3713L.01I                                                                                                                                                  D. ADAM CRUMBLISS, Chief Clerk



To amend chapter 191, RSMo, by adding thereto five new sections relating to health record banks.

Be it enacted by the General Assembly of the state of Missouri, as follows:

            Section A. Chapter 191, RSMo, is amended by adding thereto five new sections, to be known as sections 191.1060, 191.1061, 191.1062, 191.1063, and 191.1064, to read as follows:

            191.1060. As used in sections 191.1060 to 191.1064, the following terms shall mean:

            (1) "Access", with respect to an electronic health record, entering information into such account as well as retrieving information from such account;

            (2) "Account", an electronic health record of an individual contained in an independent health record trust;

            (3) "Affirmative consent", with respect to an electronic health record of an individual contained in a health bank, express consent given by the individual or an authorized care coordinator for the use of such record in response to a clear and conspicuous request for such consent or at the individual's own initiative;

            (4) "Authorized electronic health record data user", with respect to an electronic health record of a health bank participant contained as part of a health bank, any entity, other than the participant, authorized in the form of affirmative consent by the participant to access the electronic health record;

            (5) "Chronic condition", any regularly recurring, potentially life-threatening medical condition that requires regular supervision by a primary care physician or medical specialist;

            (6) "Confidentiality", with respect to individually identifiable health information of an individual, the obligation of those who receive such information to respect the health information privacy of the individual;

            (7) "Department", the department of social services;

            (8) "Disease state management programs", delivery of services for patients with chronic illness, including education, health management support, and coordination of health care services;

            (9) "Electronic health record", a subset of a health care delivery organization's electronic medical record that contains patient input and provides access spanning episodes of care across multiple health care delivery organizations within a community, region, or state and is stored electronically within an independent health record trust. Such record may also include:

            (a) Summaries, such as the American Society for Testing and Materials' Continuity of Care Record and Health Level Seven, Inc.'s care record summary; and

            (b) Information from pharmacy benefit management firms, reference laboratories, and other organizations about the health status of patients in the community;

            (10) "Electronic medical record" or "EMR", a patient's medical history that is stored in real-time using information technology and which can be amended, updated, or supplemented by the patient or physician using the electronic medical record;

            (11) "Health bank operator", the organization that is responsible for the administration and operation of the health bank in accordance with sections 191.1060 to 191.1064;

            (12) "Health bank participant", an individual who has a participation agreement in effect with respect to the maintenance of the individual's electronic health record by the health bank;

            (13) "Health care provider", any corporation organized for the primary purpose of maintaining medical information for the treatment or diagnosis or to allow an individual to manage his or her information, including, but not limited to physician, hospital, health maintenance organization, ambulatory surgical center, long-term care facility, including those licensed under chapter 198, RSMo, dentist, registered or licensed practical nurse, optometrist, podiatrist, pharmacist, chiropractor, professional physical therapist, psychologist, physician in training, or any other person or entity that provides health care services under the authority of a license or certificate;

            (14) "Health information privacy", with respect to individually identifiable health information of an individual, the right of such individual to control the acquisition, uses, or disclosures of such information;

            (15) "Health plan", a group health plan as defined in section 2208(1) of the Public Health Service Act, 42 U.S.C. 300bb-8(1), as well as a plan that offers health insurance coverage in the individual market;

            (16) "Health record bank", a legal arrangement under the administration of a health bank operator that meets the requirements of sections 191.1060 to 191.1064 with respect to electronic health records of individuals participating in the bank;

            (17) "HIPAA privacy regulations", the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 42 U.S.C. 1320d-2;

            (18) "Individually identifiable health information", as such term is defined in section 1171(6) of the Social Security Act, 42 U.S.C. 1320d(6);

            (19) "Longitudinal health record", a record of all health services and information prescribed and collected on an individual during the course of an individual's lifetime;

            (20) "Personal health information", any identifiable information, in electronic or physical form, regarding an individual's health, medical history, medical treatment, or diagnosis by a health care provider that is:

            (a) Created or stored by the health care provider or health carrier in the normal course of its business operations; and

            (b) Not otherwise publicly available or in the public domain;

            (21) "Security", with respect to individually identifiable health information of an individual, the physical, technological, or administrative safeguards or tools used to protect such information from unwarranted access or disclosure;

            191.1061. 1. It is the intent of the general assembly to enact sections 191.1060 to 191.1064 to enable the department of social services to select and engage non-profit organizations in the Kansas City and St. Louis Metropolitan areas who have governance boards that include representatives from employer and provider groups to deploy and manage a regional health bank.

