NC
North Carolina Senate Bill S509

North Carolina 2025-2026 Regular Session

North Carolina Senate Bill S509 Compare Versions

OldNewDifferences
11 GENERAL ASSEMBLY OF NORTH CAROLINA
22 SESSION 2025
3-S 1
4-SENATE BILL 509
3+S D
4+SENATE BILL DRS15195-MGfa-82
5+
56
67
78 Short Title: Health Information Exchange Act Revisions. (Public)
89 Sponsors: Senators Hise, Burgin, and Adcock (Primary Sponsors).
9-Referred to: Rules and Operations of the Senate
10-March 26, 2025
11-*S509 -v-1*
10+Referred to:
11+
12+*DRS15195 -MGfa-82*
1213 A BILL TO BE ENTITLED 1
1314 AN ACT REVISING THE STATEWIDE HEALTH INFORMATION EXCHANGE ACT; 2
1415 AND AUTHORIZING THE IMPOSITION OF NEW CIVIL PENALTIES FOR 3
1516 VIOLATIONS OF THE ACT AND A NEW STATE HEALTH DATA ASSESSMENT FEE. 4
1617 The General Assembly of North Carolina enacts: 5
1718 SECTION 1. Article 29B of Chapter 90 of the General Statutes reads as rewritten: 6
1819 "Article 29B. 7
1920 "Statewide Health Information Exchange Act. 8
2021 "§ 90-414.1. Title. 9
2122 This act Article shall be known and may be cited as the "Statewide Health Information 10
2223 Exchange Act." 11
2324 "§ 90-414.2. Purpose. 12
2425 This Article is intended to improve the quality of health care delivery within this State by 13
2526 facilitating and regulating the use of a voluntary, statewide health information exchange network 14
2627 for the secure electronic transmission of individually identifiable health information among 15
2728 health care providers, health plans, and health care clearinghouses clearinghouses, and the State 16
2829 in a manner that is consistent with the Health Insurance Portability and Accountability Act, 17
2930 Privacy Rule and Security Rule, 45 C.F.R. §§ 160, 164. 18
3031 "§ 90-414.3. Definitions. 19
3132 The following definitions apply in this Article: 20
3233 (1) Annual compliance report. – The annual report required by G.S. 90-414.13. 21
3334 (1a) Business associate. – As defined in 45 C.F.R. § 160.103. 22
3435 (2) Business associate contract. – The documentation required by 45 C.F.R. § 23
3536 164.502(e)(2) that meets the applicable requirements of 45 C.F.R. § 24
3637 164.504(e). 25
3738 (3) Covered entity. – Any entity described in 45 C.F.R. § 160.103 or any other 26
3839 facility or practitioner licensed by the State to provide health care services. 27
3940 (3a) Data transfer systems. – Electronic systems or platforms that (i) facilitate the 28
4041 submission of any combination of clinical, demographic, or claims data to the 29
4142 HIE Network and (ii) are maintained, controlled, directed, or licensed by, or 30
4243 on behalf of, a covered entity or hybrid entity subject to this Article. Data 31
4344 transfer systems may be comprised of health information technology or claims 32
4445 processing technology, or both, including hardware, software, integrated 33
4546 technologies and related licenses, or packaged solutions sold as services. Data 34
4647 transfer systems include, but are not limited to, electronic systems or platforms 35
47-related to electronic health records, pharmacy benefits and claims, claims 36 General Assembly Of North Carolina Session 2025
48-Page 2 Senate Bill 509-First Edition
48+related to electronic health records, pharmacy benefits and claims, claims 36
49+FILED SENATE
50+Mar 25, 2025
51+S.B. 509
52+PRINCIPAL CLERK General Assembly Of North Carolina Session 2025
53+Page 2 DRS15195-MGfa-82
4954 processing, or care management. Data transfer systems do not include any 1
5055 information technology systems that are directly maintained, controlled, or 2
5156 licensed by the State Health Plan for Teachers and State Employees. 3
5257 (4) Department. – North Carolina Department of Health and Human Services. 4
5358 (5) Disclose or disclosure. – The release, transfer, provision of access to, or 5
5459 divulging in any other manner an individual's protected health information 6
5560 through the HIE Network. 7
5661 (6) Repealed by Session Laws 2017-57, s. 11A.5(f), effective July 1, 2017. 8
5762 (7) GDAC. – The North Carolina Government Data Analytics Center. 9
5863 (8) HIE Network. – The voluntary, statewide health information exchange 10
5964 network network, which is a health data utility overseen and administered by 11
6065 the Authority. 12
6166 (9) HIPAA. – Sections 261 through 264 of the federal Health Insurance 13
6267 Portability and Accountability Act of 1996, P.L. 104-191, as amended, and 14
