Bill H.1238

HOUSE DOCKET, NO. 2828 FILED ON: 1/19/2023

HOUSE . . . . . . . . . . . . . . . No. 1238

By Representative Ryan of Boston, a petition (accompanied by bill, House, No. 1238) of Daniel J. Ryan for legislation to establish integrated electronic health records. Health Care Financing.

The Commonwealth of Massachusetts

_______________

In the One Hundred and Ninety-Third General Court
(2023-2024)

_______________

An Act to improve patient care through integrated electronic health records.

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

Section 118I of the General Laws is hereby amended by striking out the chapter and inserting in place thereof the following chapter:.

Chapter 118I

HEALTH INFORMATION EXCHANGE

Section 1. As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:

“Council”, the health information technology council established under section 2.

“Electronic health record”, an electronic record of patient health information generated by 1 or more encounters in any care delivery setting.

“Executive office”, the executive office of health and human services.

“Health care entity”, a payer, health care provider or provider organization.

“Health care provider”, a provider of medical or health services or any other person or organization that furnishes, bills or is paid for health care service delivery in the normal course of business.

“Health information exchange”, transmission of health care-related data among health care entities of personal health records aligning with national standards; the reliable and secure transfer of data among diverse systems and access to and retrieval of data.

“Office of the National Coordinator” or “ONC”, the Office of the National Coordinator for Health Information Technology within the United States Department of Health and Human Services.

“Payer”, any entity, other than an individual, that pays providers for the provision of health care services; provided, that “payer” shall include both governmental and private entities; provided further, that “payer” shall not include ERISA plans.

“Provider organization”, any corporation, partnership, business trust, association or organized group of persons, which is in the business of health care delivery or management, whether incorporated or not that represents 1 or more health care providers in contracting with carriers for the payments of health care services; provided, that “provider organization” shall include, but not be limited to, physician organizations, physician-hospital organizations, independent practice associations, provider networks, accountable care organizations and any other organization that contracts with carriers for payment for health care services.

“Statewide health information exchange”, health information exchange established, operated, facilitated or funded by a governmental entity or entities in the commonwealth.

Section 2. (a) There shall be a health information technology council within the executive office of health and human services. The council shall advise the executive office on design, implementation, operation and use of statewide health information exchange.

(b) The council shall consist of the following 21 members: the secretary of health and human services or a designee, who shall serve as the chair; the secretary of administration and finance or designee; the executive director of the health policy commission or a designee; the executive director of the center for health information analysis or a designee; the director of the Massachusetts eHealth Institute or a designee; the director of the office of Medicaid or a designee; and 14 members who shall be appointed by the governor, of whom at least 1 shall be an expert in health information technology; 1 shall be an expert in law and health policy; 1 shall be an expert in health information privacy and security; 1 shall be from an academic medical center; 1 shall be from a community hospital; 1 shall be from a community health center; 1 shall be from a long term care facility; 1 shall be a from large physician group practice; 1 shall be from a small physician group practice; 1 shall be a registered nurse; 1 shall be from a behavioral health, substance abuse disorder or mental health services organization; 1 shall be from the Massachusetts Association of Health Plans or a designee, 1 shall be from Blue Cross Blue Shield of Massachusetts, 1 shall be from a business group; and 2 additional members shall have experience or expertise in health information technology. The council may consult with all relevant parties, public or private, in exercising its duties under this section, including persons with expertise and experience in the development and dissemination of electronic health records systems, and the implementation of electronic health record systems by small physician groups or ambulatory care providers, as well as persons representing organizations within the commonwealth interested in and affected by the development of networks and electronic health records systems, including, but not limited to, persons representing local public health agencies, licensed hospitals and other licensed facilities and providers, private purchasers, the medical and nursing professions, physicians and health insurers, the state quality improvement organization, academic and research institutions, consumer advisory organizations with expertise in health information technology and other stakeholders as identified by the secretary of health and human services. Appointed members of the council shall serve for terms of 2 years or until a successor is appointed. Members shall be eligible to be reappointed and shall serve without compensation.

(c) Chapter 268A shall apply to all council members, except that the council may purchase from, sell to, borrow from, contract with or otherwise deal with any organization in which any council member is in anyway interested or involved; provided, however, that such interest or involvement shall be disclosed in advance to the council and recorded in the minutes of the proceedings of the council; and provided, further, that no member shall be considered to have violated section 4 of said chapter 268A because of the member’s receipt of usual and regular compensation from such member’s employer during the time in which the member participates in the activities of the council.

