§ 90-414.7. North Carolina Health Information Exchange Authority.
(a) Creation. - There is hereby established the North Carolina Health Information Exchange Authority to oversee and administer the HIE Network in accordance with this Article. The Authority shall be located within the Department of Information Technology and shall be under the supervision, direction, and control of the State CIO. The State CIO shall employ an Authority Director and may delegate to the Authority Director all powers and duties associated with the daily operation of the Authority, its staff, and the performance of the powers and duties set forth in subsection (b) of this section. In making this delegation, however, the State CIO maintains the responsibility for the performance of these powers and duties.
(b) Powers and Duties. - The Authority has the following powers and duties:
(1) Oversee and administer the HIE Network in a manner that ensures all of the following:
a. Compliance with this Article.
b. Compliance with HIPAA and any rules adopted under HIPAA, including the Privacy Rule and Security Rule.
c. Compliance with the terms of any participation agreement, business associate agreement, or other agreement the Authority or qualified organization or other person or entity enters into with a covered entity participating in submission of data through or accessing the HIE Network.
d. Notice to the patient by the healthcare provider or other person or entity about the HIE Network, including information and education about the right of individuals on a continuing basis to opt out or rescind a decision to opt out.
e. Opportunity for all individuals whose data has been submitted to the HIE Network to exercise on a continuing basis the right to opt out or rescind a decision to opt out.
f. Nondiscriminatory treatment by covered entities of individuals who exercise the right to opt out.
g. Facilitation of HIE Network interoperability with electronic health record systems of all covered entities listed in G.S. 90-414.4(b).
h. Minimization of the amount of data required to be submitted under G.S. 90-414.4(b) and any use or disclosure of such data to what is determined by the Authority to be required in order to advance the purposes set forth in G.S. 90-414.2 and G.S. 90-414.4(a).
(2) In consultation with the Advisory Board, set guiding principles for the development, implementation, and operation of the HIE Network.
(3) Employ staff necessary to carry out the provisions of this Article and determine the compensation, duties, and other terms and conditions of employment of hired staff.
(4) Enter into contracts pertaining to the oversight and administration of the HIE Network, including contracts of a consulting or advisory nature. G.S. 143-64.20 does not apply to this subdivision.
(5) Establish fees for participation in the HIE Network and report the established fees to the General Assembly, with an explanation of the fee determination process.
(6) Following consultation with the Advisory Board, develop, approve, and enter into, directly or through qualified organizations acting under the authority of the Authority, written participation agreements with persons or entities that participate in or are granted access or user rights to the HIE Network. The participation agreements shall set forth terms and conditions governing participation in, access to, or use of the HIE Network not less than those set forth in agreements already governing covered entities' participation in the federal eHealth Exchange. The agreement shall also require compliance with policies developed by the Authority pursuant to this Article or pursuant to applicable laws of the state of residence for entities located outside of North Carolina.
(7) Receive, access, add, and remove data submitted through and stored by the HIE Network in accordance with this Article.
(8) Following consultation with the Advisory Board, enter into, directly or through qualified organizations acting under the authority of the Authority, a HIPAA compliant business associate agreement with each of the persons or entities participating in or granted access or user rights to the HIE Network.
(9) Following consultation with the Advisory Board, grant user rights to the HIE Network to business associates of covered entities participating in the HIE Network (i) at the request of the covered entities and (ii) at the discretion of and subject to contractual, policy, and other requirements of the Authority upon consideration of and consistent with the business associates' legitimate need for utilizing the HIE Network and privacy and security concerns.
(10) Facilitate and promote use of the HIE Network by covered entities.
(11) Actively monitor compliance with this Article by the Department, covered entities, and any other persons or entities participating in or granted access or user rights to the HIE Network or any data submitted through or stored by the HIE Network.
(12) Collaborate with the State CIO to ensure that resources available through the GDAC are properly leveraged, assigned, or deployed to support the work of the Authority. The duty to collaborate under this subdivision includes collaboration on data hosting and development, implementation, operation, and maintenance of the HIE Network.
(13) Initiate or direct expansion of existing public-private partnerships within the GDAC as necessary to meet the requirements, duties, and obligations of the Authority. Notwithstanding any other provision of law and subject to the availability of funds, the State CIO, at the request of the Authority, shall assist and facilitate expansion of existing contracts related to the HIE Network, provided that such request is made in writing by the Authority to the State CIO with reference to specific requirements set forth in this Article.
(14) In consultation with the Advisory Board, develop a strategic plan for achieving statewide participation in the HIE Network by all hospitals and health care providers licensed in this State.
(15) In consultation with the Advisory Board, define the following with respect to operation of the HIE Network:
a. Business policy.
b. Protocols for data integrity, data sharing, data security, HIPAA compliance, and business intelligence as defined in G.S. 143B-1381. To the extent permitted by HIPAA, protocols for data sharing shall allow for the disclosure of data for academic research.
c. Qualitative and quantitative performance measures.
d. An operational budget and assumptions.
(16) Annually report to the Joint Legislative Oversight Committee on Health and Human Services and the Joint Legislative Oversight Committee on Information Technology on the following:
a. The operation of the HIE Network.
b. Any efforts or progress in expanding participation in the HIE Network.
c. Health care trends based on information disclosed through the HIE Network.
(17) Ensure that the HIE Network interfaces with the federal level HIE, the eHealth Exchange. (2015-241, s. 12A.5(d); 2017-102, s. 39(b).)