New Mexico Statutes 24-14B-6. Use and disclosure of electronic health care information
A. A provider, health care institution, health information exchange or health care group purchaser shall not use or disclose health care information in an individual’s electronic medical record to another person without the consent of the individual except as allowed by state or federal law.
B. A provider, health care institution or health care group purchaser may disclose demographic information and information about the location of an individual’s electronic medical records to a record locator service in accordance with state or federal law. A provider or health care institution participating in a health information exchange using a record locator service shall not have access to demographic information, information about the location of the individual’s electronic medical records or information in an individual’s electronic medical record except in connection with the treatment of the individual or as permitted by the consent of the individual or as otherwise permitted by state or federal law.
C. A record locator service shall maintain an audit log of persons obtaining access to information in the record locator service, which audit log shall contain, at a minimum, information on:
(1) the identity of the person obtaining access to the information; (2) the identity of the individual whose information was obtained; (3) the location from which the information was obtained;
(4) the specific information obtained; and
(5) the date that the information was obtained.
D. The audit log shall be made available by a health information exchange on the request of an individual whose health care information is the subject of the audit log; provided, however, that the audit log made available to the individual shall include only information related to that individual. The audit log shall be made available to the requesting individual annually for a fee not to exceed twenty-five cents ($.25) per page as established by the department of health.
E. A record locator service shall provide a mechanism under which individuals may exclude their demographic information and information about the location of their electronic medical records from the record locator service. A person operating a record locator service or a health information exchange that receives an individual’s request to exclude all of the individual’s information from the record locator service is responsible for removing that information from the record locator service within thirty days. An individual’s request for exclusion of information shall be in writing and shall include a waiver of liability for any harm caused by the exclusion of the individual’s information.
F. When information in an individual’s electronic medical record is requested using a record locator service or a health information exchange:
(1) the requesting provider or health care institution shall warrant that the request is for the treatment of the individual, is permitted by the individual’s written authorization or is otherwise permitted by state or federal law; and
(2) the person disclosing the information may rely upon the warranty of the person making the request that the request is for the treatment of the individual, is permitted with the consent of the individual or is otherwise permitted by state or federal law.
G. Notwithstanding any other provision of law, information in an individual’s electronic medical record may be disclosed:
(1) to a provider that has a need for information about the individual to treat a condition that poses an immediate threat to the life of any individual and that requires immediate medical attention;
(2) except as provided in the Electronic Medical Records Act, to a record locator service or a health information exchange for the development and operation of the record locator service and the health information exchange; and
(3) to a provider, health care institution or health care group purchaser for treatment, payment or health care operation activities, in compliance with the federal Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated pursuant to that act, and if applicable, in compliance with 42 U.S.C. § 290dd-2 and the regulations promulgated pursuant to that section.
H. For the purposes of this section, “health care operation activities” includes administrative, financial, legal and quality improvement activities of a covered entity that are necessary to conduct business and to support the core functions of treatment and payment and are limited to the activities listed in the definition of “health care operations” at 45 C.F.R. § 164.501.