GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2011
SESSION LAW 2011-337
SENATE BILL 375
AN ACT TO FACILITATE AND REGULATE THE DISCLOSURE OF PROTECTED HEALTH INFORMATION THROUGH A VOLUNTARY, STATEWIDE HEALTH INFORMATION EXCHANGE NETWORK.
The General Assembly of North Carolina enacts:
SECTION 1. Chapter 90 of the General Statutes is amended by adding a new Article to read:
"Article 29A.
"North Carolina Health Information Exchange Act.
"§ 90-413.1. Title.
This act shall be known and may be cited as the "North Carolina Health Information Exchange Act."
"§ 90-413.2. Purpose.
This Article is intended to improve the quality of health care delivery within this State by facilitating and regulating the use of a voluntary, statewide health information exchange network for the secure electronic transmission of individually identifiable health information among health care providers, health plans, and health care clearinghouses in a manner that is consistent with the Health Insurance Portability and Accountability Act, Privacy Rule and Security Rule, 45 C.F.R. §§ 160, 164.
"§ 90-413.3. Definitions.
The following definitions apply in this Article:
(1) "Business associate" is as defined in 45 C.F.R. § 160.103.
(2) "Business associate contract" means the documentation required by 45 C.F.R. § 164.502(e)(2) that meets the applicable requirements of 45 C.F.R. § 164.504(e).
(3) "Covered entity" means any entity described in 45 C.F.R. § 160.103 or any other facility or practitioner licensed by the State to provide health care services.
(4) "Disclose" or "disclosure" means the release, transfer, provision of access to, or divulging in any other manner an individual's protected health information through the HIE Network.
(5) "Emergency medical condition" means a medical condition manifesting itself by acute symptoms of sufficient severity, including severe pain, such that the absence of immediate medical attention could reasonably be expected to result in (i) placing an individual's health in serious jeopardy, (ii) serious impairment to an individual's bodily functions, or (iii) serious dysfunction of any bodily organ or part of an individual.
(6) "HIE Network" means the voluntary, statewide health information exchange network overseen and administered by the NC HIE.
(7) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended.
(8) "Individual" is as defined in 45 C.F.R. § 160.103.
(9) "North Carolina Health Information Exchange" or "NC HIE" means the nonprofit corporation selected by the Governor to serve as the subrecipient of grant funds from or as the State-designated entity named by the State pursuant to section 3013 of the federal Health Information Technology for Economic and Clinical Health Act, P.L. 111-5, Div. A, Title XIII, section 13001, as amended.
(10) "Opt out" means an individual's affirmative decision to disallow his or her protected health information maintained by or on behalf of one or more specific covered entities from being disclosed to other covered entities through the HIE Network.
(11) "Protected health information" is as defined in 45 C.F.R. § 160.103.
(12) "Public health purposes" means the public health activities and purposes described in 45 C.F.R. § 164.512(b).
(13) "Qualified organization" means an entity designated by the NC HIE to contract with covered entities on the NC HIE's behalf to facilitate the participation of such covered entities in the HIE Network.
(14) "Research purposes" means research that meets the standard described in 45 C.F.R. § 164.512(i).
"§ 90-413.4. North Carolina Health Information Exchange; requirements.
(a) The NC HIE shall satisfy all of the following requirements:
(1) Oversee and administer the HIE Network in a manner that ensures all of the following:
a. Compliance with this Article.
b. Compliance with HIPAA and any rules adopted under HIPAA, including the Privacy Rule and Security Rule.
c. Compliance with the terms of any business associate contract the NC HIE or qualified organization enters into with a covered entity participating in the HIE Network.
d. Notice to the patient by the provider on the initial visit about the HIE Network, including information and education about the right of individuals on a continuing basis to opt out or rescind a decision to opt out.
e. Opportunity for all individuals to exercise on a continuing basis the right to opt out or rescind a decision to opt out.
f. Nondiscriminatory treatment by covered entities of individuals who exercise the right to opt out.
(2) Develop and enter into written participation agreements with covered entities that utilize the HIE Network. The participation agreements shall specify the terms and conditions governing participation in the HIE Network. The agreement shall also require compliance with policies developed by the NC HIE pursuant to this Article, or pursuant to applicable laws of the state of residence for entities located outside of North Carolina. In lieu of entering into a participation agreement directly with covered entities, the NC HIE may enter into participation agreements with qualified organizations, which in turn, enter into participation agreements with covered entities.
(3) Add, remove, disclose, and access protected health information through the HIE Network in accordance with this Article.
(4) Enter into a business associate contract with each of the covered entities participating in the HIE Network. In lieu of entering into a business associates contract directly with covered entities, the NC HIE may enter into business associates contracts with qualified organizations, which in turn, enter into business associates contracts with covered entities.
(5) Grant user rights to the HIE Network to business associates of covered entities participating in the HIE Network (i) at the request of the covered entities and (ii) at the discretion of the NC HIE upon consideration of the business associates' legitimate need for utilizing the HIE Network and privacy and security concerns.
(6) Facilitate and promote use of the HIE Network by covered entities.
(7) Periodically monitor compliance with this Article by covered entities participating in the HIE Network.
(b) Nothing in this section shall be construed to restrict the NC HIE from exercising any of its corporate powers in a manner that is not inconsistent with this Article.
"§ 90-413.5. Participation by covered entities.
(a) Each covered entity that elects to participate in the HIE Network shall enter into a business associate contract and a written participation agreement with the NC HIE or qualified organization prior to disclosing or accessing any protected health information through the HIE Network.