            2. The regional health bank as deployed by each non-profit organization shall:

            (1) Enable a secure, web based health information infrastructure for the sharing of electronic health information among health care facilities, health care professionals, public and private payers, and patients. The health bank shall comply with all state and federal privacy requirements and links all components of the health care delivery system through secure and appropriate exchanges of health information for the purpose of enhancing health care quality, patient safety, communication of patient information, chronic condition management capabilities, patient and provider satisfaction, clinical and administrative cost reductions, and public health emergency preparedness;

            (2) Enable individuals in the region by which the health record bank shall serve to create a secure, electronic health record bank account so that they may be able to consolidate their respective health information into a longitudinal electronic personal health record;

            (3) Enable the study of defined benefits to the consumer and provider with the health bank.

            3. To encourage the adoption and to receive the return on investment of health record banking, the state shall sponsor the following accounts in an opt-out fashion for the regional health banks:

            (1) MO HealthNet recipients;

            (2) State health care for uninsured children recipients;

            (3) Missouri residents receiving Medicare benefits;

            (4) Foster care children; and

            (5) State employees.

            4. The state shall authorize the regional health banks to electronically report quality measures to the state as required by current regulations on behalf of health care providers who have appropriate number of patients enrolled in said health banks to enable such quality reporting.

            191.1062. 1. Each non-profit organization as selected by the department to be a state-designated entity shall be authorized to submit and request funds in fiscal year 2011 to enable the creation of the health bank from the federal secretary of the Department of Health and Human Services as defined in the American Recovery and Reinvestment Act of 2009.

            2. Each non-profit organization as selected by the department shall be required to create and present a health banking business model that includes the following:

            (1) Required funding to be requested from the secretary of the federal Department of Health and Human Services to establish and deploy the health bank;

            (2) The Proposed Consumer, Employer, Payer, and Provider adoption model to ensure a successful implementation;

            (3) The path by which the non-profit sponsored health bank would be self-sustainable after a period of four years.

            3. Each non-profit organization as selected by the department shall be required to propose what state appropriations should be requested in fiscal years 2012, 2013, and 2014 to qualify for the federal matching funds as specified in the American Recovery and Reinvestment Act of 2009.

            191.1063. 1. In the case of a record of a covered entity, as defined for purposes of HIPAA privacy regulations, and with respect to an individual, if such individual is a participant in a regional health bank and such covered entity is an authorized electronic health record data user, the requirement under the HIPAA privacy regulations for such entity to provide the record to the participant shall be deemed met if such entity, without charge to the health record bank or the participant:

            (1) Forwards to the health record bank an appropriately formatted electronic copy of the record, and updates to such records, for inclusion in the electronic health record of the participant maintained by the health record bank within forty-eight hours of the conclusion of the visit;

            (2) Enters such record into the electronic health record of the participant so maintained within forty-eight hours of the conclusion of the visit; or

            (3) Otherwise makes such record available for electronic access by the health record bank of the individual in a manner that permits such record to be included in the account contained in the health record bank within forty-eight hours of the conclusion of the visit;

            2. If the covered entity does not have an electronic medical record system, the existing portability provisions under HIPAA privacy regulations apply.

            191.1064. 1. This section shall be known and may be cited as the "Missouri Patient Privacy Act".

            2. No personal health information of a patient which can be identified as specific to such patient shall be disclosed to any employer, public or private payor, or employee or agent of a state department or agency without the written consent of the patient and health care provider; except that, such information may be disclosed to a health insurer, employer, state employee or agent in connection with the performance of such employee's official duties. Such official duties shall be for purposes allowed under 45 C.F.R. 164.512, as amended, including but not limited to:

            (1) Oversight of state health programs, including disease state management programs;

            (2) Tracking of infectious diseases throughout the state;

            (3) State wellness initiatives and programs; and

            (4) Research state medical trends.

            3. Nothing in this section shall be construed as prohibiting disclosure of personal health information of a patient consistent with federal law, including HIPAA privacy regulations and the privacy rules set forth in this section.

            4. No health care provider shall be required to redact information when disclosing personal health information under this section.