Article 29B.

Statewide Health Information Exchange Act.

90-414.1. Title.

This act shall be known and may be cited as the "Statewide Health Information Exchange Act." (2015-241, s. 12A.5(d).)

 

90-414.2. Purpose.

This Article is intended to improve the quality of health care delivery within this State by facilitating and regulating the use of a voluntary, statewide health information exchange network for the secure electronic transmission of individually identifiable health information among health care providers, health plans, and health care clearinghouses in a manner that is consistent with the Health Insurance Portability and Accountability Act, Privacy Rule and Security Rule, 45 C.F.R. 160, 164. (2015-241, s. 12A.5(d).)

 

90-414.3. Definitions.

The following definitions apply in this Article:

(1) Business associate. - As defined in 45 C.F.R. 160.103.

(2) Business associate contract. - The documentation required by 45 C.F.R. 164.502(e)(2) that meets the applicable requirements of 45 C.F.R. 164.504(e).

(3) Covered entity. - Any entity described in 45 C.F.R. 160.103 or any other facility or practitioner licensed by the State to provide health care services.

(4) Department. - North Carolina Department of Health and Human Services.

(5) Disclose or disclosure. - The release, transfer, provision of access to, or divulging in any other manner an individual's protected health information through the HIE Network.

(6) Repealed by Session Laws 2017-57, s. 11A.5(f), effective July 1, 2017.

(7) GDAC. - The North Carolina Government Data Analytics Center.

(8) HIE Network. - The voluntary, statewide health information exchange network overseen and administered by the Authority.

(9) HIPAA. - Sections 261 through 264 of the federal Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended, and any federal regulations adopted to implement these sections, as amended.

(10) Individual. - As defined in 45 C.F.R. 160.103.

(11) North Carolina Health Information Exchange Advisory Board or Advisory Board. - The Advisory Board established under G.S. 90-414.8.

(12) North Carolina Health Information Exchange Authority or Authority. - The entity established pursuant to G.S. 90-414.7.

(13) Opt out. - An individual's affirmative decision communicated to the Authority in writing to disallow his or her protected health information from being disclosed by the Authority to covered entities or other persons or entities through the HIE Network.

(14) Protected health information. - As defined in 45 C.F.R. 160.103.

(15) Public health purposes. - The public health activities and purposes described in 45 C.F.R. 164.512(b).

(16) Qualified organization. - An entity with which the Authority has contracted for the sole purpose of facilitating the exchange of data with or through the HIE Network.

(17) Research purposes. - Research purposes referenced in and subject to the standards described in 45 C.F.R. 164.512(i).

(18) State CIO. - The State Chief Information Officer. (2015-241, s. 12A.5(d); 2015-264, s. 86.5(b); 2017-57, ss. 11A.5(c), (f).)

 

90-414.4. Required participation in HIE Network for some providers.

(a) Findings. - The General Assembly makes the following findings:

(1) That controlling escalating health care costs of the Medicaid program and other State-funded health care services is of significant importance to the State, its taxpayers, its Medicaid recipients, and other recipients of State-funded health care services.

(2) That the State and covered entities in North Carolina need timely access to certain demographic and clinical information pertaining to services rendered to Medicaid and other State-funded health care program beneficiaries and paid for with Medicaid or other State-funded health care funds in order to assess performance, improve health care outcomes, pinpoint medical expense trends, identify beneficiary health risks, and evaluate how the State is spending money on Medicaid and other State-funded health care services.

(3) That making demographic and clinical information available to the State and covered entities in North Carolina by secure electronic means as set forth in subsection (b) of this section will improve care coordination within and across health systems, increase care quality for such beneficiaries, enable more effective population health management, reduce duplication of medical services, augment syndromic surveillance, allow more accurate measurement of care services and outcomes, increase strategic knowledge about the health of the population, and facilitate health care cost containment.

(a1) Mandatory Connection to HIE Network. - Notwithstanding the voluntary nature of the HIE Network under G.S. 90-414.2, the following providers and entities shall be connected to the HIE Network and begin submitting data through the HIE Network pertaining to services rendered to Medicaid beneficiaries and to other State-funded health care program beneficiaries and paid for with Medicaid or other State-funded health care funds in accordance with the following time line:

(1) The following providers of Medicaid services licensed to operate in the State that have an electronic health record system shall begin submitting, at a minimum, demographic and clinical data by June 1, 2018:

a. Hospitals as defined in G.S. 131E-176(13).

b. Physicians licensed to practice under Article 1 of Chapter 90 of the General Statutes, except for licensed physicians whose primary area of practice is psychiatry.

c. Physician assistants as defined in 21 NCAC 32S.0201.

d. Nurse practitioners as defined in 21 NCAC 36.0801.

