Below are a few highlights of the revised proposal:

• Requires healthcare provider organizations participating in the health information exchange to give patients a separate form that includes information about the HIE and gives the patient an opportunity to opt out. (Right now providers include information in the Notice of Privacy Practices. HealthInfoNet gives education and opt-out forms to providers today, but providers are not required to hand them out by law.)
• Requires the HIE to delete a patient’s health information in the exchange after they opt out. (This is already HealthInfoNet’s policy and has been practice from the beginning.)
• Requires the HIE to provide patients a way to opt out online and offline. (HealthInfoNet already does this.)
• Requires the HIE to provide patients the ability to request both online and offline, a report of who has accessed their records and when they were accessed. (HealthInfoNet can also do this.)
• Requires the HIE to report to the state coordinator for health IT, our plans and progress in rolling out a patient portal by January 2012.
• Requires the HIE to meet all federal law and regulations pertaining to privacy, security and breach notification regarding PHI. (HealthInforNet has to do this already by contract because they are defined under HIPAA as a “business associate.”)
• Would exempt the HIE from Freedom of Access laws.

Read the full version here.