House
Study
Bill
623
-
Introduced
HOUSE
FILE
_____
BY
(PROPOSED
COMMITTEE
ON
HEALTH
AND
HUMAN
SERVICES
BILL
BY
CHAIRPERSON
MEYER)
A
BILL
FOR
An
Act
relating
to
the
Iowa
health
information
network
and
a
1
state-designated
health
data
utility.
2
BE
IT
ENACTED
BY
THE
GENERAL
ASSEMBLY
OF
THE
STATE
OF
IOWA:
3
TLSB
5482YC
(11)
90
pf/ko
H.F.
_____
Section
1.
Section
135D.1,
Code
2024,
is
amended
to
read
as
1
follows:
2
135D.1
Short
title.
3
This
chapter
shall
be
known
and
may
be
cited
as
the
“Iowa
4
Health
Information
Network
and
Health
Data
Utility
Act”
.
5
Sec.
2.
Section
135D.2,
Code
2024,
is
amended
to
read
as
6
follows:
7
135D.2
Definitions.
8
As
used
in
this
chapter
,
unless
the
context
otherwise
9
requires:
10
1.
“Board
of
directors”
or
“board”
means
the
entity
that
11
governs
and
administers
the
Iowa
health
information
network.
12
2.
1.
“Care
coordination”
means
the
management
of
all
13
aspects
of
a
patient’s
care
to
improve
health
care
quality.
14
2.
“Community
information
exchange”
means
an
ecosystem
15
comprised
of
multidisciplinary
network
participants
that
16
use
standardized
technical
language,
a
resource
database,
17
and
an
integrated
technology
platform
to
deliver
enhanced
18
community
care
planning
using
care
planning
tools
that
enable
19
participants
to
integrate
data
from
multiple
sources
and
make
20
bidirectional
referrals
to
create
a
shared
longitudinal
record.
21
3.
“Department”
means
the
department
of
health
and
human
22
services.
23
4.
“Designated
entity”
means
the
nonprofit
corporation
24
designated
by
the
department
through
a
competitive
process
as
25
the
entity
responsible
for
administering
and
governing
the
Iowa
26
health
information
network
and
the
state-designated
health
data
27
utility
.
28
5.
“Exchange”
means
the
authorized
electronic
sharing
of
29
health
information
and
data
between
health
care
professionals,
30
payors,
consumers,
public
health
agencies,
the
designated
31
entity,
the
department,
and
other
authorized
participants
32
utilizing
the
Iowa
health
information
network
,
and
Iowa
health
33
information
network
services
,
and
the
state-designated
HDU
.
34
6.
“Federally
qualified
health
center”
means
a
health
care
35
-1-
LSB
5482YC
(11)
90
pf/ko
1/
17
H.F.
_____
entity
that
receives
grant
funding
under
section
330
of
the
1
federal
Public
Health
Service
Act,
Pub.
L.
No.
78-410.
2
7.
“Governing
board”
means
the
board
of
directors
that
3
governs
and
administers
the
designated
entity.
4
6.
8.
“Health
care
professional”
means
a
person
who
is
5
licensed,
certified,
or
otherwise
authorized
or
permitted
by
6
the
law
of
this
state
to
administer
health
care
in
the
ordinary
7
course
of
business
or
in
the
practice
of
a
profession.
8
9.
“Health
data
utility”
means
a
locally
governed,
9
statewide,
multifaceted
resource
that
provides
services
for
the
10
interchange
of
health
data
within
the
health
care
and
public
11
health
ecosystems
for
the
purpose
of
advancing
health
care
12
and
improving
public
health
outcomes.
A
“health
data
utility”
13
combines,
enhances,
and
exchanges
electronic
health
data
across
14
care
and
service
settings
for
treatment,
care
coordination,
15
quality
improvement,
and
public
and
community
health
purposes,
16
in
accordance
with
applicable
state
and
federal
laws
protecting
17
patient
privacy.
18
7.
10.
“Health
information”
means
health
information
as
19
defined
in
45
C.F.R.
§160.103
that
is
created
or
received
by
an
20
authorized
a
participant.
21
11.
“Health
information
exchange”
means
participants
22
contributing
to
the
sharing
and
movement
of
health
information
23
electronically
across
participants
within
a
state,
region,
24
community,
or
health
care
delivery
system.
25
12.
“Health
information
network”
means
participants
in
the
26
health
information
exchange
in
the
aggregate.
27
8.
13.
“Health
information
technology”
means
the
28
application
of
information
processing,
involving
both
computer
29
hardware
and
software,
that
deals
with
the
storage,
retrieval,
30
sharing,
and
use
of
health
care
information,
data,
and
31
knowledge
for
communication,
decision
making,
quality,
safety,
32
and
efficiency
of
clinical
practice,
and
may
include
but
is
not
33
limited
to:
34
a.
