HOUSE JUDICIARY COMMITTEE SUBSTITUTE FOR

HOUSE BILL 37

48th legislature - STATE OF NEW MEXICO - second session, 2008

 

 

 

 

 

 

 

AN ACT

RELATING TO HEALTH RECORDS; CREATING THE ELECTRONIC MEDICAL RECORDS ACT; AUTHORIZING THE CREATION, MAINTENANCE AND USE OF ELECTRONIC MEDICAL RECORDS; CLARIFYING INDIVIDUAL RIGHTS WITH RESPECT TO THE DISCLOSURE OF INFORMATION CONTAINED IN ELECTRONIC MEDICAL RECORDS; CLARIFYING THE PROTECTION OF PRIVACY OF ELECTRONIC MEDICAL RECORDS.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     Section 1. SHORT TITLE.--This act may be cited as the "Electronic Medical Records Act".

      Section 2. PURPOSE.--The purpose of the Electronic Medical Records Act is to provide for the implementation, maintenance, use and protection of electronic medical records.

     Section 3. DEFINITIONS.--As used in the Electronic Medical Records Act:

          A. "demographic information" means information in an electronic medical record that identifies the individual who is the subject of the medical record, including the individual's name, date of birth, address and other information that identifies the individual, that may be used to identify the individual or that associates the individual with the individual's electronic medical record;

          B. "disclosure" means the release, transfer, provision or otherwise divulging of an individual's electronic medical records to a person other than the holder of the records and includes having access to those records;

          C. "electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities;

          D. "electronic medical record" means a medical record created, generated, sent, communicated, received or stored by electronic means;

          E. "electronic signature" means an electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by an individual with the intent to sign the record;

          F. "health care" means care, services or supplies related to the health of an individual and includes:

                (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care and counseling;

                 (2) service, assessment or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and

                (3) the sale or dispensing of a drug, a device, a piece of equipment or other item in accordance with a prescription;

          G. "health care group purchaser" means a person, other than a person licensed as a property and casualty or workers' compensation insurer, licensed, certified or otherwise authorized or permitted by the New Mexico Insurance Code to pay for or purchase health care on behalf of an identified individual or group of individuals, except for life insurers and disability income insurers, regardless of whether the cost of coverage or services is paid for by the purchaser or the persons receiving coverage or services;

          H. "health care information" means any information, whether oral or recorded in any form or medium, related to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual;

          I. "health care institution" means an institution, facility or agency licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business;

          J. "health care provider" means an individual licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business or practice of a profession;

          K. "health information exchange" means an arrangement among persons providing for the disclosure of electronic medical records;

          L. "information" means data, including text, images, sounds and codes and computer programs, software and databases;

          M. "medical record" means a record of health care information;

          N. "record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form;

          O. "record locator service" means a system that provides a means of identification of the existence and location of the electronic medical records of a specified individual; and

          P. "treatment" means the provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to an individual; or the referral of an individual for health care from one health care provider to another.

     Section 4. IMPLEMENTATION PLAN FOR ELECTRONIC CLAIMS AND BILLING.--

           A. The New Mexico telehealth and health information technology commission, no later than November 1, 2008, shall develop an implementation plan for all health care providers and health care institutions doing business in New Mexico to migrate to the use of electronic claims and bills and for all health care group purchasers doing business in New Mexico to migrate to the use of electronic claims processing and remittance. The plan shall be based on research, best practices, the use of standard forms and processes, national standards and a realistic assessment of the cost of the migration to health care providers, health care institutions and health care group purchasers and of their readiness to make the migration to the use of electronic claims, bills and remittances. The plan shall include:

                (1) how electronic medical records used in the claim and billing process shall be maintained in an electronic database that is secure from misuse, malicious attacks and mistakes through the use of applications, including intrusion detection, access control, auditing, authentication and encryption; and

                (2) how an audit log shall be maintained during the claim and billing process of persons accessing and information disclosed from an individual's electronic medical record that is in the possession of a health care provider, health care institution, health information exchange or health care group purchaser that, at a minimum, includes the identity of the person accessing or receiving disclosures from the electronic medical record, a description of the information accessed or disclosed and the date and time the information was accessed or disclosed.

          B. The implementation plan shall be presented to the department of health by November 1, 2008. After evaluation and consultation, the department, together with the New Mexico telehealth and health information technology commission, shall make recommendations to the governor and the legislature regarding specific legislation or appropriations for implementation of the plan prior to the first session of the forty-ninth legislature.

