SENATE BILL 305
48th legislature - STATE OF NEW MEXICO - second session, 2008
INTRODUCED BY
Joseph J. Carraro
AN ACT
RELATING TO HEALTH RECORDS; CREATING THE ELECTRONIC MEDICAL RECORDS ACT; AUTHORIZING THE CREATION, MAINTENANCE AND USE OF ELECTRONIC MEDICAL RECORDS; PROVIDING FOR INDIVIDUAL RIGHTS WITH RESPECT TO THE DISCLOSURE OF INFORMATION CONTAINED IN ELECTRONIC MEDICAL RECORDS; PROVIDING FOR THE PROTECTION OF PRIVACY OF ELECTRONIC MEDICAL RECORDS; CREATING PENALTIES.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
Section 1. SHORT TITLE.--This act may be cited as the "Electronic Medical Records Act".
Section 2. PURPOSE.--The purpose of the Electronic Medical Records Act is to provide for the implementation, maintenance, use and protection of electronic medical records.
Section 3. DEFINITIONS.--As used in the Electronic Medical Records Act:
A. "authorization" means a document that meets the requirements of a valid authorization under 45 C.F.R. Section 164.508(b);
B. "business associate" means a person acting as a business associate in accordance with the provisions of 45 C.F.R. Sections 160.103 and 164.502(e)(1);
C. "demographic information" means information in a medical record that identifies the individual that is the subject of the medical record, including the individual's name, date of birth, address and other information that identifies the individual; that may be used to identify the individual; or that associates the individual with the individual's medical record;
D. "disclosure" means the release, transfer, provision or otherwise divulging of an individual's medical records to a person other than the holder of the records and includes having access to those records;
E. "electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities;
F. "electronic medical record" means a medical record created, generated, sent, communicated, received or stored by electronic means;
G. "electronic signature" means an electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by an individual with the intent to sign the record;
H. "health care" means care, services or supplies related to the health of an individual and includes:
(1) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care and counseling;
(2) service, assessment or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and
(3) the sale or dispensing of a drug, a device, a piece of equipment or other item in accordance with a prescription;
I. "health care group purchaser" means a person licensed, certified or otherwise authorized or permitted by law to pay for or purchase health care on behalf of an identified group of individuals, regardless of whether the cost of coverage or services is paid for by the purchaser or the persons receiving coverage or services;
J. "health care information" means any information, whether oral or recorded in any form or medium, related to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual;
K. "health care institution" means an institution, facility or agency licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business;
L. "health care provider" means an individual licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business or practice of a profession;
M. "health information exchange" means an arrangement among persons providing for the disclosure of electronic medical records;
N. "individually identifiable health information" means health care information that is created or received by a health care provider, health care institution or group health care purchaser:
(1) that identifies the individual that is the subject of the health care information; or
(2) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual that is the subject of the health care information;
O. "information" means data, including text, images, sounds and codes and computer programs, software and databases;
P. "medical emergency" means a situation or condition that requires medically necessary health care immediately to preserve life, to prevent serious impairment to bodily functions, organs or parts or to prevent placing the physical or mental health of an individual in serious jeopardy;
Q. "medical record" means a record of health care information, including records of the disclosure of information in the medical record;
R. "record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form;
S. "record locator service" means a system that provides a means of identification of the existence of and location of the electronic medical records of a specified individual; and
T. "related health care entity" means an affiliate of a health care provider or health care institution disclosing the information. As used in this subsection, "affiliate" means an entity that controls, is controlled by or is under common control with another entity.
Section 4. IMPLEMENTATION PLAN FOR ELECTRONIC CLAIMS AND BILLING.--
A. The New Mexico telehealth and health information technology commission, no later than June 1, 2009, shall develop an implementation plan for all health care providers and health care institutions doing business in New Mexico to migrate to the use of electronic claims and bills and all health care group purchasers doing business in New Mexico to migrate to the use of electronic claims processing and remittance. The plan shall be based on research, best practices, the use of standard forms and processes, national standards and a realistic assessment of the cost of the migration to health care providers, health care institutions and health care group purchasers and of their readiness to make the migration to the use of electronic claims, bills and remittances.
