Sec.
§
439.589
Adoption of regulations to prescribe standards relating to electronic health records, health-related information and health information exchanges.
1. The Director shall by regulation prescribe standards:
(a)
To ensure that electronic health records retained or shared by any health information exchange are secure;
(b)
To maintain the confidentiality of electronic health records and health-related information, including, without limitation, standards to maintain the confidentiality of electronic health records relating to a child who has received health care services without the consent of a parent or guardian and which ensure that a child’s right to access such health care services is not impaired;
(c)
To ensure the privacy of individually identifiable health information, including, without limitation, standards to ensure the privacy of information relating to a child who has received health care services without the consent of a parent or guardian;
(d)
For obtaining consent from a patient before retrieving the patient’s health records from a health information exchange, including, without limitation, standards for obtaining such consent from a child who has received health care services without the consent of a parent or guardian;
(e)
For making any necessary corrections to information or records retained or shared by a health information exchange; and
(f)
For notifying a patient if the confidentiality of information contained in an electronic health record of the patient is breached.
2.
The standards prescribed pursuant to this section must include, without limitation:
(a)
Requirements for the creation, maintenance and transmittal of electronic health records;
(b)
Requirements for protecting confidentiality, including control over, access to and the collection, organization and maintenance of electronic health records, health-related information and individually identifiable health information;
(c)
Requirements for the manner in which a patient may, through a health care provider who participates in the sharing of health records using a health information exchange, revoke his or her consent for a health care provider to retrieve the patient’s health records from the health information exchange;
(d)
A secure and traceable electronic audit system for identifying access points and trails to electronic health records and health information exchanges; and
(e)
Any other requirements necessary to comply with all applicable federal laws relating to electronic health records, health-related information, health information exchanges and the security and confidentiality of such records and exchanges.