S509: Health Information Exchange Act Revisions. Latest Version

Session: 2025 - 2026

Senate
Passed 1st Reading
Rules
Committee


AN ACT revising the statewide health information exchange act; and authorizing the imposition of new civil penalties for violations of the act and a new state health data assessment fee.



The General Assembly of North Carolina enacts:



SECTION 1.  Article 29B of Chapter 90 of the General Statutes reads as rewritten:



Article 29B.



Statewide Health Information Exchange Act.



§ 90‑414.1.  Title.



This act Article shall be known and may be cited as the Statewide Health Information Exchange Act.



§ 90‑414.2.  Purpose.



This Article is intended to improve the quality of health care delivery within this State by facilitating and regulating the use of a voluntary, statewide health information exchange network for the secure electronic transmission of individually identifiable health information among health care providers, health plans, and health care clearinghouses clearinghouses, and the State in a manner that is consistent with the Health Insurance Portability and Accountability Act, Privacy Rule and Security Rule, 45 C.F.R. §§ 160, 164.



§ 90‑414.3.  Definitions.



The following definitions apply in this Article:



(1)        Annual compliance report. – The annual report required by G.S. 90‑414.13.



(1a)      Business associate. – As defined in 45 C.F.R. § 160.103.



(2)        Business associate contract. – The documentation required by 45 C.F.R. § 164.502(e)(2) that meets the applicable requirements of 45 C.F.R. § 164.504(e).



(3)        Covered entity. – Any entity described in 45 C.F.R. § 160.103 or any other facility or practitioner licensed by the State to provide health care services.



(3a)      Data transfer systems. – Electronic systems or platforms that (i) facilitate the submission of any combination of clinical, demographic, or claims data to the HIE Network and (ii) are maintained, controlled, directed, or licensed by, or on behalf of, a covered entity or hybrid entity subject to this Article. Data transfer systems may be comprised of health information technology or claims processing technology, or both, including hardware, software, integrated technologies and related licenses, or packaged solutions sold as services. Data transfer systems include, but are not limited to, electronic systems or platforms related to electronic health records, pharmacy benefits and claims, claims processing, or care management. Data transfer systems do not include any information technology systems that are directly maintained, controlled, or licensed by the State Health Plan for Teachers and State Employees.



(4)        Department. – North Carolina Department of Health and Human Services.



(5)        Disclose or disclosure. – The release, transfer, provision of access to, or divulging in any other manner an individual's protected health information through the HIE Network.



(6)        Repealed by Session Laws 2017‑57, s. 11A.5(f), effective July 1, 2017.



(7)        GDAC. – The North Carolina Government Data Analytics Center.



(8)        HIE Network. – The voluntary, statewide health information exchange network network, which is a health data utility overseen and administered by the Authority.



(9)        HIPAA. – Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, P.L. 104‑191, as amended, and any federal regulations adopted to implement these sections, as amended.



(10)      Individual. – As defined in 45 C.F.R. § 160.103.



(11)      North Carolina Health Information Exchange Advisory Board or Advisory Board. – The Advisory Board established under G.S. 90‑414.8.



(12)      North Carolina Health Information Exchange Authority or Authority. – The entity established pursuant to G.S. 90‑414.7.



(13)      Opt out. – An individual's affirmative decision communicated to the Authority in writing to disallow his or her protected health information from being disclosed by the Authority to covered entities or other persons or entities through the HIE Network.



(13a)    Organization National Provider Identifier or Organization NPI. – The HIPAA Administrative Simplification Standard that utilizes a 10‑position all‑numeric identification number assigned by the federal National Provider System to uniquely identify a health care provider that is an entity other than an individual human being that furnishes health care.



(14)      Protected health information. – As defined in 45 C.F.R. § 160.103.



(15)      Public health purposes. – The public health activities and purposes described in 45 C.F.R. § 164.512(b).



(16)      Qualified organization. – An entity with which the Authority has contracted for the sole purpose of facilitating the exchange of data with or through the HIE Network.



(17)      Research purposes. – Research purposes referenced in and subject to the standards described in 45 C.F.R. § 164.512(i).



(18)      State CIO. – The State Chief Information Officer.



(19)      State‑funded health care. – Means all of the following:



a.         The North Carolina Medicaid program.



b.         The State Health Plan for Teachers and State Employees.



c.         Health care facilities and health care programs administered or operated by the Department of Health and Human Services, the Department of Public Safety, or the Department of Adult Correction, and their employees, agents, or grantees.



(20)      State health care funds. – Monies paid to providers or entities for the provision of health care services to recipients of State‑funded health care. The term includes both (i) direct payments from the State to providers and entities and (ii) payments that providers and entities receive from third parties, or the agents of third parties, that are retained by the State for the administration or delivery, or both, of State‑funded health care, including prepaid health plans as defined in G.S. 108D‑1 and claims processors as defined in G.S. 135‑48.1.



§ 90‑414.4.  Required participation in HIE Network for some providers.



(a)        Findings. – The General Assembly makes the following findings:



(1)        That controlling escalating health care costs of the Medicaid program and other State‑funded health care services is of significant importance to the State, its taxpayers, its Medicaid recipients, and other recipients beneficiaries of State‑funded health care services.care.



(2)        That the State and covered entities in North Carolina need timely access to certain demographic and clinical information pertaining to services rendered to Medicaid and other beneficiaries of State‑funded health care program beneficiaries and paid for with Medicaid or other State‑funded State health care funds in order to assess performance, improve health care outcomes, pinpoint medical expense trends, identify beneficiary health risks, and evaluate how the State is spending money on Medicaid and other State‑funded health care services. The care. To that end, the Department of Information Technology, the Department of State Treasurer, State Health Plan Division, and the Department of Health and Human Services, Division of Health Benefits, have an affirmative duty to facilitate and support participation by covered entities in the statewide health information exchange network.



(3)        That making demographic and clinical information available to the State and covered entities in North Carolina by secure electronic means as set forth in subsection (b) of this section will improve care coordination within and across health systems, increase care quality for such beneficiaries, beneficiaries of State‑funded health care, enable more effective population health management, reduce duplication of medical services, augment syndromic surveillance, allow more accurate measurement of care services and outcomes, increase strategic knowledge about the health of the population, and facilitate health care cost containment.



