HB 1663-FN - AS INTRODUCED

 

 

2024 SESSION

24-2643

05/08

 

HOUSE BILL 1663-FN

 

AN ACT relative to the confidentiality of medical records and patient information.

 

SPONSORS: Rep. Layon, Rock. 13; Rep. T. Lekas, Hills. 38; Rep. Cannon, Straf. 12; Sen. Birdsell, Dist 19; Sen. Rosenwald, Dist 13

 

COMMITTEE: Health, Human Services and Elderly Affairs

 

─────────────────────────────────────────────────────────────────

 

ANALYSIS

 

This bill recodifies RSA 332-I, relative to the privacy and confidentiality of medical records and patient information.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty Four

 

AN ACT relative to the confidentiality of medical records and patient information.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  Purpose and Findings. The general court hereby finds that:

I.  The New Hampshire Constitution in Article 2-b, Section 1 states that "An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent."  

(a)  On Election Day 2018, over 82 percent of New Hampshire voters approved the amendment to the state constitution to enshrine this explicit right to privacy.

(b)  New Hampshire’s privacy law regarding medical records, patient information and the health information organization corporation predates this important protection and therefore it is our duty to update this statute to conform to the overwhelming will of the people.  

II.  Recognizing that the constitution of New Hampshire places a fundamental emphasis on the protection of private and personal information, this act is necessary to uphold the will of the overwhelming majority of the state. As such, the general court requires agents of the state to defend this necessary provision and its priority over the privacy requirements in the Health Insurance Portability and Accountability Act of 1996. The general court requires the commissioner of the department of health and human services, the attorney general, and the governor to defend this constitutionally founded law to the United States Secretary of Health and Human Services as necessary under Section 1178(a)(2)(A)(i), and to file any appeals or waivers needed to protect the privacy of the people of this great state.

2  Medical Records and Patient Information. Repeal and replace RSA 332-I to read as follows:

CHAPTER 332-I

MEDICAL RECORDS AND PATIENT INFORMATION

332-I:1 Medical Records and Patient Information.

I.  Consistent with article 2-b, part 1 of the New Hampshire constitution this chapter provides the state requirements for medical privacy which are intended to be more stringent than those required under the Health Insurance Portability and Accountability Act of 1996 and subject to the exemption under section 1178 of said code which provides exemptions for necessary state laws which provide for greater privacy protection.

II.  All medical information contained in the medical records in the possession of any health care provider shall be deemed to be the property of the patient.  The patient shall be entitled to a copy of such records upon request, and in digital or physical form as requested by the patient.  The charge for the physical copying of a patient's medical records shall not exceed $15 for the first 30 pages or $.50 per page, whichever is greater; provided, that copies of filmed records such as radiograms, x-rays, and sonograms shall be copied at a reasonable cost to incorporate the cost of any storage media provided by the health care provider.

332-I:2  Definitions.  In this chapter:

I.  "Business associate" means a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity's workforce is not a business associate.

II.  "Use" means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

III.  "Disclosure" means the release, transfer, provision of, access to, or divulgence in any manner of information outside the entity holding the information.

IV.  "Health information" means any information, whether oral or recorded in any form or medium, that:

(a)  Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(b)  Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

V.  "Health care provider" means any person, corporation, facility, or institution either licensed by this state or otherwise lawfully providing health care services, including, but not limited to, a physician, advanced practice registered nurse, physician assistant, hospital, office, clinic, health center or other health care facility, dentist, nurse, optometrist, pharmacist, podiatrist, physical therapist, mental health professional, care coordinator, managed care provider, or the department of health and human services, and any officer, employee, or agent of such provider acting in the course and scope of employment or agency related to or supportive of health care services.

VI.  "Marketing" means:

(a)  To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made by the individual's health care provider:

(1)  For treatment of the individual;

(2)  For case management or care coordination for the individual;

(3)  To direct or recommend to the individual:

(A)  Alternative treatments or therapies if recommended by the individual's health care provider;

(B)  Health care providers;

(C)  Settings of care; or

(4)  For treatment-related reminders or health promotion activities by health care providers.

