An Act To Protect Consumers' Health Information Records
Be it enacted by the People of the State of Maine as follows:
Sec. 1. 22 MRSA §1711, as amended by PL 2003, c. 418, §1, is further amended by adding at the end a new paragraph to read:
A medical record in the possession of a health care practitioner is the property of the patient who is the subject of the record.
Sec. 2. 22 MRSA §1711-A, as amended by PL 2003, c. 418, §2, is further amended to read:
Whenever a health care practitioner defined in section 1711-B furnishes requested copies of a patient's treatment record or a medical report or an addition to a treatment record or medical report to the patient or the patient's authorized representative, if the record is in written form the charge for the copies or the report may not exceed the reasonable costs incurred by the health care practitioner in making and providing the copies or the report. The charge for copies of records may not exceed $10 for the first page and 35¢ for each additional page. If the record is in electronic form, the charge for the copy may not be greater than the health care practitioner's labor costs in responding to the request for a copy.
Sec. 3. 22 MRSA §1711-C, sub-§1, ¶A-2 is enacted to read:
A-2. "Breach of the security of the system" or "security breach" has the same meaning as in Title 10, section 1347, subsection 1.
Sec. 4. 22 MRSA §1711-C, sub-§1, ¶A-3 is enacted to read:
A-3. "Business associate" means a person who, on behalf of a health care practitioner other than as an employee of the health care practitioner, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health care information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for the health care practitioner, or to or for an organized health care arrangement in which the health care practitioner participates, when the provision of the service involves the disclosure of individually identifiable health care information from the health care practitioner or arrangement, or from another business associate of the health care practitioner or arrangement, to the person.
Sec. 5. 22 MRSA §1711-C, sub-§1, ¶C, as amended by PL 1999, c. 512, Pt. A, §5 and affected by §7, is further amended to read:
C.
"Health care" means preventative, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, services, treatment, procedures or counseling, including appropriate assistance with disease or symptom management and maintenance, that affects an individual's physical, mental or behavioral condition, including individual cells or their components or genetic information, or the structure or function of the human body or any part of the human body. Health care "Health care" includes prescribing, dispensing or furnishing to an individual drugs, biologicals biologics, medical devices or health care equipment and supplies; providing hospice services to an individual; and the banking of blood, sperm, organs or any other tissue. "Health care" does not include a communication by a health care practitioner or business associate that concerns a product or service and that encourages the recipient of the communication to purchase or use the product or service, unless the purpose of the entire communication is:
(1) To describe a health-related product or service or payment for such product or service that is provided by or included in a plan of benefits of the health care practitioner making the communication, including communications about the entities participating in a health care provider network or health plan network, replacement of or enhancements to a health plan and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;
(2) For treatment of the individual; or
(3) For case management or coordination of care for the individual or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual.
Sec. 6. 22 MRSA §1711-C, sub-§10-A is enacted to read:
10-A. Business associates. A business associate is subject to the provisions of this section and section 1711-E. A business associate may only obtain or create confidential health care information pursuant to a written contract with a health care practitioner. A health care practitioner shall disclose to a business associate only the minimal confidential health care information necessary to accomplish the intended purpose of the disclosure. Upon request, a health care practitioner shall report to an individual every disclosure of the individual's health care information under this subsection for the previous 3 years. A written agreement under this subsection must contain assurances from the business associate to the health care practitioner that the health care information: A. Will be appropriately safeguarded pursuant to this section;
B. Will only be used for health care purposes as detailed in the agreement; and
C. May be further exchanged for payment by the entity who is obtaining or creating the health care information only upon written consent of the individual who is the subject of the health care information.
Sec. 7. 22 MRSA §1711-C, sub-§10-B is enacted to read:
10-B. Written authorization for sale of information. A health care practitioner or a business associate may not directly or indirectly receive payment in exchange for any health care information unless the health care practitioner or business associate obtains from the individual who is the subject of the information written authorization. An exchange of health care information is not subject to this subsection if the purpose of the transaction is: A. For research or public health activity and the price charged reflects the costs of preparation and transmittal of the information for that purpose;
B. For the treatment of the individual who is the subject of the information and the price charged reflects no more than the costs of preparation and transmittal of the information for that purpose;
C. For the sale, transfer, merger or consolidation of all or part of a health care practitioner with another health care practitioner, or an entity that will become a health care practitioner, that is practicing due diligence related to the sale, transfer, merger or consolidation;
D. Between a health care provider and a business associate pursuant to a written contract under subsection 10-A;
E. To provide a copy to the individual who is the subject of the health care information pursuant to section 1711; or
F. Authorized by rules adopted by the department.
Sec. 8. 22 MRSA §1711-C, sub-§10-C is enacted to read:
10-C. Sale of health care information describing product or service. A health care practitioner or business associate may not directly or indirectly receive payment or pay for health care information describing a health care-related product or service that is exchanged for a purpose under subsection 1, paragraph C, subparagraph (1), (2) or (3), except: A. A business associate may receive payment from a health care practitioner for communicating the information on behalf of the health care practitioner that is consistent with a written contract under subsection 10-A; or
B. A health care practitioner may receive payment for communicating the information if the recipient provides a valid authorization from the individual who is the subject of the information pursuant to this section.