(2) Except as provided in subdivisions (3), (4), and (5) of this subsection, all other providers of Medicaid and State-funded health care services shall begin submitting demographic and clinical data by June 1, 2020.

(3) The following entities shall submit encounter and claims data, as appropriate, in accordance with the following time line:

a. Prepaid Health Plans, as defined in G.S. 108D-1, by the commencement date of a capitated contract with the Division of Health Benefits for the delivery of Medicaid and NC Health Choice services as specified in Article 4 of Chapter 108D of the General Statutes.

b. Local management entities/managed care organizations, as defined in G.S. 122C-3, by June 1, 2020.

(4) The following entities shall begin submitting demographic and clinical data by June 1, 2021:

a. Ambulatory surgical centers as defined in G.S. 131E-146.

b. Dentists licensed under Article 2 of Chapter 90 of the General Statutes.

c. Licensed physicians whose primary area of practice is psychiatry.

d. The State Laboratory of Public Health operated by the Department of Health and Human Services.

(5) The following entities shall begin submitting claims data by June 1, 2021:

a. Pharmacies registered with the North Carolina Board of Pharmacy under Article 4A of Chapter 90 of the General Statutes.

b. State health care facilities operated under the jurisdiction of the Secretary of the Department of Health and Human Services, including State psychiatric hospitals, developmental centers, alcohol and drug treatment centers, neuro-medical treatment centers, and residential programs for children such as the Wright School and the Whitaker Psychiatric Residential Treatment Facility.

(a2) Extensions of Time for Establishing Connection to the HIE Network. - The Department of Information Technology, in consultation with the Department of Health and Human Services and the State Health Plan for Teachers and State Employees, may establish a process to grant limited extensions of the time for providers and entities to connect to the HIE Network and begin submitting data as required by this section upon the request of a provider or entity that demonstrates an ongoing good-faith effort to take necessary steps to establish such connection and begin data submission as required by this section. The process for granting an extension of time must include a presentation by the provider or entity to the Department of Information Technology, the Department of Health and Human Services, and the State Health Plan for Teachers and State Employees on the expected time line for connecting to the HIE Network and commencing data submission as required by this section. Neither the Department of Information Technology, the Department of Health and Human Services, nor the State Health Plan for Teachers and State Employees shall grant an extension of time (i) to any provider or entity that fails to provide this information to both Departments, and the State Health Plan for Teachers and State Employees, (ii) that would result in the provider or entity connecting to the HIE Network and commencing data submission as required by this section later than June 1, 2020, or (iii) that would result in any provider or entity specified in subdivisions (4) and (5) of subsection (a1) of this section connecting to the HIE Network and commencing data submission as required by this section later than June 1, 2022. The Department of Information Technology shall consult with the Department of Health and Human Services and the State Health Plan for Teachers and State Employees to review and decide upon a request for an extension of time under this section within 30 days after receiving a request for an extension.

(a3) Exemptions from Connecting to the HIE Network. - The Secretary of Health and Human Services, or the Secretary's designee, shall have the authority to grant exemptions to classes of providers of Medicaid and other State-funded health care services for whom acquiring and implementing an electronic health record system and connecting to the HIE Network as required by this section would constitute an undue hardship. The Secretary, or the Secretary's designee, shall promptly notify the Department of Information Technology of classes of providers granted hardship exemptions under this subsection. Neither the Secretary nor the Secretary's designee shall grant any hardship exemption that would result in any class of provider connecting to the HIE Network and submitting data later than December 31, 2022.

(b) Mandatory Submission of Demographic and Clinical Data. - Notwithstanding the voluntary nature of the HIE Network under G.S. 90-414.2 and, except as otherwise provided in subsection (c) of this section, as a condition of receiving State funds, including Medicaid funds, the following entities shall submit at least twice daily, through the HIE network, demographic and clinical information pertaining to services rendered to Medicaid and other State-funded health care program beneficiaries and paid for with Medicaid or other State-funded health care funds, solely for the purposes set forth in subsection (a) of this section:

(1) Each hospital, as defined in G.S. 131E-176(13) that has an electronic health record system.

(2) Each Medicaid provider.

(3) Each provider that receives State funds for the provision of health services.