     Section 5. IMPLEMENTATION PLAN FOR ELECTRONIC MEDICAL RECORDS.--

          A. The New Mexico telehealth and health information technology commission, no later than November 1, 2009, shall develop an implementation plan for all health care providers and health care institutions doing business in New Mexico and for all health care group purchasers doing business in New Mexico to migrate to the use of electronic medical records systems and the exchange of electronic health information. The plan shall be based on research, best practices, the use of standard definitions and protocols, national standards and a realistic assessment of the cost of the migration to health care providers, health care institutions and health care group purchasers and of their readiness to make the migration to the use of electronic medical records systems and the exchange of electronic health information. The plan shall include:

                (1) how electronic medical records shall be maintained in an electronic database that is secure from misuse, malicious attacks and mistakes through the use of applications, including intrusion detection, access control, auditing, authentication and encryption; and

                (2) how an audit log shall be maintained of persons accessing and information disclosed from an individual's electronic medical record that is in the possession of a health care provider, health care institution, health information exchange or health care group purchaser that, at a minimum, includes the identity of the person accessing or receiving disclosures from the electronic medical record, a description of the information accessed or disclosed and the date and time the information was accessed or disclosed.

          B. The implementation plan shall be presented to the department of health by November 1, 2009. After evaluation and consultation, the department, together with the New Mexico telehealth and health information technology commission, shall make recommendations to the governor and the legislature regarding specific legislation or appropriations for implementation of the plan.

     Section 6. ELECTRONIC RECORDS--ELECTRONIC SIGNATURES-- LEGAL RECOGNITION.--If a law requires a medical record to be in writing, or if a law requires a signature pertaining to a medical record, an electronic medical record or an electronic signature satisfies that law.

     Section 7. RETENTION OF ELECTRONIC MEDICAL RECORDS.--

          A. If a law requires that a medical record be retained, the requirement is satisfied by retaining an electronic record that:

                (1) accurately reflects the medical record after it was first generated and in its final form as an electronic medical record or otherwise; and

                (2) remains accessible and is capable of being accurately reproduced for later reference.

          B. A requirement to retain a medical record in accordance with Subsection A of this section does not apply to any information the sole purpose of which is to enable the medical record to be sent, communicated or received.

          C. If a law requires a medical record to be presented or retained in its original form or provides consequences if the medical record is not presented or retained in its original form, that law is satisfied by an electronic medical record retained in accordance with Subsection A of this section.

          D. A medical record retained as an electronic medical record in accordance with Subsection A of this section satisfies a law requiring a person to retain a medical record for evidentiary, audit or other purposes, unless a law enacted after January 1, 2009 specifically prohibits the use of an electronic medical record for the specified purpose.

     Section 8. USE AND DISCLOSURE OF ELECTRONIC HEALTH CARE INFORMATION.--

          A. A health care provider, health care institution, health information exchange or health care group purchaser shall not use or disclose health care information in an individual's electronic medical record to another person in violation of state or federal law.

          B. A health care provider, health care institution or health care group purchaser may disclose demographic information and information about the location of an individual's electronic medical records to a record locator service in accordance with law. A health care provider or health care institution participating in a health information exchange using a record locator service shall not have access to demographic information, information about the location of the individual's electronic medical records or information in an individual's electronic medical record except in connection with the treatment of the individual.

          C. A health information exchange maintaining a record locator service shall maintain an audit log of health care providers and health care institutions accessing information in the record locator service that at least contains information on:

                (1) the identity of the health care provider or health care institution accessing the information;

                (2) the identity of the individual whose information was accessed by the health care provider or health care institution; and

                (3) the date the information was accessed.

          D. A health care group purchaser shall not require a health care provider or health care institution to participate in a record locator service as a condition of payment or participation.

          E. A person operating a record locator service or health information exchange shall provide a mechanism under which individuals may exclude their demographic information and information about the location of their electronic medical records from the record locator service. A person operating a record locator service or a health information exchange that receives an individual's request to exclude all of the individual's information from the record locator service or to have a specific health care provider or health care institution excluded from using the record locator service to access that individual's information is responsible for removing that information from the record locator service.

          F. When requesting demographic information or information in an individual's electronic medical record using a record locator service or a health information exchange, the requesting health care provider or health care institution shall warrant that the request is for the treatment of the individual and the person releasing the information may rely upon the warranty of the person making the request that the request is for the treatment of the individual.

     Section 9. OUT-OF-STATE DISCLOSURES.--A disclosure otherwise permissible under the Electronic Medical Records Act may be made to health care providers, health care institutions or record locator services located or operating outside the state.

     Section 10. HEALTH CARE REPRESENTATIVES.--A health care provider, health care institution or health care group purchaser is not subject to regulatory or disciplinary actions or civil liability for:

          A. complying with a request or authorization made by a person apparently having authority to exercise the rights and powers of an individual pursuant to the Electronic Medical Records Act; or

          B. declining to comply with a request or authorization made by a person based on a reasonable belief that the person lacked authority to exercise the rights and powers of an individual pursuant to the Electronic Medical Records Act.

     Section 11. EFFECTIVE DATE.--The effective date of the provisions of Sections 6 through 10 of this act is January 1, 2009.

- 12 -