HB 1587-FN – AS AMENDED BY THE HOUSE
12Mar2008… 0722h
2008 SESSION
01/09
HOUSE BILL 1587-FN
AN ACT relative to patient health care information.
SPONSORS: Rep. Rosenwald, Hills 22; Rep. Kurk, Hills 7; Rep. MacKay, Merr 11; Rep. McLeod, Graf 2; Rep. Harding, Graf 11; Sen. Estabrook, Dist 21; Sen. Hassan, Dist 23; Sen. Gallus, Dist 1; Sen. DeVries, Dist 18
COMMITTEE: Health, Human Services and Elderly Affairs
This bill establishes procedures for access to health care information that is in the possession of health care providers. The bill specifies the rights of the individual who is the subject of the health care information. This bill also establishes a commission to develop a form to restrict disclosure of protected health care information.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Explanation: Matter added to current law appears in bold italics.
Matter removed from current law appears [in brackets and struckthrough.]
Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.
12Mar2008… 0722h
08-2417
01/09
STATE OF NEW HAMPSHIRE
In the Year of Our Lord Two Thousand Eight
AN ACT relative to patient health care information.
Be it Enacted by the Senate and House of Representatives in General Court convened:
1 Statement of Purpose and Intent. The general court:
I. Believes that informational privacy is a core value of New Hampshire citizens.
II. Recognizes that the confidentiality of personal health information has been an ethical standard of health care providers since the time of Hippocrates.
III. Recognizes that a critical element in an individual’s relationship with a health care provider is trust in the health care provider’s confidentiality ethics, as well as established confidentiality rules. This trust encourages individuals to share information they would not want publicly known. This trust also promotes public health, as individuals with potentially contagious or communicable diseases are not inhibited from seeking treatment.
IV. Recognizes that there are clinical, societal, and economic reasons for a shift to electronic health records and an interoperable network of such, if there are reasonable privacy and confidentiality measures. A paper-based health records system has clinically incomplete and fragmented information, as well as challenges in achieving security and clear auditable trails of record access. While this fragmentation often has the positive privacy consequence of preventing unauthorized disclosure of personal health information, an individual is at risk of vital information not being available in emergencies, of difficulty in maintaining continuity of care, and of adverse health outcomes due to errors. Societal concerns include an unnecessary waste of health care resources and an inability to compile aggregate data on health measures and outcomes.
V. Recognizes that people differ widely in their opinions regarding privacy and confidentiality, opinions that may be influenced by the individual’s health condition as well as cultural, religious, or other beliefs, traditions, or practices. By providing individuals with reasonable choices concerning the uses and disclosures of their personal health information, the health care system and society demonstrate respect for persons. Furthermore, limiting excessive and unnecessary disclosure of personal health information helps to prevent health-based discrimination.
VI. Recognizes that public support for the electronic health record exchange depends upon public confidence and trust that personal health information will be protected. In an age in which electronic transactions are increasingly common and security lapses are reported widely, the health care industry must commit to incorporating privacy and confidentiality protections that permeate the entire health records system and respect the individual.
VII. Recognizes the difficulty in balancing the interests of privacy and confidentiality against the clinical, economic, and societal benefits of the electronic health record exchange. However, individual and societal interests are not necessarily inconsistent. There is a strong societal interest in privacy and confidentiality to promote the full candor on the part of the individual needed for quality health care. At the same time, individuals have a strong interest in giving health professionals the ability to access their personal health information to treat health conditions and safely and efficiently operate the health care system. Both the society as a whole and each individual have an interest in improvements in public health, research, and other uses of personal health information.
VIII. Recognizes that there is commercial value in personal health information and that an electronic format makes this information more accessible.
IX. Finds that commercial access to personal health information may negatively affect the patient-provider relationship, and that commercial access should, therefore, be limited.
2 Health Care Information and Rights. RSA 332-I is repealed and reenacted to read as follows:
CHAPTER 332-I
HEALTH CARE INFORMATION AND RIGHTS
332-I:1 Purpose.
I. The general court finds that:
(a) Health information is the property of the individual and should be protected at all times;
(b) Individuals are entitled to control access to their protected health information and to obtain an audit trail of who has accessed their protected health information.
