Enacts new Article 29A, the North Carolina Health Information Exchange Act, to GS Chapter 90. Indicates the purpose is to improve the quality of health care delivery in NC by facilitating and regulating the use of a voluntary, statewide health information exchange network for the secure electronic transmission of individually identifiable health information, consistent with the Health Insurance Portability and Accountability Act (HIPAA).
Defines North Carolina Health Information Exchange (NC HIE) as the nonprofit corporation selected by the Governor to serve as the subrecipient of grant funds or as the state-designated entity named pursuant to federal law, as indicated. Defines HIE Network as the voluntary statewide health information exchange network overseen and administered by the NC HIE. Lists additional definitions applicable to proposed Article 29A. Requires that the NC HIE satisfy seven enumerated requirements, including the directive to develop and enter into written participation agreements with covered entities utilizing the HIE network, and the duty to comply with HIPAA. Clarifies that the NC HIE is not restricted from exercising any corporate powers in a manner not inconsistent with proposed Article 29A.
Requires that each covered entity participating in the HIE Network enter into a business associate contract and a written participation agreement with the NC HIE before disclosing or accessing any protected health information through the HIE Network. Also allows each participating covered entity to authorize its business associates to disclose or access protected health information on the entity’s behalf. Authorizes each covered entity participating in the HIE Network to disclose an individual’s protected health information (1) to other covered entities for any purpose permitted by HIPAA, unless the individual has opted out and (2) to facilitate emergency medical treatment to the individual, subject to specified limitations. Provides that any health care provider relying in good faith on information obtained through the HIE Network will not be criminally or civilly liable for damages caused by inaccurate or incomplete information.
States that each individual has the continuing right to opt out or rescind a decision to opt out, and directs the NC HIE to enforce the individual’s decision prospectively from the date the NC HIE receives notice. Prohibits a covered entity from denying treatment or benefits to an individual who opted out. Provides that the protected health information of an individual who opted out will not be disclosed to covered entities for any purpose, with the following exceptions: (1) the information may be disclosed to facilitate emergency medical treatment to the individual if specified criteria are met and (2) the information may be disclosed for public health purposes or research purposes if such disclosure is permitted by HIPAA and state law.
Clarifies that proposed Article 29A does not: (1) impair rights conferred under HIPAA, including six enumerated rights; (2) authorize disclosure of protected health information if the disclosure is restricted by federal laws or regulations; (3) restrict authorized disclosures for public health and research purposes; and (4) prohibit the NC HIE or any participating covered entity from storing electronically the protected health information of an individual who opted out, provided the information remains undisclosed and unused as required. Also clarifies that proposed Article 29A applies only to disclosures of protected health information made through the HIE Network.
Details the following possible penalties for a covered entity that discloses protected health information: (1) any civil or criminal penalty, or both, may be imposed pursuant to federal law; (2) any civil remedy under federal law; (3) disciplinary action by the relevant licensing board or regulatory agency; (4) any penalty authorized by the Identity Theft Protection Act; and (5) any other civil or administrative remedy.
Effective October 1, 2011.