A. Access to data in the health information system shall be provided in accordance with regulations adopted by the department pursuant to the Health Information System Act.
B. A data provider may obtain data it has submitted to the system, as well as aggregate data, but, except as provided in Subsection D of this section, it shall not have access to data submitted by another provider that is limited only to that provider unless that data is aggregated data and publicly disseminated by the department. Except as provided in Subsection D of this section, in no event may a data provider obtain data regarding an individual patient except in instances where the data were originally submitted by the requesting provider. Prior to the release of any data, in any form, data sources shall be permitted the opportunity to verify the accuracy of the data pertaining to that data source. Data identified in writing as inaccurate shall be corrected prior to the data's release. Time limits shall be set for the submission and review of data by data sources, and penalties shall be established for failure to submit and review the data within the established time.
C. Any person may obtain any aggregate data publicly disseminated by the department.
D. Through a secure delivery or transmission process, the department may share record-level data with a federal agency that is authorized to collect, analyze or disseminate health information. The department shall remove identifiable individual or provider information from the record-level data prior to its disclosure to the federal agency. In providing hospital information under an agreement or arrangement with a federal agency, the department shall ensure that any identifiable hospital information disclosed is necessary for the agency's authorized use and that its disclosure meets with state and federal privacy and confidentiality laws, rules and regulations.
History: Laws 1989, ch. 29, § 6; 1994, ch. 59, § 7; 2009, ch. 166, § 2; 2012, ch. 15, § 7; 2015, ch. 121, § 2.
ANNOTATIONSThe 2015 amendment, effective June 19, 2015, allowed any person or data provider access to aggregated health information data that is publicly disseminated by the department of health; in Subsection B, after "only to that provider", added "unless that data is aggregated data and publicly disseminated by the department"; and in Subsection C, after "aggregate data", added "publicly disseminated by the department".
The 2012 amendment, effective May 16, 2012, authorized the department of health to regulate access to data in the health information system; in Subsection A, changed "commission" to "department"; in Subsection B, changed "Subsections D and E" to "Subsection D" in two instances; deleted former Subsection D, which authorized the New Mexico health policy commission to share personal data with the department of health; and relettered former Subsection E, as Subsection D and changed "commission" to "department" throughout the subsection.
The 2009 amendment, effective June 19, 2009, in Subsection B, in the first sentence, after "aggregate data, but", added "except as provided in Subsections D and E of this Section"; after "it", changed "may" to "shall" and at the beginning of the second sentence, added "Except as provided in Subsections D and E of this section"; and added Subsections D and E.
The 1994 amendment, effective March 4, 1994, substituted "commission" for "department" in Subsection A, and rewrote Subsection B.