HOUSE BILL 14

48th legislature - STATE OF NEW MEXICO - second special session, 2008

INTRODUCED BY

Elias Barela
AN ACT

RELATING TO HEALTH RECORDS; CLARIFYING INDIVIDUAL RIGHTS WITH RESPECT TO THE DISCLOSURE OF INFORMATION CONTAINED IN ELECTRONIC MEDICAL RECORDS; PROVIDING FOR A PRIVATE RIGHT OF ACTION; CLARIFYING THE PROTECTION OF PRIVACY OF ELECTRONIC MEDICAL RECORDS.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     Section 1. DEFINITIONS.--As used in this act:

          A. "demographic information" means information in an electronic medical record that identifies the individual who is the subject of the medical record, including the individual's name, date of birth and address and other information that identifies the individual, that may be used to identify the individual or that associates the individual with the individual's electronic medical record;

          B. "disclosure" means the release, transfer, provision or otherwise divulging of an individual's electronic medical records to a person other than the holder of the records and includes having access to those records;

          C. "electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities;

          D. "electronic medical record" means a medical record created, generated, sent, communicated, received or stored by electronic means;

          E. "health care" means care, services or supplies related to the health of an individual and includes:

                (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care and counseling;

                (2) service, assessment or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of an individual's body; and

                (3) the sale or dispensing of a drug, a device, a piece of equipment or other item in accordance with a prescription;

          F. "health care group purchaser" means a person, other than a person licensed as a property and casualty or workers' compensation insurer, licensed, certified or otherwise authorized or permitted by the New Mexico Insurance Code to pay for or purchase health care coverage on behalf of an identified individual or group of individuals, except for life insurers and disability income insurers, regardless of whether the cost of coverage or services is paid for by the purchaser or the persons receiving coverage or services;

          G. "health care information" means any information, whether oral or recorded in any form or medium, related to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual;

          H. "health care institution" means an institution, facility or agency licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business;

          I. "health care provider" means an individual licensed, certified or otherwise authorized or permitted by law to provide health care in the ordinary course of business or practice of a profession;

          J. "health information exchange" means an arrangement among persons providing for the disclosure of electronic medical records;

          K. "information" means data, including text, images, sounds and codes and computer programs, software and databases;

          L. "medical record" means a record of health care information;

          M. "record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form;

          N. "record locator service" means a system that provides a means of identification of the existence and location of the electronic medical records of a specified individual; and

          O. "treatment" means the provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to an individual; or the referral of an individual for health care from one health care provider to another.

     Section 2. USE AND DISCLOSURE OF ELECTRONIC HEALTH CARE INFORMATION.--

          A. A person shall not use or disclose health care information in an individual's electronic medical record to another person in violation of state or federal law.

          B. A person may disclose demographic information and information about the location of an individual's electronic medical records to a record locator service in accordance with law. A person participating in a health information exchange using a record locator service shall not have access to demographic information, information about the location of the individual's electronic medical records or information in an individual's electronic medical record except in connection with the treatment of the individual or with the express authorization of the subject of the medical record.

          C. A health information exchange maintaining a record locator service, a health care provider or health care institution shall maintain an audit log of health care providers, health care institutions, persons and other entities accessing information in the record locator service that at least contains information on:

                (1) the identity of the health care provider, health care institution, person or other entity accessing the information;

                (2) the identity of the individual whose information was accessed by the health care provider, health care institution, person or other entity; and

                (3) the date the information was accessed.

          D. A health care group purchaser shall not require a health care provider or health care institution to participate in a record locator service as a condition of payment or participation.

          E. A person operating a record locator service or health information exchange shall provide a mechanism under which individuals may exclude their demographic information and information about the location of their electronic medical records from the record locator service. A person operating a record locator service or a health information exchange that receives an individual's request to exclude all of the individual's information from the record locator service or to have a specific health care provider or health care institution excluded from using the record locator service to access that individual's information is responsible for removing that information from the record locator service.

          F. When requesting demographic information or information in an individual's electronic medical record using a record locator service or a health information exchange, the requesting health care provider or health care institution shall warrant that the request is for the treatment of the individual and the person releasing the information may rely upon the warranty of the person making the request that the request is for the treatment of the individual.

          G. An individual may annually request a copy of the audit log of the individual's medical record.

     Section 3. OUT-OF-STATE DISCLOSURES.--A disclosure otherwise permissible under this act may be made to health care providers, health care institutions or record locator services located or operating outside the state.

     Section 4. HEALTH CARE REPRESENTATIVES.--A health care provider, health care institution or health care group purchaser is not subject to regulatory or disciplinary actions or civil liability for:

          A. complying with a request or authorization made by a person who the health care provider, health care institution or health care group reasonably believed had the authority to exercise the rights and powers of an individual pursuant to this act; or

          B. declining to comply with a request or authorization made by a person based on a reasonable belief that the person lacked authority to exercise the rights and powers of an individual pursuant to this act.

