REQUIREMENTS FOR HEALTHCARE PROFESSIONALS
This bill requires a healthcare professional who is considered a covered entity under federal regulations to comply with (i) HIPAA and standards for privacy of individually identifiable health information required by federal regulations; and (ii) federal laws regulating information blocking. Additionally, this bill specifically prohibits a healthcare provider requesting a medical laboratory test from engaging in information blocking.
This bill provides that the following reports, test results, and any other related results must not be disclosed to a patient as part of the patient's electronic health record until 72 hours after the results are finalized, unless the healthcare provider directs the release of the results before the end of that 72-hour period:
(1) Pathology reports or radiology reports that have a reasonable likelihood of showing a finding of new or recurring malignancy;
(2) Tests that could reveal genetic markers;
(3) A positive HIV test, except that this does not prevent the disclosure of HIV test results, including viral load and CD4 count test results, to a patient living with HIV by a secure website or other electronic means if the patient has previously been informed about the results of a positive HIV test pursuant to this bill; or
(4) Presence of antigens indicating a hepatitis infection.
REQUIREMENTS FOR COVERED ENTITIES AND PENALTIES
This bill requires a covered entity, as described in federal regulations, to comply with (i) HIPAA and standards for privacy of individually identifiable health information required by federal regulations; and (ii) federal laws regulating information blocking.
This bill authorizes the attorney general to institute an action for injunctive relief to restrain a violation of the provision above. In addition to the injunctive relief provided, the attorney general may institute an action for civil penalties against a covered entity. A civil penalty assessed must not exceed (i) $5,000 for each violation committed negligently that occurs in one year, regardless of how long the violation continues during that year; (ii) $25,000 for each violation that occurs in one year, regardless of how long the violation continues during that year, committed knowingly or intentionally; or (iii) $250,000 for each violation in which the covered entity knowingly or intentionally committed the violation for financial gain. Further, this bill authorizes a court, if it finds that the violations occurred with a frequency as to constitute a pattern or practice, to assess additional civil penalties for each violation.
This bill requires the court to consider the following in determining the amount of a penalty imposed:
(1) The seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure or blocking of information;
(2) The covered entity's compliance history;
(3) Whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation;
(4) The amount necessary to deter a future violation;
(5) The covered entity's efforts to correct the violation;
(6) The size and geographic location of the covered entity; and
(7) The financial impact the penalty would have on the covered entity's financial viability and ability to adequately serve an underserved community or population.
CONTRACTS
This bill prohibits a covered entity from entering into a contract with a person or entity that includes terms that restrict a patient or the patient's representative from accessing the patient's electronic health records. Any contract clause or provision that restricts a patient's access to the patient's electronic health records is void and unenforceable.
This bill clarifies it is an unlawful restraint of trade or commerce for a person to intentionally violate federal laws regulating information blocking, and such violations are subject to civil and criminal penalties.
APPLICATION PROGRAMMING INTERFACES
This bill requires a health insurance entity, for the purpose of facilitating patient and provider access to health information, to establish and maintain, for the benefit of all insureds and contracted providers, as applicable, (i) a patient access application programming interface ("API"); (ii) a provider directory API; and (iii) a payer-to-payer API.
For purposes of this bill, "health insurance entity" means an entity subject to the insurance laws of this state, or subject to the jurisdiction of the commissioner of health, that contracts or offers to contract to provide health insurance coverage, including an insurance company, a health maintenance organization and a nonprofit hospital and medical service corporation.
This bill requires a payer-to-payer API to be in accordance with standards published in a final rule issued by the federal centers for medicare and medicaid services and published in the Federal Register, and must align with federal effective dates, including enforcement delays and suspensions, issued by the federal centers for medicare and medicaid services.
In addition to these types of APIs, this bill authorizes the department of health to require a health insurance entity to establish and maintain a provider access API and a prior authorization API if and when final rules are published by the federal government.
ON APRIL 8, 2024, THE SENATE ADOPTED AMENDMENT #1 AND PASSED SENATE BILL 2012, AS AMENDED.
