Section 12. In the event of an unauthorized access to or disclosure of individually identifiable patient health information by or through the statewide health information exchange or by or through any technology grantees or implementing organizations funded in whole or in part from the eāHealth Institute Fund established in section 6E of chapter 40J or the Massachusetts Health Information Exchange Fund established in section 10, the operator of such exchange or grantee or contractor shall: (i) report the conditions of such unauthorized access or disclosure as required by the executive office; and (ii) provide notice, as defined in section 1 of chapter 93H, as soon as practicable, but not later than 10 business days after such unauthorized access or disclosure, to any person whose patient health information may have been compromised as a result of such unauthorized access or disclosure, and shall report the conditions of such unauthorized access or disclosure. Any unauthorized access or disclosures shall be punishable by the civil penalties under section 16.
Structure Massachusetts General Laws
Part I - Administration of the Government
Chapter 118i - Health Information Technology
Section 2 - Health Information Technology Council
Section 5 - Statewide Health Information Exchange Implementation Plan
Section 6 - Patient's Electronic Access to Health Records
Section 8 - Penalties for Non-Compliance
Section 10 - Massachusetts Health Information Exchange Fund
Section 11 - Plan Requirements
Section 12 - Unauthorized Access or Disclosure; Reporting; Notice to Patient
Section 13 - Patient Election to Participate in Health Information Exchange