Sec. 9. 22 MRSA §1711-C, sub-§10-D is enacted to read:
10-D. Security breach. In the case of a security breach of health care information, a person subject to this section or section 1711-E shall follow the notice requirements under Title 10, section 1348.
Sec. 10. 22 MRSA §1711-C, sub-§13, ¶C, as amended by PL 1999, c. 512, Pt. A, §5 and affected by §7, is further amended to read:
C. A person who intentionally violates this section is subject to a civil penalty not to exceed $5,000, payable to the State, plus costs. If a court finds that intentional violations of this section have occurred after due notice of the violating conduct with sufficient frequency to constitute a general business practice, the person is subject to a civil penalty not to exceed $10,000 for health care practitioners and business associates and $50,000 for health care facilities, payable to the State. A civil penalty under this subsection is recoverable in a civil action.
Sec. 11. 22 MRSA §1711-C, sub-§15-A is enacted to read:
15-A. Department advisor. The department shall designate an individual within the department to offer guidance and education to a health care practitioner, business associate or individual on the provisions of this section and section 1711-E. The department shall create a guide to the provisions of this section, which must be posted on a publicly accessible portion of the department's website and may be published in written form, and other educational literature or efforts to educate a health care practitioner, business associate or individual on the provisions of this section.
Sec. 12. 22 MRSA §1711-C, sub-§18 is enacted to read:
18. Pharmacists. This section does not prohibit a pharmacist from communicating with an individual in order to reduce medication errors and improve patient safety as long as there is no payment to the pharmacist other than an amount that does not exceed the pharmacist's costs for the communication.
Sec. 13. 22 MRSA §1711-C, sub-§19 is enacted to read:
19. Rules. The department shall adopt rules to implement this section. Rules adopted pursuant to this subsection are routine technical rules as defined by Title 5, chapter 375, subchapter 2-A.
Sec. 14. Department to review and report . The Department of Health and Human Services shall review the relevant statutes and other information regarding health care information and identify those activities involving health care practitioners and business associates of health care practitioners that can reasonably and efficiently be conducted through the use of health care information in which the identity of the individual has been removed and those activities that should require authorization from the individual for use or disclosure. The department shall submit a report that includes its findings and recommendations, including suggested legislation, to the Joint Standing Committee on Health and Human Services no later than December 2, 2009. The committee is authorized to introduce legislation related to this report to the Second Regular Session of the 124th Legislature at the time of submission of the report.
Sec. 15. Application. Notwithstanding the Maine Revised Statutes, Title 22, section 1711-C, subsection 16, this Act only applies to a transaction or disclosure occurring after the effective date of this Act.
summary
This bill concerns the confidentiality of health care information. This bill:
1. Asserts that medical records in the possession of a health care practitioner are the property of the patient and limits the costs a health care practitioner may recoup for providing electronic medical records;
2. Creates a definition of "business associate" of a health care practitioner and applies health care information confidentiality provisions to a business associate;
3. Excepts from the definition of "health care" the activity of communicating with a patient for the purpose of selling or using a product or service in most circumstances;
4. Allows business associates of a health care practitioner to obtain or create health care information only pursuant to a written contract with the health care practitioner;
5. Requires the written authorization from an individual for the sale or payment for the individual's health care information with certain exceptions;
6. Limits the ability of a health care practitioner or business associate to pay or be paid for the exchange of health care information concerning the sale or use of a product or service;
7. Clarifies that a health care practitioner or business associate is subject to the Notice of Risk to Personal Data Act in case of a security breach of health care information;
8. Requires the Department of Health and Human Services to designate an individual in the department to advise health care practitioners, business associates and individuals and to create educational material about the provisions of health care information confidentiality;
9. Clarifies that the provisions concerning the sale of health care information do not prevent a pharmacist from recouping costs in communicating with individuals to reduce medication errors and to improve patient safety; and
10. Requires the Department of Health and Human Services to study and report to the Joint Standing Committee on Health and Human Services on what health care information can be exchanged without authorization after removing individuals' identifiable information and what must require authorization.