II. The purpose of this chapter is to recognize the individual’s ownership of his or her health information, to recognize the individual’s right to privacy in the content of his or her health information, and to establish safeguards to protect health information that exceed the regulatory requirements under sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
332-I:2 Definitions. In this chapter:
I. The following terms have the same meaning as given in the regulations under sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA):
(a) Business associate;
(b) Disclosure;
(c) Health care operations;
(d) Health plan;
(e) Individually identifiable health information;
(f) Protected health information;
(g) Person;
(h) Treatment;
(i) Use; and
(j) Payment.
II. “Audit trail” means a chronological record identifying specific persons who have accessed an electronic medical record, the date and time the record was accessed, and, if such information is available, the area of the record that was accessed.
III. “Commissioner” means the commissioner of the department of health and human services.
IV. “Department” means the department of health and human services.
V. “Health care provider” means any person, corporation, facility, or institution either licensed by this state or otherwise lawfully providing health care services, including, but not limited to, a physician, hospital, office, clinic, health center, or other health care facility licensed under RSA 151, dentist, nurse, optometrist, pharmacist, podiatrist, physical therapist, or mental health professional, and any officer, employee, or agent of such provider acting in the course and scope of employment or agency related to or supportive of health care services. If not otherwise included in the foregoing, “health care provider” also has the meaning provided in the regulations adopted under sections 262 and 264 of HIPAA.
VI. “Health information exchange” means an entity established for the primary purpose of enabling and overseeing the exchange of protected health information for clinical decision-making purposes. The entity may operate on a regional, statewide, or multi-state basis. The entity may be developed by multiple stakeholders, including, but not limited to, the department of health and human services, a non-profit entity, or a for-profit entity. For the purpose of this chapter, “health information exchange” does not include entities solely owned and operated by health care providers, integrated delivery systems, or pharmacy exchanges.
VII. “Health promotion” means the provision of public health programs by the health care provider directly or through a business associate that attempt to prevent illness and injury. “Health promotion” includes, but is not limited to:
(a) Reminders to individuals about routine preventive procedures; and
(b) Mailings providing information on dietary practices, new developments in healthcare, support groups, organ donation, cancer prevention, and health fairs.
VIII. “Individual” means the subject of the protected health information, including a guardian or other legal representative, as appropriate.
IX. “Marketing” means:
(a) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made:
(1) For treatment of the individual;
(2) For case management or care coordination for the individual;
(3) To direct or recommend to the individual:
(A) Alternative treatments or therapies if recommended by the individual’s health care provider;
(B) Health care providers;
(C) Settings of care; or
(4) For treatment-related reminders or health promotion activities by health care providers.
(b) An arrangement between a health care provider and any other person whereby the health care provider discloses protected health information to the other person, in exchange for direct or indirect remuneration, for the other person or an affiliate of the other person to make a communication about the person’s own product or service that encourages recipients of the communication to purchase or use that product or service.
X. “Medical emergency” means medically necessary care which is immediately needed to preserve life, prevent serious impairment to bodily functions, organs, or parts, or prevent placing the physical or mental health of the patient in serious jeopardy.
XI. “Medical record” means any report, notes, orders, photographs, diagnostic imaging, or other recorded data or information whether maintained in written, electronic, or other form which is received or produced by a health care provider and contains information relating to the medical history, examination, diagnosis, or treatment of an individual.
332-I:3 Protected Health Information; Rights of the Individual. The individual has the following rights in regards to his or her protected health information that is in the possession of a health care provider or a business associate of the health care provider:
I. All medical information contained in the medical records in the possession of any health care provider or a business associate of a health care provider shall be deemed to be the property of the individual.
II. The charge for the copying of an individual’s medical records shall not exceed $15 for the first 30 pages or $.50 per page, whichever is greater; provided, that copies of filmed records such as radiograms, x-rays, and sonograms shall be copied at a reasonable cost. When available and at a reasonable cost, the individual may request and receive a copy of his or her protected health information in an electronic format.
III. The individual has the right to receive an audit trail, including an explanation of the audit trail, regarding access to his or her electronic medical record for any period, as identified by the individual, within the 3 years prior to the request for the audit trail. The health care provider or the business associate of a health care provider may impose a reasonable charge for providing the audit trail. Notwithstanding any provision of law to the contrary, if the individual who requests the audit trail is receiving Medicaid, the department of health and human services shall pay the full charge for the audit trail.
IV. The individual has the right to restrict disclosure of protected health information in accordance with section 332-I:4.
