Bill Text: MS SB2745 | 2013 | Regular Session | Introduced


Bill Title: Health Information Confidentiality and Technology Act; provide privacy of protected health information.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Failed) 2013-02-05 - Died In Committee [SB2745 Detail]


MISSISSIPPI LEGISLATURE

2013 Regular Session

To: Public Health and Welfare

By: Senator(s) McDaniel

Senate Bill 2745

AN ACT TO AMEND SECTIONS 41-119-1, 41-119-7 AND 41-119-13, MISSISSIPPI CODE OF 1972, TO REDESIGNATE THE "MISSISSIPPI HEALTH INFORMATION CONFIDENTIALITY AND TECHNOLOGY ACT" RELATING TO THE PRIVACY OF PROTECTED HEALTH INFORMATION OF INDIVIDUALS NOTWITHSTANDING FEDERALLY MANDATED HEALTH INSURANCE REQUIREMENTS, TO CLARIFY THAT PATIENT MEDICAL RECORD CONFIDENTIALITY STANDARDS ARE THE RESPONSIBILITY OF THE MS-HIN BOARD, TO PROVIDE CIVIL PENALTIES FOR VIOLATION OF PATIENT RECORD CONFIDENTIALITY REQUIREMENTS, TO PROVIDE FOR A CONSUMER INFORMATION WEBSITE, AND TO PROVIDE FOR AUDITS OF COVERED ENTITIES; AND FOR RELATED PURPOSES.

     BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

     SECTION 1.  Section 41-119-1, Mississippi Code of 1972, is amended as follows:

     41-119-1.  This chapter shall be known and may be cited as the "Health Information Confidentiality and Technology Act."

     SECTION 2.  Section 41-119-7, Mississippi Code of 1972, is amended as follows:

     41-119-7.  (1)  In furtherance of the purposes of this chapter, the MS-HIN shall have the following duties:

          (a)  Initiate a statewide health information network to:

              (i)  Facilitate communication of patient clinical and financial information;

              (ii)  Promote more efficient and effective communication among multiple health care providers and payers, including, but not limited to, hospitals, physicians, nonphysician providers, third-party payers, self-insured employers, pharmacies, laboratories and other health care entities;

              (iii)  Create efficiencies by eliminating redundancy in data capture and storage and reducing administrative, billing and data collection costs;

              (iv)  Create the ability to monitor community health status;

              (v)  Provide reliable information to health care consumers and purchasers regarding the quality and cost-effectiveness of health care, health plans and health care providers; and

              (vi)  Promote the use of certified electronic health records technology in a manner that improves quality, safety, and efficiency of health care delivery, reduces health care disparities, engages patients and families, improves health care coordination, improves population and public health, and ensures adequate privacy and security protections for personal health information * * *.;

          (b)  Develop or design other initiatives in furtherance of its purpose; and

          (c)  Perform any and all other activities in furtherance of its purpose.

     (2)  The MS-HIN board is granted all incidental powers to carry out its purposes and duties, including the following:

          (a)  To appoint an executive director, who will serve at the will and pleasure of the MS-HIN board.  The qualifications and employment terms for the executive director shall be determined by the MS-HIN board;

          (b)  To adopt, modify, repeal, promulgate, and enforce rules and regulations to carry out the purposes of the MS-HIN;

          (c)  To establish a process for hearing and determining case decisions to resolve disputes under this chapter or the rules and regulations promulgated under this chapter among participants, subscribers or the public;

          (d)  To enter into, and to authorize the executive director to execute contracts or other agreements with any federal or state agency, any public or private institution, or any individual in carrying out the provisions of this chapter; and

          (e)  To discharge other duties, responsibilities, and powers as are necessary to implement the provisions of this chapter.

     (3)  The executive director shall have the following powers and duties:

          (a)  To employ qualified professional personnel as required for the operation of the MS-HIN and as authorized by the MS-HIN board;

          (b)  To administer the policies of the MS-HIN board; and

          (c)  To supervise and direct all administrative and technical activities of the MS-HIN.

     (4)  The MS-HIN shall have the power and authority to accept appropriations, grants and donations from public or private entities and to charge reasonable fees for its services.  The revenue derived from grants, donations, fees and other sources of income shall be deposited into a special fund that is created in the State Treasury and earmarked for use by the MS-HIN in carrying out its duties under this chapter.

     (5)  The MS-HIN board shall develop privacy and security standards for the electronic sharing of protected health information notwithstanding the requirements of any federal law or regulation mandating the purchase of health insurance coverage as specifically provided in Section 41-119-13(5).

     SECTION 3.  Section 41-119-13, Mississippi Code of 1972, is amended as follows:

     41-119-13.  (1)  The MS-HIN board shall by rule or regulation ensure that patient specific health information be disclosed only in accordance with the provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, which governs the electronic transmission of that information.

     (2)  Patient specific health information and data of the MS-HIN shall not be subject to the Federal Freedom of Information Act, Mississippi Open Records Act (Section 25-61-1 et seq.) nor to subpoena by any court.  That information may only be disclosed by consent of the patient or in accordance with the MS-HIN board's rules, regulations or orders.

