This summer New Hampshire enacted two laws that increase protection for health information. The first, H.B. 619, restricts the use of health data for marketing and fundraising purposes, and imposes new state data breach notification requirements on health care providers, including pharmacists. The second, H.B. 542, establishes a framework for health information exchange entities (HIEs) and requires that individuals be permitted to opt out of sharing their protected health information with HIEs.
H.B. 619 changes the definition of marketing to require an individual’s consent before communications can be made recommending alternative treatments, therapies, providers or settings of care unless those communications are made by the individual’s health care provider. Currently, those communications can be made by health plans without the individual’s consent. The bill also requires patients to be given an opportunity to opt out of fundraising using protected health information prior to any solicitation.
The new law will be more protective than HIPAA because it requires the covered entity to seek an opt-out before the initial fundraising material is disseminated. It also includes a private right of action that will permit patients to bring a civil action in response to violations of the new marketing and fundraising restrictions.
H.B. 619 also establishes a data breach notification requirement mandating that providers and business associates notify individuals in writing upon the unauthorized use or disclosure of their protected health information if such uses or disclosures violate New Hampshire law, even if the same uses or disclosures are “allowed under federal law”. This law differs from New Hampshire’s general breach notification law in a number of ways, most notably that the health information law does not require any risk of harm threshold to be met before notification is mandated. Individuals may sue for violations of the breach notice requirements.
H.B. 542 presents a framework for future health information exchange entities that permits providers to share information with HIEs but limits access to the information to providers and permits access for treatment purposes only. HIEs also must maintain audit logs, documenting provider access to patient information, and must meet federal certification standards once these are finalized.
Both laws take effect January 1, 2010.