In your capacity as Chair of the Task Force to Study Electronic Health Records, you have requested our opinion on various questions related to the impact of the Maryland Medical Records Confidentiality Act, Title 4, Subtitle 3 of the Health-General Article ("HG"), Annotated Code of Maryland, on the design and operation of a statewide health information exchange ("HIE") mechanism. An HIE, in brief, enables the electronic transmission of clinical and payment information about a patient among participating health care providers and payers.
Your specific questions are as follows:
1. Does the Medical Records Confidentiality Act prohibit creation of an HIE?
2. Assuming that the Act does not prohibit creation of an HIE, does it mandate or prohibit particular aspects of an HIE's design or operation?
3. Does the Act require explicit patient consent for his or her medical records to become part of the HIE, or may these records be included without consent?
4. If routine exchanges of medical records may occur among HIE collaborators without patient consent, does a patient nevertheless have a right under the Act to "opt out" of the HIE — that is, insist that all or part of his or her medical records be excluded from the HIE?
5. In what respects does the Act require information about mental health services to be handled differently from other medical records?
For the reasons stated below, we conclude as follows:
1. The Medical Records Confidentiality Act does not prohibit creation of an HIE.
2. The Act mandates that collaborators in the HIE enter contractual obligations regarding the security and redisclosure of medical records, so that all access to the records within the HIE is for legally recognized purposes and redisclosure outside the HIE is prohibited.
3. If a patient's medical records are to become part of an HIE as a consequence of the provider's participation in the HIE, this fact should be disclosed to the patient as part of the informed consent process preceding the rendering of services, so that the patient may weigh this factor in deciding whether to receive services from the provider. However, the "authorization" specified in the Act, which goes beyond common law consent, is not required for a patient's medical records to become part of the HIE, so long as the transmission of medical records is solely for the purposes of health care for the patient, payment for that care, or the other objectives specified in HG § 4-3051 and so long as suitable administrative and technical safeguards are in place to prevent improper access to or use of the records.2
4. A patient does not have a right under the Act to "opt out" of an HIE — to receive services from a health care provider while insisting that the medical records related to that service be excluded from the HIE.
5. To the extent that medical records pertaining to mental health services are included in the HIE, the Act requires special procedures to ensure limited access.
Most participants in an HIE would be subject to federal law on the confidentiality of medical records, particularly the Privacy Rule issued by the Department of Health and Human Services to implement the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Your request, however, does not ask us to address HIPAA issues.3 In addition, to the extent that the HIE includes the medical records of patients in alcohol abuse and drug abuse treatment programs, disclosure and use of these records would be governed by the federal regulations on confidentiality of alcohol and drug abuse patient records. 42 CFR Part 2. These federal regulations are incorporated by reference into Maryland law. See HG § 8-601(c).
I Purpose and Nature of a Health Information Exchange
It has become apparent that advances in information technology offer a variety of benefits for health care. "[F]ragmented, disorganized, and inaccessible clinical information adversely affects the quality of health care and compromises patient safety. . . . The expanded use of health [information technology] has great potential to improve the quality of care, bolster the preparedness of our public health infrastructure, and save money on administrative costs." Government Accountability Office, Health Information Technology: Early Efforts Initiated But Comprehensive Privacy Approach Needed for National Strategy, GAO Report 07-238, at 6 (January 2007).
Making patient information portable is seen as part of the overall solution. Achieving that portability can be realized via several mechanisms; an HIE is one approach. An HIE is a utility that allows for "provider-centric" patient information (generated as a result of a specific encounter between a patient and a health care provider and maintained by the provider) to be made visible and available in a "patient-centric" manner (available to any provider that a patient sees, regardless of where and when the information was generated). An HIE is based upon common standards and other design features that enable "interoperability" — the ability of the system's components to exchange patient information so that it can be readily used. See Office of the National Coordinator for Health Information Technology, Goals of Strategic Framework, available at www.hhs.gov/healthit/goals.html (last accessed June 14, 2007).