Section 3. (a) The executive office shall establish, operate, facilitate, or fund statewide health information exchange among health care entities, including, but not limited to, improving interoperability among health care entities and requiring the exchange of minimum standardized health data requirements.

(b) The executive office may:

(i) conduct procurements and enter into contracts for the purchase, dissemination, development of hardware and software, in connection with the implementation of statewide health information exchange; and

(ii) in consultation with the council, oversee the development, dissemination, implementation and operation of statewide health information exchange including any modules, applications, interfaces or other technology infrastructure for statewide health information exchange.

(c) In carrying out this chapter, the executive office may undertake any activities necessary to implement the powers and duties under this chapter, which may include issuing implementing regulations and the adoption of policies consistent with those adopted by the Office of the National Coordinator for Health Information Technology of the United States Department of Health and Human Services; provided, however, that nothing herein shall be construed to limit the executive office’s ability to advance interoperability and other health information technology beyond such federal standards, including without limitation any applicable meaningful use standards.

Section 4. Every patient shall have electronic access to such patient’s health records. The executive office shall ensure that each patient will have secure electronic access to such patient’s electronic health records with each of such patient’s health care providers.

Section 5. All health care entities in the commonwealth shall participate in statewide health information exchange; provided that all health care providers shall implement fully interoperable electronic records systems necessary to participate in statewide health information exchange activities, as defined by the executive office. The executive office shall issue regulations requiring that statewide health information exchange, the associated electronic records systems, comply with all state and federal privacy requirements, including those imposed by the Health Insurance Portability and Accountability Act of 1996, P.L. 104–191, the American Recovery and Reinvestment Act of 2009, P.L. 111–5, 42 C.F.R. §§ 2.11 et seq. and 45 C.F.R. §§ 160, 162 and 164.

Section 6. The executive office shall prescribe by regulation penalties for non-compliance by health care entities with the requirements of this chapter provided, however, that the executive office may waive penalties for good cause. Penalties collected under this section shall be deposited into the Health Information Technology Trust Fund, established in section 10 of chapter 35RR.

Section 7. In the event of an unauthorized access to or disclosure of individually identifiable patient health information by or through a health care entity or a vendor contracted through services of a health care entity as participants of statewide health information exchange, the health care entity or vendor shall comply with the requirements of chapter 93H and in any event shall: (i) report the conditions of such unauthorized access or disclosure as required by the executive office; and (ii) provide notice, as defined in section 1 of chapter 93H, as soon as practicable, but not later than 10 business days after such unauthorized access or disclosure, to any person whose patient health information may have been compromised as a result of such unauthorized access or disclosure, and shall report the conditions of such unauthorized access or disclosure, and further shall concurrently provide a copy of such report to the executive office. Any unauthorized access or disclosures shall be punishable by the civil penalties under section 10.

Section 8. Patients shall have the choice to opt-out of having their health data disclosed for electronic health information exchange activities that are owned and operated or contracted by the Commonwealth.

Section 9. The executive office shall pursue and maximize all opportunities to qualify for federal financial participation.

Section 10. The executive office may require participant fees from health care entities that use health information exchange services. Participant fees collected under this section shall be deposited into the Health Information Technology Trust Fund, as established by section 35RR of chapter 10, or its successor trust fund. Nonpayment or late payment of fees may subject health care entities to fines or penalties as determined by the executive office. The executive office shall promulgate regulations to assess fair and reasonable fines or penalties.

Section 11. The council shall file an annual report, not later than April 1, with the joint committee on health care financing, the joint committee on economic development and emerging technologies, the house and senate committees on ways and means and the clerks of the house and senate concerning the activities of the council in general and, in particular, describing the progress to date in developing statewide health information exchange and recommending such further legislative action as it deems appropriate.

Section 12. Unauthorized access to or disclosure of individually identifiable patient health information shall be subject to fines or penalties as determined by the executive office. The executive office shall promulgate regulations to assess fair and reasonable fines or penalties.

Section 13. Cybersecurity-based documentation, including but not limited to security audit reports, provided to the executive office shall be exempt from disclosure under clause Twenty-sixth of section 7 of chapter 4 and chapter 66.

Name:	District/Address:	Date Added:
Daniel J. Ryan	2nd Suffolk	1/19/2023