The General Laws are hereby amended by inserting after chapter 111O the following chapter:-

Chapter 111P. Exchange of protected health information

Section 1. Definitions.

For purposes of this chapter the following words shall, unless the context clearly indicates otherwise, have the following meanings:-

“Authorization”, an authorization that (i) meets the requirements for a valid authorization as prescribed by 45 C.F.R. 164.508; and (ii) includes a statement informing the individual that the individual may elect to receive a share of any remuneration received by the covered entity, business associate, subcontractor or other third party, in exchange for authorizing the commercial sale of the individual’s protected health information, health information or de-identified data.

“Business associate”, as defined in 45 C.F.R. 160.103.

“Commercial sale”, the disclosure of health information, including de-identified data, by a covered entity, business associate, subcontractor or other third party, if the covered entity, business associate, subcontractor or other third party directly or in- directly receives remuneration from or on behalf of the recipient of the health information in exchange for the information; provided however, that “commercial sale” does not include the disclosure of health information by a covered entity, business associate, subcontractor or other third party for any of the following purposes:

(i) public health activities as described in 45 C.F.R. 164.512(b);

(ii) research, as described in 45 C.F.R. 164.512(i) and 164.514(e);

(iii) judicial and administrative proceedings as described in 45 C.F.R. 164.512(e);

(iv) Treatment, payment or health care operations as described in 45 C.F.R. 164.506(a) and (c);

(v) sale, transfer, merger or consolidation of all or part of the covered entity, business associate, subcontractor or other third party and for related due diligence;

(vi) performance of services delineated in a contract or other arrangement, as described in 45 C.F.R. 164.502(e) or 164.504(e), in which the only remuneration provided is to a covered entity, business associate, subcontractor or other third party for the performance of the services;

(vii) activities of a health oversight agency as described in 45 C.F.R. 164.512(d);

(viii) law enforcement activities as described in 45 C.F.R. 164.512(f);

(ix) to avert a serious threat to health or safety as described in 45 C.F.R. 164.512(j);

(x) specialized governmental functions as described in 45 C.F.R. 164.512(k);

(xi) workers’ compensation as described in 45 C.F.R. 164.512(l);

(xii) to address fraud, security or technical issues as may be reasonably necessary to protect the covered entity, business associate, subcontractor or other third party or to protect the individual; or

(xiii) when required by law as described in 45 C.F.R. 164.512(a).

“Covered entity”, as defined in 45 C.F.R. 160.103.

“De-identified data”, health information that meets the requirements for de-identification of protected health information un- der 45 C.F.R. 164.514.

“Disclosure”, the release, transfer, sharing, dissemination or any other communication, whether orally, in writing, electronically or by any other means, of health information to a third party.

“Health care operations”, as defined in 45 C.F.R. 164.501.

“Health information”, as defined in 45 C.F.R. 160.103.

“Health oversight agency”, as defined in 45 C.F.R. 164.501.

“Individual”, the individual who is the subject of protected health information.

“Payment”, as defined in 45 C.F.R. 164.501;

“Protected health information” as defined in 45 C.F.R. 160.103.

“Required by law” as defined in 45 C.F.R. 164.103.

“Research”, as defined in 45 C.F.R. 164.501.

“Subcontractor”, as defined in 45 C.F.R. 160.103.

“Third party”, a person who is not a covered entity, business associate or subcontractor authorized to do business in this state and who is not the individual.

“Treatment”, as defined in 45 C.F.R. 164.501.

Section 2. (1) A covered entity, business associate, subcontractor or other third party doing business in this state may not engage in the commercial sale of protected health information, health information or de-identified data without first obtaining a signed authorization from the individual.

(2) A covered entity, business associate, subcontractor or other third party doing business in this state may not discriminate against or penalize an individual who declines to sign an authorization or who elects to receive remuneration in exchange for signing an authorization.

(3) A covered entity, business associate, subcontractor or other third party shall provide a share of any remuneration received by the covered entity, business associate, subcontractor or other third party to an individual who elects to receive remuneration in exchange for signing an authorization.

(4) A third party that has not obtained a signed authorization from the individual may not engage in the commercial sale of any protected health information, health information or de-identified data purchased or otherwise obtained from a covered entity, business associate or subcontractor without first documenting that a signed authorization has been obtained by the covered entity, business associate or subcontractor in accordance with subsection (1) of this section.

(5) This section does not apply to a public body, a federal agency or the business associates or subcontractors of a public body or federal agency with respect to health information created, received, transmitted or maintained by the business associate or subcontractor on behalf of the public body or federal agency.