An
electronic
health
record
that
electronically
compiles
35
-2-
LSB
5482YC
(11)
90
pf/ko
2/
17
H.F.
_____
and
maintains
health
information
that
may
be
derived
from
1
multiple
sources
about
the
health
status
of
an
individual
,
and
2
may
include
a
core
subset
of
each
care
delivery
organization’s
3
electronic
medical
record
such
as
a
continuity
of
care
record
4
or
a
continuity
of
care
document,
computerized
physician
order
5
entry,
electronic
prescribing,
or
clinical
decision
support.
6
b.
A
personal
health
record
through
which
an
individual
and
7
any
other
person
authorized
by
the
individual
can
maintain
and
8
manage
the
individual’s
health
information.
9
c.
An
electronic
medical
record
that
is
used
by
health
care
10
professionals
to
electronically
document,
monitor,
and
manage
11
health
care
delivery
within
a
care
delivery
organization,
is
12
the
legal
record
of
the
patient’s
encounter
with
the
care
13
delivery
organization,
and
is
owned
by
the
care
delivery
14
organization.
15
d.
A
computerized
provider
health
care
professional
16
order
entry
function
that
permits
the
electronic
ordering
of
17
diagnostic
and
treatment
services,
including
prescription
18
drugs.
19
e.
A
decision
support
function
to
assist
physicians
and
20
other
health
care
providers
professionals
in
making
clinical
21
decisions
by
providing
electronic
alerts
and
reminders
to
22
improve
compliance
with
best
practices,
promote
regular
23
screenings
and
other
preventive
practices,
and
facilitate
24
diagnosis
and
treatments
treatment
.
25
f.
Tools
to
allow
for
the
collection,
analysis,
and
26
reporting
of
information
or
data
on
adverse
events,
the
quality
27
and
efficiency
of
care,
patient
satisfaction,
and
other
health
28
care-related
performance
measures.
29
9.
14.
“Health
Insurance
Portability
and
Accountability
30
Act”
or
“HIPAA”
means
the
federal
Health
Insurance
Portability
31
and
Accountability
Act
of
1996,
Pub.
L.
No.
104-191,
including
32
amendments
thereto
and
regulations
promulgated
thereunder.
33
10.
15.
“Hospital”
means
a
licensed
hospital
as
defined
in
34
section
135B.1
.
35
-3-
LSB
5482YC
(11)
90
pf/ko
3/
17
H.F.
_____
11.
16.
“Interoperability”
means
the
ability
of
two
or
more
1
systems
or
components
to
exchange
information
or
data
in
an
2
accurate,
effective,
secure,
and
consistent
manner
and
to
use
3
the
information
or
data
that
has
been
exchanged
and
includes
4
but
is
not
limited
to:
5
a.
The
capacity
to
connect
to
a
network
for
the
purpose
of
6
exchanging
information
or
data
with
other
users.
7
b.
The
ability
of
a
connected
,
authenticated
user
8
participant
to
demonstrate
appropriate
permissions
to
9
participate
in
the
instant
transaction
over
the
network
or
the
10
state-designated
HDU
.
11
c.
The
capacity
of
a
connected
,
authenticated
user
12
participant
to
access,
transmit,
receive,
and
exchange
usable
13
information
with
other
users
participants
.
14
12.
17.
“Iowa
health
information
network”
or
“network”
means
15
the
statewide
health
information
technology
network
that
is
16
the
state-designated
exchange
and
the
sole
statewide
health
17
information
network
for
Iowa
pursuant
to
this
chapter
.
18
13.
18.
“Medicaid
program”
means
the
medical
assistance
19
program
as
defined
in
section
249A.2
.
20
19.
“Nursing
facility”
means
a
licensed
nursing
facility
as
21
defined
in
section
135C.1.
22
14.
20.
“Participant”
means
an
authorized
health
care
23
professional,
payor,
patient,
health
care
organization,
public
24
health
agency,
or
the
department
entity
described
in
section
25
135D.4
that
has
agreed
entered
into
an
agreement
to
authorize,
26
submit,
access,
or
disclose
health
information
and
data
through
27
the
Iowa
health
information
network
or
the
state-designated
HDU
28
in
accordance
with
this
chapter
and
all
applicable
laws,
rules,
29
agreements,
policies,
and
standards.
30
15.
21.
“Patient”
means
a
person
who
has
received
or
is
31
receiving
health
services
from
a
health
care
professional.
32
16.
22.