A recent federal study identified 101 state-based HIE projects in 35 different states. Agency for Healthcare Research and Quality, Evolution of State Health Information Exchange: A Study of Vision, Strategy, and Progress 4 (January 2006). This study observed that, although these projects "share similar goals to improve quality health care and reduce costs," they "vary tremendously with respect to engaged stakeholders, available funding, community history, selected technology, and implementation strategy. This variation is particularly true for the infrastructure components selected to enable information sharing." Id. at 1.
Key issues about the design and operation of a statewide HIE in Maryland are unresolved. Indeed, making recommendations on this point is one of the assignments of the Task Force. Chapter 291, Laws of Maryland 2005. Based on the experience in other states, we can assume that, were an HIE to be established, participants would include hospitals, physicians and other health care professionals, laboratories, pharmacies, and payers of various kinds. It is unlikely, we gather, that an HIE would entail the aggregation of medical records into a single database. Instead, the HIE would probably involve a central locator, which is an electronic index showing which providers have information about a particular patient, and a protocol by which the information could be accessed once its location had been identified. One or more contractors would undoubtedly be necessary to operate the exchange and its component technology.
II Scope and Purpose of Medical Records Confidentiality Act
Maryland's Medical Records Confidentiality Act, enacted in 1990, long predated the HIPAA Privacy Rule and is generally not preempted by it.4 The State law applies to any "medical record," a term that includes "any oral, written, or other transmission in any form or medium of information" that identifies a patient, is entered in a patient's record, and "relates to the health care of the patient. . . ." HG § 4-301(h).5 Thus, although medical records in electronic form may have been uncommon when the Act became law, the definition's comprehensive phrasing ("any form or medium of information") means that the Act encompasses paper records themselves, the electronic embodiment of paper records after scanning or some other imaging process, and records initially created in electronic form.
Both individual health care professionals and health care facilities are the "health care providers" to whom most of the Act's obligations are addressed. HG § 4-301(g)(1). The term also includes "the agents, employees, officers, and directors of a facility and the agents and employees of a health care provider." HG § 4-301(g)(2).
The overall duty of a health care provider is to keep a patient's medical record confidential and disclose it only as authorized in the Act or another provision of law. HG § 4-302(a). "Disclosure" of a medical record occurs when a health care provider transmits or communicates information in a medical record or even acknowledges that a record exists. HG § 4-301(c). A person to whom a medical record is disclosed may not redisclose the medical record to any other person unless the redisclosure is done with the patient's authorization or otherwise permitted by the Act. HG § 4-302(d).6
III Requirements for Disclosure within an HIE
A. Insufficiency of Notice and Implied Consent; Impracticability of "Authorization"
"[T]he relationship between a health care provider and [a] patient is one of trust and confidence." Consequently, "absent a statute permitting otherwise, the patient has a right to assume that his medical condition will not voluntarily be disclosed by the provider to other persons without the patient's consent." Lemon v. Stewart, 111 Md. App. 511, 525, 682 A.2d 1177, cert. denied, 344 Md. 329, 686 A.2d 635 (1996); see generally Annotation, Physician's Tort Liability for Unauthorized Disclosure of Confidential Information about Patient, 48 A.L.R. 4th 668 (1986). Courts have found, in a variety of circumstances, that a physician's disclosure of patient information to a third party nonetheless is consistent with the physician's fiduciary duty to maintain patient confidentiality.7 In general, if a patient is on notice that a medical encounter will entail third-party disclosure and continues with the provider, consent is implied and so the disclosure does not breach the physician's duty. Compare, e.g., Bratt v. International Business Machines Corp., 785 F.2d 352, 362 (1st Cir. 1986) with Acosta v. Cary, 365 So. 2d 4, 5 (La.App. 1978). A HIPAA Privacy Rule "notice of privacy practices" referring to disclosures within an HIE would probably suffice under this common law approach to confidentiality. See 45 CFR § 164.520.
The Medical Records Confidentiality Act, however, goes beyond the general requirements of common law confidentiality and consent by establishing "clear and certain rules . . . for the disclosure and redisclosure" of the personal and sensitive information in medical records. Chapter 480, Laws of Maryland 1990 (Preamble). Hence, "the disclosure of medical records must be consistent with the provisions of the Act." Shady Grove Psych. Group v. State, 128 Md. App. 163, 171, 736 A.2d 1168 (1999); see Warner v. Lerner, 348 Md. 733, 705 A.2d 1169 (1998).
