Bill Text: MI HB5072 | 2023-2024 | 102nd Legislature | Introduced
Bill Title: Health: electronic records; requirements for security and storage of electronic health records; provide for. Amends secs. 16213, 20175 & 20175a of 1978 PA 368 (MCL 333.16213 et seq.).
Spectrum: Partisan Bill (Republican 18-0)
Status: (Introduced) 2023-10-03 - Bill Electronically Reproduced 09/28/2023 [HB5072 Detail]
Download: Michigan-2023-HB5072-Introduced.html
HOUSE BILL NO. 5072
A bill to amend 1978 PA 368, entitled
"Public health code,"
by amending sections 16213, 20175, and 20175a (MCL 333.16213, 333.20175, and 333.20175a), sections 16213 and 20175a as added and section 20175 as amended by 2006 PA 481.
the people of the state of michigan enact:
Sec. 16213. (1) An individual licensed under this article A licensee shall keep and maintain a record for each patient for whom he or she the licensee has provided medical services, including a full and complete record of tests and examinations performed, observations made, and treatments provided. Unless a longer retention period is otherwise required under federal or state laws or regulations or by generally accepted standards of medical practice, a licensee shall keep and retain each record for a minimum of 7 years from the date of service to which the record pertains. The records shall must be maintained in such a manner as to protect their integrity, to ensure their confidentiality and proper use, and to ensure their accessibility and availability to each patient or his or her the patient's authorized representative as required by law. A licensee may destroy a record that is less than 7 years old only if both of the following are satisfied:
(a) The licensee sends a written notice to the patient at the last known address of that patient informing the patient that the record is about to be destroyed, offering the patient the opportunity to request a copy of that record, and requesting the patient's written authorization to destroy the record.
(b) The licensee receives written authorization from the patient or his or her the patient's authorized representative agreeing to the destruction of the record.
(2) If a licensee is unable to comply with this section, the licensee shall employ or contract, arrange, or enter into an agreement with another health care provider, a health facility or agency, or a medical records company to protect, maintain, and provide access to those records required under subsection (1).
(3) If a licensee or registrant sells or closes his or her the licensee's practice, retires from practice, or otherwise ceases to practice under this article, the licensee or the personal representative of the licensee, if the licensee is deceased, shall not abandon the records required under this section and shall send a written notice to the department that specifies who will have custody of the medical records and how a patient may request access to or copies of his or her the patient's medical records and shall do either of the following:
(a) Transfer the records required under subsection (1) to any of the following:
(i) A successor licensee.
(ii) If requested by the patient or his or her the patient's authorized representative, to the patient or a specific health facility or agency or other health care provider licensed under article 15.
(iii) A health care provider, a health facility or agency, or a medical records company with which the licensee had contracted or entered into an agreement to protect, maintain, and provide access to those records required under subsection (1).
(b) In accordance with subsection (1), as long as the licensee or the personal representative of the licensee, if the licensee is deceased, sends a written notice to the last known address of each patient for whom he or she the licensee has provided medical services and receives written authorization from the patient or his or her the patient's authorized representative, destroy the records required under subsection (1). The notice shall must provide the patient with 30 days to request a copy of his or her the patient's record or to designate where he or she the patient would like his or her the patient's medical records transferred and shall must request from the patient within 30 days written authorization for the destruction of his or her the patient's medical records. If the patient fails to request a copy or transfer of his or her the patient's medical records or to provide the licensee with written authorization for the destruction, then the licensee or the personal representative of the licensee shall not destroy those records that are less than 7 years old but may destroy, in accordance with subsection (4), those that are 7 years old or older.
(4) Except as otherwise provided under this section or federal or state laws and regulations, records required to be maintained under subsection (1) may be destroyed or otherwise disposed of after being maintained for 7 years. If records maintained in accordance with this section are subsequently destroyed or otherwise disposed of, those records shall must be shredded, incinerated, electronically deleted, or otherwise disposed of in a manner that ensures continued confidentiality of the patient's health care information and any other personal information relating to the patient. If records are not destroyed or otherwise disposed of as provided under this subsection, the department may take action, including, but not limited to, contracting for or making other arrangements to ensure that those records and any other confidential identifying information related to the patient are properly destroyed or disposed of to protect the confidentiality of patient's health care information and any other personal information relating to the patient. Before the department takes action in accordance with this subsection, the department, if able to identify the licensee responsible for the improper destruction or disposal of the medical records at issue, shall send a written notice to that licensee at his or her the licensee's last known address or place of business on file with the department and provide the licensee with an opportunity to properly destroy or dispose of those medical records as required under this subsection unless a delay in the proper destruction or disposal may compromise the patient's confidentiality. The department may assess the licensee with the costs incurred by the department to enforce this subsection.