332-I:4 Protected Health Information; Disclosure for Treatment, Payment, and Health Care Operations.
I. As necessary, a health care provider may disclose an individual’s protected health information for treatment of the individual, for payment for services rendered to the individual, or for the health care provider’s essential health care operations, unless the individual elects otherwise in writing in accordance with paragraph III.
(a) Health care operations are not essential when those operations can be carried on with reasonable effectiveness and efficiency without protected health information.
(b) Health care operations that are not essential include: fundraising and disclosure of protected health information for sale, rent, or barter.
II.(a) For the purposes of this section, one or more health care providers who as of January 1, 2008 are affiliated or business associates for the purpose of sharing an electronic medical record system or comprise an organized health care arrangement, shall be considered one health care provider, if the following criteria are met:
(1) The electronic medical record system is not structured to restrict disclosure as required by this section; and
(2) After January 1, 2008, only active medical staff or other health care providers in the local community or service area who were offered the opportunity to share in the electronic medical record system prior to such date may be added to the foregoing arrangement.
(b) Active medical staff or other health care providers who have not received an offer to share in an electronic medical records system prior to January 1, 2008 may share in such an electronic medical record arrangement only when the electronic medical record system restricts disclosure between the separate providers in accordance with this section.
III. At the initial encounter with an individual, a health care provider shall inform the individual of the right to elect to restrict disclosure of the individual’s protected health information pursuant to paragraph I. The following procedures shall apply to such election:
(a) If the individual elects to restrict disclosure, at the initial encounter or any time thereafter, the health care provider shall inform the individual of the possible consequences associated with such an election. The health care provider shall also supply a form, as described in paragraph VIII, on which the individual shall make the election to restrict disclosure in writing, including by electronic signature. The election is effective on the date the written election is made and the health care provider is not liable for disclosures made prior to receipt of such election.
(b) An individual may at any time revoke an election to restrict disclosure. Such revocation is effective on the date an oral or written election to revoke is made, received, and documented by the health care provider. The health care provider shall not be liable for an access denial made prior to such election.
(c) Notwithstanding an individual’s election to restrict disclosure, a health care provider may, at its discretion, send an individual’s name and address to a health information exchange.
IV. Notwithstanding an election by an individual to restrict disclosure, a health care provider may disclose protected health information to:
(a) An insurance issuer or other person when a written request for protected health information from the insurance issuer or other person includes the individual’s signature authorizing disclosure;
(b) A pharmacist when the health care provider arranges with the individual to submit a prescription directly to the pharmacy, by phone, electronic format, or other direct submission method, and the individual does not object or request a paper prescription; or
(c) The state, when required by state law.
V. An election to restrict disclosure under this section shall not prohibit the disclosure of protected health information during a medical emergency when the treating health care provider is unable to obtain the individual’s authorization due to the individual’s condition or the nature of the medical emergency. The treating health care provider shall make the clinical determination as to whether or not a medical emergency exists.
VI. A health care provider shall not be required to provide treatment to an individual who elects not to disclose protected health information that the health care provider deems clinically necessary, unless such treatment is required by law. No health care provider who, in good faith, renders reasonable care shall be held liable for any adverse health outcome to an individual that results from that individual’s election to limit access to his or her protected health information permitted by this section.
VII. If the individual elects to restrict disclosure of protected health information for the purpose of payment, the health care provider may condition treatment upon self-payment by the individual, unless such condition would otherwise be prohibited by law. If the individual elects to restrict disclosure for the purpose of payment, the health care provider is prohibited from submitting a claim to a health plan or other insurer. A health plan or other insurer shall not be liable for the failure to pay a claim if the individual has elected to restrict disclosure of protected health information for the purpose of payment and the individual has not provided the health plan or other insurer with sufficient information to pay the claim.
VIII. The form on which an individual elects to restrict disclosure of protected health information shall be developed, and revised as necessary by the commissioner, and that process shall be exempt from the requirements of RSA 541-A. At a minimum, the form shall:
(a) Be written in clear, plain language, in large-type font;
(b) Contain the name of the health care provider;
(c) Meet any applicable requirements of the regulations under sections 262 and 264 of HIPAA; and
(d) Contain the following in a clear and conspicuous manner:
(1) A statement of the election;
(2) A statement that the election may be revoked at any future time, orally or in writing;
(3) A statement that the authorization will be effective until revoked;
(4) A statement that the individual has been informed of the risks and benefits associated with such an election; and
(5) Contact information for the department of justice for submission of a complaint.