(b)  An arrangement between a health care provider and any other person whereby the health care provider discloses protected health information to the other person, in exchange for direct or indirect remuneration, for the other person or an affiliate of the other person to make a communication about the person's own product or service that encourages recipients of the communication to purchase or use that product or service.

VII.  "Audit trail" means a chronological record identifying specific persons who have accessed an electronic medical record, the date and time the record was accessed, and, if such information is available, the area of the record that was accessed.  An audit trail shall not be considered a part of a person's medical care.

VIII.  "Individual" means the subject of the protected health information, including a guardian or other legal representative.

IX.  "Consent" means an express, written, voluntary, and informed affirmation for a specific action that cannot be combined with any additional actions.

X.  "Research" means investigations, experiments, and studies to discover, develop, or verify knowledge relating to the causes, diagnosis, treatment, prevention, or control of human physical or mental diseases and impairments.

XI.  "Medical record" means any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of a patient; the provision of medical care to a patient; or the past, present, or future payment for the provision of medical care to a patient.

XII.  "Health information exchange" or "health information organization" means a system which allows health care professionals and patients to appropriately access and securely share a patient’s medical information electronically.

332-I:3  Patient Information.

I.(a)  The patient has the right to courtesy, respect, dignity, responsiveness, and timely attention to his or her needs.

(b)  The patient has the right to receive information from the health care provider and to discuss the benefits, risks, and costs of appropriate treatment alternatives.

(c)  The patient shall be fully informed by the health care provider of his or her medical condition, health care needs and diagnostic test results, including the manner by which such results will be provided and the expected time interval between testing and receiving results, unless medically inadvisable and so documented in the medical record.

(d)  The patient has the right to make decisions regarding the health care that is recommended by the health care provider.  Accordingly, patients may accept or refuse any recommended medical treatment and be involved in research upon the patient's written consent only.

(e)  The health care provider shall not reveal confidential communications or information without the consent of the patient.  A provider, or a person who receives medical records from a provider, must only release a patient’s medical records in accordance with RSA 332-I:3.

(f)  Subject to the terms and conditions of the patient's insurance plan, the patient shall have access to any provider in his or her insurance plan network and referral to a provider or facility within such network shall not be unreasonably withheld pursuant to RSA 420-J:8, XIV.

(g)  When an individual's medical record is maintained in electronic form, the individual has the right to a report, based on whatever audit trail of that record is then maintained, of access to the record by a health care provider.  The report shall indicate whether a provider had access, or did not have access, or whether access could not be determined with the available data.  If a provider had access, the report shall summarize, as the available data permit, the extent of access to the record and give an accounting of disclosures.

II.  This section shall not apply to individuals being held in correctional facilities within the state.

332-I:4  Release or Disclosure of Medical Records.

I.  Medical records can only be released or disclosed as specified in this section.

II.  A provider, or a person who receives medical records from a provider, may not release a patient’s medical records to a person without:

(a)  A signed and dated consent from the patient or the patient's legally authorized representative authorizing the release;

(b)  Specific authorization in law; or

(c)  A representation from a provider that holds a signed and dated consent from the patient authorizing the release.

III.  A patient's medical record, including, but not limited to, laboratory reports, x-rays, prescriptions, and other technical information used in assessing the patient's condition, or the pertinent portion of the record relating to a specific condition, or a summary of the record, shall promptly be furnished to another provider upon the written request of the patient.  The written request shall specify the name of the provider to whom the medical record is to be furnished.  The provider who furnishes the medical record or summary may retain a copy of the materials furnished.  The patient shall be responsible for the reasonable costs of furnishing the information.

IV.  Except as provided in this section, a consent is valid for one year or for a period specified in the consent that is no longer than 3 years.

V.  This section does not prohibit the release of medical records:

(a)  For a medical emergency when the provider is unable to obtain the patient's consent due to the patient's condition or the nature of the medical emergency; or

(b)  To other providers within related health care entities when necessary for the current treatment of the patient.

VI.  Release or use of patient identifiable medical information for the purpose of sales or marketing of services or products shall be prohibited without written authorization.

332-I:5  Release of a Minor's Medical Records to a Parent or Guardian.  A minor's parent or legal guardian shall have access to a minor's medical record unless:

I.  Consent from the parent or legal guardian is not required for the minor to receive the medical care or treatment, as directed by federal or specific state law.  In such cases, the minor may provide specific, written consent for release of the medical records to the parent or legal guardian.