(a1)      Mandatory Connection to HIE Network. – Notwithstanding the voluntary nature of the HIE Network under G.S. 90‑414.2, the following providers and entities shall be connected to the HIE Network and begin submitting data through the HIE Network pertaining to services rendered to Medicaid beneficiaries and to other of State‑funded health care program beneficiaries and paid for with Medicaid or other State‑funded State health care funds in accordance with the following time line:



(1)        The following providers of Medicaid services licensed to operate in the State that have an electronic health record system shall begin submitting, at a minimum, demographic and clinical data by June 1, 2018:



a.         Hospitals as defined in G.S. 131E‑176(13).



b.         Physicians licensed to practice under Article 1 of Chapter 90 of the General Statutes, this Chapter, except for licensed physicians whose primary area of practice is psychiatry.



c.         Physician assistants as defined in 21 NCAC 32S.0201.



d.         Nurse practitioners as defined in 21 NCAC 36.0801.



(2)        Except as provided in subdivisions (3), (4), and (5) of this subsection, all other providers of Medicaid and State‑funded health care services and their affiliated entities shall begin submitting demographic and clinical data by January 1, 2023.



(3)        The following entities shall submit encounter and claims data, as appropriate, in accordance with the following time line:



a.         Prepaid Health Plans, as defined in G.S. 108D‑1, by the commencement date of a capitated contract with the Division of Health Benefits for the delivery of Medicaid services as specified in Article 4 of Chapter 108D of the General Statutes.



b.         Local management entities/managed care organizations, as defined in G.S. 122C‑3, by June 1, 2020.



If authorized by the Authority in accordance with this Article, the Department of Health and Human Services may submit the data required by this subsection on behalf of the entities specified in this subdivision.



(4)        The following entities shall begin submitting demographic and clinical data by January 1, 2023:



a.         Physicians who perform procedures at ambulatory surgical centers as defined in G.S. 131E‑146.



b.         Dentists licensed under Article 2 of Chapter 90 of the General Statutes.



c.         Licensed physicians whose primary area of practice is psychiatry.



d.         The State Laboratory of Public Health operated by the Department of Health and Human Services.



(5)        The following entities shall begin submitting claims data by January 1, 2023:



a.         Pharmacies registered with the North Carolina Board of Pharmacy under Article 4A of Chapter 90 of the General Statutes.this Chapter.



b.         State health care facilities operated under the jurisdiction of the Secretary of the Department of Health and Human Services, including State psychiatric hospitals, developmental centers, alcohol and drug treatment centers, neuro‑medical treatment centers, and residential programs for children such as the Wright School and the Whitaker Psychiatric Residential Treatment Facility.



c.         Dentists licensed under Article 2 of this Chapter.



(a2)      Extensions of Time for Establishing Connection to the HIE Network. – The Department of Information Technology, in consultation with the Department of Health and Human Services and the State Health Plan for Teachers and State Employees, may establish a process to grant limited extensions of the time for providers and entities to connect to the HIE Network and begin submitting data as required by this section upon the request of a provider or entity that demonstrates an ongoing good‑faith effort to take necessary steps to establish such connection and begin data submission as required by this section. The process for granting an extension of time must include a presentation by the provider or entity to the Department of Information Technology, the Department of Health and Human Services, and the State Health Plan for Teachers and State Employees on the expected time line for connecting to the HIE Network and commencing data submission as required by this section. Neither the Department of Information Technology, the Department of Health and Human Services, nor the State Health Plan for Teachers and State Employees shall grant an extension of time (i) to any provider or entity that fails to provide this information to both Departments, and the State Health Plan for Teachers and State Employees, (ii) that would result in the provider or entity connecting to the HIE Network and commencing data submission as required by this section later than January 1, 2023. The Department of Information Technology shall consult with the Department of Health and Human Services and the State Health Plan for Teachers and State Employees to review and decide upon a request for an extension of time under this section within 30 days after receiving a request for an extension.



(a3)      Exemptions from Connecting to the HIE Network. – The Secretary of Health and Human Services, or the Secretary's designee, shall have the authority to grant exemptions to classes of providers of Medicaid and other State‑funded health care services for whom acquiring and implementing an electronic health record system and connecting to the HIE Network as required by this section would constitute an undue hardship. The Secretary, or the Secretary's designee, shall promptly notify the Department of Information Technology of classes of providers granted hardship exemptions under this subsection. Neither the Secretary nor the Secretary's designee shall grant any hardship exemption that would result in any class of provider connecting to the HIE Network and submitting data later than December 31, 2022.



(a4)      Connected Status. A provider or entity identified in subsection (a1) of this section is deemed connected to the HIE Network when the covered entity that provides, maintains, controls, directs, or licenses that provider's or entity's data transfer system has done all of the following:



(1)        Established an operable technical connection with the HIE Network approved by the Authority that supports the submission of required patient data generated by the provider or entity.



(2)        Provided its Organization NPI to the Authority.



(3)        Executed with the Authority a valid, written participation agreement pursuant to subdivision (b)(6) of G.S. 90‑414.7.



(4)        Communicated to the Authority, in writing, the identity of all providers and entities on whose behalf it maintains a data transfer system.



(5)        Either has met or is making reasonable efforts to meet data quality standards established by the Authority that are published on its website.



(b)        Mandatory Submission of Demographic and Clinical Data. – Notwithstanding the voluntary nature of the HIE Network under G.S. 90‑414.2 and, except as otherwise provided in subsection subsections (c) and (c1) of this section, as a condition of receiving State funds, including Medicaid funds, the following entities shall submit at least twice daily, through the HIE network, demographic and clinical information pertaining to services rendered to Medicaid and other beneficiaries of State‑funded health care program beneficiaries and paid for with Medicaid or other State‑funded State health care funds, solely for the purposes set forth in subsection (a) of this section:



(1)        Each hospital, as defined in G.S. 131E‑176(13) that has an electronic health record system.



(2)        Each Medicaid provider, unless the provider is an ambulatory surgical center as defined in G.S. 131E‑146; however, a physician who performs a procedure at the ambulatory surgical center must be connected to the HIE Network.



(3)        Each provider that receives State health care funds for the provision of health services, State‑funded health care, unless the provider is an ambulatory surgical center as defined in G.S. 131E‑146; however, a physician who performs a procedure at the ambulatory surgical center must be connected to the HIE Network.