B. The implementation plan shall be presented to the department of health by July 1, 2009. After evaluation and consultation, the department, together with the New Mexico telehealth and health information technology commission, shall make recommendations to the governor and the legislature regarding specific legislation or appropriations for implementation of the plan.
Section 5. IMPLEMENTATION PLAN FOR ELECTRONIC MEDICAL RECORDS.--
A. The New Mexico telehealth and health information technology commission, no later than June 1, 2010, shall develop an implementation plan for all health care providers and health care institutions doing business in New Mexico and all health care group purchasers doing business in New Mexico to migrate to the use of electronic medical records systems and the exchange of electronic health information. The plan shall be based on research, best practices, the use of standard definitions and protocols, national standards and a realistic assessment of the cost of the migration to health care providers, health care institutions and health care group purchasers and of their readiness to make the migration to the use of electronic medical records systems and the exchange of electronic health information.
B. The implementation plan shall be presented to the department of health by July 1, 2010. After evaluation and consultation, the department, together with the New Mexico telehealth and health information technology commission, shall make recommendations to the governor and the legislature regarding specific legislation or appropriations for implementation of the plan.
Section 6. ELECTRONIC RECORDS--ELECTRONIC SIGNATURES--LEGAL RECOGNITION.--
A. A medical record or a signature pertaining to a medical record shall not be denied legal effect solely because it is in electronic form.
B. If a law requires a medical record to be in writing, an electronic medical record satisfies that law.
C. If a law requires a signature pertaining to a medical record, an electronic signature satisfies that law.
Section 7. ATTRIBUTION AND EFFECT OF ELECTRONIC MEDICAL RECORDS AND ELECTRONIC SIGNATURES.--
A. An electronic medical record or an electronic signature pertaining to a medical record is attributable to an individual if it was the act of that individual. The act of that individual may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the individual to whom the electronic medical record or the electronic signature pertaining to the medical record was attributable.
B. The effect of an electronic medical record or an electronic signature pertaining to a medical record attributed to an individual under Subsection A of this section is determined from the context and surrounding circumstances at the time of its creation, execution or adoption and as otherwise provided by law.
Section 8. NOTARIZATION AND ACKNOWLEDGMENT.--If a law requires a medical record or a signature pertaining to a medical record to be notarized, acknowledged, verified or made under oath, the requirement is satisfied if the electronic signature of the person authorized to perform those acts, together with all other information required to be included by other applicable law, is attached to or logically associated with the medical record or with the signature pertaining to the medical record.
Section 9. RETENTION OF ELECTRONIC MEDICAL RECORDS.--
A. If a law requires that a medical record be retained, the requirement is satisfied by retaining an electronic record of the information in the medical record that:
(1) accurately reflects the information set forth in the medical record after it was first generated in its final form as an electronic medical record or otherwise; and
(2) remains accessible and is capable of being accurately reproduced for later reference.
B. A requirement to retain a medical record in accordance with Subsection A of this section does not apply to any information the sole purpose of which is to enable the medical record to be sent, communicated or received.
C. A person may satisfy Subsection A of this section by using the services of another person if the requirements of that subsection are satisfied.
D. If a law requires a medical record to be presented or retained in its original form or provides consequences if the medical record is not presented or retained in its original form, that law is satisfied by an electronic medical record retained in accordance with Subsection A of this section.
E. A medical record retained as an electronic medical record in accordance with Subsection A of this section satisfies a law requiring a person to retain a medical record for evidentiary, audit or other purposes, unless a law enacted after the effective date of the Electronic Medical Records Act specifically prohibits the use of an electronic medical record for the specified purpose.