II.  The health care provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, and that release of the medical records to the parent or guardian could endanger the child.

III.  The parent or legal guardian agrees to a confidential communication between the minor and a health care provider, as described by HIPAA, 45 C.F.R. section 164.502(g)(3).

332-I:6  Use and Disclosure of Protected Health Information; Health Information Exchange.

I.  Except as provided in paragraph VI, a health care provider or a business associate of a health care provider or a patient or patient's legal representative may transmit the patient's protected health information through the health information organization.  Only a health care provider, for purposes of treatment, care coordination, or quality assurance, or a patient or a patient's legal representative with respect to the patient's protected health information, may have access to protected health information transmitted through the health information organization.

II.  A provider shall not access patient medical information through any health information exchange without first receiving the consent of the patient.

III.  The health information organization shall adhere to the protected health information requirements for health care providers in state and federal law.

IV.  The health information organization shall maintain an audit log of the transactions transmitted through the health information organization.  The parties transmitting or receiving information through the health information organization shall maintain audit logs in accordance with nationally accepted interoperability standards, practices, regulations, and statutes, including but not limited to:

(a)  The identity of the health care provider accessing the information;

(b)  The identity of the individual whose protected health information was accessed by the health care provider;

(c)  The date the protected health information was accessed; and

(d)  The area of the record that was accessed.

V.  The health information organization shall be certified, when federal certification standards are established, to be in compliance with nationally accepted interoperability standards and practices.

VI.  No person shall require a health care provider to participate in the health information organization as a condition of payment or participation.

VII.  An individual shall have the right to grant or refuse consent for sharing of personal information with any health information exchange.  Such opportunities shall be provided in a clear and conspicuous manner, including, but not limited to, simple consent language in a font and size easily readable by the average adult reader so that the individual may make his or her decision known.

VIII.  The health information organization shall follow all current and future laws relative to medical information privacy and all existing laws regarding health information exchanges.

IX.  A health information organization, health information exchange, health care provider or any other person in possession of health information or medical records may not structure exchange of information, database maintenance, database queries or any other function in order to circumvent the protections provided under state or federal law.

X.  Notwithstanding paragraph I, health care providers otherwise required or authorized by law to submit data to the department of health and human services may do so through a health information organization; provided, that such transmissions meet the same standards for privacy and security of protected health information that apply when such information is exchanged between providers.

332-I:7  Use and Disclosure of Protected Health Information; Marketing; Fundraising.

I.  A health care provider, or a business associate of the health care provider, shall obtain patient consent for any use or disclosure of protected health information for marketing.

II.(a)  For use or disclosure of protected health information for fundraising, a health care provider, or a business associate of the health care provider, shall, in a clear and conspicuous manner, provide an opportunity for any intended recipient of one or more fundraising communications to elect to receive such communications.  A clear and conspicuous opportunity shall include, but not be limited to, simple election language and type of a sufficient size as to be easily readable by the average adult reader.  Such opportunity shall be provided:

(1)  Sixty days prior to any fundraising communication; or

(2)  Upon presentation of the notice of privacy practices required by regulations adopted pursuant to sections 262 and 264 of HIPAA, as amended, if such notice is given to the intended recipient prior to any fundraising communication; or

(3)  To an individual who does not elect to not receive fundraising communications in the opportunities in subparagraph (1) or (2), in any subsequent written fundraising communications.

(b)  When an individual does not consent or revokes consent to receive any fundraising communication, such election shall be treated as a revocation of authorization under 45 C.F.R. section 164.508.

III.  Protected health information disclosed for marketing or fundraising shall not be disclosed by voice mail, an unattended facsimile, or through other methods of communication that are not secure.

332-I:8  Unauthorized Disclosure.  In the event of a use or disclosure of protected health information by a health care provider or a business associate of a health care provider that is allowed under federal law but not permitted by RSA 332-I:3, RSA 332-I:4, or RSA 332-I:5, the health care provider shall promptly notify in writing the individual or individuals whose protected health information was disclosed.  A business associate shall be responsible for the cost of such notification if the use or disclosure was by the business associate.