     (3)  Notwithstanding any conflicting statute, court rule or other law, the data in the network shall be confidential and shall not be subject to discovery or introduction into evidence in any civil action.  However, information and data otherwise discoverable or admissible from original sources are not to be construed as immune from discovery or use in any civil action merely because they were provided to the MS-HIN.

     (4)  Submission of information to and use of information by the State Department of Health shall be considered a permitted disclosure for uses and disclosures required by law and for public health activities under the Health Insurance Portability and Accountability Act and the privacy rules promulgated under that act.

     (5)  (a)  The MS-HIN board shall develop privacy and security standards for the electronic sharing of protected health information notwithstanding any federal law or regulation mandatory health insurance coverage.  The MS-HIN Board shall review and by rule adopt acceptable standards which must be designed to:

              (i)  Comply with the Health Insurance Portability and Accountability Act and Privacy Standards;

              (ii)  Comply with any other state and federal law relating to the security and confidentiality of information electronically maintained or disclosed by a covered entity;

              (iii)  Ensure the secure maintenance and disclosure of personally identifiable health information;

              (iv)  Include strategies and procedures for disclosing personally identifiable health information; and

              (v)  Support a level of system interoperability with existing health record databases in this state that is consistent with emerging standards.

     The MS-HIN board shall establish a process by which a covered entity may apply for certification by MS-HIN board of a covered entity's compliance with standards.  The MS-HIN board shall publish the standards adopted under subsection (5) on the board's Internet website.

          (b)  A health care provider is not required to provide access to a person's protected health information that is excepted from access, or to which access may be denied, under 45 C.F.R. Section 164.524.

          (c)  For purposes of paragraph (a) of this subsection, the MS-HIN board, in consultation with the State Department of State Health, the Mississippi Medical Licensure Board, and the Mississippi Department of Insurance, by rule may recommend a standard electronic format for the release of requested health records.  The standard electronic format recommended under this paragraph must be consistent, if feasible, with federal law regarding the release of electronic health records.

     (6)  The MS-HIN board shall maintain an Internet website that provides:

          (a)  Information concerning a consumer's privacy rights regarding protected health information under federal and state law;

          (b)  A list of the state agencies, including the State Department of Health, the Mississippi Medical Licensure Board, and the Mississippi Department of Insurance, that regulate covered entities in this state and the types of entities each agency regulates;

          (c)  Detailed information regarding each agency's complaint enforcement process; and

          (d)  Contact information, including the address of the agency's Internet website, for each agency listed under subsection (2) of this section.

     (7)  In addition to injunctive relief provided by law, the MS-HIN board may institute an action for civil penalties against a covered entity for a violation of this section.  A civil penalty assessed under this section may not exceed:

          (a)  Five Thousand Dollars ($5,000.00) for each violation that occurs in one (1) year, regardless of how long the violation continues during that year, committed negligently;

          (b)  Twenty-five Thousand Dollars ($25,000.00) for each violation that occurs in one (1) year, regardless of how long the violation continues during that year, committed knowingly or intentionally; or

          (c)  Two Hundred Fifty Thousand Dollars ($250,000.00) for each violation in which the covered entity knowingly or intentionally used protected health information for financial gain.  The total amount of a penalty assessed against a covered entity under subsection (b) in relation to a violation or violations of subsection (5) may not exceed Two Hundred Fifty Thousand Dollars ($250,000.00) annually if the court finds that the disclosure was made only to another covered entity and the court finds that:

              (i)  The protected health information disclosed was encrypted or transmitted using encryption technology designed to protect against improper disclosure;

              (ii)  The recipient of the protected health information did not use or release the protected health information; or

              (iii)  At the time of the disclosure of the protected health information, the covered entity had developed, implemented, and maintained security policies, including the education and training of employees responsible for the security of protected health information.

     (8)  (a)  The MS-HIN board, in coordination with the Attorney General, the Mississippi Department of Health and the Mississippi Department of Insurance:

              (i)  May request that the United States Secretary of Health and Human Services conduct an audit of a covered entity, as that term is defined by 45 CFR Section 160.103, in this state to determine compliance with the Health Insurance Portability and Accountability Act and Privacy Standards; and

              (ii)  Shall periodically monitor and review the results of audits of covered entities in this state conducted by the United States Secretary of Health and Human Services.

          (b)  If the MS-HIN board has evidence that a covered entity has committed violations of this act that are egregious and constitute a pattern or practice, the board may:

              (i)  Require the covered entity to submit to the board the results of a risk analysis conducted by the covered entity; or

              (ii)  If the covered entity is licensed by a licensing agency of this state, request that the licensing agency conduct an audit of the covered entity's system to determine compliance with the provisions of this act.

          (c)  The MS-HIN board shall submit to the appropriate standing committees of the Senate and the House of Representatives a report regarding the number of federal audits of covered entities in this state and the number of audits required under this subsection (8).

     ( * * *59)  Any violation of the rules or regulations regarding access or misuse of the MS-HIN health information or data shall be reported to the Office of the Attorney General, and shall be subject to prosecution and penalties under state or federal law.

     SECTION 4.  This act shall take effect and be in force from and after July 1, 2013.