332-I:5 Use and Disclosure of Protected Health Information; Marketing.
I. A health care provider, or a business associate of the health care provider, shall obtain an authorization for any use or disclosure of protected health information for marketing. Such authorization shall meet the authorization implementation specifications for marketing under the regulations adopted pursuant to sections 262 and 264 of HIPAA.
II. Protected health information disclosed for marketing shall not be disclosed by voice mail, an unattended facsimile, or through other methods of communication that are not secure.
332-I:6 Use and Disclosure of Protected Health Information; Research. A business associate of a health care provider shall adhere to the standard for use and disclosure of protected health information for research purposes that applies to covered entities under the regulations adopted pursuant to sections 262 and 264 of HIPAA.
332-I:7 Use and Disclosure of Protected Health Information; Health Information Exchange.
I. A health care provider or a business associate of a health care provider may disclose an individual’s protected health information and information about the location of the individual’s medical records to a health information exchange. Only a health care provider, for purposes of treatment, may have access to protected health information in a health information exchange.
II. A health information exchange shall adhere to the protected health information requirements for health care providers in state and federal law.
III. A health information exchange shall maintain an audit log of health care providers who access protected health information, including:
(a) The identity of the health care provider accessing the information;
(b) The identity of the individual whose protected health information was accessed by the health care provider;
(c) The date the protected health information was accessed; and
(d) The area of the record that was accessed.
IV. A health information exchange shall be certified to be in compliance with nationally accepted interoperability standards and practices.
V. No person shall require a health care provider to participate in a health information exchange as a condition of payment or participation.
332-I:8 Unauthorized Disclosure.
I. In the event of a disclosure, not permitted by this chapter, of protected health information by a health care provider, the health care provider shall promptly notify in writing the individual or individuals whose protected health information was disclosed.
II. In the event of a disclosure, not permitted by this chapter, of protected health information by a business associate of a health care provider, the business associate shall promptly notify the health care provider and the attorney general. The health care provider shall promptly notify in writing the individual or individuals whose protected health information was disclosed. The business associate shall be responsible for the cost of such notification.
332-I:9 Complaints; Right of Action.
I. An individual may make a written complaint relative to a violation of 332-I:1 through 332-I:8 by a health care provider to the board or agency that licenses or certifies the health care provider. Upon receipt of such complaint, the board or agency shall review the complaint and, where sufficient evidence of a violation is presented, conduct investigations to determine whether a violation of this subdivision has occurred and take appropriate action against the health care provider.
II. An individual may make a written complaint relative to a violation of 332-I:1 through 332-I:8 by a business associate of a health care provider to the department of justice. Upon receipt of such complaint, the department of justice shall review the complaint, and where sufficient evidence of a violation is presented, conduct investigations to determine whether a violation of this subdivision has occurred. Any violation of these provisions by a business associate of a health care provider shall constitute an unfair and deceptive trade practice within the meaning of RSA 358-A:2. Any right or remedy set forth in RSA 358-A may be used to enforce the provisions.
III. An aggrieved individual may bring a civil action under this subdivision and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, and costs and reasonable legal fees.
Health Care Rights
332-I:10 Health Care Rights of the Individual.
I.(a) The individual has the right to courtesy, respect, dignity, responsiveness, and timely attention to his or her needs.
(b) The individual has the right to receive information from the health care provider and to discuss the benefits, risks, and costs of appropriate treatment alternatives.
(c) The individual shall be fully informed by the health care provider of his or her medical condition, health care needs, and diagnostic test results, including the manner by which such results will be provided and the expected time interval between testing and receiving results, unless medically inadvisable and so documented in the medical record.
(d) The individual has the right to make decisions regarding the health care that is recommended by the health care provider. Accordingly, unless required by state law, individuals may accept or refuse any recommended medical treatment and be involved in experimental research upon the individual’s written consent only.
(e) The health care provider shall not reveal confidential communications or information without the consent of the individual, unless provided for by law or by the need to protect the welfare of the individual or the public interest.
II. Facilities subject to RSA 151:21 and RSA 151:21-b shall be exempt from paragraph I.
3 Commission Established. There is established a commission to develop and recommend a form to elect to restrict disclosure of protected health information and to develop a reasonable charge for an audit trail.