AMENDMENT #1 rewrites the bill to, instead, do the following:
MEDICAL RECORDS
(1) Require a healthcare professional subject to state law on professions of the healing arts, who is considered a business associate, as that term is defined in federal regulations, to comply with (i) HIPAA and standards for privacy of individually identifiable health information required by federal regulations; and (ii) federal laws regulating information blocking, as that term is defined in federal regulations;
(2) Prohibit a healthcare provider requesting a medical laboratory test for a patient from engaging in information blocking;
(3) Establish that the following reports, test results, and any other related results must not be disclosed by a designated entity, as defined in state law, to a patient as part of the patient's electronic health record until 72 hours after the results are finalized, unless the healthcare provider directs the release of the results before the end of that 72-hour period: (i) pathology reports or radiology reports that have a reasonable likelihood of showing a finding of new or recurring malignancy; (ii) tests that could reveal genetic markers; (iii) a positive HIV test, except that this section does not prevent the disclosure of HIV test results, including viral load and CD4 count test results, to a patient living with HIV by secure internet website or other electronic means if the patient has previously been informed about the results of a positive HIV test pursuant to the requirements of this section; or (iv) presence of antigens indicating a hepatitis infection;
(4) Establish that (1)-(3) above do not apply to a person or entity that is licensed under state law relative to professions of the healing arts and health, safety, and environmental protection;
REGULATION OF HEALTH AND RELATED FACILITIES
(5) Require a business associate, as that term is defined in federal regulations, to comply with (i) HIPAA and standards for privacy of individually identifiable health information required by federal regulations; and (ii) federal laws regulating information blocking;
(6) Authorize the attorney general to institute an action for injunctive relief to restrain a violation of (5) above;
(7) In addition to the injunctive relief provided in (6) above, authorize the attorney general to institute an action for civil penalties against a business associate for a violation of (5). A civil penalty assessed under this section must not exceed (i) $5,000 for each violation committed negligently that occurs in one year, regardless of how long the violation continues during that year; (ii) $25,000 for each violation committed knowingly or intentionally that occurs in one year, regardless of how long the violation continues during that year; or (iii) $250,000 for each violation in which the covered entity knowingly or intentionally committed the violation for financial gain;
(8) If the court in a pending action under (7) above finds that the violations occurred with a frequency as to constitute a pattern or practice, authorize the court to assess additional civil penalties for each violation;
(9) In determining the amount of a penalty imposed under (7) above, require the court to consider (i) the seriousness of the violation, including the nature, circumstances, extent, and gravity of the disclosure or blocking of information; (ii) the business associate's compliance history; (iii) whether the violation poses a significant risk of financial, reputational, or other harm to an individual whose protected health information is involved in the violation; (iv) the amount necessary to deter a future violation; (v) the business associate's efforts to correct the violation; (vi) the size and geographic location of the business associate; and (vii) the financial impact the penalty would have on the business associate's financial viability and ability to adequately serve an underserved community or population;
(10) Establish that (5)-(9) above do not apply to (i) persons or entities licensed under state law relative to professions of the healing arts and health, safety, and environmental protection; or (ii) a body, authority, board, bureau, commission, district, or agency of this state or a political subdivision of this state;
TRADE PRACTICES
(11) Prohibit a business associate from entering into a contract with a person or entity that includes terms that restrict a patient or the patient's representative from accessing the patient's electronic health records. Any contract clause or provision that restricts a patient's access to the patient's electronic health records is void and unenforceable;
(12) Establish that it is an unlawful restraint of trade or commerce for a person to intentionally violate federal laws regulating information blocking, and such violations are subject to the same civil and criminal penalties as a violation of state law on lessening competition and controlling prices;
POLICIES AND POLICYHOLDERS
(13) Define, for purposes of the bill, a "health insurance entity" as an entity subject to the insurance laws of this state, or subject to the jurisdiction of the commissioner of commerce and insurance ("commissioner"), that contracts or offers to contract to provide health insurance coverage, including an insurance company, a health maintenance organization and a nonprofit hospital and medical service corporation;
(14) To facilitate patient and provider access to health information, require a health insurance entity to establish and maintain the following application programming interfaces (APIs) for the benefit of all insureds and contracted providers, as applicable: (i) a patient access API; (ii) a provider directory API; and (iii) a payer-to-payer exchange API;
(15) In addition to the API described in (14) above, authorize the department of commerce and insurance to require a health insurance entity to establish and maintain the following APIs if and when final rules are published by the federal government: (i) provider access API; and (ii) prior authorization support API;
(16) Require that an API described in (14)(iii) above be established in accordance with standards published in a final rule issued by the federal centers for medicare and medicaid services and published in the Federal Register, and align with federal effective dates, including enforcement delays and suspensions, issued by the federal centers for medicare and medicaid services;
(17) Establish that (13)-(16) above do not limit existing requirements under state law relative to the department; and
(18) Authorize the commissioner to promulgate rules to effectuate the bill.