“Payor”
means
a
person
who
makes
payments
for
33
health
services,
including
but
not
limited
to
an
insurance
34
company,
self-insured
employer,
government
program,
individual,
35
-4-
LSB
5482YC
(11)
90
pf/ko
4/
17
H.F.
_____
or
other
purchaser
that
makes
such
payments.
1
23.
“Payor
information
exchange”
means
a
large-scale
2
database
that
systematically
collects
health
care
claims
data
3
from
a
variety
of
payor
sources,
including
claims
from
health
4
care
professionals.
5
24.
“Pharmacy”
means
a
pharmacy
as
defined
in
section
6
155A.3.
7
25.
“Pharmacy
information
exchange”
means
the
participants
8
contributing
to
the
sharing
and
movement
of
dispensed
pharmacy
9
information
electronically
across
participants
within
a
state,
10
region,
community,
or
health
care
delivery
system.
11
17.
26.
“Protected
health
information”
means
protected
12
health
information
as
defined
in
45
C.F.R.
§160.103
that
is
13
created
or
received
by
an
authorized
a
participant.
14
18.
27.
“Public
health
activities”
means
actions
taken
by
15
a
participant
in
its
the
participant’s
capacity
as
a
public
16
health
authority
under
the
Health
Insurance
Portability
and
17
Accountability
Act
or
as
required
or
permitted
by
other
federal
18
or
state
law.
19
19.
28.
“Public
health
agency”
means
an
entity
that
is
20
governed
by
or
contractually
responsible
to
a
local
board
of
21
health
or
the
department
to
provide
services
focused
on
the
22
health
status
of
population
groups
and
their
the
population
23
groups’
environments.
24
20.
29.
“Record
locator
service”
means
the
functionality
of
25
the
Iowa
health
information
network
that
queries
data
sources
26
to
locate
and
identify
potential
patient
records.
27
30.
“Rehabilitative
services”
means
the
same
as
defined
in
28
section
135C.1.
29
31.
“Social
care”
means
any
care,
service,
good,
or
supply
30
related
to
an
individual’s
social
needs.
“Social
care”
31
includes
but
is
not
limited
to
support
and
assistance
for
an
32
individual’s
food
stability
and
nutritional
needs,
housing,
33
transportation,
economic
stability,
employment,
education
34
access
and
quality,
childcare
and
family
relationship
needs,
35
-5-
LSB
5482YC
(11)
90
pf/ko
5/
17
H.F.
_____
and
environmental
and
physical
safety.
1
32.
“Social
care
referral
system”
means
a
system
that
shares
2
an
individual’s
social
care
information
for
the
purpose
of
3
referrals
among
health
care
entities,
public
health
agencies,
4
and
community-based
organizations.
“Social
care
referral
5
system”
includes
but
is
not
limited
to
a
network,
software,
or
6
technology
platform.
7
33.
“State-designated
health
data
utility”
or
8
“state-designated
HDU”
means
the
health
data
utility
designated
9
by
the
state
under
this
chapter.
10
34.
“State-designated
health
information
exchange”
or
11
“state-designated
exchange”
means
the
Iowa
health
information
12
network.
13
Sec.
3.
Section
135D.3,
subsection
1,
paragraph
c,
Code
14
2024,
is
amended
to
read
as
follows:
15
c.
A
health
information
network
involves
the
secure
16
electronic
sharing
of
health
information
across
the
boundaries
17
of
individual
practice
and
institutional
health
settings
and
18
with
consumers.
The
broad
use
of
health
information
technology
19
and
a
health
information
network
should
improve
improves
health
20
care
quality
and
the
overall
health
of
the
population,
increase
21
increases
efficiencies
in
administrative
health
care,
reduce
22
reduces
unnecessary
health
care
costs,
and
help
helps
prevent
23
medical
errors.
24
Sec.
4.
Section
135D.4,
subsection
2,
paragraph
b,
Code
25
2024,
is
amended
to
read
as
follows:
26
b.
The
network
provides
a
variety
of
services
from
which
to
27
choose
in
order
to
best
fit
the
needs
of
the
user
participant
.
28
Sec.
5.
Section
135D.4,
subsection
3,
paragraph
b,
Code
29
2024,
is
amended
to
read
as
follows:
30
b.
Participants
The
opportunity
for
participants
without
an
31
electronic
health
records
system
to
access
health
information
32
from
the
Iowa
health
information
network.
33
Sec.
6.
NEW
SECTION
.
135D.4A
State-designated
health
data
34
utility
——
principles
——
intent
——
technical
infrastructure
35
-6-
LSB
5482YC
(11)
90
pf/ko
6/
17
H.F.
_____
requirements.
1
1.
a.