"A health care provider shall disclose a medical record on the authorization of a person in interest in accordance with this section." HG § 4-303(a).8 The statutory requirements related to this authorization, however, probably make this mechanism infeasible as a basis for disclosure by a health care provider to other participants in an HIE. Among other requirements, an authorization is to "[i]dentify to whom the information is to be disclosed." HG § 4-303(b)(3). This provision makes sense in the familiar context in which a medical record held by one provider is to be sent to another, known provider from whom care will be sought (an internist to a subspecialist, to take a common example). But one of the virtues of an HIE is that it will enable relevant information to go to unknown future providers — for example, the staff of an emergency department in a hospital distant from the patient's home. Moreover, the Act limits to no more than one year the validity of an authorization for disclosure. HG § 4-303(b)(4). Presumably, this time limitation would greatly interfere with the effective function of an HIE.
As a practical matter, therefore, an HIE is unlikely to function as envisioned if disclosure within the HIE required patient authorization. We turn, then, to HG § 4-305, which itemizes the circumstances under which a "health care provider may disclose a medical record without the authorization of a person in interest."
B. Disclosure without Authorization
Based on our understanding of the purpose and operation of an HIE, we believe that HG § 4-305 permits the flow of medical record information among collaborators in an HIE.9 Because the primary purpose of an HIE is to make clinical information about patients portable and thereby enable better care by those who see the patient in subsequent encounters, disclosure is permitted under HG § 4-305(b)(4), which permits disclosure "to another health care provider for the sole purpose of treating the patient . . . on whom the medical record is kept."10 In addition, to the extent that the HIE becomes part of the process by which health care providers are paid for the services that they render to patients, disclosure is permitted under HG § 4-305(b)(5), which covers the submission of a bill to a third party and related coverage review and audit functions.
Finally, to the extent that effective functioning of an HIE requires disclosure of medical record information to technology specialists or other persons who are not health care providers, the disclosure would be authorized by HG § 4-305(b)(1)(i), which identifies a health care provider's agents and employees as permissible recipients of the information, so long as the sole purpose of the disclosure is the "offering, providing, evaluating, or seeking payment for health care to patients . . . by the provider."11 Technical personnel involved in the operation of an HIE presumably would be agents or employees of the participating providers. In order to ensure compliance with the redisclosure limitation in HG § 4-302(d), these persons must be bound by contract to maintain the confidentiality of the records and be prohibited from redisclosure of them.
C. "Opting Out"
The disclosure of medical record information solely for purposes of clinical care and payment and to the technical personnel needed to keep the system operational, as discussed above, is permitted "without the authorization of" the patient. The phrase "without the authorization" is not compatible with a patient's exercise of a veto over otherwise permissible disclosures. "Opting out" is simply a denial of authorization. A patient, however, has no right to deny that which is not required at all. Thus, in our view, the Medical Records Confidentiality Act does not prohibit an HIE from operating on the basis that participating health care providers must make all of a patient's medical records available through the HIE, even if the patient would prefer that some information be kept out of the HIE.12
IV Mental Health Records
The Medical Records Confidentiality Act separately addresses mental health records. That is, under HG § 4-307(b), "[t]he disclosure of a medical record developed in connection with the provision of mental health services shall be governed by the provisions of this section in addition to the other provisions of this subtitle." With respect to mental health records, the Act uses the term "recipient," rather than "patient," to refer to someone "who has applied for, for whom an application has been submitted, or who has received mental health services." HG § 4-301(m). The term "mental health services," in turn, refers to "health care rendered to a recipient primarily in connection with the diagnosis, evaluation, treatment, case management, or rehabilitation of any mental disorder."13
We have already discussed why patient authorization under HG § 4-303 is evidently incompatible with the nature and functioning of an HIE. Consequently, the issue is whether the additional restrictions in HG § 4-307 on disclosure of mental health records without patient authorization can accommodate access to those records via an HIE.
