Bill Text: MA H3535 | 2009-2010 | 186th General Court | Introduced


Bill Title: Provide for certain privacy protections for electronic medical records

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2009-01-20 - Public Hearing date 7/14 at 11:00 PM in Gardner Auditorium

The Commonwealth of Massachusetts

_______________

PRESENTED BY:

Byron Rushing

_______________

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General Court assembled:

The undersigned legislators and/or citizens respectfully petition for the passage of the accompanying bill:

An Act to Clarify Privacy Protections for Electronic Medical Records.

_______________

PETITION OF:

 

Name:                       District/Address:

Byron Rushing               9th Suffolk
Bradley H. Jones, Jr.       20th Middlesex
William Lantigua            16th Essex
Bill Bowles                 2nd Bristol
Elizabeth A. Malia          11th Suffolk
Benjamin Swan               11th Hampden
Carl M. Sciortino, Jr.      34th Middlesex
Kay Khan                    11th Middlesex
Willie Mae Allen            6th Suffolk
Cory Atkins                 14th Middlesex
William N. Brownsberger     24th Middlesex
Steven J. D'Amico           4th Bristol
Sean Garballey              23rd Middlesex
Mary E. Grant               6th Essex
Jay R. Kaufman              15th Middlesex
Peter V. Kocot              1st Hampshire
Stephen Kulik               1st Franklin
Denise Provost              27th Middlesex
Rosemary Sandlin            3rd Hampden
Tom Sannicandro             7th Middlesex
John W. Scibak              2nd Hampshire
Joyce A. Spiliotis          12th Essex
Timothy J. Toomey, Jr.      26th Middlesex
Alice K. Wolf               25th Middlesex
Martin J. Walsh             13th Suffolk
John F. Quinn               9th Bristol
Kevin G. Honan              17th Suffolk
William M. Straus           10th Bristol
Patricia A. Haddad          5th Bristol
Barbara A. L'Italien        18th Essex
Anthony D. Galluccio        Middlesex, Suffolk and Essex
Robert L. Rice, Jr.         2nd Worcester


 

The Commonwealth of Massachusetts

_______________

In the Year Two Thousand and Nine

_______________




An Act to Clarify Privacy Protections for Electronic Medical Records.



                Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1. Section 6D of chapter 40J of the General Laws is hereby amended by striking clause (v) in the third paragraph of subsection (d) and inserting in place thereof the following language:—

(v) give patients the option of allowing only designated health care providers to disseminate their individually identifiable health information to any statewide interoperable electronic health records network or statewide health information exchange;

SECTION 2. Section 6F of chapter 40J of the General Laws is hereby amended by striking the first paragraph and inserting in place thereof the following paragraph:—

Any plan for a statewide interoperable electronic health records network or statewide health information exchange approved by the health information technology council and every grantee and implementing organization that receives monies for the adoption of health information technology from the E-Health Institute Fund and/or pursuant to this chapter shall:

SECTION 3. Said section 6F of chapter 40J of the General Laws, as appearing in section 4 of chapter 305 of the acts of 2008, is hereby amended by inserting after the word “accessed”, in line 396, the following words:—

; and (5) require every grantee and implementing organization funded in whole or in part by the E-Health Institute Fund to conduct privacy and security audits of any and all interoperable electronic health records networks, health information exchanges, and participating entities that maintain electronic health records for potential and actual privacy and security breaches by July 1 of each year.  Each grantee and implementing organization shall report the results of the annual audit to the health information technology council by July 1.  The council shall report within 30 days to the Attorney General any audit result that indicates a violation of the rules and regulations adopted by the health information technology council or Department of Public Health pursuant to this chapter

SECTION 4. Section 6G of said chapter 40J of the General Laws is hereby amended by inserting after the first paragraph the following paragraphs:—

For the purposes of this chapter, the health information technology council shall promulgate rules and regulations necessary for the administration and enforcement of this chapter, including but not limited to defining the following terms:  “identifiable health information”, “unauthorized access” and “unauthorized disclosure.”

Any aggrieved individual claiming that any interoperable electronic health records network or health information exchange, its operators, contractors or agents, and participating entities that maintain electronic health records, funded in whole or in part by the E-Health Institute Fund failed to maintain the privacy and security protections required in Section 6F of this chapter or permitted an unauthorized access or disclosure as defined by the Health Information Technology Council  pursuant to Section 6G of this chapter may bring a civil action in Superior Court.

The Attorney General may bring a civil action in Superior Court to enforce the privacy and data security obligations of health information network grantees, their operators, agents, and contractors, subject to GL Chapter 40J.

A court shall find a violation and order relief if it determines that any of the following circumstances has occurred:

(1)  any interoperable electronic health records network or health information exchange, its operators, contractors, or agents, and participating entities that maintain electronic health records, funded in whole or in part by the E-Health Institute Fund, failed to maintain safeguards for the confidentiality and security of protected health information in violation of this chapter or any rule or regulation promulgated by the health information technology council pursuant to this chapter; or

(2)  any interoperable electronic health records network or health information exchange, its operators, contractors, or agents, and participating entities that maintain electronic health records, funded in whole or in part by the E-Health Institute Fund, disclosed without authorization identifiable health information as defined by any rule or regulation promulgated by the health information technology advisory council pursuant to this chapter; or

(3)  any interoperable electronic health records network or health information exchange, its operators, contractors, or agents, and participating entities that maintain electronic health records, funded in whole or in part by the E-Health Institute Fund, failed to provide notice of an unauthorized access or disclosure as required by Section 6G of Chapter 40J.

The court may order any interoperable electronic health records network or health information exchange, its operators, contractors or agents, or any participating entity or individual, to comply with this chapter and may order any other appropriate civil or equitable relief, including an injunction to prevent non-compliance.  If the court determines that there has been a violation of this chapter, the aggrieved person is entitled to recover damages for losses sustained as a result of this violation.

The measure of damages shall be the greater of the aggrieved person's actual damages, or liquidated damages of $1,000 for each violation, except that the total amount imposed on the offending party for all violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.  If the court determines that there has been a violation of this chapter that results from willful or grossly negligent conduct, the aggrieved person may recover punitive damages not to exceed $10,000, exclusive of any other loss, for each violation, except that the total amount imposed on the offending party for all violations of an identical requirement or prohibition during a calendar year may not exceed $500,000 from the offending party.

If the aggrieved person prevails, the court shall assess reasonable attorney's fees and all other expenses reasonably incurred in the litigation against the non-prevailing parties. Responsible parties are jointly and severally liable for any compensatory damages, attorney's fees or other costs awarded. Any action under this section is barred unless the action is commenced within three years after the cause of action accrues or was or should reasonably have been discovered by the aggrieved person or the person's lawful representative.

No employee shall be terminated, discharged, or retaliated against because he does any of the following based on a reasonable belief that an activity, policy or practice of the employer or another entity with whom the employer has a relationship violates this chapter or any rule or regulation promulgated pursuant to this chapter:

(1) objects to or refuses to participate in any such activity, policy or practice;

(2) discloses or threatens to disclose such activity, policy or practice to a supervisor, manager, public official, public body, or other entity; or

(3) provides information to or testifies before any body conducting an investigation, hearing or inquiry into any violation of this chapter, or rule or regulation promulgated pursuant to this chapter.