(4) Each local management entity/managed care organization, as defined in G.S. 122C-3.

(c) Exemption for Certain Records. - Providers with patient records that are subject to the disclosure restrictions of 42 C.F.R. 2 are exempt from the requirements of subsection (b) of this section but only with respect to the patient records subject to these disclosure restrictions. Providers shall comply with the requirements of subsection (b) of this section with respect to all other patient records. A pharmacy shall only be required to submit claims data pertaining to services rendered to Medicaid and other State-funded health care program beneficiaries and paid for with Medicaid or other State-funded health care funds.

(c1) Exemption from Twice Daily Submission. - A pharmacy shall only be required to submit claims data once daily through the HIE Network using pharmacy industry standardized formats.

(d) Method of Data Submissions. - The data submissions required under this section shall be by connection to the HIE Network periodic asynchronous secure structured file transfer or any other secure electronic means commonly used in the industry and consistent with document exchange and data submission standards established by the Office of the National Coordinator for Information Technology within the U.S. Department of Health and Human Services.

(e) Voluntary Connection for Certain Providers. - Notwithstanding the mandatory connection and data submission requirements in subsections (a1) and (b) of this section, the following providers of Medicaid services or other State-funded health care services are not required to connect to the HIE Network or submit data but may connect to the HIE Network and submit data voluntarily:

(1) Community-based long-term services and supports providers, including personal care services, private duty nursing, home health, and hospice care providers.

(2) Intellectual and developmental disability services and supports providers, such as day supports and supported living providers.

(3) Community Alternatives Program waiver services (including CAP/DA, CAP/C, and Innovations) providers.

(4) Eye and vision services providers.

(5) Speech, language, and hearing services providers.

(6) Occupational and physical therapy providers.

(7) Durable medical equipment providers.

(8) Nonemergency medical transportation service providers.

(9) Ambulance (emergency medical transportation service) providers.

(10) Local education agencies and school-based health providers.

(f) Confidentiality of Data. - All data submitted to or through the HIE Network containing protected health information, personally identifying information, or a combination of these, that are in the possession of the Department of Information Technology or any other agency of the State are confidential and shall not be defined as public records under G.S. 132-1. This subsection shall not be construed to prohibit the disclosure of any such data as otherwise permitted under federal law. (2015-241, s. 12A.5(d); 2017-57, s. 11A.5(b); 2018-41, s. 9(a); 2019-23, s. 1; 2019-81, s. 2.)

 

90-414.5. State agency and legislative access to HIE Network data.

(a) The Authority shall provide the Department and the State Health Plan for Teachers and State Employees secure, real-time access to data and information disclosed through the HIE Network, solely for the purposes set forth in G.S. 90-414.4(a) and in G.S. 90-414.2. The Authority shall limit access granted to the State Health Plan for Teachers and State Employees pursuant to this section to data and information disclosed through the HIE Network that pertains to services (i) rendered to teachers and State employees and (ii) paid for by the State Health Plan.

(b) At the written request of the Director of the Fiscal Research, Legislative Drafting, Legislative Analysis, or Program Evaluation Division of the General Assembly for an aggregate analysis of the data and information disclosed through the HIE Network, the Authority shall provide the professional staff of these Divisions with the aggregated analysis responsive to the Director's request. Prior to providing the Director or General Assembly's staff with any aggregate data or information submitted through the HIE Network or with any analysis of this aggregate data or information, the Authority shall redact any personal identifying information in a manner consistent with the standards specified for de-identification of health information under the HIPAA Privacy Rule, 45 C.F.R. 164.514, as amended. (2015-241, s. 12A.5(d); 2017-102, s. 39(a); 2018-142, s. 4(b).)

 

90-414.6. State ownership of HIE Network data.

Any data pertaining to services rendered to Medicaid and other State-funded health care program beneficiaries submitted through and stored by the HIE Network pursuant to G.S. 90-414.4 or any other provision of this Article shall be and will remain the sole property of the State. Any data or product derived from the aggregated, de-identified data submitted to and stored by the HIE Network pursuant to G.S. 90-414.4 or any other provision of this Article, shall be and will remain the sole property of the State. The Authority shall not allow data it receives pursuant to G.S. 90-414.4 or any other provision of this Article to be used or disclosed by or to any person or entity for commercial purposes or for any other purpose other than those set forth in G.S. 90-414.4(a) or G.S. 90-414.2. (2015-241, s. 12A.5(d).)

 

90-414.7. North Carolina Health Information Exchange Authority.