A key restriction is in HG § 4-307(c): "When a medical record developed in connection with the provision of mental health services is disclosed without the authorization of a person in interest, only the information in the record relevant to the purpose for which disclosure is sought may be released." In other words, a patient's mental health records may not be obtained in their entirety by a participant in the HIE and then reviewed to see what might be relevant to a current clinical issue. Instead, the provider seeking the mental health records must identify a purpose for which the records are sought, and somehow the information in the record must be categorized so that only parts relevant to the purpose stated may be obtained via the HIE. We do not know whether this is technically feasible. Unless the law is changed, however, this requirement must be accommodated in the design and operation of the HIE.
V Conclusion
In summary, our opinion is that the Maryland Medical Records Confidentiality Act permits establishment of an HIE that would exchange medical records without patient authorization, provided that the HIE operates solely for the purposes identified in the law and with appropriate safeguards, especially with respect to mental health records. This conclusion about current law should not be misconstrued as a statement about desirable policy. It may well be that more patient control over the exchange of their medical records (an opt-out approach, for example) is essential if public trust in an HIE is to be realized. That, however, is a policy question to be considered by the Task Force.
Douglas F. Gansler
Attorney General
Jack Schwartz
Assistant Attorney General
Robert N. McDonald
Chief Counsel
Opinions and Advice
1 Of course, records that are part of the HIE are also subject to disclosure without patient authorization for the investigatory and other governmental purposes specified in HG § 4-306.
2 Specifying the nature of these safeguards is beyond the scope of this opinion or the expertise of this office, but no aspect of the HIE will be more important in engendering public confidence, given well-publicized examples of mishandling of sensitive personal data. The latest transgression involved unencrypted medical information sent over the Internet. Ellen Nakashima and Renae Merle, Military Medical Breach Revealed, Washington Post July 21, 2007, at D1.
3 The HIE itself, as a distinct entity, might not be subject to HIPAA. A succinct background discussion on HIPAA issues related to an HIE may be found in a recent report prepared for the California HealthCare Foundation. See Sheera Rosenfeld, Shannah Koss, and Sharon Siler, Privacy, Security, and the Regional Health Information Organization App. A (June 2007), available at http://www.chcf.org/documents/chronicdisease/RHIOPrivacySecurity.pdf (last accessed July 10, 2007).
4 A detailed analysis of the preemption issue may be found in 88 Opinions of the Attorney General 205 (2003).
5 The Act uses the term "recipient," rather than "patient," to describe someone who receives mental health services. HG § 4-301(m). We discuss the status of medical records incorporating information about mental health services in Part IV below.
6 Two other circumstances under which redisclosure is permitted, having to do with child abuse or neglect and directory information, are not pertinent in this context.
7 Exchange of confidential information among the professional and support staff of a practice group is so integral to modern medical practice that all patients are presumed to be aware of it without need for explicit notice and consent. Suesbury v. Caceres, 840 A.2d 1285 (D.C. 2004).
8 The term "person in interest" encompasses not only the patient but also health care agents and surrogates, the parents or guardians of a minor, the personal representative of someone who has died, and lawyers representing any of these persons. HG § 4-301(k).
9 Of course, this conclusion would have to be verified once the specific details of a Maryland HIE's architecture and operation are settled.
10 This provision is made subject to "the additional limitations" for records of mental health services, a point that we address in Part IV below.
11 The activities discussed in this part of the opinion are analogous to the "treatment, payment, and health care operations" for which disclosure under the HIPAA Privacy Rule is permitted. 45 CFR §§ 164.502(a)(1)(ii) and 164.506. These terms are defined in 45 CFR § 164.501.
12 There is controversy over the feasibility of allowing patient choice about HIE access ("making certain health information available to only certain providers at certain times"). Andis Robeznieks, Consent decrees: Patient control over access to their medical data often just a mouse-click away, Modern Healthcare, June 11, 2007, at 30.
13 The term "mental disorder" is not defined in the Medical Records Confidentiality Act. In the Maryland Mental Hygiene Law, however, the term is defined, in part, as "a behavioral or emotional illness that results from a psychiatric or neurological disorder." HG § 10-101(f)(1).