A
state-designated
health
data
utility
facilitates
2
the
secure
electronic
sharing
of
health
information
and
data
3
across
a
variety
of
settings
including
health
care
delivery
4
settings,
payors,
social
care
entities,
and
consumers.
5
b.
A
state-designated
HDU
is
designed
to
achieve
better
6
health
care
outcomes,
improve
the
overall
health
and
well-being
7
of
the
people
of
the
state,
and
reduce
the
cost
of
health
8
care
by
creating
a
more
seamless,
transparent,
and
modernized
9
approach
to
the
sharing
of
health
information
and
data.
10
c.
Utilization
of
health
information
and
data
requires
11
appropriate
governance
and
policy
leadership.
The
12
state-designated
HDU
provides
clear
data
governance,
privacy,
13
and
security
policies
to
facilitate
the
sharing
of
health
14
information
and
data,
ensuring
that
the
health
information
and
15
data
follow
the
patient
and
improve
the
health
of
all
citizens
16
of
the
state.
17
d.
Health
care
professionals
and
entities
have
been
subject
18
to
HIPAA
since
1996,
and
HIPAA
has
driven
initial
efforts
to
19
develop
a
culture
and
infrastructure
of
health
information
20
governance.
As
holders
of
personal
information,
state
agencies
21
have
a
responsibility
to
demonstrate
to
the
public
the
state’s
22
commitment
to
respecting
personal
privacy.
23
e.
Health
care
entities
have
a
duty
to
share
health
24
information
and
data,
in
accordance
with
applicable
law,
with
25
other
health
care
entities
to
ensure
that
optimal
patient
26
and
population
health
is
achieved.
To
further
demonstrate
27
the
commitment
to
privacy,
the
state-designated
HDU
provides
28
opt-out
policies
and
procedures
to
allow
patients
to
opt
out
of
29
health
information
and
data
sharing.
30
2.
The
purposes
of
the
state-designated
HDU
include
all
of
31
the
following:
32
a.
The
transmittal,
collection,
aggregation,
and
analysis
33
of
clinical
information,
public
health
data,
and
health
34
administrative
and
operations
data
to
assist
the
department,
35
-7-
LSB
5482YC
(11)
90
pf/ko
7/
17
H.F.
_____
local
health
departments,
health
care
professionals,
patients,
1
policymakers,
and
the
governing
board
in
understanding
the
2
population
health
of
Iowa.
3
b.
The
enhancement
and
acceleration
of
the
interoperability
4
of
health
information
and
data
throughout
the
state,
ensuring
5
compliance
with
all
applicable
privacy
and
security
laws
and
6
regulations.
7
c.
The
empowerment
of
patients
in
accessing
and
directing
8
their
health
information
and
data,
health
care
costs,
and
9
overall
health
to
improve
quality
of
life
in
the
state.
10
3.
It
is
the
intent
of
the
general
assembly
that
the
11
state-designated
HDU
shall
not
constitute
a
health
benefit
12
network
or
a
health
insurance
network.
13
4.
A
state-designated
HDU
is
created
and
shall
operate
14
as
a
public-private
partnership.
The
state-designated
HDU
15
shall
provide
health
information
and
data,
in
accordance
with
16
applicable
law,
to
patients
and
organizations
involved
in
the
17
treatment
and
care
coordination
of
patients,
and
shall
support
18
the
health
goals
of
the
community
and
the
state.
19
5.
The
designated
entity
shall
administer
and
govern
20
the
state-designated
HDU.
The
state-designated
HDU
shall
be
21
comprised
of
all
of
the
following
data
sources:
22
a.
A
health
information
exchange.
The
governing
board
23
shall
adopt
health
care
information
interoperability
standards
24
for
the
health
information
exchange.
The
minimum
standard
of
25
sharing
shall
be
the
most
recently
approved
version
of
the
26
United
States
core
data
of
interoperability.
The
minimum
27
standard
of
sharing
may
be
enhanced
by
the
governing
board.
28
b.
A
pharmacy
information
exchange.
29
(1)
Unless
otherwise
prohibited
by
state
or
federal
law,
30
each
licensed
pharmacy
that
dispenses
prescription
drugs
to
31
patients
in
the
state
shall
provide
all
dispensed
prescription
32
information
to
the
state-designated
HDU
in
compliance
with
all
33
applicable
state
and
federal
rules.
34
(2)
The
governing
board
shall
adopt
interoperability
35
-8-
LSB
5482YC
(11)
90
pf/ko
8/
17
H.F.
_____
standards,
data
elements,
and
terminologies
necessary
to
1
provide
data
in
as
close
to
real
time
as
possible
to
facilitate
2
data
exchange.