Section 10. ADMISSIBILITY AS EVIDENCE.--In an evidentiary proceeding, evidence of a medical record or of a signature pertaining to a medical record shall not be excluded solely because it is in electronic form.
Section 11. DISCLOSURE OF HEALTH CARE INFORMATION.--
A. A health care provider, health care institution or health care group purchaser shall not disclose health care information in an individual's medical record to another person without:
(1) an authorization from the individual;
(2) specific authorization in law; or
(3) a representation from a health care provider, health care institution or health care group purchaser that it holds an authorization from the individual authorizing the disclosure.
B. Health care information in an individual's medical record, the pertinent portion of a medical record relating to a specific condition or a summary of the medical record shall promptly be furnished to another health care provider, health care institution or health care group purchaser upon the written request of the individual. The written request shall specify the name of the health care provider, health care institution or health care group purchaser to whom the medical record is to be furnished. The health care provider, health care institution or health care group purchaser that furnishes the medical record or summary may retain a record of the information furnished. The individual shall be responsible for the reasonable costs incurred by the health care provider, health care institution or health care group purchaser in furnishing the health care information.
C. An authorization to disclose medical records is valid for one year or for a lesser period specified in the authorization unless:
(1) a different period is provided by law;
(2) the disclosure of information in a medical record is to a health care provider that is being advised or consulted with in connection with the disclosing health care provider's or health care institution's current treatment of the individual and a longer period of time is necessary; or
(3) the disclosure of information in a medical record is to a health care group purchaser or third-party administrator for purposes of payment of claims, fraud investigation or quality of care review and studies and a longer period of time is necessary; provided that:
(a) further use or disclosure of the individually identifiable health information in the medical record to a person other than the individual without the individual's consent is prohibited; and
(b) the recipient establishes adequate safeguards to protect the health care information from unauthorized disclosure, including a procedure for removal or destruction of demographic information.
D. This section does not prohibit the disclosure by a health care provider, health care institution or health care group purchaser of information in an individual's medical record:
(1) for treatment of an individual in a medical emergency when the health care provider or health care institution is unable to obtain the individual's authorization due to the individual's condition or the nature of the medical emergency;
(2) to other health care providers within the same or related health care entities when necessary for the current treatment of the individual;
(3) to a business associate;
(4) in the form of a limited data set in accordance with the requirements of 45 C.F.R. Section 164.514(e); or
(5) in a form that meets the standard and implementation specifications for de-identification under 45 C.F.R. Sections 164.514(a) and (b).
E. A health care provider, health care institution or health care group purchaser may disclose demographic information and information about the location of an individual's medical records to a record locator service without authorization from the individual, unless the individual has elected to be excluded from the record locator service under Subsection H of this section. Except in the case of a medical emergency, a health care provider, health care institution or health care group purchaser participating in a health information exchange using a record locator service shall not have access to demographic information and information about the location of the individual's medical records without the individual's authorization for the access.
F. A health information exchange maintaining a record locator service shall maintain an audit log of health care providers, health care institutions and health care group purchasers accessing information in the record locator service that at least contains information on:
(1) the identity of the health care provider, health care institution or health care group purchaser accessing the information;
(2) the identity of the individual whose information was accessed by the health care provider, health care institution or health care group purchaser; and
(3) the date the information was accessed.
G. A health care group purchaser shall not require a health care provider or health care institution to participate in a record locator service as a condition of payment or participation.
H. A person operating a record locator service or health information exchange shall provide a mechanism under which individuals may exclude their demographic information and information about the location of their medical records from the record locator service. At a minimum, an authorization form that permits a health care provider, health care institution or health care group purchaser to access a record locator service shall include a conspicuous check-box option that allows an individual to exclude all of the individual's information from the record locator service. A health care provider, health care institution or health care group purchaser that participates in a health information exchange with a record locator service and that receives an individual's request to exclude all of the individual's information from the record locator service or to have a specific health care provider, health care institution or health care group purchaser excluded from using the record locator service to access that individual's information is responsible for removing that information from the record locator service.