(4)        Each prepaid health plan, as defined in G.S. 58‑93‑5, that is under a capitated contract with the Department for the delivery of Medicaid services, or a local management entity/managed care organization, as defined in G.S. 122C‑3.G.S. 122C‑3, that is under a capitated prepaid health plan contract with the Department.



(b1)      Balance Billing Prohibition. – An in‑network provider or entity who that (i) renders health care services, including prescription drugs and durable medical equipment, under a contract with the State Health Plan for Teachers and State Employees and who (ii) is not connected to the HIE Network in accordance with this Article, is prohibited from billing the State Health Plan or a Plan member more than either party would be billed if the entity or provider was connected to the HIE Network. Balance billing because the provider or entity did not connect to the HIE Network is prohibited.



(c)        Exemption for Certain Records. – Providers with patient records that are subject to the disclosure restrictions of 42 C.F.R. § 2 are exempt from the requirements of subsection (b) of this section but only with respect to the patient records subject to these disclosure restrictions. Providers shall comply with the requirements of subsection (b) of this section with respect to all other patient records. A pharmacy shall only be Pharmacies registered with the North Carolina Board of Pharmacy under Article 4A of this Chapter and dentists licensed under Article 2 of this Chapter are only required to submit claims data pertaining to services rendered to Medicaid and other State‑funded health care program beneficiaries of State‑funded health care and paid for with Medicaid or other State‑funded State health care funds.



(c1)      Exemption from Twice Daily Submission. – A pharmacy shall only be The following entities are required to submit claims data only once daily through the HIE Network Network:



(1)        Pharmacies registered with the North Carolina Board of Pharmacy under Article 4A of this Chapter, using pharmacy industry standardized formats.



(2)        Dentists licensed under Article 2 of this Chapter.



(c2)      42 C.F.R. § 2 Records. – Notwithstanding subsection (b) of this section, patient records protected by 42 C.F.R. § 2 shall be disclosed through the HIE Network only if the Authority has provided written notice to the participating entity that data protected by 42 C.F.R. § 2 can be disclosed for a specific purpose.



(d)       Method of Data Submissions. – The Any provider or entity required to submit data submissions required under this section shall be make the submission by connection to the HIE Network periodic asynchronous secure structured file transfer or any other secure electronic means commonly used in the industry and consistent with document exchange and data submission standards established by the Office Assistant Secretary for Technology Policy/Office of the National Coordinator for Information Technology within the U.S. Department of Health and Human Services.



(e)        Voluntary Connection for Certain Providers. – Notwithstanding the mandatory connection and data submission requirements in of subsections (a1) and (b) of this section, the following providers of Medicaid services or other State‑funded health care services are not required to connect to the HIE Network or submit data but may connect to the HIE Network and submit data voluntarily:



(1)        Community‑based long‑term services and supports providers, including personal care services, private duty nursing, home health, and hospice care providers.



(2)        Intellectual and developmental disability services and supports providers, such as day supports and supported living providers.



(3)        Community Alternatives Program waiver services (including CAP/DA, CAP/C, and Innovations) providers.



(4)        Eye and vision services providers.



(5)        Speech, language, and hearing services providers.



(6)        Occupational and physical therapy providers.



(7)        Durable medical equipment providers.



(8)        Nonemergency medical transportation service providers.



(9)        Ambulance (emergency medical transportation service) providers.



(10)      Local education agencies and agencies, school‑based health providers.providers, and student health centers that primarily serve students matriculating at public or private institutions of higher education in this State.



(11)      Chiropractors licensed under Article 8 of this Chapter.



(12)      Dentists licensed under Article 2 of this Chapter.



Connection to the HIE Network by any other covered entities that are not required by subsections (a1) and (b) of this section to connect to the HIE Network or submit data is voluntary.



(e1)      Mandatory and Voluntary Connection and Submissions by the Same Covered Entity. – A covered entity that provides, maintains, controls, directs, or licenses a data transfer system on behalf of providers and entities that are required to connect to, and submit data through, the HIE Network under this Article, as well as on behalf of providers and entities that voluntarily connect to, and submit data through, the HIE Network may elect not to submit through the HIE Network clinical, demographic, or claims data generated by the providers and entities that voluntarily connect to, and submit data through, the HIE Network. However, the covered entity is required to submit through the HIE Network clinical, demographic, or claims data generated by providers and entities that are required to connect to, and submit data through, the HIE Network.



(f)        Confidentiality of Data. – All data submitted to or through the HIE Network containing protected health information, personally identifying information, or a combination of these, that are in the possession of the Department of Information Technology or any other agency of the State are confidential and shall not be defined as public records under G.S. 132‑1. This subsection shall not be construed to prohibit the disclosure of any such data as otherwise permitted under federal law.



(g)        Time‑Limited Exceptions for Connecting to, and Submitting Data Through, the HIE Network. – All of the following apply to any exception granted by the Authority for connecting to, and submitting data through, the HIE Network:



(1)        A covered entity that provides, maintains, controls, directs, or licenses a data transfer system on behalf of providers or entities identified in subsection (a1) of this section may seek to obtain from the Authority a time‑limited exception for those providers or entities to connect to, and begin submitting required data through, the HIE Network.



(2)        The Authority shall administer the process by which a covered entity seeks a time‑limited exception for providers or entities to connect to, and begin submitting required data through, the HIE Network. The Authority shall make the final determination about whether to grant or deny requests for a time‑limited exception. Any exception authorized by the Authority may not exceed a one‑year period. However, a covered entity may seek to renew an exception.



(3)        In order for a covered entity to obtain a time‑limited exception for the providers and entities on whose behalf it provides, maintains, controls, directs, or licenses a data transfer system, the covered entity must demonstrate eligibility for the exception by meeting at least one of the following criteria:



a.         During the previous year, the covered entity and the providers and entities on whose behalf it maintained, controlled, directed, or licensed a data transfer system received in the aggregate less than one million dollars ($1,000,000) in State health care funds for providing health care services to beneficiaries of State‑funded health care.



b.         The covered entity and the providers and entities on whose behalf it provides, maintains, controls, directs, or licenses a data transfer system operated in whole or in part in a geographic area with limited or emergent broadband availability. The Department of Information Technology, Division of Broadband, shall identify these geographic areas and the Authority shall publish a list of the identified geographic areas to its website. Alternatively, the Authority, after consultation with the Department of Information Technology, Division of Broadband, may, in its discretion, grant a time‑limited exception after evaluating materials provided by a covered entity regarding its level of broadband connectivity.



c.         The covered entity will close, dissolve, or be acquired by another entity within the next 12 months.



d.         The provider or entity has not yet implemented or is in the process of implementing a data transfer system.