3
c.
A
payor
information
exchange.
The
governing
board
shall
4
adopt
the
interoperability
standards
for
claims
data
sharing
by
5
all
payors
required
to
share
data.
6
d.
A
community
information
exchange.
The
governing
board
7
shall
adopt
the
interoperability
standards
for
data
sharing
by
8
social
care
entities
specified
by
the
governing
board.
9
6.
By
December
31,
2024,
all
hospitals,
critical
access
10
hospitals,
general
acute
care
hospitals,
rehabilitative
11
hospitals,
provider
clinics,
ambulatory
surgical
centers,
12
mental
health
and
substance
use
treatment
centers,
psychiatric
13
or
mental
hospitals,
facilities
providing
rehabilitative
14
services,
imaging
centers,
laboratories,
federally
qualified
15
health
centers,
and
payors
in
the
state
shall
be
participants
16
with
the
state-designated
HDU,
and
shall
share
all
data
in
17
accordance
with
standards,
policies,
and
procedures
adopted
by
18
the
governing
board
pursuant
to
this
chapter.
19
7.
By
March
31,
2025,
all
entities
utilizing
digital
20
technology
for
the
purposes
of
social
care
referral
and
21
care
coordination
in
the
state,
including
but
not
limited
to
22
community-based
organizations,
shall
be
participants
with
the
23
state-designated
HDU,
and
shall
share
data
in
accordance
with
24
federal
interoperability
guidance
and
policies
adopted
by
the
25
governing
board
pursuant
to
this
chapter.
26
8.
By
December
31,
2025,
all
health
clinics,
public
health
27
clinics,
urgent
care
facilities,
nursing
facilities,
and
28
pharmacies
shall
be
participants
with
the
state-designated
29
HDU,
and
shall
share
all
data
in
accordance
with
policies
and
30
procedures
adopted
by
the
governing
board
pursuant
to
this
31
chapter.
32
Sec.
7.
Section
135D.5,
Code
2024,
is
amended
to
read
as
33
follows:
34
135D.5
Designated
entity
——
selection,
administration
,
and
35
-9-
LSB
5482YC
(11)
90
pf/ko
9/
17
H.F.
_____
governance.
1
1.
The
Iowa
health
information
network
and
the
2
state-designated
HDU
shall
be
administered
and
governed
3
by
a
designated
entity
selected
by
the
department
through
4
a
competitive
process.
The
designated
entity
shall
be
5
established
as
a
nonprofit
corporation
organized
under
6
chapter
504
.
Unless
otherwise
provided
in
this
chapter
,
the
7
corporation
is
subject
to
the
provisions
of
chapter
504
.
8
The
designated
entity
shall
be
established
for
the
purpose
9
of
administering
and
governing
the
statewide
Iowa
health
10
information
network.
11
2.
The
designated
entity
shall
collaborate
with
the
12
department,
but
the
designated
entity
shall
not
be
considered,
13
in
whole
or
in
part,
an
agency,
department,
or
administrative
14
unit
of
the
state.
15
a.
The
designated
entity
shall
not
be
required
to
comply
16
with
any
requirements
that
apply
to
a
state
agency,
department,
17
or
administrative
unit
and
shall
not
exercise
any
sovereign
18
power
of
the
state.
19
b.
The
designated
entity
does
not
have
authority
to
pledge
20
the
credit
of
the
state.
The
assets
and
liabilities
of
21
the
designated
entity
shall
be
separate
from
the
assets
and
22
liabilities
of
the
state
and
the
state
shall
not
be
liable
23
for
the
debts
or
obligations
of
the
designated
entity.
All
24
debts
and
obligations
of
the
designated
entity
shall
be
payable
25
solely
from
the
designated
entity’s
funds.
The
state
shall
26
not
guarantee
any
obligation
of
or
have
any
obligation
to
the
27
designated
entity.
28
3.
The
articles
of
incorporation
of
the
designated
entity
29
shall
provide
for
its
the
designated
entity’s
governance
and
30
its
efficient
management.
In
providing
for
its
the
designated
31
entity’s
governance,
the
articles
of
incorporation
of
the
32
designated
entity
shall
address
the
following:
33
a.
A
governing
board
of
directors
to
govern
the
designated
34
entity.
35
-10-
LSB
5482YC
(11)
90
pf/ko
10/
17
H.F.
_____
b.
The
appointment
of
a
chief
executive
officer
by
the
1
governing
board
to
manage
the
designated
entity’s
daily
2
operations.
3
c.
The
delegation
of
such
powers
and
responsibilities
to
the
4
chief
executive
officer
as
may
be
necessary
for
the
designated
5
entity’s
efficient
operation.
