.
Significant Issues
HSD has noted that SB 676/SJCS makes specific exceptions to federal law. Section 3 essentially specifies that Section 7 take precedence over the cited federal laws. Some provisions of Section 7 contradict the federal law.
The Human Services Department (HSD) is the New Mexico state agency charged under the Social Security and Food Stamp Acts with providing safeguards restricting the use and disclosure of information concerning applicants and recipients to purposes directly connected with the administration of programs under the Acts.
42 USC Section 1396 a(a)(7) is the relevant federal statute pertaining to the safeguarding of Medicaid information. Section 3 only refers to Part C of Title 11 of the Social Security Act. Thus, SB 676/SJCs would fall short of assuring that Medicaid information would be protected. Section 3 should be expanded to include the above statute.
FISCAL IMPLICATIONS
By generally following federal law and having an implementation date that approximates the new federal privacy requirements, the fiscal implications are no greater than will be required under federal law.
However, if HSD or any other state agency is in violation of state or federal statutes and regulations, it could face monetary penalties in accordance with Section 5 and criminal penalties in accordance with Section 6.
ADMINISTRATIVE IMPLICATIONS
By generally following federal law and having an implementation date that approximates the new federal privacy requirements, the administrative implications are no greater than will be required under federal law.
RELATIONSHIP
Relates to: HB 829, Health Information Privacy Act
TECHNICAL ISSUES
The HPC noted that in Section 3, the requirement to comply with the privacy requirements of HIPAA, Title 2, Subtitle F, Part C, Section 264, should be clarified to require compliance with any privacy regulations issued in accordance with this section in HIPAA.
OTHER SUBSTANTIVE ISSUES
The Health Information and Privacy Act would require health information managers to comply with the privacy requirements of HIPAA. These requirements have been outlined by the HPC and are as follows:
"The Privacy Rule affects over 600,000 entities and virtually every American. It is estimated to cost in excess of $17.6 billion over ten years. The Department received over 52,000 public comments in the public comment period on the proposed rule; in the period following publication of the final rule, HHS has received approximately a thousand inquiries about the impact and operation of the Privacy Rule on numerous sectors of the economy. Many comments exhibit substantial confusion over how the Rule will operate; others express great concern over the complexity and workability of the Rule. The significance of the Privacy Rule for the health care industry and for society as a whole, and the substantial nature of some concerns that have been raised have led us to conclude that an additional comment period on the Privacy Rule is warranted."
DW/ar