Overview
Health information exchange allows authorized users to securely and electronically access and share patient health information for clinical, quality improvement, and public health purposes. Organizations providing HIE services (HIEs) support efforts to improve safety and efficiency in health care by making the right information available in the right place at the right time. HIEs range from regional, public entities (including State-Designated entities) and developers of health information technology (health IT) (e.g., electronic health record vendors) certified by the Office of the National Coordinator for Health Information Technology
Information for Health Care Consumers
Consumers benefit from understanding the electronic exchange of their health information among treating providers. The MHCC is helping raise consumer awareness and understanding of HIEs and their role in electronic data exchange. For more information, visit MHCC's HIE Consumer web page.
Nationally, there is a coordinated focus to improve access, exchange, and use of electronic health information (see the 2020-2025 Federal Health IT Strategic Plan). Federal programs and policies aiming to advance electronic health information exchange and interoperability include:
Information Blocking
Beginning in April 2021, health care providers and HIEs are prohibited from information blocking under federal regulations. Information blocking consists of certain actions that could interfere with electronic health information access or exchange by authorized users. Certain exceptions apply. More information is available here.
Centers for Medicare & Medicaid Services (CMS) Interoperability and Patient Access Rule
As of July 2021, CMS is enforcing requirements that aim to improve patient access to their health information. Under the rule, CMS-regulated payers must implement patient access and provider directory APIs, and payer to payer data exchange. More information is available here.
Trusted Exchange Framework and Common Agreement (TEFCA)
Released in January 2022, TEFCA outlines a set of principles, terms, and conditions for nationwide electronic health information exchange. A voluntary network based on the Common Agreement offers a centralized model for standardized electronic health information exchange. More information is available here.
State Regulations
Maryland law (2011) requires MHCC to adopt regulations governing the privacy and security of protected health information (PHI) obtained or released through an HIE. COMAR 10.25.18, Health Information Exchanges: Privacy and Security of Protected Health Information (regulations) builds upon protections established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. The regulations aim to ensure privacy and security of PHI while improving access to clinical records by treating providers and supporting public health goals.
Maryland law (2011) requires MHCC to adopt regulations governing the privacy and security of protected health information (PHI) obtained or released through an HIE. COMAR 10.25.18, Health Information Exchanges: Privacy and Security of Protected Health Information (regulations) builds upon protections established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. The regulations aim to ensure privacy and security of PHI while improving access to clinical records by treating providers and supporting public health goals.
Amendments to the regulations are considered to keep pace with federal policy and to support the implementation of legislation passed by the Maryland General Assembly.
Consumer Consent Management Application, Health Data Utility, and Dispenser Reporting of Noncontrolled Prescription Drugs
Maryland law enacted in 2021 and 2022 requires the State-Designed Health Information Exchange (CRISP) to develop a consumer consent management application, operate a health data utility, and collect noncontrolled prescription drug information reported by dispensers.
Chapter 798 (HB1375), Health Information Exchanges - Electronic Health Information - Sharing and Disclosure (2021)
Chapter 296 (HB 1127), Public Health - State Designated Exchange - Health Data Utility (2022).
The MHCC convened stakeholder working sessions to discuss informal draft regulations
Public Comments on Proposed Regulations
Proposed amendments to COMAR 10.25.18, Health Information Exchanges: Privacy and Security of Protected Health Information were published in Volume 51, Issue 24 of the Maryland Register (December 2, 2024). The regulations support the implementation of legislation passed by the Maryland General Assembly: Chapter 798 (HB 1357), Health Information Exchanges - Electronic Health Information - Sharing and Disclosure (2021) and Chapter 296 (HB 1127), Public Health - State Designated Exchange - Health Data Utility (2022). Public comments received in response to the Notice of Proposed Action (NPA) are available here. Prior to the NPA, draft amendments were released for informal public comment in May 2024 and two virtual stakeholder working sessions were convened in July. Feedback received informed development of the proposed regulations.
Legally Protected Health Information
Maryland law enacted in 2023 prohibits the disclosure of legally protected health information by HIEs and electronic health networks (EHNs) operating in the State with some exceptions. Legally protected health information includes mifepristone data, the diagnosis, procedure, medication, and related codes for abortion care, and other sensitive health services with a date of service after May 31, 2022, as determined by the Secretary of Health and defined in COMAR 10.11.08, Abortion Care Disclosure.
Chapter 248 (Senate Bill 786) and Chapter 249 (House Bill 812), Health - Reproductive Health Services - Protected Information and Insurance Requirements (2023)
The MHCC convenes virtual Town Halls to provide a forum for stakeholders to share implementation progress and ask questions.
The MHCC prepared implementation guidance based on stakeholder questions. The following documents serve as a resource for HIEs and EHNs in the management, disclosure, and protection of legally protected health information.
Implementation Guidance: Health Information Exchanges (May 2024)
Implementation Guidance: Electronic Health Networks (May 2024)
HIEs and EHNs have submitted an affirmation of compliance or an implementation plan to comply with the law (January 2024). The majority of HIEs submitted implementation plans given the need for additional time to implement the technical capabilities for legally protected health information. The MHCC continues to request implementation updates as vendor implementation strategies are fluid and timelines are subject to change.
The next implementation update is due March 31, 2025 for registered HIEs and certified EHNs that have not previously submitted an affirmation of technical compliance with the regulations.
The MHCC prepared the following guidance for HIEs on the scope of what should be included in their implementation updates.
Implementation Update Guidance (August 2024)