6
d.
The
employment
of
personnel
necessary
for
the
efficient
7
performance
of
the
duties
assigned
to
the
designated
entity.
8
All
such
personnel
shall
be
considered
employees
of
a
private,
9
nonprofit
corporation
and
shall
be
exempt
from
the
personnel
10
requirements
imposed
on
state
agencies,
departments,
and
11
administrative
units.
12
e.
The
financial
operations
of
the
designated
entity
13
including
the
authority
to
receive
and
expend
funds
from
public
14
and
private
sources
and
to
use
its
property,
money,
or
other
15
resources
for
the
purpose
of
the
designated
entity.
16
Sec.
8.
Section
135D.6,
Code
2024,
is
amended
to
read
as
17
follows:
18
135D.6
Board
of
directors
Governing
board
——
composition
——
19
duties.
20
1.
The
designated
entity
shall
be
administered
by
a
21
governing
board
of
directors
.
22
2.
A
single
industry
shall
not
be
disproportionately
23
represented
as
voting
members
of
the
governing
board.
The
24
governing
board
shall
include
at
least
one
member
who
is
a
25
consumer
of
health
services
and
a
majority
of
the
voting
26
members
of
the
governing
board
shall
be
representative
of
27
participants
in
the
Iowa
health
information
network
and
28
the
state-designated
HDU
.
The
director
of
health
and
human
29
services
or
the
director’s
designee
and
the
director
of
the
30
Medicaid
program
or
the
director’s
designee
shall
act
as
31
voting
members
of
the
governing
board.
The
commissioner
of
32
insurance
shall
act
as
an
ex
officio,
nonvoting
member
of
33
the
governing
board.
Individuals
serving
in
an
ex
officio,
34
nonvoting
capacity
shall
not
be
included
in
the
total
number
of
35
-11-
LSB
5482YC
(11)
90
pf/ko
11/
17
H.F.
_____
individuals
authorized
as
members
of
the
governing
board.
1
3.
The
governing
board
of
directors
shall
do
all
of
the
2
following:
3
a.
Ensure
that
the
designated
entity
enters
into
contracts
4
with
each
state
agency
necessary
for
state
reporting
5
requirements.
6
b.
Develop,
implement,
and
enforce
the
following:
7
(1)
A
single
patient
identifier
or
alternative
mechanism
8
to
share
secure
patient
health
information
and
data
that
is
9
utilized
by
all
health
care
professionals.
10
(2)
Standards,
requirements,
policies,
and
procedures
11
for
access
to,
use,
secondary
use,
privacy,
and
security
of
12
health
information
and
data,
including
clinical
information,
13
exchanged
through
the
Iowa
health
information
network
and
the
14
state-designated
HDU
,
consistent
with
applicable
federal
and
15
state
standards
and
laws.
16
c.
Direct
a
public
and
private
collaborative
effort
to
17
promote
the
adoption
and
use
of
health
information
technology
18
in
the
state
to
improve
health
care
quality,
increase
patient
19
safety,
reduce
health
care
costs,
enhance
public
health,
20
and
empower
individuals
and
health
care
professionals
with
21
comprehensive,
real-time
medical
information
to
provide
22
continuity
of
care
and
make
the
best
health
care
decisions.
23
d.
Educate
the
public
and
the
health
care
sector
about
24
the
value
of
health
information
technology
in
improving
25
patient
care,
and
methods
to
promote
increased
support
and
26
collaboration
of
state
and
local
public
health
agencies,
27
health
care
professionals,
and
consumers
in
health
information
28
technology
initiatives.
29
e.
Work
to
align
interstate
and
intrastate
interoperability
30
standards
in
accordance
with
national
health
information
31
exchange
standards.
32
f.
Provide
an
annual
budget
and
fiscal
report
for
the
Iowa
33
health
information
network
and
the
state-designated
HDU
to
the
34
governor,
the
department
of
health
and
human
services
,
the
35
-12-
LSB
5482YC
(11)
90
pf/ko
12/
17
H.F.
_____
department
of
management,
the
chairs
and
ranking
members
of
the
1
legislative
government
oversight
standing
committees,
and
the
2
legislative
services
agency.
The
report
shall
also
include
3
information
about
the
services
provided
through
the
network
and
4
the
state-designated
HDU
and
information
on
the
participant
5
usage
of
the
network
and
the
state-designated
HDU
.
6
g.
Ensure
any
health
information
and
data
within
the
7
state-designated
HDU
is
shared
and
accessed
according
to
all
8
applicable
state
and
federal
laws
and
standards,
including
9
HIPAA,
to
uphold
the
privacy
and
security
of
a
patient’s
10
protected
health
information.
