NOTE: As provided in LFC policy, this report is intended for use by the standing finance committees of the legislature.  The Legislative Finance Committee does not assume responsibility for the accuracy of the information in this report when used in any other situation.



Only the most recent FIR version, excluding attachments, is available on the Intranet. Previously issued FIRs and attachments may be obtained from the LFC office in Suite 101 of the State Capitol Building North.





F I S C A L I M P A C T R E P O R T





SPONSOR: SJC DATE TYPED: 03/05/01 HB
SHORT TITLE: Health Information Privacy Act SB 676/SJCS
ANALYST: Wilson


APPROPRIATION



Appropriation Contained
Estimated Additional Impact
Recurring

or Non-Rec

Fund

Affected

FY01 FY02 FY01 FY02
See Narrative



(Parenthesis ( ) Indicate Expenditure Decreases)

SOURCES OF INFORMATION



Health Policy Commission (HPC)

Human Services Department (HSD)



SUMMARY



Synopsis of Bill



SB 676/SJCS protects health data and information by requiring that health information managers comply with the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA). SB 676/SJCS requires health information managers to establish and maintain privacy

procedures and provides for civil and criminal penalties. The Health Information Privacy Act now has an effective date of June 30, 2003.



Significant Issues



HSD has noted that SB 676/SJCS makes specific exceptions to federal law. Section 3 essentially specifies that Section 7 take precedence over the cited federal laws. Some provisions of Section 7 contradict the federal law.



The Human Services Department (HSD) is the New Mexico state agency charged under the Social Security and Food Stamp Acts with providing safeguards restricting the use and disclosure of information concerning applicants and recipients to purposes directly connected with the administration of programs under the Acts.



42 USC Section 1396 a(a)(7) is the relevant federal statute pertaining to the safeguarding of Medicaid information. Section 3 only refers to Part C of Title 11 of the Social Security Act. Thus, SB 676/SJCs would fall short of assuring that Medicaid information would be protected. Section 3 should be expanded to include the above statute.



FISCAL IMPLICATIONS



By generally following federal law and having an implementation date that approximates the new federal privacy requirements, the fiscal implications are no greater than will be required under federal law.



However, if HSD or any other state agency is in violation of state or federal statutes and regulations, it could face monetary penalties in accordance with Section 5 and criminal penalties in accordance with Section 6.



ADMINISTRATIVE IMPLICATIONS



By generally following federal law and having an implementation date that approximates the new federal privacy requirements, the administrative implications are no greater than will be required under federal law.



RELATIONSHIP



Relates to: HB 829, Health Information Privacy Act



TECHNICAL ISSUES



The HPC noted that in Section 3, the requirement to comply with the privacy requirements of HIPAA, Title 2, Subtitle F, Part C, Section 264, should be clarified to require compliance with any privacy regulations issued in accordance with this section in HIPAA.



OTHER SUBSTANTIVE ISSUES



The Health Information and Privacy Act would require health information managers to comply with the privacy requirements of HIPAA. These requirements have been outlined by the HPC and are as follows:



"The Privacy Rule affects over 600,000 entities and virtually every American. It is estimated to cost in excess of $17.6 billion over ten years. The Department received over 52,000 public comments in the public comment period on the proposed rule; in the period following publication of the final rule, HHS has received approximately a thousand inquiries about the impact and operation of the Privacy Rule on numerous sectors of the economy. Many comments exhibit substantial confusion over how the Rule will operate; others express great concern over the complexity and workability of the Rule. The significance of the Privacy Rule for the health care industry and for society as a whole, and the substantial nature of some concerns that have been raised have led us to conclude that an additional comment period on the Privacy Rule is warranted."

DW/ar