(4)        To request a time‑limited exception under this subsection, the covered entity shall submit to the Authority an application and attestation form, which shall both be created by the Authority and made available on its website, containing at least all of the following information:



a.         Date of request and application period.



b.         Name, Organization NPI, and location.



c.         Names of providers and entities on whose behalf the covered entity is applying, as well as their respective Organization NPIs.



d.         Technical information regarding its data transfer system and vendor,



            if applicable.



e.         Provider network information for the State Health Plan for Teachers and State Employees and the North Carolina Medicaid program, as applicable.



f.          Identification of the bases criterion, or criteria, in subdivision (g)(3) of this section for which the covered entity seeks a time‑limited exception.



g.         Supporting documents and materials determined by the Authority to be necessary to substantiate the covered entity's eligibility for the exception.



h.         An attestation executed by an authorized representative of the covered entity regarding the validity, truth, and completeness of the application and attestation form submitted by the covered entity to the Authority.



§ 90‑414.5.  State agency and legislative access to HIE Network data.



(a)        The Authority shall provide the Department and the State Health Plan for Teachers and State Employees secure, real‑time access to data and information disclosed through the HIE Network, solely for the purposes set forth in G.S. 90‑414.4(a) and in G.S. 90‑414.2. The Authority shall limit access granted to the State Health Plan for Teachers and State Employees pursuant to this section to data and information disclosed through the HIE Network that pertains to services (i) rendered to teachers and State employees and (ii) paid for by the State Health Plan.



(b)        At the written request of the Director of the Fiscal Research, Legislative Drafting, or Legislative Analysis Division of the General Assembly for an aggregate analysis of the data and information disclosed through the HIE Network, the Authority shall provide the professional staff of these Divisions with the aggregated analysis responsive to the Director's request. Prior to providing the Director or General Assembly's staff with any aggregate data or information submitted through the HIE Network or with any analysis of this aggregate data or information, the Authority shall redact any personal identifying information in a manner consistent with the standards specified for de‑identification of health information under the HIPAA Privacy Rule, 45 C.F.R. § 164.514, as amended.



§ 90‑414.6.  State ownership of HIE Network data.



Any data pertaining to services rendered to Medicaid and other beneficiaries of State‑funded health care program beneficiaries that is submitted through and stored by the HIE Network pursuant to G.S. 90‑414.4 or any other provision of this Article shall be and will remain the sole property of the State. Any data or product derived from the aggregated, de‑identified data submitted to and stored by the HIE Network pursuant to G.S. 90‑414.4 or any other provision of this Article, shall be and will remain the sole property of the State. The Authority shall not allow data it receives pursuant to G.S. 90‑414.4 or any other provision of this Article to be used or disclosed by or to any person or entity for commercial purposes or for any other purpose other than those set forth in G.S. 90‑414.4(a) or G.S. 90‑414.2. To the extent the Authority receives requests for electronic health information as the term is defined in 45 C.F.R. § 171.102, or other medical records from an individual, an individual's personal representative, or an individual or entity purporting to act on an individual's behalf, the Authority (i) shall not fulfill the request and (ii) shall make available to the requester and the public, via the Authority's website, educational materials about how to access such information from other sources. If the Authority participates in the Trusted Exchange Framework and Common Agreement, then it may provide individual access services through the Trusted Exchange Framework and Common Agreement. Patient identifiers created and utilized by the Authority to integrate identity data in the HIE Network, along with the minimum necessary required demographic information related to those patients, shall be released to the GDAC and the Department by the Authority for purposes of entity resolution and master data management. These identifiers shall not be considered public records pursuant to Chapter 132 of the General Statutes.



§ 90‑414.7.  North Carolina Health Information Exchange Authority.



(a)        Creation. – There is hereby established the North Carolina Health Information Exchange Authority to oversee and administer the HIE Network in accordance with this Article. The Authority shall be located within the Department of Information Technology and shall be under the supervision, direction, and control of the State CIO. The State CIO shall employ an Authority Director and may delegate to the Authority Director all powers and duties associated with the daily operation of the Authority, its staff, and the performance of the powers and duties set forth in subsection (b) of this section. In making this delegation, however, the State CIO maintains the responsibility for the performance of these powers and duties.



(b)        Powers and Duties. – The Authority has the following powers and duties:



(1)        Oversee and administer the HIE Network in a manner that ensures all of the following:



a.         Compliance with this Article.



b.         Compliance with HIPAA and any rules adopted under HIPAA, including the Privacy Rule and Security Rule.



c.         Compliance with the terms of any participation agreement, business associate agreement, or other agreement the Authority or qualified organization or other person or entity enters into with a covered entity participating in submission of data through or accessing the HIE Network.



d.         Notice to the patient by the healthcare provider or other person or entity about the HIE Network, including information and education about the right of individuals on a continuing basis to opt out or rescind a decision to opt out.



e.         Opportunity for all individuals whose data has been submitted to the HIE Network to exercise on a continuing basis the right to opt out or rescind a decision to opt out.



f.          Nondiscriminatory treatment by covered entities of individuals who exercise the right to opt out.



g.         Facilitation of HIE Network interoperability with electronic health record systems of all covered entities listed in G.S. 90‑414.4(b).



h.         Minimization of the amount of data required to be submitted under G.S. 90‑414.4(b) and any use or disclosure of such data to what is determined by the Authority to be required in order to advance the purposes set forth in G.S. 90‑414.2 and G.S. 90‑414.4(a).



(2)        In consultation with the Advisory Board, set guiding principles for the development, implementation, and operation of the HIE Network.



(3)        Employ staff necessary to carry out the provisions of this Article and determine the compensation, duties, and other terms and conditions of employment of hired staff.



(4)        Enter into contracts pertaining to the oversight and administration of the HIE Network, including contracts of a consulting or advisory nature. G.S. 143‑64.20 does not apply to this subdivision.



(5)        Establish fees for participation in the HIE Network and report the established fees to the General Assembly, with an explanation of the fee determination process.



