Health Information Exchange (HIE) aims to deliver the right information to the right place at the right time by enabling health care professionals to transfer patient data across disparate information systems. Patient data available through an HIE can include lab results, radiology reports, discharge summaries, consultation notes, transcribed documents (i.e. clinical summaries), and secure clinical messaging and referrals.
HIE Privacy and Security Regulations
The Maryland Health Care Commission (MHCC) was given authority under Maryland law in May 2011 to adopt regulations for the privacy and security of protected health information (PHI) obtained or released through an HIE. The regulations set forth requirements for HIEs including:
- Procedural and technical controls (e.g. authorization and authentication) for the exchange of health information;
- Protocols for health care consumers to opt-out from having their health information exchanged via the HIE and request information on who has accessed their health information;
- How HIEs disclose sensitive health information, including obtaining additional authorization or consent;
- Annual audits to review and test the implementation of controls, including appropriate and permitted access, use and disclosure of PHI;
- Processes to assess and respond to a breach or potential non-compliance with the regulations, including investigations, remedial action plans, notifications, and suspension or termination of access;
- Protocols for the release of data for secondary use (e.g. population care management or research); and
- Policies and procedures regarding access, use, and disclosure of data in emergency situations.
The regulations became effective March 17, 2014.
Click here for a general summary of the HIE Privacy and Security Regulations.
Code of Maryland Regulations (COMAR) 10.25.18.09, Registration and Enforcement, requires an HIE operating in the State to register with MHCC annually. Registration is valid for one year.
Who Must Register
COMAR 10.25.18.02(25) defines an HIE as an entity that creates or maintains an infrastructure that provides organizational and technical capabilities in an interoperable system for the electronic exchange of PHI among participating organizations not under common ownership, in a manner that ensures the secure exchange of PHI to provide care to patients. An HIE includes a payor HIE but does not include an entity that is acting solely as a health care clearinghouse, as defined in 45 CFR §160.103. A payor may act as, operate, or own an HIE subject to these regulations.
In accordance with COMAR 10.25.18.01C, the regulations do not apply to an HIE that solely exchanges PHI:
- Between hospitals and credentialed professionals;
- Among credentialed professionals of a hospital; or
- Between hospitals and affiliated ancillary clinical service providers that have entered into a business associate agreement as required by HIPAA.
How to Register
To register as an HIE in Maryland, please complete the application below. Please send the completed application and all supporting documents to HIE.Registration@Maryland.gov.
Application for Registration to Operate As a Health Information Exchange in Maryland
An HIE renewing its registration in Maryland must provide, in addition to a completed application and any updates to the supporting documentation, the following information within 120 days of its fiscal year end date:
a. The most current audited financial statements; and
b. The most current results of the privacy and security audit performed in accordance with COMAR 10.25.18.
Requirements for Registered HIEs
Registered HIEs in Maryland must comply with the requirements of COMAR 10.25.18. Key administrative requirements that involve notification or reporting of a registered HIE to MHCC, or performing audit-related activities at the request of the MHCC, are listed here.
List of Registered HIEs
- Calvert Memorial Hospital
- Chesapeake Regional Information System for our patients
- Children's IQ Network
- Frederick Memorial Hospital
- Peninsula Regional Medical Center
- Prince George's County Public Health Information Network (PGC PHIN)
- Western Maryland Health Systems
If you have questions or need additional information regarding the HIE regulations and registration process, please contact email@example.com, or call 410-764-3330.
1. Md. Code Ann., Health-Gen. §§4-301 and 4-302 (2011)
2. 45 CFR Subtitle A (10–1–07 Edition) available at: http://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-sec160-103.pdf