I. In cases where a health care provider, health care institution or health care group purchaser discloses information in an individual's medical record without the individual's authorization, the disclosure shall be documented in the individual's medical record.
J. When individually identifiable health information is disclosed using a representation from a health care provider, health care institution or health care group purchaser that holds an authorization from the individual, the disclosing health care provider, health care institution or health care group purchaser shall document:
(1) the health care provider, health care institution or health care group purchaser requesting the information;
(2) the identity of the individual;
(3) the information in the medical record requested; and
(4) the date the information was requested.
K. When requesting information in a medical record using an authorization, or a representation of holding an authorization, a person, health care provider, health care institution or health care group purchaser warrants that the request:
(1) contains no information known to the person, health care provider, health care institution or health care group purchaser to be false;
(2) accurately states the individual's desire to have information in the individual's medical record disclosed or that there is specific authorization in law for the disclosure; and
(3) does not exceed any limits imposed by the individual in the authorization.
L. When requesting information in an individual's medical record in a medical emergency without an authorization from that individual, the requesting person shall warrant the existence of a medical emergency, in which case a person releasing the information may rely upon the warranty of the person making the request that a medical emergency exists.
M. When disclosing information in an individual's medical record, a person releasing such information warrants that the person:
(1) has complied with the requirements of this section regarding disclosure of medical records;
(2) knows of no information related to the request that is false; and
(3) has complied with any limits set by the individual in the authorization.
Section 12. OUT-OF-STATE DISCLOSURES.--A disclosure otherwise permissible under the Electronic Medical Records Act may be made to persons, health care providers, health care institutions, health care group purchasers or record locator services located or operating outside the state.
Section 13. HEALTH CARE REPRESENTATIVES.--
A. A person authorized to consent to health care for an individual may exercise the rights and powers of that individual under the Electronic Medical Records Act, consistent with that authority. If an individual is a minor and is authorized by law to consent to health care without parental consent, the minor and not the parent of the minor may exercise the rights and powers related to the information in the minor's medical record under the Electronic Medical Records Act.
B. A person exercising authority to act for an individual under the Electronic Medical Records Act shall act in good faith to represent the best interests of the individual.
C. A health care provider, health care institution or health care group purchaser is not subject to regulatory or disciplinary actions or civil liability for:
(1) complying with a request or authorization made by a person apparently having authority to exercise the rights and powers of an individual under the Electronic Medical Records Act; or
(2) declining to comply with a request or authorization made by a person based on a belief that the person lacked authority to exercise the rights and powers of an individual under the Electronic Medical Records Act.
Section 14. DISCLOSURE OF MEDICAL RECORDS FOR RESEARCH.-- Notwithstanding the provisions of Section 11 of the Electronic Medical Records Act, information in an individual's medical record may be disclosed by a health care provider, health care institution or health care group purchaser to a researcher solely for purposes of medical or scientific research in accordance with the provisions of 45 C.F.R. Section 164.512(i).
Section 15. PENALTIES.--
A. A violation of any provision of the Electronic Medical Records Act may be grounds for regulatory or disciplinary action against a health care provider, health care institution or health care group purchaser by the appropriate licensing board or regulatory agency.
B. A person is liable to an individual for compensatory damages caused by an unauthorized disclosure, plus costs and reasonable attorney fees if the person:
(1) negligently or intentionally requests or discloses information in the individual's medical record in violation of the provisions of the Electronic Medical Records Act;
(2) forges a signature on an authorization form or materially alters the authorization form of the individual without the individual's consent; or
(3) obtains an authorization form or information in the individual's medical records under false pretenses.
C. An individual is entitled to receive compensatory damages plus costs and reasonable attorney fees if a health information exchange maintaining a record locator service, or a person maintaining a record locator service for a health information exchange, negligently or intentionally violates the provisions of the Electronic Medical Records Act.