(6)        Following consultation with the Advisory Board, develop, approve, and enter into, directly or through qualified organizations acting under the authority of the Authority, written participation agreements with persons or entities that participate in or are granted access or user rights to the HIE Network. The participation agreements shall set forth terms and conditions governing participation in, access to, or use of the HIE Network not less than those set forth in agreements already governing covered entities' participation in the federal eHealth Exchange. The agreement shall also require compliance with policies developed by the Authority pursuant to this Article or pursuant to applicable laws of the state of residence for entities located outside of North Carolina.



(7)        Receive, access, add, and remove data submitted through and stored by the HIE Network in accordance with this Article.



(8)        Following consultation with the Advisory Board, enter into, directly or through qualified organizations acting under the authority of the Authority, a HIPAA compliant business associate agreement with each of the persons or entities participating in or granted access or user rights to the HIE Network.Network, except for federal agencies that access the HIE Network solely to review patient data for treatment purposes and exchanges made through eHealth Exchange or the Trusted Exchange Framework and Common Agreement so long as the Authority enters into the agreements that are required to participate in each of these respective national networks.



(9)        Following consultation with the Advisory Board, grant user rights to the HIE Network to business associates of covered entities participating in the HIE Network (i) at the request of the covered entities and (ii) at the discretion of and subject to contractual, policy, and other requirements of the Authority upon consideration of and consistent with the business associates' legitimate need for utilizing the HIE Network and privacy and security concerns.



(10)      Facilitate and promote use of the HIE Network by covered entities.entities and business associates acting on their behalf.



(11)      Actively monitor compliance with this Article by the Department, covered entities, and any other persons or entities participating in or granted access or user rights to the HIE Network or any data submitted through or stored by the HIE Network.



(12)      Collaborate with the State CIO to ensure that resources available through the GDAC are properly leveraged, assigned, or deployed to support the work of the Authority. The duty to collaborate under this subdivision includes collaboration on data hosting and development, implementation, operation, and maintenance of the HIE Network.



(13)      Initiate or direct expansion of existing public‑private partnerships within the GDAC as necessary to meet the requirements, duties, and obligations of the Authority. Notwithstanding any other provision of law and subject to the availability of funds, the State CIO, at the request of the Authority, shall assist and facilitate expansion of existing contracts related to the HIE Network, provided that such request is made in writing by the Authority to the State CIO with reference to specific requirements set forth in this Article.



(14)      In consultation with the Advisory Board, develop a strategic plan for achieving statewide participation in the HIE Network by all hospitals and health care providers licensed in this State.



(15)      In consultation with the Advisory Board, define the following with respect to operation of the HIE Network:



a.         Business policy.



b.         Protocols for data integrity, data sharing, data security, HIPAA compliance, and business intelligence as defined in G.S. 143B‑1381. To the extent permitted by HIPAA, protocols for data sharing shall allow for the disclosure of data for academic research.



c.         Qualitative and quantitative performance measures.



d.         An operational budget and assumptions.



(16)      Annually report to the Joint Legislative Oversight Committee on Health and Human Services and the Joint Legislative Oversight Committee on Information Technology on the following:



a.         The operation of the HIE Network.



b.         Any efforts or progress in expanding participation in the HIE Network.



c.         Health care trends based on information disclosed through the HIE Network.



(17)      Ensure that the HIE Network interfaces with the federal level HIE, the eHealth Exchange.



(18)      Enforce the provisions of this Article.



(19)      Provide data related services, as allowed by G.S. 90‑414.16.



(20)      Adopt rules as needed to implement the appeal process established by G.S. 90‑414.15.



§ 90‑414.8.  North Carolina Health Information Exchange Advisory Board.



(a)        Creation and Membership. – There is hereby established the North Carolina Health Information Exchange Advisory Board within the Department of Information Technology. The Advisory Board shall consist of the following 12 13 members:



(1)        The following four members appointed by the President Pro Tempore of the Senate:



a.         A licensed physician in good standing and actively practicing in this State.



b.         A patient representative.



c.         An individual with technical expertise in health data analytics.



d.         A representative of a behavioral health provider.



(2)        The following four members appointed by the Speaker of the House of Representatives:



a.         A representative of a critical access hospital.



b.         A representative of a federally qualified health center.



c.         An individual with technical expertise in health information technology.



d.         A representative of a health system or integrated delivery network.



(3)        The following three ex officio, nonvoting members:



a.         The State Chief Information Officer or a designee.



b.         The Director of GDAC or a designee.



c.         The Secretary of Health and Human Services, or a designee.



(4)        The following ex officio, voting member:members:



a.         The Executive Administrator of the State Health Plan for Teachers and State Employees, or a designee.



b.         The Deputy Secretary for the State's Medicaid program, or a designee.



(b)        Chairperson. – A chairperson shall be elected from among the members. The chairperson shall organize and direct the work of the Advisory Board.



(c)        Administrative Support. – The Department of Information Technology shall provide necessary clerical and administrative support to the Advisory Board.



(d)       Meetings. – The Advisory Board shall meet at least quarterly and at the call of the chairperson. A majority of the Advisory Board constitutes a quorum for the transaction of business.



(e)        Terms. – In order to stagger terms, in making initial appointments, the President Pro Tempore of the Senate shall designate two of the members appointed under subdivision (1) of subsection (a) of this section to serve for a one‑year period from the date of appointment and, the Speaker of the House of Representatives shall designate two members appointed under subdivision (2) of subsection (a) of this section to serve for a one‑year period from the date of appointment. The remaining appointed voting members shall serve two‑year periods. Future appointees who are voting members shall serve terms of two years, with staggered terms based on this subsection. Appointed voting members may serve up to two consecutive terms, not including the abbreviated two‑year terms that establish staggered terms or terms of less than two years that result from the filling of a vacancy. Ex officio, nonvoting and voting members are not subject to these term limits. A vacancy other than by expiration of a term shall be filled by the appointing authority.



(f)        Expenses. – Members of the Advisory Board who are State officers or employees shall receive no compensation for serving on the Advisory Board but may be reimbursed for their expenses in accordance with G.S. 138‑6. Members of the Advisory Board who are full‑time salaried public officers or employees other than State officers or employees shall receive no compensation for serving on the Advisory Board but may be reimbursed for their expenses in accordance with G.S. 138‑5(b). All other members of the Advisory Board may receive compensation and reimbursement for expenses in accordance with G.S. 138‑5.