(b) Each covered entity that elects to participate in the HIE Network may authorize its business associates to disclose or access protected health information on behalf of the covered entity through the HIE Network in accordance with this Article and at the discretion of the NC HIE, as provided in G.S. 90-413.4(5).
(c) Notwithstanding any State law or regulation to the contrary, each covered entity that elects to participate in the HIE Network may disclose an individual's protected health information through the HIE Network (i) to other covered entities for any purpose permitted by HIPAA, unless the individual has exercised the right to opt out and (ii) in order to facilitate the provision of emergency medical treatment to the individual, subject to the requirements set forth in G.S. 90-413.6(e).
(d) Any health care provider who relies in good faith upon any information provided through the NC HIE or through a qualified organization in the health care provider's treatment of a patient shall not incur criminal or civil liability for damages caused by the inaccurate or incomplete nature of this information.
"§ 90-413.6. Continuing right to opt out; effect of opt out; exception for emergency medical treatment.
(a) Each individual has the right on a continuing basis to opt out or rescind a decision to opt out.
(b) The NC HIE or its designee shall enforce an individual's decision to opt out or rescind an opt out prospectively from the date the NC HIE or its designee receives notice of the individual's decision to opt out or rescind an opt out in the manner prescribed by the NC HIE. An individual's decision to opt out or rescind an opt out does not affect any disclosures made by the NC HIE or covered entities through the HIE Network prior to receipt by the NC HIE or its designee of the individual's notice to opt out or rescind an opt out.
(c) A covered entity may not deny treatment or benefits to an individual because of the individual's decision to opt out. However, nothing in this Article is intended to restrict a treating physician from otherwise appropriately terminating a relationship with a patient in accordance with applicable law and professional ethical standards.
(d) Except as otherwise permitted in subsection (e) of this section and G.S. 90-413.7(a)(3), the protected health information of an individual who has exercised the right to opt out may not be disclosed to covered entities through the HIE Network for any purpose.
(e) The protected health information of an individual who has exercised the right to opt out may be disclosed through the HIE Network in order to facilitate the provision of emergency medical treatment to the individual if all of the following criteria are met:
(1) The reasonably apparent circumstances indicate to the treating health care provider that (i) the individual has an emergency medical condition, (ii) a meaningful discussion with the individual about whether to rescind a previous decision to opt out is impractical due to the nature of the individual's emergency medical condition, and (iii) information available through the HIE Network could assist in the diagnosis or treatment of the individual's emergency medical condition.
(2) The disclosure through the HIE Network is limited to the covered entities providing diagnosis and treatment of the individual's emergency medical condition.
(3) The circumstances and extent of the disclosure through the HIE Network is recorded electronically in a manner that permits the NC HIE or its designee to periodically audit compliance with this subsection.
"§ 90-413.7. Construction and applicability.
(a) Nothing in this Article shall be construed to do any of the following:
(1) Impair any rights conferred upon an individual under HIPAA, including all of the following rights related to an individual's protected health information:
a. The right to receive a notice of privacy practices.
b. The right to request restriction of use and disclosure.
c. The right of access to inspect and obtain copies.
d. The right to request amendment.
e. The right to request confidential forms of communication.
f. The right to receive an accounting of disclosures.
(2) Authorize the disclosure of protected health information through the HIE Network to the extent that the disclosure is restricted by federal laws or regulations, including the federal drug and alcohol confidentiality regulations set forth in 42 C.F.R. Part 2.
(3) Restrict the disclosure of protected health information through the HIE Network for public health purposes or research purposes, so long as disclosure is permitted by both HIPAA and State law.
(4) Prohibit the NC HIE or any covered entity participating in the HIE Network from maintaining in the NC HIE or qualified organization's computer system a copy of the protected health information of an individual who has exercised the right to opt out, as long as the NC HIE or the qualified organization does not access, use, or disclose the individual's protected health information for any purpose other than for necessary system maintenance or as required by federal or State law.
(b) This Article applies only to disclosures of protected health information made through the HIE Network, including disclosures made within qualified organizations. It does not apply to the use or disclosure of protected health information in any context outside of the HIE Network, including the redisclosure of protected health information obtained through the HIE Network.
"§ 90-413.8. Penalties and remedies.
A covered entity that discloses protected health information in violation of this Article is subject to the following:
(1) Any civil penalty or criminal penalty, or both, that may be imposed on the covered entity pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, P.L. 111-5, Div. A, Title XIII, section 13001, as amended, and any regulations adopted under the HITECH Act.
(2) Any civil remedy under the HITECH Act or any regulations adopted under the HITECH Act that is available to the Attorney General or to an individual who has been harmed by a violation of this Article, including damages, penalties, attorneys' fees, and costs.
(3) Disciplinary action by the respective licensing board or regulatory agency with jurisdiction over the covered entity.
(4) Any penalty authorized under Article 2A of Chapter 75 of the General Statutes if the violation of this Article is also a violation of Article 2A of Chapter 75 of the General Statutes.
(5) Any other civil or administrative remedy available to a plaintiff by State or federal law or equity."
SECTION 2. This act becomes effective October 1, 2011.
In the General Assembly read three times and ratified this the 17th day of June, 2011.
s/ Walter H. Dalton
President of the Senate
s/ Thom Tillis
Speaker of the House of Representatives
s/ Beverly E. Perdue
Governor
Approved 11:41 a.m. this 27th day of June, 2011