CHAPTER 213

HB 619 – FINAL VERSION

24Mar2009… 0683h

24Jun2009… 2070eba

2009 SESSION

09-0508

01/10

HOUSE BILL 619

AN ACT relative to medical records and patient information.

SPONSORS: Rep. Rosenwald, Hills 22; Rep. Bridgham, Carr 2; Rep. Kurk, Hills 7; Rep. Batula, Hills 19; Rep. Case, Rock 1; Sen. Cilley, Dist 6; Sen. Fuller Clark, Dist 24

COMMITTEE: Health, Human Services and Elderly Affairs

ANALYSIS

This bill establishes procedures for access to health care information that is in the possession of health care providers and business associates of health care providers.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

24Mar2009… 0683h

24Jun2009… 2070eba

09-0508

01/10

STATE OF NEW HAMPSHIRE

In the Year of Our Lord Two Thousand Nine

AN ACT relative to medical records and patient information.

Be it Enacted by the Senate and House of Representatives in General Court convened:

213:1 Patient Information. Amend the chapter heading of RSA 332-I to read as follows:

MEDICAL RECORDS AND PATIENT INFORMATION

213:2 Medical Records and Patient Information. Amend the section heading of RSA 332-I:1 to read as follows:

332-I:1 Medical Records; Definitions.

213:3 Definitions Added. RSA 332-I:1, II is repealed and reenacted to read as follows:

II. In this chapter:

(a) The following terms have the same meaning as given in the regulations under sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA):

(1) Business associate;

(2) Use;

(3) Disclosure; and

(4) Protected health information.

(b) “Health care provider” means any person, corporation, facility, or institution either licensed by this state or otherwise lawfully providing health care services, including, but not limited to, a physician, hospital, office, clinic, health center or other health care facility, dentist, nurse, optometrist, pharmacist, podiatrist, physical therapist, or mental health professional, and any officer, employee, or agent of such provider acting in the course and scope of employment or agency related to or supportive of health care services.

(c) “Marketing” means:

(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made by the individual’s health care provider:

(A) For treatment of the individual;

(B) For case management or care coordination for the individual;

(C) To direct or recommend to the individual:

(i) Alternative treatments or therapies if recommended by the individual’s health care provider;

(ii) Health care providers;

(iii) Settings of care; or

(D) For treatment-related reminders or health promotion activities by health care providers.

(2) An arrangement between a health care provider and any other person whereby the health care provider discloses protected health information to the other person, in exchange for direct or indirect remuneration, for the other person or an affiliate of the other person to make a communication about the person’s own product or service that encourages recipients of the communication to purchase or use that product or service.

213:4 New Sections; Use and Disclosure of Protected Health Information; Marketing; Fundraising. Amend RSA 332-I by inserting after section 2 the following new sections:

332-I:3 Use and Disclosure of Protected Health Information; Marketing; Fundraising.

I. A health care provider, or a business associate of the health care provider, shall obtain an authorization for any use or disclosure of protected health information for marketing. Such authorization shall meet the authorization implementation specifications for marketing under the regulations adopted pursuant to sections 262 and 264 of HIPAA, as amended.

II.(a) For use or disclosure of protected health information for fundraising, a health care provider, or a business associate of the health care provider, shall, in a clear and conspicuous manner, provide an opportunity for any intended recipient of one or more fundraising communications to elect not to receive such communications. A clear and conspicuous opportunity shall include, but not be limited to, simple election language and type of a sufficient size as to be easily readable by the average adult reader. Such opportunity shall be provided:

(1) Sixty days prior to any fundraising communication; or

(2) Upon presentation of the notice of privacy practices required by regulations adopted pursuant to sections 262 and 264 of HIPAA, as amended, if such notice is given to the intended recipient prior to any fundraising communication; or

(3) To an individual who does not elect to not receive fundraising communications in the opportunities in subparagraph (1) or (2), in any subsequent written fundraising communications.

(b) When an individual elects not to receive any fundraising communication, such election shall be treated as a revocation of authorization under 45 C.F.R. section 164.508.

III. Protected health information disclosed for marketing or fundraising shall not be disclosed by voice mail, an unattended facsimile, or through other methods of communication that are not secure.

332-I:4 Unauthorized Disclosure. In the event of a use or disclosure of protected health information by a health care provider or a business associate of a health care provider that is allowed under federal law but not permitted by RSA 332-I:3, the health care provider shall promptly notify in writing the individual or individuals whose protected health information was disclosed. A business associate shall be responsible for the cost of such notification if the use or disclosure was by the business associate.

332-I:5 Complaints; Right of Action. An aggrieved individual may bring a civil action under RSA 332-I:3 or RSA 332-I:4 and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, and costs and reasonable legal fees.