(g)        Duties. – The Advisory Board shall provide consultation to the Authority with respect to the advancement, administration, and operation of the HIE Network and on matters pertaining to health information technology and exchange, generally. In carrying out its responsibilities, the Advisory Board may form committees of the Advisory Board to examine particular issues related to the advancement, administration, or operation of the HIE Network.



§ 90‑414.9.  Participation by covered entities.



(a)        Each Except for federal agencies that access the HIE Network solely to review patient data for treatment purposes, all covered entity that participates entities that participate in the HIE Network shall enter into a HIPAA compliant business associate agreement described in G.S. 90‑414.7(b)(8) and a written participation agreement described in G.S. 90‑414.7(b)(6) with the Authority or qualified organization prior to submitting data through or in the HIE Network. Notwithstanding this subsection, the Authority may exchange data in the HIE Network through the national eHealth Exchange and the Trusted Exchange Framework and Common Agreement so long as the Authority enters into the agreements that are necessary to participate in each of these national networks.



(b)        Each covered entity that participates in the HIE Network may authorize its business associates on behalf of the covered entity to submit data through, or access data stored in, the HIE Network in accordance with this Article and at the discretion of the Authority, as provided in G.S. 90‑414.7(b)(8).



(c)        Notwithstanding any federal or State law or regulation to the contrary, each covered entity that participates in the HIE Network may disclose an individual's protected health information through the HIE Network to other covered entities for any purpose permitted by HIPAA.



§ 90‑414.10.  Continuing right to opt out; effect of opt out.



(a)        Each individual has the right on a continuing basis to opt out or rescind a decision to opt out.



(b)        The Authority or its designee shall enforce an individual's decision to opt out or rescind an opt out prospectively from the date the Authority or its designee receives written notice of the individual's decision to opt out or rescind an opt out in the manner prescribed by the Authority. An individual's decision to opt out or rescind an opt out does not affect any disclosures made by the Authority or covered entities through the HIE Network prior to receipt by the Authority or its designee of the individual's written notice to opt out or rescind an opt out.



(c)        A covered entity shall not deny treatment, coverage, or benefits to an individual because of the individual's decision to opt out. However, nothing in this Article is intended to restrict a health care provider from otherwise appropriately terminating a relationship with an individual in accordance with applicable law and professional ethical standards.



(d)       Except as otherwise permitted in G.S. 90‑414.11(a)(3), or as required by law, the protected health information of an individual who has exercised the right to opt out may not be made accessible or disclosed to covered entities or any other person or entity through the HIE Network for any purpose.



(e)        Repealed by Session Laws 2017‑57, s. 11A.5(e), effective July 1, 2017.



§ 90‑414.11.  Construction and applicability.



(a)        Nothing in this Article shall be construed to do any of the following:



(1)        Impair any rights conferred upon an individual under HIPAA, including all of the following rights related to an individual's protected health information:



a.         The right to receive a notice of privacy practices.



b.         The right to request restriction of use and disclosure.



c.         The right of access to inspect and obtain copies.



d.         The right to request amendment.



e.         The right to request confidential forms of communication.



f.          The right to receive an accounting of disclosures.



(2)        Authorize the disclosure of protected health information through the HIE Network to the extent that the disclosure is restricted by federal laws or regulations, including the federal drug and alcohol confidentiality regulations set forth in 42 C.F.R. Part 2.



(3)        Restrict the disclosure of protected health information through the HIE Network for public health purposes or research purposes, so long as disclosure is permitted by both HIPAA and State law.



(4)        Prohibit the Authority or any covered entity participating in the HIE Network from maintaining in the Authority's or qualified organization's computer system a copy of the protected health information of an individual who has exercised the right to opt out, as long as the Authority or the qualified organization does not access, use, or disclose the individual's protected health information for any purpose other than for necessary system maintenance or as required by federal or State law.



(b)        This Article applies only to disclosures of protected health information made through the HIE Network, including disclosures made within qualified organizations. It does not apply to the use or disclosure of protected health information in any context outside of the HIE Network, including the redisclosure of protected health information obtained through the HIE Network.



§ 90‑414.12.  Penalties and remedies; immunity for covered entities and business associates for good faith participation.



(a)        Except as provided in subsection (b) of this section, a covered entity that discloses protected health information in violation of this Article is subject to the following:



(1)        Any civil penalty or criminal penalty, or both, that may be imposed on the covered entity pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, P.L. 111‑5, Div. A, Title XIII, section 13001, as amended, and any regulations adopted under the HITECH Act.federal law or regulation.



(2)        Any civil remedy available under the HITECH Act or any regulations adopted under the HITECH Act that is available to the Attorney General or to an individual who has been harmed by a violation of this Article, including damages, penalties, attorneys' fees, and costs.federal law or regulation.



(3)        Disciplinary action by the respective licensing board or regulatory agency with jurisdiction over the covered entity.



(4)        Any penalty authorized under Article 2A of Chapter 75 of the General Statutes if the violation of this Article is also a violation of Article 2A of Chapter 75 of the General Statutes.



(5)        Any other civil or administrative remedy available to a plaintiff by State or federal law or equity.



(a1)      In connection with the submission of the annual compliance report required by G.S. 90‑414.13, it is unlawful for any person or entity to knowingly present or cause to be presented to the Authority a false record to avoid full payment of the State health data assessment under G.S. 90‑414.4. The Authority may assess against any person or entity that violates this subsection a civil penalty of not less than five thousand dollars ($5,000) and not more than ten thousand dollars ($10,000), plus three times the amount of damages sustained by the Authority as a result of that person's or entity's actions. The clear proceeds of civil penalties provided for in this subsection shall be remitted to the Civil Penalty and Forfeiture Fund in accordance with G.S. 115C‑457.2.



(a2)      The Authority may assess a civil penalty not to exceed fifty dollars ($50.00) for each day after the required reporting period or deadline that the annual compliance report remains out of compliance with the requirements prescribed by G.S. 90‑414.13.



(b)        To the extent permitted under or consistent with federal law, a covered entity or its business associate that in good faith submits data through, accesses, uses, discloses, or relies upon data submitted through the HIE Network shall not be subject to criminal prosecution or civil liability for damages caused by such submission, access, use, disclosure, or reliance.



§ 90‑414.13.  Annual compliance report.



(a)        Reporting Requirement. – Each covered entity that provides, maintains, controls, directs, or licenses the data transfer system of a provider or entity subject to G.S. 90‑414.4(a1) that provides health care services to beneficiaries of State‑funded health care shall submit an annual compliance report to the Authority on a form created by the Authority that meets the requirements of this section.



