At the Maryland Health Care Commission (MHCC) meeting last month, members discussed the types of regulations needed to implement House Bill 812, which went into effect on June 1st. The bill allows for the adoption of emergency regulations to restrict the sharing of patient data concerning legally protected healthcare—specifically reproductive care, including abortions.
David Sharp, director of the Center of Health Information Technology and Innovative Care Delivery, stated that MHCC’s plan for advancing health information technology balances the need for information sharing with strong privacy and security policies.
“HIEs [health information exchanges] enable the sharing of clinical records electronically among healthcare providers,” Sharp said. “Sharing info electronically enables providers timely access… and [to] confidentially share patients’ vital medical history where patients are receiving care, and to provide more effective care tailored to patients’ unique health needs.”
COMAR 10.25.18—a state law from 2011—requires MHCC to adopt regulations to govern the privacy and security of protected health information that is obtained or released through HIEs. HB 812 regulates the disclosure of specific health information tied to legally protected healthcare of public records, HIEs, and electronic health networks (EHNs). The bill also requires regulations adopted by MHCC on clinical information be exchanged through a state-designated exchange to restrict data from patients who have obtained legally protected healthcare.
In Maryland, EHNs must be accredited or certified by nationally recognized organizations where standards related to confidentiality, privacy, business practices, physical and human resources, technical performance, and security are evaluated. So far, there are 29 certified EHNs in the state.
“The new law defines what legally protected healthcare is, which is all reproductive health services, medications, and supplies related to, one: the provision of abortion care, and two: other sensitive services. ‘Other sensitive services’ means reproductive health services other than abortion care, as determined by the Secretary, based on the recommendations of the protected health care commission (PHCC).”
— Caitlin Tepe, assistant attorney general, MHCC Legal Services
HB 812 established the PHCC, which requires the state’s Department of Health to adopt emergency regulations, within 90 days after the effective date, to restrict the disclosure of abortion care and other sensitive health information. PHCC requires the MHCC to also adopt emergency regulations, within nine months after the effective date, to restrict the data sharing of patients who obtained legally protected healthcare.
Beginning on June 1st, 2024, noncompliance fines will be issued and will not exceed $10,000 per day. MHCC will also be required to report on the implementation and progress of implementation of the law in 2024 and 2025.
“A PHCC, like I said, is charged with identifying sensitive health services, information by diagnosis or procedure, medication and related codes when disclosure would create a substantial risk to patients or healthcare providers,” Tepe said. “They are permitted to consult organizations who have expertise in legal issues in this area.”
The PHCC will issue semi-annual reports to the state Secretary of Health, identifying sensitive health services, an assessment of possible risk to patients and healthcare providers that would result from the disclosure of identified sensitive health services. Within 60 days of receiving the semi-annual report, the Secretary of Health will establish findings and determinations in a written response to the PHCC, the Senate Finance Committee, and the House Health and Government Committee.
Tepe said she thought it was worth mentioning activities at the federal level when it comes to reproductive healthcare privacy, including the fall of Roe v. Wade last summer.
“On April 12th, 2023, the Office of Civil Rights issued a notice proposing rulemaking to modify the HIPAA privacy rules to strengthen reproductive healthcare privacy,” Tepe said.
She explained how the privacy rule standards prohibit the use or disclosure of protected health information by covered entities or their business associates relating to criminal, civil, administrative investigations, or proceedings against any individual in connection with seeking, obtaining, providing, or facilitating reproductive healthcare, including abortion-related care.
The notice of modifications prevents an individual’s information from being disclosed to investigate, sue, or prosecute a patient, healthcare provider, or other select individuals for seeking, obtaining, providing, and facilitating legal reproductive healthcare.
MHCC will update COMAR 10.25.18 and COMAR 10.25.07 to support the law, and will propose draft amendments to the regulations, which will be released for a 30-day comment period at the September MHCC meeting. At the November MHCC meeting, COMAR 10.25.18 and COMAR 10.25.07 will be presented as final regulations.