SENATE JUDICIARY COMMITTEE SUBSTITUTE FOR

SENATE BILL 676

45th legislature - STATE OF NEW MEXICO - first session, 2001









AN ACT

RELATING TO HEALTH INFORMATION; LIMITING USE AND DISCLOSURE OF HEALTH INFORMATION; PROVIDING PERSONAL RIGHTS; REQUIRING INFORMATION SAFEGUARDS; ESTABLISHING CIVIL AND CRIMINAL PENALTIES; ENACTING SECTIONS OF THE NMSA 1978.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

Section 1. SHORT TITLE.--This act may be cited as the "Health Information and Privacy Act".

Section 2. DEFINITIONS.--As used in the Health Information and Privacy Act:

A. "disclose" means to release, transmit, publish, make available or otherwise divulge protected health information;

B. "health care payer" means a person that provides or pays all or part of the cost of health care services, including a government agency that administers a health care services program, but does not mean a person, or a family member or friend of that person, who pays for his health care services;

C. "health care provider" means a person that is licensed or otherwise authorized by the state to furnish health care services and receives, obtains, creates, uses, maintains or discloses health information;

D. "health care services" means services or supplies provided by a health care provider for the prevention, diagnosis, services, rehabilitation, maintenance, cure or relief of a health condition, illness, injury, disability or disease, including physical, mental and behavioral health and the procuring, storing or administration of blood, genetic materials or tissue;

E. "health information" means information, whether oral, written, electronic, visual, pictorial, physical or in any other form or medium, that relates to the past, present or future:

(1) physical, mental or behavioral health status or condition of a person, including substance abuse;

(2) provision of health care services to the person; or

(3) payment for the provision of health care services for the person;

F. "health information manager" means a health care provider, health care payer, health care clearinghouse, third-party administrator of health care benefits, researcher, employer, school or educational institution, financial institution, labor union, government agency or other person that:

(1) receives, obtains, creates, uses, maintains or discloses health information in the normal course of business;

(2) facilitates the electronic transmission of health information between or among health information managers;

(3) processes or facilitates the processing of health information into a standard format for electronic transmission between or among health information managers; or

(4) transforms protected health information into non-personally identifiable health information; and

G. "protected health information" means health information that reveals, or could reasonably be foreseen to reveal, the identity of the person whose health care is the subject of the health information.

Section 3. PROTECTION OF HEALTH DATA AND INFORMATION.--Health information managers, except as provided for in Section 7 of the Health Information and Privacy Act, shall comply with the privacy requirements of Part C of Title 11 of the Social Security Act and Section 264 of Part C of Subtitle F of Title 2 of the Health Insurance Portability and Accountability Act of 1996.

Section 4. INFORMATION SAFEGUARDS.--

A. A health information manager shall establish and maintain reasonable and appropriate administrative, technical and physical safeguards to:

(1) ensure the confidentiality, security, accuracy and integrity of protected health information in its possession;

(2) protect against reasonably anticipated threats or hazards to the security or integrity of protected health information in its possession; and

(3) protect against unauthorized use or disclosure of protected health information in its possession.

B. A health information manager shall periodically assess potential risks and vulnerabilities to the protected health information in its possession and implement, maintain and document security measures necessary to ensure the privacy of the protected health information as required by the Health Information and Privacy Act.

C. A health information manager shall implement, maintain and document the security standards for all protected health information that the health information manager electronically maintains or transmits.

Section 5. CIVIL PENALTIES.--

A. The attorney general or district attorney may bring a civil action against a health information manager for violating the provisions of the Health Information and Privacy Act or to otherwise enforce those provisions.

B. A person whose protected health information has been wrongfully used or disclosed or whose rights under the provisions of the Health Information and Privacy Act have been violated may bring a civil action against a health information manager for damages or other relief.

C. The court may order a health information manager who violates the provisions of the Health Information and Privacy Act to comply with those provisions and may order other appropriate relief, including:

(1) damages for economic and non-economic loss;

(2) damages of up to three times the amount of economic and non-economic damages per violation in addition to any economic and non-economic loss if the violation results from willful or grossly negligent conduct;

(3) a civil penalty of not more than five thousand dollars ($5,000) per violation if the violation results from willful or grossly negligent conduct; and

(4) reasonable attorney fees and appropriate court costs.

D. In an action by a person alleging that protected health information was improperly withheld from the person, the burden of proof is on the health information manager to prove that the information was properly withheld.

E. A health information manager that discloses protected health information pursuant to a person's authorization that has been revoked or amended shall not be subject to liability or penalty under the Health Information and Privacy Act if the health information manager had no actual or constructive notice of the revocation or amendment at the time the information was disclosed.

F. A court may use protected health information to determine the cause of damage or injury and award appropriate relief.

G. Each instance of wrongful use or disclosure of protected health information or wrongful denial of a person's rights under the provisions of the Health Information and Privacy Act constitutes a separate and actionable violation of the Health Information and Privacy Act.

H. Nothing in the Health Information and Privacy Act shall be construed to affect the rights and remedies available to a person under other law.

Section 6. CRIMINAL PENALTIES.--

A. A health information manager who knowingly uses or discloses protected health information in violation of the Health Information and Privacy Act is guilty of a misdemeanor and shall be punished by a fine of not more than one thousand dollars ($1,000) or imprisonment for a definite term not to exceed one year, or both.

B. A health information manager who knowingly uses or discloses protected health information under false pretenses or with the intent to sell or transfer the information for commercial advantage, personal gain or malicious harm in violation of the Health Information and Privacy Act is guilty of a fourth degree felony and shall be punished by a fine of not more than five thousand dollars ($5,000) or imprisonment for a definite term not to exceed eighteen months, or both.

Section 7. EFFECT ON OTHER STATE LAWS.--

A. Nothing in the Health Information and Privacy Act shall be construed to invalidate or limit the authority, power or procedures established under any law providing for:

(1) reporting of disease or injury, abuse or neglect, or birth, death or other vital events;

(2) public health investigation or intervention; or

(3) a governmental health data system that collects and analyzes health data for policy, planning, regulatory or management functions authorized by law.

B. The provisions of the Health Information and Privacy Act shall prevail over any other contrary provision of state law, except that a contrary provision of state law shall prevail over a provision of the Health Information and Privacy Act if with respect to personally identifiable health information the contrary provision of state law requires:

(1) more limited use or disclosure of the information;

(2) greater rights for persons to access or amend their information;

(3) greater penalties for unlawful use or disclosure of the information;

(4) a more detailed explanation to be provided to a person about a proposed use or disclosure of information, the rights of the person, the availability of remedies or similar issues;

(5) a narrower scope or shorter duration of a person's authorization for use or disclosure of information, or procedures that increase the difficulty of obtaining a person's authorization or reduce the coercive effect of the circumstances surrounding the authorization;

(6) the retention or reporting of more detailed information or for a longer duration; or

(7) greater privacy protection for the person with respect to any other related matter.

Section 8. EFFECTIVE DATE.--The effective date of the provisions of this act is June 30, 2003.