213:5 Definitions Added. RSA 332-I:1, II is repealed and reenacted to read as follows:

II. In this chapter:

(a) The following terms have the same meaning as given in the regulations under sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA):

(1) Business associate;

(2) Use;

(3) Disclosure; and

(4) Protected health information.

(b) “Health care provider” means any person, corporation, facility, or institution either licensed by this state or otherwise lawfully providing health care services, including, but not limited to, a physician, hospital, office, clinic, health center or other health care facility, dentist, nurse, optometrist, pharmacist, podiatrist, physical therapist, or mental health professional, and any officer, employee, or agent of such provider acting in the course and scope of employment or agency related to or supportive of health care services.

(c) “Health information exchange” means an entity established for the primary purpose of enabling and overseeing the exchange of protected health information for clinical decision-making purposes. The entity may operate on a regional, statewide, or multi-state basis. The entity may be developed by multiple stakeholders, including, but not limited to, the department of health and human services, a non-profit entity, or a for-profit entity. For the purpose of this chapter, “health information exchange” does not include entities solely owned and operated by health care providers, integrated delivery systems, or pharmacy exchanges.

(d) “Marketing” means:

(1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made by the individual’s health care provider;

(A) For treatment of the individual;

(B) For case management or care coordination for the individual;

(C) To direct or recommend to the individual:

(i) Alternative treatments or therapies if recommended by the individual’s health care provider;

(ii) Health care providers;

(iii) Settings of care; or

(D) For treatment-related reminders or health promotion activities by health care providers.

(2) An arrangement between a health care provider and any other person whereby the health care provider discloses protected health information to the other person, in exchange for direct or indirect remuneration, for the other person or an affiliate of the other person to make a communication about the person’s own product or service that encourages recipients of the communication to purchase or use that product or service.

213:6 New Sections; Use and Disclosure of Protected Health Information; Marketing; Fundraising. Amend RSA 332-I by inserting after section 3 the following new sections:

332-I:4 Use and Disclosure of Protected Health Information; Marketing; Fundraising.

I. A health care provider, or a business associate of the health care provider, shall obtain an authorization for any use or disclosure of protected health information for marketing. Such authorization shall meet the authorization implementation specifications for marketing under the regulations adopted pursuant to sections 262 and 264 of HIPAA, as amended.

II.(a) For use or disclosure of protected health information for fundraising, a health care provider, or a business associate of the health care provider, shall, in a clear and conspicuous manner, provide an opportunity for any intended recipient of one or more fundraising communications to elect not to receive such communications. A clear and conspicuous opportunity shall include, but not be limited to, simple election language and type of a sufficient size as to be easily readable by the average adult reader. Such opportunity shall be provided:

(1) Sixty days prior to any fundraising communication; or

(2) Upon presentation of the notice of privacy practices required by regulations adopted pursuant to sections 262 and 264 of HIPAA, as amended, if such notice is given to the intended recipient prior to any fundraising communication; or

(3) To an individual who does not elect to not receive fundraising communications in the opportunities in subparagraph (1) or (2), in any subsequent written fundraising communications.

(b) When an individual elects not to receive any fundraising communication, such election shall be treated as a revocation of authorization under 45 C.F.R. section 164.508.

III. Protected health information disclosed for marketing or fundraising shall not be disclosed by voice mail, an unattended facsimile, or through other methods of communication that are not secure.

332-I:5 Unauthorized Disclosure. In the event of a use or disclosure of protected health information by a health care provider or a business associate of a health care provider that is allowed under federal law but not permitted by RSA 332-I:4, the health care provider shall promptly notify in writing the individual or individuals whose protected health information was disclosed. A business associate shall be responsible for the cost of such notification if the use or disclosure was by the business associate.

332-I:6 Complaints; Right of Action. An aggrieved individual may bring a civil action under RSA 332-I:4 or RSA 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, and costs and reasonable legal fees.

213:7 Contingency. If HB 542 of the 2009 regular legislative session becomes law, sections 5 and 6 of this act shall take effect January 1, 2010 at 12:01 a.m. and sections 1-4 of this act shall not take effect. If HB 542 of the 2009 regular legislative session does not become law, sections 1-4 of this act shall take effect January 1, 2010 and sections 5 and 6 of this act shall not take effect.

213:8 Effective Date.

I. Sections 1-6 of this act shall take effect as provided in section 7 of this act.

II. The remainder of this act shall take effect upon its passage.

Approved: July 15, 2009

Effective Date: I. Sections 1-6 shall take effect as provided in section 7.

II. Remainder shall take effect July 15, 2009.