(a) Creation. - There is hereby established the North Carolina Health Information Exchange Authority to oversee and administer the HIE Network in accordance with this Article. The Authority shall be located within the Department of Information Technology and shall be under the supervision, direction, and control of the State CIO. The State CIO shall employ an Authority Director and may delegate to the Authority Director all powers and duties associated with the daily operation of the Authority, its staff, and the performance of the powers and duties set forth in subsection (b) of this section. In making this delegation, however, the State CIO maintains the responsibility for the performance of these powers and duties.

(b) Powers and Duties. - The Authority has the following powers and duties:

(1) Oversee and administer the HIE Network in a manner that ensures all of the following:

a. Compliance with this Article.

b. Compliance with HIPAA and any rules adopted under HIPAA, including the Privacy Rule and Security Rule.

c. Compliance with the terms of any participation agreement, business associate agreement, or other agreement the Authority or qualified organization or other person or entity enters into with a covered entity participating in submission of data through or accessing the HIE Network.

d. Notice to the patient by the healthcare provider or other person or entity about the HIE Network, including information and education about the right of individuals on a continuing basis to opt out or rescind a decision to opt out.

e. Opportunity for all individuals whose data has been submitted to the HIE Network to exercise on a continuing basis the right to opt out or rescind a decision to opt out.

f. Nondiscriminatory treatment by covered entities of individuals who exercise the right to opt out.

g. Facilitation of HIE Network interoperability with electronic health record systems of all covered entities listed in G.S. 90-414.4(b).

h. Minimization of the amount of data required to be submitted under G.S. 90-414.4(b) and any use or disclosure of such data to what is determined by the Authority to be required in order to advance the purposes set forth in G.S. 90-414.2 and G.S. 90-414.4(a).

(2) In consultation with the Advisory Board, set guiding principles for the development, implementation, and operation of the HIE Network.

(3) Employ staff necessary to carry out the provisions of this Article and determine the compensation, duties, and other terms and conditions of employment of hired staff.

(4) Enter into contracts pertaining to the oversight and administration of the HIE Network, including contracts of a consulting or advisory nature. G.S. 143-64.20 does not apply to this subdivision.

(5) Establish fees for participation in the HIE Network and report the established fees to the General Assembly, with an explanation of the fee determination process.

(6) Following consultation with the Advisory Board, develop, approve, and enter into, directly or through qualified organizations acting under the authority of the Authority, written participation agreements with persons or entities that participate in or are granted access or user rights to the HIE Network. The participation agreements shall set forth terms and conditions governing participation in, access to, or use of the HIE Network not less than those set forth in agreements already governing covered entities' participation in the federal eHealth Exchange. The agreement shall also require compliance with policies developed by the Authority pursuant to this Article or pursuant to applicable laws of the state of residence for entities located outside of North Carolina.

(7) Receive, access, add, and remove data submitted through and stored by the HIE Network in accordance with this Article.

(8) Following consultation with the Advisory Board, enter into, directly or through qualified organizations acting under the authority of the Authority, a HIPAA compliant business associate agreement with each of the persons or entities participating in or granted access or user rights to the HIE Network.

(9) Following consultation with the Advisory Board, grant user rights to the HIE Network to business associates of covered entities participating in the HIE Network (i) at the request of the covered entities and (ii) at the discretion of and subject to contractual, policy, and other requirements of the Authority upon consideration of and consistent with the business associates' legitimate need for utilizing the HIE Network and privacy and security concerns.

(10) Facilitate and promote use of the HIE Network by covered entities.

(11) Actively monitor compliance with this Article by the Department, covered entities, and any other persons or entities participating in or granted access or user rights to the HIE Network or any data submitted through or stored by the HIE Network.

(12) Collaborate with the State CIO to ensure that resources available through the GDAC are properly leveraged, assigned, or deployed to support the work of the Authority. The duty to collaborate under this subdivision includes collaboration on data hosting and development, implementation, operation, and maintenance of the HIE Network.

(13) Initiate or direct expansion of existing public-private partnerships within the GDAC as necessary to meet the requirements, duties, and obligations of the Authority. Notwithstanding any other provision of law and subject to the availability of funds, the State CIO, at the request of the Authority, shall assist and facilitate expansion of existing contracts related to the HIE Network, provided that such request is made in writing by the Authority to the State CIO with reference to specific requirements set forth in this Article.

(14) In consultation with the Advisory Board, develop a strategic plan for achieving statewide participation in the HIE Network by all hospitals and health care providers licensed in this State.