(b)        The Authority shall develop and make available to covered entities an annual compliance report form, which the Authority may update from time to time after consultation with the Advisory Board. The annual compliance report form shall include fields for at least all of the following information:



(1)        Name of the covered entity, its location, and the Organization NPI.



(2)        Names of providers and entities on whose behalf the covered entity is submitting the annual compliance report, as well as their respective Organization NPIs.



(3)        Acknowledgment of the provision of health care services to beneficiaries of State‑funded health care.



(4)        Status of technical connection to the HIE Network, as determined under G.S. 90‑414.4(a4).



(5)        The status of data submission through the HIE Network that is in compliance with G.S. 90‑414.4.



(6)        Representations regarding each of the following, as applicable:



a.         For a covered entity that has executed an agreement with the Authority, a representation regarding that entity's compliance with such agreement.



b.         For a covered entity that has received a time‑limited exception from the Authority, a representation regarding its present intent to connect to, and begin submitting data through, the HIE Network.



c.         For a covered entity that is required to pay the State health data assessment fee authorized by G.S. 90‑414.14, a representation regarding the amount of the fee owed to the State, an explanation of how the fee amount was calculated, and whether the fee was submitted contemporaneously with the annual compliance report as required by G.S. 90‑414.14.



d.         For a covered entity that asserts it is exempt from paying the annual State health data assessment fee, representations regarding why it is eligible to claim the exemption allowed by G.S. 90‑414.14(e).



(7)        Attestation to the completeness and validity of the annual compliance report form and all representations contained on the form.



(c)        Covered entities shall submit to the Authority all reports and related statements, documents, and payments required by this section by the first of May each year. Covered entities shall be deemed to have submitted timely annual compliance reports if complete reports are postmarked or digitally time‑stamped on or before the day the reports are due to the Authority. If an annual compliance report or any related statements, documents, or payments are submitted in a manner that does not comply with this section, the Authority may assess a civil penalty not to exceed fifty dollars ($50.00) for each day after the first of May that the report remains out of compliance with the requirements of this section. The clear proceeds of civil penalties provided for in this subsection shall be remitted to the Civil Penalty and Forfeiture Fund in accordance with G.S. 115C‑457.2.



(d)       A covered entity that provides, maintains, controls, directs, or licenses a data transfer system solely on behalf of a provider or entity that voluntarily connects to the HIE Network pursuant to G.S. 90‑414.4(e) is not required to submit an annual compliance report.



(e)        State agencies are required to submit an abbreviated annual compliance report, on a form provided by the Authority, that shall be made available only to State agencies.



(f)        At the request of a covered entity, the Authority may waive any requirement in this section for good cause if the covered entity demonstrates to the satisfaction of the Authority that complying with a requirement in this section would cause an undue hardship.



(g)        The Department's Division of Health Benefits shall assist in administering the annual compliance report process as it pertains to the State's Medicaid providers, as determined necessary by the Authority. At a minimum, the Division of Health Benefits shall annually provide the Authority with a current list of enrolled Medicaid providers, assist with notifying those Medicaid providers about the annual compliance report requirement and reporting deadline established by this section, and provide available information requested by the Authority that is necessary for the Authority to audit or verify the completeness and accuracy of an enrolled Medicaid provider's annual compliance report and related materials submitted to the Authority by or on behalf of that provider.



§ 90‑414.14.  Annual State health data assessment fee.



(a)        Annual Fee Requirement. – Each covered entity that provides, maintains, controls, directs, or licenses a data transfer system on behalf of a provider or entity subject to the mandatory connection and data submission requirements of G.S. 90‑414.4 shall pay an annual State health data assessment fee each year if the covered entity meets any of the following criteria:



(1)        Is not connected to the HIE Network, as determined pursuant to subsection (a4) of G.S. 90‑414.4.



(2)        Is connected to the HIE Network, as determined pursuant to subsection (a4) of G.S. 90‑414.4 but is not submitting required data through the HIE Network.



(b)        Amount of Annual Fee. – The General Assembly shall determine the State health data assessment fee schedules for annual compliance report periods.



(c)        Fee Due Date. – A covered entity shall pay any required State health data assessment fee contemporaneously with the submission of the annual compliance report required by G.S. 90‑414.13.



(d)       HIE Network Data and Participation Fund; Use of Proceeds. – The HIE Network Data and Participation Fund (Fund) is established as a special fund in the Department of Information Technology under the management and control of the Authority. The Fund shall consist of the fees collected by the Authority pursuant to this section and all other funds received by the Authority pursuant to this Article, except for the clear proceeds of civil penalties collected pursuant to G.S. 90‑414.12, 90‑414.13, 90‑414.16, and subsection (g) of this section. The Fund shall be placed in an interest‑bearing account, and any interest or other income derived from the Fund shall be credited to the Fund. The Authority shall not use monies in this Fund for any purpose other than to pay for expenses incurred by the Authority in carrying out its powers and duties as set forth in this Article. Monies in the Fund shall only be available for expenditure upon an act of appropriation of the General Assembly. The Fund is subject to the provisions of the State Budget Act, except that no unexpended surplus of the Fund shall revert to the General Fund.



(e)        Fee Exemption. – A covered entity that provides, maintains, controls, directs, or licenses a data transfer system for providers or entities subject to the HIE Network connection and data submission requirements of this Article may claim an exemption from the State health data assessment fee during a reporting period by demonstrating to the satisfaction of the Authority that one or more of the following is true:



(1)        The covered entity has secured a time‑limited exception from the Authority under G.S. 90‑414.4(g) for the applicable State health data assessment fee reporting period.



(2)        The covered entity attests, in writing, that it and the providers and entities on whose behalf it provides, maintains, controls, directs, or licenses a data transfer system received less than five hundred thousand dollars ($500,000) in State health care funds for providing health care services to beneficiaries of State‑funded health care.



(3)        The covered entity is acting in good faith to comply with the Statewide Health Information Exchange Act as evidenced by all of the following:



a.         Has entered into a participation agreement with the Authority.



b.         Maintains contact with the Authority.



c.         Timely responds to direct communications from the Authority regarding matters such as connection status, onboarding, training, and data submission.



(4)        The covered entity is in its first year of existence, as evidenced by filings with the Office of the Secretary of State.