     Section 5. BREACH OF THE SECURITY SYSTEM.--

          A. An entity that holds an individual's electronic medical record or maintains computerized data that includes medical records shall disclose any breach following discovery or notification of the breach to a person whose medical record was, or was reasonably believed to have been, acquired by an unauthorized person.

          B. The disclosure shall be made without unreasonable delay, which shall allow an entity time to determine the scope of the breach and restore the integrity of the data or data system or accommodate the legitimate needs of law enforcement pursuant to Subsection D of this section.

          C. Disclosure shall be provided in the following manner:

                (1) written notice;

                (2) electronic notice, provided that the notice is consistent with the provisions applicable to electronic records and signatures in Section 7001 of Title 15 of the United States Code; or

                (3) substitute notice, if the entity demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), that the affected class of subject persons to be notified exceeds five hundred thousand or that the entity does not have sufficient contact information. Substitute notice shall be provided in the following manner:

                     (a) email notice;

                     (b) conspicuous posting of the notice on the entity's commonly used web site; or

                     (c) notification by publication.

          D. Disclosure may be delayed if a law enforcement agency determines that disclosure will impede a criminal investigation. However, disclosure shall be made after the law enforcement agency determines that it will not compromise the investigation.

          E. For purposes of this section:

                (1) "breach" means unauthorized acquisition of electronic data or a computerized system containing unencrypted and confidential medical information maintained in a record. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure; and

                (2) "entity" means a person who holds or compiles electronic medical records or maintains a computerized system that contains electronic medical records, including a health care provider, health care institution, health care group purchaser or a person engaged in a health information exchange.

     Section 6. LAW ENFORCEMENT ACCESS.--

          A. Unless otherwise provided by this section, a law enforcement agency may require a health care provider, health care institution, health care group purchaser or person engaged in a health information exchange to disclose the contents of a medical record to the law enforcement agency by an administrative subpoena authorized by statute or a grand jury, a trial subpoena or a court order for disclosure pursuant to Subsection B of this section.

          B. The disclosure of medical records to a law enforcement agency pursuant to Subsection A of this section shall be allowed only if the law enforcement agency offers specific and articulatable facts showing reasonable grounds to believe that the contents of a medical record are relevant and material to an ongoing criminal investigation.

          C. The law enforcement agency shall disclose to an individual that it has requested the individual's medical records before the receipt of the records in a manner provided in Subsection C of Section 5 of this act unless a court determines otherwise pursuant to Subsection D of this section.

          D. Upon request by a law enforcement agency, a court shall order that the disclosure required under Subsection C of this section be delayed for up to ninety days if the court determines that there is reason to believe that disclosure of the existence of a court order may result in:

                (1) endangering the life or physical safety of an individual;

                (2) flight from prosecution;

                (3) destruction or tampering with evidence;

                (4) intimidation of a potential witness; or

                (5) jeopardizing an investigation or delaying a trial.

          E. On a motion made by a health care provider, health care institution, health care group purchaser or person engaged in health information exchange, a court issuing an order for disclosure may quash or modify such order if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on the health care provider, health care institution, health care group purchaser or person engaged in a health information exchange.

          F. A willful disclosure to unauthorized persons of a medical record obtained by a law enforcement agency that is not made pursuant to a law enforcement agent's official duties shall be a violation of this act. This subsection, however, shall not apply to information disclosed to the public by a federal, state or local governmental entity or by a plaintiff in a civil action, provided that the disclosure was lawful and prior to a civil or administrative proceeding.

     Section 7. RIGHT TO CIVIL ACTION--DEFENSES--LIMITATIONS.--

          A. A person aggrieved by a violation of this act may recover in a civil action from a health care provider, health care institution, health care group purchaser or person engaged in a health information exchange that knowingly or willfully violates this act.

          B. In a civil action under this section, relief may include:

                (1) preliminary and other equitable or declaratory relief as appropriate;

                (2) damages pursuant to Subsection C or D of this section; and

                (3) reasonable attorney fees and other reasonable costs incurred as the result of litigation.

          C. If the violator knowingly violates this act, the court may assess the sum of actual damages and profits made by the violator as a result of the violation, provided that damages awarded shall not be less than one thousand dollars ($1,000).

          D. If the violator willfully violates this act, the court may also assess punitive damages.

          E. Good faith reliance on a subpoena, court order or legislative authorization for disclosure is a complete defense to any civil action brought under this act.

          F. A civil action under this section shall not be commenced later than two years after the date upon which the claimant discovered or had a reasonable opportunity to discover the violation.

     Section 8. EFFECTIVE DATE.--The effective date of the provisions of this act is January 1, 2009.