(15) In consultation with the Advisory Board, define the following with respect to operation of the HIE Network:

a. Business policy.

b. Protocols for data integrity, data sharing, data security, HIPAA compliance, and business intelligence as defined in G.S. 143B-1381. To the extent permitted by HIPAA, protocols for data sharing shall allow for the disclosure of data for academic research.

c. Qualitative and quantitative performance measures.

d. An operational budget and assumptions.

(16) Annually report to the Joint Legislative Oversight Committee on Health and Human Services and the Joint Legislative Oversight Committee on Information Technology on the following:

a. The operation of the HIE Network.

b. Any efforts or progress in expanding participation in the HIE Network.

c. Health care trends based on information disclosed through the HIE Network.

(17) Ensure that the HIE Network interfaces with the federal level HIE, the eHealth Exchange. (2015-241, s. 12A.5(d); 2017-102, s. 39(b).)

 

90-414.8. North Carolina Health Information Exchange Advisory Board.

(a) Creation and Membership. - There is hereby established the North Carolina Health Information Exchange Advisory Board within the Department of Information Technology. The Advisory Board shall consist of the following 12 members:

(1) The following four members appointed by the President Pro Tempore of the Senate:

a. A licensed physician in good standing and actively practicing in this State.

b. A patient representative.

c. An individual with technical expertise in health data analytics.

d. A representative of a behavioral health provider.

(2) The following four members appointed by the Speaker of the House of Representatives:

a. A representative of a critical access hospital.

b. A representative of a federally qualified health center.

c. An individual with technical expertise in health information technology.

d. A representative of a health system or integrated delivery network.

(3) The following three ex officio, nonvoting members:

a. The State Chief Information Officer or a designee.

b. The Director of GDAC or a designee.

c. The Secretary of Health and Human Services, or a designee.

(4) The following ex officio, voting member:

a. The Executive Administrator of the State Health Plan for Teachers and State Employees, or a designee.

(b) Chairperson. - A chairperson shall be elected from among the members. The chairperson shall organize and direct the work of the Advisory Board.

(c) Administrative Support. - The Department of Information Technology shall provide necessary clerical and administrative support to the Advisory Board.

(d) Meetings. - The Advisory Board shall meet at least quarterly and at the call of the chairperson. A majority of the Advisory Board constitutes a quorum for the transaction of business.

(e) Terms. - In order to stagger terms, in making initial appointments, the President Pro Tempore of the Senate shall designate two of the members appointed under subdivision (1) of subsection (a) of this section to serve for a one-year period from the date of appointment and, the Speaker of the House of Representatives shall designate two members appointed under subdivision (2) of subsection (a) of this section to serve for a one-year period from the date of appointment. The remaining appointed voting members shall serve two-year periods. Future appointees who are voting members shall serve terms of two years, with staggered terms based on this subsection. Appointed voting members may serve up to two consecutive terms, not including the abbreviated two-year terms that establish staggered terms or terms of less than two years that result from the filling of a vacancy. Ex officio, nonvoting and voting members are not subject to these term limits. A vacancy other than by expiration of a term shall be filled by the appointing authority.

(f) Expenses. - Members of the Advisory Board who are State officers or employees shall receive no compensation for serving on the Advisory Board but may be reimbursed for their expenses in accordance with G.S. 138-6. Members of the Advisory Board who are full-time salaried public officers or employees other than State officers or employees shall receive no compensation for serving on the Advisory Board but may be reimbursed for their expenses in accordance with G.S. 138-5(b). All other members of the Advisory Board may receive compensation and reimbursement for expenses in accordance with G.S. 138-5.

(g) Duties. - The Advisory Board shall provide consultation to the Authority with respect to the advancement, administration, and operation of the HIE Network and on matters pertaining to health information technology and exchange, generally. In carrying out its responsibilities, the Advisory Board may form committees of the Advisory Board to examine particular issues related to the advancement, administration, or operation of the HIE Network. (2015-241, s. 12A.5(d); 2018-84, s. 10.)

 

90-414.9. Participation by covered entities.

(a) Each covered entity that participates in the HIE Network shall enter into a HIPAA compliant business associate agreement described in G.S. 90-414.7(b)(8) and a written participation agreement described in G.S. 90-414.7(b)(6) with the Authority or qualified organization prior to submitting data through or in the HIE Network.

(b) Each covered entity that participates in the HIE Network may authorize its business associates on behalf of the covered entity to submit data through, or access data stored in, the HIE Network in accordance with this Article and at the discretion of the Authority, as provided in G.S. 90-414.7(b)(8).

