Bill > S226

This bill aims to strengthen privacy protections for electronic health records by giving patients more control over who can access their individually identifiable health information within statewide interoperable electronic health records networks or health information exchanges, allowing them to designate specific healthcare providers for dissemination. It also mandates that any plans for such networks or exchanges, as well as organizations receiving funds from the E-Health Institute Fund for health information technology adoption, must adhere to stricter privacy and security standards. Furthermore, the bill requires these organizations to conduct annual privacy and security audits to identify potential breaches, reporting the results to the health information technology council, which will then inform the Attorney General of any violations. The health information technology council will also define key terms like "identifiable health information" and "unauthorized access" to clarify these regulations. Importantly, individuals who believe their privacy has been violated by these networks or exchanges can bring civil lawsuits, and the Attorney General can also pursue legal action to enforce these obligations, with provisions for damages, attorney's fees, and protection against retaliation for employees who report violations.