332-I:9  Complaints; Right of Action.  An aggrieved individual may bring a civil action under RSA 332-I:3, RSA 332-I:4, or RSA 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, and costs and reasonable legal fees.

332-I:10  Limited Immunity.  Any health care provider acting in accordance with RSA 332-I:1 through RSA 332-I:5 who relies in good faith upon any information provided through the health information organization in the treatment of a patient, shall be immune from any criminal liability arising from any damages caused by such good faith reliance.  This immunity shall not apply to acts or omissions constituting negligence or reckless, wanton, or intentional misconduct.

332-I:11  Disposition of Assets.  In the event of the dissolution of the corporation, its remaining assets after payment of all debts and obligations of the corporation, if any, shall be distributed for one or more exempt purposes within the meaning of section 501(c)(3) of the Internal Revenue Code, or the corresponding section of any future federal tax code, or shall be distributed to the federal government, or to a state or local government, for a public purpose.  Any such assets not disposed of shall be disposed by a court of competent jurisdiction of the county in which the principal office of the corporation is then located, exclusively for such purposes or to such organization or organizations as the court shall determine, which are organized and operated exclusively for such purposes.

332-I:12  Medical Records of Deceased Spouse or Next of Kin.  

I.  Where there is no estate administration, the surviving spouse or next of kin of the deceased is designated the personal representative of the deceased for the limited purpose of obtaining the medical records of the deceased.  Such authority shall automatically cease upon the initiation of estate administration or the death of the surviving spouse or next of kin.

II.(a)  In this section, "next of kin" means:

(1)  Adult child by blood or adoption only in the absence of a surviving spouse.

(2)  Parent, only in the absence of a surviving spouse or adult child.

(b)  If 2 or more relatives in the same category qualify as next of kin, each shall be considered the deceased's personal representative under this section.

III.(a)  Where there is no estate administration, the requestor shall provide:

(1)  A notarized affidavit, pursuant to paragraph VII, indicating he or she is authorized to access the patient's records;

(2)  An authorization in compliance with the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. section 1320d et seq., and the regulations implementing such act; and

(3)  A copy of the death certificate.

(b)  Upon request, a health care provider, as defined in RSA 332-I:1, II(b), shall provide the surviving spouse or next of kin with a copy of the legal medical records of the deceased, unless the deceased has indicated or any court of competent jurisdiction has ordered that the surviving spouse or next of kin not have access to those records.  The health care provider shall provide such records within the time frame established under 45 C.F.R. 164.524(b)(2).  Requests under this subparagraph shall be valid within the time frame established under RSA 508:4.

(c)  A health care provider shall not release mental health records or other medical records afforded additional privacy protection under other state or federal law.

(d)  Prior to death, a patient may designate their medical record, or any portion of their medical record, as private and it may not be released without an order from a court of competent jurisdiction.  A health care provider shall, in a clear and conspicuous manner, provide an opportunity for a patient to elect to restrict their medical record under this section.  A clear and conspicuous opportunity shall include, but not be limited to, simple election language and type of a sufficient size as to be easily readable by the average adult reader.

IV.  A health care provider shall not be required to initiate a conversation with a patient on the subject of access to the information in a medical record by a surviving spouse or next of kin.

V.  Any provider shall be justified in relying upon the affidavit provided in accordance with paragraph III.

VI.  Any provider or person who in good faith releases copies of medical records in accordance with this section shall not have violated any criminal law or be civilly liable to the patient, the deceased patient's estate, or to any other person for the release of such medical records.

VII.  An affidavit in the following form shall be used by any surviving spouse or next of kin seeking records under this section.

AFFIDAVIT OF SURVIVING SPOUSE OR NEXT OF KIN SEEKING ACCESS TO MEDICAL RECORDS

I, __________, being duly sworn, do hereby state as follows:

As "Surviving Spouse" or "Next of Kin" to __________(name of "decedent"), I am requesting a copy of a decedent's legal medical record.

I acknowledge and understand that Next of Kin includes the following surviving individuals:

1) Adult child by blood or adoption only in the absence of a surviving spouse.

2) Parent only in the absence of a surviving spouse or adult child.