(5) If a licensee uses an off-site physical or virtual environment, including through a medical records company, to maintain the records required under subsection (1), the licensee shall ensure that the off-site physical or virtual environment is physically maintained in a province of Canada or a state.
(6) (5) A person who that fails to comply with this section is subject to an administrative fine of not more than $10,000.00 if the failure was the result of gross negligence or willful and wanton misconduct.
(7) (6) Nothing in this This section shall must not be construed to create or change the ownership rights to any medical records.
(8) (7) As used in this section:
(a) "Medical record" or "record" means information, oral or recorded in any form or medium, that pertains to a patient's health care, medical history, diagnosis, prognosis, or medical condition and that is maintained by a licensee in the process of providing medical services.
(b) "Medical records company" means a person who that contracts for or agrees to protect, maintain, and provide access to medical records for a health care provider or health facility or agency in accordance with this section.
(c) "Patient" means an individual who receives or has received health care from a health care provider or health facility or agency. Patient includes a guardian, if appointed, and a parent, guardian, or person acting in loco parentis, if the individual is a minor, unless the minor lawfully obtained health care without the consent or notification of a parent, guardian, or other person acting in loco parentis, in which case the minor has the exclusive right to exercise the rights of a patient under this section with respect to his or her the minor's medical records relating to that care.
Sec. 20175. (1) A health facility or agency shall keep and maintain a record for each patient, including a full and complete record of tests and examinations performed, observations made, treatments provided, and in the case of a hospital, the purpose of hospitalization. Unless a longer retention period is otherwise required under federal or state laws or regulations or by generally accepted standards of medical practice, a health facility or agency shall keep and retain each record for a minimum of 7 years from the date of service to which the record pertains. A health facility or agency shall maintain the records in such a manner as to protect their integrity, to ensure their confidentiality and proper use, and to ensure their accessibility and availability to each patient or his or her the patient's authorized representative as required by law. A health facility or agency may destroy a record that is less than 7 years old only if both of the following are satisfied:
(a) The health facility or agency sends a written notice to the patient at the last known address of that patient informing the patient that the record is about to be destroyed, offering the patient the opportunity to request a copy of that record, and requesting the patient's written authorization to destroy the record.
(b) The health facility or agency receives written authorization from the patient or his or her the patient's authorized representative agreeing to the destruction of the record. Except as otherwise provided under federal or state laws and regulations, records required to be maintained under this subsection may be destroyed or otherwise disposed of after being maintained for 7 years. If records maintained in accordance with this section are subsequently destroyed or otherwise disposed of, those records shall must be shredded, incinerated, electronically deleted, or otherwise disposed of in a manner that ensures continued confidentiality of the patient's health care information and any other personal information relating to the patient. If records are not destroyed or otherwise disposed of as provided under this subsection, the department may take action, including, but not limited to, contracting for or making other arrangements to ensure that those records and any other confidential identifying information related to the patient are properly destroyed or disposed of to protect the confidentiality of patient's health care information and any other personal information relating to the patient. Before the department takes action in accordance with this subsection, the department, if able to identify the health facility or agency responsible for the improper destruction or disposal of the medical records at issue, shall send a written notice to that health facility or agency at the last known address on file with the department and provide the health facility or agency with an opportunity to properly destroy or dispose of those medical records as required under this subsection unless a delay in the proper destruction or disposal may compromise the patient's confidentiality. The department may assess the health facility or agency with the costs incurred by the department to enforce this subsection. In addition to the sanctions set forth in section 20165, a hospital that fails to comply with this subsection is subject to an administrative fine of $10,000.00.
(2) A hospital shall take precautions to assure ensure that the records required by subsection (1) are not wrongfully altered or destroyed. A hospital that fails to comply with this subsection is subject to an administrative fine of $10,000.00.
(3) Unless otherwise provided by law, the licensing and certification records required by this article are public records.
(4) Departmental officers and employees shall respect the confidentiality of patient clinical records and shall not divulge or disclose the contents of records in a manner that identifies an individual except pursuant to under court order or as otherwise authorized by law.
(5) A health facility or agency that employs, contracts with, or grants privileges to a health professional licensed or registered under article 15 shall report the following to the department not more than 30 days after it occurs:
(a) Disciplinary action taken by the health facility or agency against a health professional licensed or registered under article 15 based on the licensee's or registrant's professional competence, disciplinary action that results in a change of employment status, or disciplinary action based on conduct that adversely affects the licensee's or registrant's clinical privileges for a period of more than 15 days. As used in this subdivision, "adversely affects" means the reduction, restriction, suspension, revocation, denial, or failure to renew the clinical privileges of a licensee or registrant by a health facility or agency.