11
Sec.
9.
Section
135D.7,
Code
2024,
is
amended
to
read
as
12
follows:
13
135D.7
Legal
and
policy
——
liability
——
confidentiality.
14
1.
The
governing
board
shall
implement
industry-accepted
15
security
standards,
policies,
and
procedures
to
protect
the
16
transmission
and
receipt
of
protected
health
information
and
17
data
exchanged
through
the
Iowa
health
information
network
and
18
the
state-designated
HDU
,
which
shall,
at
a
minimum,
comply
19
with
HIPAA
and
shall
include
all
of
the
following:
20
a.
A
secure
and
traceable
electronic
audit
system
to
21
document
and
monitor
the
sender
and
recipient
of
health
22
information
exchanged
through
the
Iowa
health
information
23
network.
24
b.
A
required
standard
participation
agreement
which
25
defines
the
minimum
privacy
and
security
obligations
of
all
26
participants
using
the
Iowa
health
information
network
or
the
27
state-designated
HDU,
and
services
available
through
the
Iowa
28
health
information
network
and
the
state-designated
HDU
.
29
c.
The
opportunity
for
a
patient
to
decline
exchange
of
the
30
patient’s
health
information
or
data
through
the
record
locator
31
service
of
the
Iowa
health
information
network
or
through
the
32
state-designated
HDU
.
33
(1)
A
patient
shall
not
be
denied
care
or
treatment
for
34
declining
to
exchange
the
patient’s
health
information
or
35
-13-
LSB
5482YC
(11)
90
pf/ko
13/
17
H.F.
_____
data
,
in
whole
or
in
part,
through
the
network
or
through
the
1
state-designated
HDU
.
2
(2)
The
governing
board
shall
provide
the
means
and
process
3
by
which
a
patient
may
decline
participation.
The
means
and
4
process
utilized
shall
minimize
the
burden
on
patients
and
5
health
care
professionals.
6
(3)
Unless
otherwise
authorized
by
law
or
rule,
a
patient’s
7
decision
to
decline
participation
means
that
none
of
the
8
patient’s
health
information
or
data
shall
be
accessible
9
through
the
record
locator
service
function
of
the
Iowa
health
10
information
network
or
through
the
state-designated
HDU
.
A
11
patient’s
decision
to
decline
having
health
information
or
12
data
shared
through
the
record
locator
service
function
or
13
through
the
state-designated
HDU
shall
not
limit
a
health
14
care
professional
with
whom
the
patient
has
or
is
considering
15
a
treatment
relationship
from
sharing
health
information
16
concerning
the
patient
through
the
secure
messaging
function
of
17
the
Iowa
health
information
network.
18
(4)
A
patient
who
declines
participation
in
the
Iowa
19
health
information
network
or
the
state-designated
HDU
may
20
later
decide
to
have
the
patient’s
health
information
or
data
21
shared
through
the
network
or
through
the
state-designated
22
HDU
.
A
patient
who
is
participating
in
the
network
or
the
23
state-designated
HDU
may
later
decline
participation
in
the
24
network
or
the
state-designated
HDU
.
25
2.
A
participant
shall
not
be
compelled
by
subpoena,
court
26
order,
or
other
process
of
law
to
access
health
information
or
27
data
through
the
Iowa
health
information
network
or
through
the
28
state-designated
HDU
in
order
to
gather
records
or
information
29
not
created
by
the
participant.
30
3.
A
participant
exchanging
health
information
and
data
31
through
the
Iowa
health
information
network
or
through
the
32
state-designated
HDU
shall
grant
to
other
participants
of
the
33
network
or
the
state-designated
HDU
a
nonexclusive
license
to
34
retrieve
and
use
that
health
information
or
data
in
accordance
35
-14-
LSB
5482YC
(11)
90
pf/ko
14/
17
H.F.
_____
with
applicable
state
and
federal
laws,
and
the
policies
and
1
standards
established
by
the
governing
board.
2
4.
A
health
care
professional
who
relies
reasonably
and
3
in
good
faith
upon
any
health
information
or
data
provided
4
through
the
Iowa
health
information
network
or
through
the
5
state-designated
HDU
in
the
treatment
of
a
patient
who
is
the
6
subject
of
the
health
information
or
data
shall
be
immune
7
from
criminal
or
civil
liability
arising
from
the
damages
8
caused
by
such
reasonable,
good-faith
reliance.
Such
immunity
9
shall
not
apply
to
acts
or
omissions
constituting
negligence,
10
recklessness,
or
intentional
misconduct.
11
5.