4 Membership and Compensation.
I. The members of the commission shall be as follows:
(a) Four members of the house of representatives, 2 of whom shall be from the committee on health, human services and elderly affairs, appointed by the speaker of the house of representatives.
(b) One member of the senate who shall be from the health and human services committee, appointed by the president of the senate.
(c) A representative of the department of justice, appointed by the attorney general.
(d) The commissioner of the department of health and human services, or designee.
(e) A representative of the New Hampshire Hospital Association, appointed by the association.
(f) One representative of county nursing homes, appointed by the New Hampshire Association of Counties.
(g) A representative of the New Hampshire Home Care Association, appointed by the association.
(h) A representative of the New Hampshire Medical Society, appointed by the society.
(i) A representative of the New Hampshire Medical Group Management Association, appointed by the association.
(j) A representative of the New Hampshire Institute for Health Policy and Practice, appointed by the institute.
(k) A representative of the Institute for Health, Law and Ethics at Franklin Pierce Law Center, appointed by the dean of the law center.
(l) A representative of the New Hampshire Citizens Health Initiative, appointed by the governor.
(m) The state director of the New Hampshire chapter of AARP, or designee.
(n) The executive director of the National Alliance on Mental Illness New Hampshire, or designee.
(o) A representative of the New Hampshire Council on Developmental Disabilities, appointed by the council.
(p) A representative of an AIDS and HIV service organization, appointed by the governor.
(q) The executive director of the New Hampshire Civil Liberties Union, or designee.
(r) A representative of the New Hampshire Health Information Management Association, appointed by such association.
II. Legislative members of the commission shall receive mileage at the legislative rate when attending to the duties of the commission.
5 Duties.
I. The commission shall develop:
(a) A form to elect to restrict disclosure of protected health information for use by all New Hampshire health care providers which shall include, but shall not be limited to, the elements identified in RSA 332-I:4, VIII.
(b) A standardized, simplified procedure to ease the burden on individuals who want to opt-out of future marketing contacts.
(c) A public education plan, including education of health care providers.
(d) A recommendation for a reasonable charge for an audit trail.
II. The commission shall recommend the form or forms developed pursuant to this section to the commissioner who shall finalize the form and post it on the department’s website.
6 Chairperson; Quorum. The members of the commission shall elect a chairperson from among the members. The first meeting of the commission shall be called by the first-named house member. The first meeting of the commission shall be held within 45 days of the effective date of this section. Eleven members of the commission shall constitute a quorum.
7 Report. The commission shall report its findings and any recommendations for proposed legislation to the speaker of the house of representatives, the president of the senate, the house clerk, the senate clerk, the governor, and the state library on or before November 1, 2008.
8 Effective Date.
I. Sections 3-7 of this act shall take effect upon its passage.
II. The remainder of this act shall take effect January 1, 2009.
LBAO
08-2417
Amended 03/26/08
HB 1587 FISCAL NOTE
AN ACT relative to patient health care information.
FISCAL IMPACT:
The Department of Health and Human Services states this bill, as amended by the House (Amendment #2008-0722h), may increase state, county, and local expenditures by an indeterminable amount in FY 2009 and each year thereafter. This bill will have no impact on state, county and local revenue.
METHODOLOGY:
The Department of Health and Human Services states neither New Hampshire Hospital, Anna Philbrook Center, or Glencliff home would be subject to the audit trail provision of this bill as amended because both facilities utilize paper and not electronic medical records. Currently DHHS databases do not have the capacity to electronically document an audit trail and funds would be required to bring all data systems in compliance with this requirement. Both facilities are subject to HIPAA and the requirement to provide an accounting of the disclosure of personal health information upon request. The bill requires the Department to pay the full cost of an audit trail requested by a Medicaid recipient. Since the cost of such audit trail has not been established and the volume of such audits is unknown, the cost is indeterminable. Any cost would have to be paid from 100% state general funds as such costs would not be covered by Medicaid. This bill also requires the Department to develop and revise the form on which an individual would elect to restrict disclosure of protected information. The Department states such cost is also indeterminable, but should be minimal.
The Department states this bill may impact state, county, and local (publicly operated) healthcare service providers and facilities, such as county nursing homes and local health department. The exact fiscal impact cannot be determined at this time.