(5)        The covered entity attests, in writing, that it is actively transitioning between data transfer systems.



(f)        Revocation of Exempt Status. – The Authority may revoke a covered entity's exemption from payment of the State health data assessment fee if the covered entity is unresponsive to communications from the Authority or if the covered entity fails to maintain contact with the Authority. The Authority may revoke an exemption from the payment of the State health data assessment fee for good cause after giving the covered entity 30 days' written notice and an opportunity to cure any unresponsiveness to, or failure to maintain contact with, the Authority.



(g)        Civil Penalty for Submitting a False Record to Avoid the Fee. – It is unlawful for any person or entity to knowingly present or cause to be presented to the Authority a false record to avoid full payment of the State health data assessment fee due under this section. The Authority shall assess against any person or entity that violates this section a civil penalty of not less than five thousand dollars ($5,000) and not more than ten thousand dollars ($10,000), plus three times the amount of damages sustained by the Authority as a result of that person's or entity's actions. The clear proceeds of civil penalties provided for in this subsection shall be remitted to the Civil Penalty and Forfeiture Fund in accordance with G.S. 115C‑457.2.



§ 90‑414.15.  Appeal of Authority's determinations.



(a)        Determinations and Appeals. – The Authority shall make the following determinations regarding providers' and entities' obligations: (i) grant or deny requests for time‑limited exceptions under G.S. 90‑414.4 and (ii) assess penalties under G.S. 90‑414.14. The Authority shall send these determinations, in writing, to providers and entities via certified mail, return receipt requested, and via email, if known to the Authority. If a provider or entity disagrees with the Authority's determination, it shall deliver a petition for appeal to the Department of Information Technology's registered agent via certified mail, return receipt requested, within 30 calendar days after receipt of the Authority's written determination. The petition for appeal shall include an explanation of the specific reasons the provider or entity disagrees with the Authority's determination and shall be supported by documentation and affidavits regarding the petitioner's compliance with this Article along with any other supporting documentation the petitioner deems relevant to the appeal. The Authority shall develop and make available on its website the form to be used by any provider or entity seeking to appeal the Authority's determination.



(b)        Untimely Appeals. – A petitioner's failure to submit a timely petition for appeal shall result in the dismissal of the appeal with prejudice. The Department of Information Technology shall notify the provider or entity of such dismissal in writing.



(c)        Review by the State CIO or the State CIO's Designee. – The State CIO or the State CIO's designee shall review all timely petitions for appeal under this section. The State CIO or the State CIO's designee may render a decision on the petition without meeting with the petitioner. If the State CIO or State CIO's designee renders a decision without meeting with the petitioner, then the State CIO or the State CIO's designee shall notify the petitioner of his or her decision, in writing, within 30 calendar days after the date the petition was received by the Department of Information Technology. If the State CIO or the State CIO's designee determines it is necessary to meet with the petitioner prior to rendering a decision, the State CIO or the State CIO's designee and petitioner shall schedule a meeting within 30 calendar days after the date the petition was received by the Department of Information Technology, or as soon as reasonably practical thereafter, or as agreed upon by the parties. Within 30 calendar days after the date of the meeting, the State CIO or the State CIO's designee shall submit a decision, in writing, to the petitioner by certified mail, return receipt requested, and via email, if known.



(d)       Administrative Review. – If the petitioner disagrees with the decision of the State CIO or the State CIO's designee, the petitioner may commence a contested case under Article 3A of Chapter 150B of the General Statutes. A petition for a contested case shall be filed within 30 calendar days after the earlier of either the date the decision of the State CIO or the State CIO's designee is mailed to the petitioner or the date the decision of the State CIO or the State CIO's designee is emailed to the petitioner. Except as otherwise provided by this Article, no other disputes between the Authority and providers or entities, including disputes involving the terms or conditions of any agreement described in G.S. 90‑414.7(b), or a party's performance under any such agreement, are subject to the contested case provisions of Chapter 150B of the General Statutes.



§ 90‑414.16.  Data related services.



(a)        Data Related Services. – The Authority may provide data related services to a covered entity participating in the HIE Network or to a business associate of the participating covered entity that is using the service to perform a function for the participating covered entity. Only covered entities participating in the HIE Network may make a request to the Authority for data related services. Nothing in this section shall be construed to require the Authority to provide data related services to covered entities or their business associates. Data disclosed or used in the Authority's provision of these services to any person or entity shall not be used for commercial purposes.



(b)        Cost Recovery. – If the Authority voluntarily elects to provide a data related service to a covered entity, then it may charge a reasonable fee that may not exceed the actual cost incurred for the service. The cost recovery shall be based on generally accepted accounting principles and may include labor costs of the personnel providing the service, any information technology expense, and any other administrative expense.



SECTION 2.  The deadline for submitting the first report due under G.S. 90‑414.13 and the accompanying State health data assessment fee, if applicable, is May 1, 2028.



SECTION 3.  Pursuant to G.S. 90‑414.14(b), the initial State health data assessment fee schedules for annual compliance report periods beginning in 2028, 2029, and 2030 are as follows:



(1)        For the annual compliance report period beginning in 2028:



Amount of State Health Care Funds             State Health Data Assessment Fee: Amount



received in 2024                                                Due



$1,000,000 +                                                      1.6% of State health care funds received in 2027



$750,001 – $1,000,000                                      $9,000



$500,001 – $750,000                                         $6,000



$250,001 – $500,000                                         $3,000



Less than $250,000                                            (No fee)



(2)        For the annual compliance report period beginning in 2029:



Amount of State Health Care Funds             State Health Data Assessment Fee: Amount



received in 2025                                                Due



$1,000,000 +                                                      1.6% of State health care funds received in 2028



$750,001 – $1,000,000                                      $12,000



$500,001 – $750,000                                         $8,000



$250,001 – $500,000                                         $4,000



Less than $250,000                                            (No fee)



(3)        For the annual compliance report period beginning in 2030:



Amount of State Health Care Funds             State Health Data Assessment Fee: Amount



received in 2026                                                Due



$1,000,000 +                                                      1.6% of State health care funds received in 2029



$750,001 – $1,000,000                                      $15,000



$500,001 – $750,000                                         $9,000



$250,001 – $500,000                                         $4,500



Less than $250,000                                            (No fee)



SECTION 4.  This act becomes effective December 1, 2025.





Back to top