(c) Notwithstanding any federal or State law or regulation to the contrary, each covered entity that participates in the HIE Network may disclose an individual's protected health information through the HIE Network to other covered entities for any purpose permitted by HIPAA. (2015-241, s. 12A.5(d); 2015-264, s. 86.5(c); 2017-57, s. 11A.5(d).)

 

90-414.10. Continuing right to opt out; effect of opt out.

(a) Each individual has the right on a continuing basis to opt out or rescind a decision to opt out.

(b) The Authority or its designee shall enforce an individual's decision to opt out or rescind an opt out prospectively from the date the Authority or its designee receives written notice of the individual's decision to opt out or rescind an opt out in the manner prescribed by the Authority. An individual's decision to opt out or rescind an opt out does not affect any disclosures made by the Authority or covered entities through the HIE Network prior to receipt by the Authority or its designee of the individual's written notice to opt out or rescind an opt out.

(c) A covered entity shall not deny treatment, coverage, or benefits to an individual because of the individual's decision to opt out. However, nothing in this Article is intended to restrict a health care provider from otherwise appropriately terminating a relationship with an individual in accordance with applicable law and professional ethical standards.

(d) Except as otherwise permitted in G.S. 90-414.11(a)(3), or as required by law, the protected health information of an individual who has exercised the right to opt out may not be made accessible or disclosed to covered entities or any other person or entity through the HIE Network for any purpose.

(e) Repealed by Session Laws 2017-57, s. 11A.5(e), effective July 1, 2017. (2015-241, s. 12A.5(d); 2017-57, s. 11A.5(e); 2019-23, s. 2.)

 

90-414.11. Construction and applicability.

(a) Nothing in this Article shall be construed to do any of the following:

(1) Impair any rights conferred upon an individual under HIPAA, including all of the following rights related to an individual's protected health information:

a. The right to receive a notice of privacy practices.

b. The right to request restriction of use and disclosure.

c. The right of access to inspect and obtain copies.

d. The right to request amendment.

e. The right to request confidential forms of communication.

f. The right to receive an accounting of disclosures.

(2) Authorize the disclosure of protected health information through the HIE Network to the extent that the disclosure is restricted by federal laws or regulations, including the federal drug and alcohol confidentiality regulations set forth in 42 C.F.R. Part 2.

(3) Restrict the disclosure of protected health information through the HIE Network for public health purposes or research purposes, so long as disclosure is permitted by both HIPAA and State law.

(4) Prohibit the Authority or any covered entity participating in the HIE Network from maintaining in the Authority's or qualified organization's computer system a copy of the protected health information of an individual who has exercised the right to opt out, as long as the Authority or the qualified organization does not access, use, or disclose the individual's protected health information for any purpose other than for necessary system maintenance or as required by federal or State law.

(b) This Article applies only to disclosures of protected health information made through the HIE Network, including disclosures made within qualified organizations. It does not apply to the use or disclosure of protected health information in any context outside of the HIE Network, including the redisclosure of protected health information obtained through the HIE Network. (2015-241, s. 12A.5(d).)

 

90-414.12. Penalties and remedies; immunity for covered entities and business associates for good faith participation.

(a) Except as provided in subsection (b) of this section, a covered entity that discloses protected health information in violation of this Article is subject to the following:

(1) Any civil penalty or criminal penalty, or both, that may be imposed on the covered entity pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, P.L. 111-5, Div. A, Title XIII, section 13001, as amended, and any regulations adopted under the HITECH Act.

(2) Any civil remedy under the HITECH Act or any regulations adopted under the HITECH Act that is available to the Attorney General or to an individual who has been harmed by a violation of this Article, including damages, penalties, attorneys' fees, and costs.

(3) Disciplinary action by the respective licensing board or regulatory agency with jurisdiction over the covered entity.

(4) Any penalty authorized under Article 2A of Chapter 75 of the General Statutes if the violation of this Article is also a violation of Article 2A of Chapter 75 of the General Statutes.

(5) Any other civil or administrative remedy available to a plaintiff by State or federal law or equity.

(b) To the extent permitted under or consistent with federal law, a covered entity or its business associate that in good faith submits data through, accesses, uses, discloses, or relies upon data submitted through the HIE Network shall not be subject to criminal prosecution or civil liability for damages caused by such submission, access, use, disclosure, or reliance. (2015-241, s. 12A.5(d).)