(b) Restriction or acceptance of the surrender of the clinical privileges of a licensee or registrant under either of the following circumstances:
(i) The licensee or registrant is under investigation by the health facility or agency.
(ii) There is an agreement in which the health facility or agency agrees not to conduct an investigation into the licensee's or registrant's alleged professional incompetence or improper professional conduct.
(c) A case in which a health professional resigns or terminates a contract or whose contract is not renewed instead of the health facility taking disciplinary action against the health professional.
(6) Upon On request by another health facility or agency seeking a reference for purposes of changing or granting staff privileges, credentials, or employment, a health facility or agency that employs, contracts with, or grants privileges to health professionals licensed or registered under article 15 shall notify the requesting health facility or agency of any disciplinary or other action reportable under subsection (5) that it has taken against a health professional licensed or registered under article 15 and employed by, under contract to, or granted privileges by the health facility or agency.
(7) For the purpose of reporting disciplinary actions under this section, a health facility or agency shall include only the following in the information provided:
(a) The name of the licensee or registrant against whom disciplinary action has been taken.
(b) A description of the disciplinary action taken.
(c) The specific grounds for the disciplinary action taken.
(d) The date of the incident that is the basis for the disciplinary action.
(8) The records, data, and knowledge collected for or by individuals or committees assigned a professional review function in a health facility or agency, or an institution of higher education in this state that has colleges of osteopathic and human medicine, are confidential, shall must be used only for the purposes provided in this article, are not public records, and are not subject to court subpoena.
Sec. 20175a. (1) If a health facility or agency is unable to comply with section 20175, the health facility or agency shall employ or contract, arrange, or enter into an agreement with another health facility or agency or a medical records company to protect, maintain, and provide access to those records required under section 20175(1).
(2) If a health facility or agency closes or otherwise ceases operation, the health facility or agency shall not abandon the records required to be maintained under section 20175(1) and shall send a written notice to the department that specifies who will have custody of the medical records and how a patient may request access to or copies of his or her the patient's medical records and shall do either of the following:
(a) Transfer the records required under section 20175(1) to any of the following:
(i) A successor health facility or agency.
(ii) If designated by the patient or his or her the patient's authorized representative, to the patient or a specific health facility or agency or a health care provider licensed or registered under article 15.
(iii) A health facility or agency or a medical records company with which the health facility or agency had contracted or entered into an agreement to protect, maintain, and provide access to those records required under section 20175(1).
(b) In accordance with section 20175(1), as long as the health facility or agency sends a written notice to the last known address of each patient for whom he or she the health facility or agency has provided medical services and receives written authorization from the patient or his or her the patient's authorized representative, destroy the records required under section 20175(1). The notice shall must provide the patient with 30 days to request a copy of his or her the patient's record or to designate where he or she the patient would like his or her the patient's medical records transferred and shall must request from the patient within 30 days written authorization for the destruction of his or her the patient's medical records. If the patient fails to request a copy or transfer of his or her the patient's medical records or to provide the health facility or agency with written authorization for the destruction, then the health facility or agency shall not destroy those records that are less than 7 years old but may destroy, in accordance with section 20175(1), those that are 7 years old or older.
(3) If a health facility or agency uses an off-site physical or virtual environment, including through a medical records company, to maintain the records required under section 20175(1), the health facility or agency shall ensure that the off-site physical or virtual environment is physically maintained in a province of Canada or a state.
(4) (3) Nothing in this This section shall must not be conducted construed to create or change the ownership rights to any medical records.
(5) (4) A person that fails to comply with this section is subject to an administrative fine of not more than $10,000.00 if the failure was the result of gross negligence or willful and wanton misconduct.
(6) (5) As used in this section and section 20175:
(a) "Medical record" or "record" means information, oral or recorded in any form or medium, that pertains to a patient's health care, medical history, diagnosis, prognosis, or medical condition and that is maintained by a licensee in the process of providing medical services.
(b) "Medical records company" means a person who that contracts for or agrees to protect, maintain, and provide access to medical records for a health facility or agency in accordance with section 20175.
(c) "Patient" means an individual who receives or has received health care from a health care provider or health facility or agency. Patient includes a guardian, if appointed, and a parent, guardian, or person acting in loco parentis, if the individual is a minor, unless the minor lawfully obtained health care without the consent or notification of a parent, guardian, or other person acting in loco parentis, in which case the minor has the exclusive right to exercise the rights of a patient under this section with respect to his or her the minor's medical records relating to that care.