Section 11. Any plan approved by the executive office and council or the e-Health institute, including every grantee and implementing organization that receives monies funded in whole or in part from the e-Health Institute Fund established in section 6E of chapter 40J or the Massachusetts Health Information Exchange Fund established under section 10, shall:
(1) establish a mechanism to allow patients to opt-in to the health information exchange and to opt-out at any time;
(2) maintain identifiable health information in physically and technologically secure environments by means including, but not limited to: prohibiting the storage or transfer of unencrypted and non-password protected identifiable health information on portable data storage devices; requiring data encryption, unique alpha-numerical identifiers and password protection; and other methods to prevent unauthorized access to identifiable health information;
(3) provide patients the option of, upon request to a provider, obtaining a list of individuals and entities that have accessed their identifiable health information from that provider;
(4) develop and distribute to authorized users of the health information exchange and to prospective exchange participants, written guidelines addressing privacy, confidentiality and security of health information and inform individuals: the information available through the exchange, who may access their information and the purposes for which their information may be accessed; and
(5) ensure compliance with all state and federal privacy requirements, including those imposed by the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, the American Recovery and Reinvestment Act of 2009, P.L. 111-5, 42 C.F.R. §§ 2.11 et seq. and 45 C.F.R. §§ 160, 162 and 164.