I represent that, as the surviving spouse, adult child by blood or adoption, parent (circle one) of the decedent, that I am the Surviving Spouse or Next of Kin and that there is no survivor of higher priority.

I hereby represent and affirm that no estate administration has been initiated on behalf of the decedent and that I have not applied and been denied access to the requested records by any court.

I declare subject to the criminal penalty of false swearing established in RSA 641:2 that the foregoing statements are true and correct.

Date: __________ Signed: __________

STATE OF NEW HAMPSHIRE

COUNTY OF __________

Signed and sworn to (or affirmed) before me on the _____day of _____, 20 ___, by __________ (name of person).

3  Effective Date.  This act shall take effect upon its passage.

 

LBA

24-2643

Revised 2/6/24

 

HB 1663-FN - FISCAL NOTE

AS INTRODUCED

 

AN ACT relative to the confidentiality of medical records and patient information.

 

FISCAL IMPACT:      [ X ] State              [    ] County               [    ] Local              [    ] None

 

 

Estimated State Impact - Increase / (Decrease)

| | FY 2024 | FY 2025 | FY 2026 | FY 2027 |
|---|---|---|---|---|
| Revenue | $0 | $0 | $0 | $0 |
| Revenue Fund(s) | None | | | |
| Expenditures | $0 | Indeterminable Increase | Indeterminable Increase | Indeterminable Increase |
| Funding Source(s) | General Fund | | | |
| Appropriations | $0 | $0 | $0 | $0 |
| Funding Source(s) | None | | | |

Does this bill provide sufficient funding to cover estimated expenditures? [X] No

Does this bill authorize new positions to implement this bill? [X] No

 

METHODOLOGY:

This bill repeals and reenacts in its entirety RSA 332-I, relative to the privacy and confidentiality of medical records and patient information.  In general terms, the Department of Health and Human Services expects the bill to result in an indeterminable increase in expenditures.  This cost includes time required of Department employees and vendors to review and implement any needed changes.  In addition, the Department expects it will need to review existing contracts with vendors to ensure contracted services, business associate agreements, and any other data and security provisions align with the changes contained in the bill.  This may result in certain contracts needing to be completely re-negotiated.

 

The Department makes the following comments with respect to specific components of the bill:

 

  • The bill enacts a new definition of the term “Business Associate” which does not fully align with the definition stated in federal regulations (45 CFR 160.103).  The Department contends that the inconsistency between the terms in the bill and those in federal rule may weaken the Department’s ability, when contracting, to appropriately designate responsibilities and assign breach liability to a business associate. The lack of clarity potentially shifts legal liability to the Department and has the potential to increase contract costs by an indeterminable amount.

 

  • Subparagraph (g) in the re-enacted 332-I:3, I removes the three-year record keeping requirement in current statute.  Removing the requirement may result in the need to maintain records indefinitely, resulting in indeterminable costs.

 

  • The bill limits a consent to one year and no longer than three years.  This standard is more restrictive than those found in the federal Health Insurance Portability and Accountability Act (HIPAA), which allows for an event to terminate the consent under appropriate circumstances.  The limitation of the consent may prevent the health care provider from taking into consideration the time frame needed for treatment and the sharing of the medical record.  There may be an indeterminable increase in total fund expenditures to the Department in the form of additional claims resulting from increased medical encounters being necessary to ensure that a consent is managed within these time frames.

 

  • The bill expands legal causes of action beyond existing law and exposes the Department to greater civil liability for violations of its provisions.  Whenever causes of action are expanded and potentially include the Department as a defendant, the possibility for an increase in total expenditures exists.

 

  • The language in proposed RSA 332-I:12, III(d) permitting an individual to, prior to death, “designate their medical record or any portion for the medical record as private and it may not be released without an order from a court” may result in delay or prevent the Department from resolving matters relative to the patient’s death.  This may lead to an indeterminable decrease in revenue if the Department has a claim against the estate of the decedent and is unable to obtain a court order or an indeterminable decrease in total expenditures if the Department is unable to pay claims because it does not have the necessary information to process the claim.

 

The Office of Professional Licensure and Certification states the bill will have no fiscal impact.

 

AGENCIES CONTACTED:

Department of Health and Human Services and Office of Professional Licensure and Certification