A
participant
who
has
disclosed
health
information
or
12
data
through
the
Iowa
health
information
network
or
through
the
13
state-designated
HDU
in
compliance
with
applicable
law
and
the
14
standards,
requirements,
policies,
procedures,
and
agreements
15
of
the
Iowa
health
information
network
or
the
state-designated
16
HDU
shall
not
be
subject
to
criminal
or
civil
liability
for
the
17
use
or
disclosure
of
the
health
information
or
data
by
another
18
participant.
19
6.
The
following
records
shall
be
confidential
records
20
pursuant
to
chapter
22
,
unless
otherwise
ordered
by
a
court
or
21
consented
to
by
the
patient
or
by
a
person
duly
authorized
to
22
release
such
information:
23
a.
The
health
information
contained
in,
stored
in,
submitted
24
to,
transferred
or
exchanged
by,
or
released
from
the
Iowa
25
health
information
network
or
the
state-designated
HDU
.
26
b.
Any
health
information
or
data
in
the
possession
of
the
27
governing
board
due
to
its
administration
and
governance
of
the
28
Iowa
health
information
network
or
the
state-designated
HDU
.
29
7.
Unless
otherwise
provided
in
this
chapter
,
when
sharing
30
health
information
or
data
through
the
Iowa
health
information
31
network
or
,
through
the
state-designated
HDU,
or
through
a
32
private
health
information
network
maintained
in
this
state
33
that
complies
with
the
privacy
and
security
requirements
of
34
this
chapter
for
the
purposes
of
patient
treatment,
payment
,
35
-15-
LSB
5482YC
(11)
90
pf/ko
15/
17
H.F.
_____
or
health
care
operations,
as
such
terms
are
defined
in
1
HIPAA,
or
for
the
purposes
of
public
health
activities
or
care
2
coordination,
a
participant
authorized
by
the
designated
entity
3
to
use
the
record
locator
service
or
the
state-designated
HDU
4
is
exempt
from
any
other
state
law
that
is
more
restrictive
5
than
HIPAA
that
would
otherwise
prevent
or
hinder
the
exchange
6
of
patient
information
or
data
by
the
participant.
7
8.
A
patient
aggrieved
or
adversely
affected
by
the
8
designated
entity’s
failure
to
comply
with
subsection
1,
9
paragraph
“c”
,
may
bring
a
civil
action
for
equitable
relief
as
10
the
court
deems
appropriate.
11
Sec.
10.
NEW
SECTION
.
135D.8
Funding.
12
The
department
may
expend
funds
appropriated
to
or
received
13
by
the
department
for
the
purposes
of
this
chapter
to
carry
out
14
the
requirements
of
this
chapter.
15
EXPLANATION
16
The
inclusion
of
this
explanation
does
not
constitute
agreement
with
17
the
explanation’s
substance
by
the
members
of
the
general
assembly.
18
This
bill
relates
to
the
Iowa
health
information
network
19
(IHIN)
under
Code
chapter
135D
(Iowa
health
information
20
network)
and
a
state-designated
health
data
utility
(HDU).
21
The
bill
includes
definitions
used
in
the
bill.
22
The
bill
requires
the
designated
entity
to
administer
and
23
govern
the
state-designated
HDU
for
the
state.
“Health
data
24
utility”
is
defined
under
the
bill
as
a
locally
governed,
25
multifaceted
resource
that
provides
services
for
the
26
interchange
of
health
data
within
the
health
care
and
public
27
health
ecosystems
for
the
purpose
of
advancing
health
care
and
28
improving
public
health
outcomes.
A
“health
data
utility”
29
combines,
enhances,
and
exchanges
electronic
health
data
across
30
care
and
service
settings
for
treatment,
care
coordination,
31
quality
improvement,
and
public
and
community
health
purposes,
32
in
accordance
with
applicable
state
and
federal
laws
protecting
33
patient
privacy.
34
The
bill
provides
the
principles,
intent,
and
technical
35
-16-
LSB
5482YC
(11)
90
pf/ko
16/
17
H.F.
_____
infrastructure
requirements
for
the
state-designated
HDU,
1
including
that
the
state-designated
HDU
include
data
from
a
2
health
information
exchange,
a
pharmacy
information
exchange,
3
a
payor
information
exchange,
and
a
community
information
4
exchange.
5
The
bill
requires
certain
entities
to
participate
in
the
6
state-designated
HDU
by
specified
dates.
7
The
bill
provides
that
the
department
of
health
and
human
8
services
(HHS)
may
expend
funds
appropriated
to
or
received
by
9
HHS
for
the
purposes
of
the
bill
to
carry
out
the
requirements
10
of
the
bill.
11
-17-
LSB
5482YC
(11)
90
pf/ko
17/
17