6368 any federal regulations adopted to implement these sections, as amended. 15
6469 (10) Individual. – As defined in 45 C.F.R. § 160.103. 16
6570 (11) North Carolina Health Information Exchange Advisory Board or Advisory 17
6671 Board. – The Advisory Board established under G.S. 90-414.8. 18
6772 (12) North Carolina Health Information Exchange Authority or Authority. – The 19
6873 entity established pursuant to G.S. 90-414.7. 20
6974 (13) Opt out. – An individual's affirmative decision communicated to the Authority 21
7075 in writing to disallow his or her protected health information from being 22
7176 disclosed by the Authority to covered entities or other persons or entities 23
7277 through the HIE Network. 24
7378 (13a) Organization National Provider Identifier or Organization NPI. – The HIPAA 25
7479 Administrative Simplification Standard that utilizes a 10-position all-numeric 26
7580 identification number assigned by the federal National Provider System to 27
7681 uniquely identify a health care provider that is an entity other than an 28
7782 individual human being that furnishes health care. 29
7883 (14) Protected health information. – As defined in 45 C.F.R. § 160.103. 30
7984 (15) Public health purposes. – The public health activities and purposes described 31
8085 in 45 C.F.R. § 164.512(b). 32
8186 (16) Qualified organization. – An entity with which the Authority has contracted 33
8287 for the sole purpose of facilitating the exchange of data with or through the 34
8388 HIE Network. 35
8489 (17) Research purposes. – Research purposes referenced in and subject to the 36
8590 standards described in 45 C.F.R. § 164.512(i). 37
8691 (18) State CIO. – The State Chief Information Officer. 38
8792 (19) State-funded health care. – Means all of the following: 39
8893 a. The North Carolina Medicaid program. 40
8994 b. The State Health Plan for Teachers and State Employees. 41
9095 c. Health care facilities and health care programs administered or 42
9196 operated by the Department of Health and Human Services, the 43
9297 Department of Public Safety, or the Department of Adult Correction, 44
9398 and their employees, agents, or grantees. 45
9499 (20) State health care funds. – Monies paid to providers or entities for the provision 46
95100 of health care services to recipients of State-funded health care. The term 47
96101 includes both (i) direct payments from the State to providers and entities and 48
97102 (ii) payments that providers and entities receive from third parties, or the 49
98103 agents of third parties, that are retained by the State for the administration or 50 General Assembly Of North Carolina Session 2025
99-Senate Bill 509-First Edition Page 3
104+DRS15195-MGfa-82 Page 3
100105 delivery, or both, of State-funded health care, including prepaid health plans 1
101106 as defined in G.S. 108D-1 and claims processors as defined in G.S. 135-48.1. 2
102107 "§ 90-414.4. Required participation in HIE Network for some providers. 3
103108 (a) Findings. – The General Assembly makes the following findings: 4
104109 (1) That controlling escalating health care costs of the Medicaid program and 5
105110 other State-funded health care services is of significant importance to the 6
106111 State, its taxpayers, its Medicaid recipients, and other recipients beneficiaries 7
107112 of State-funded health care services.care. 8
108113 (2) That the State and covered entities in North Carolina need timely access to 9
109114 certain demographic and clinical information pertaining to services rendered 10
110115 to Medicaid and other beneficiaries of State-funded health care program 11
111116 beneficiaries and paid for with Medicaid or other State-funded State health 12
112117 care funds in order to assess performance, improve health care outcomes, 13
113118 pinpoint medical expense trends, identify beneficiary health risks, and 14
114119 evaluate how the State is spending money on Medicaid and other State-funded 15
115120 health care services. The care. To that end, the Department of Information 16
116121 Technology, the Department of State Treasurer, State Health Plan Division, 17
117122 and the Department of Health and Human Services, Division of Health 18
118123 Benefits, have an affirmative duty to facilitate and support participation by 19
119124 covered entities in the statewide health information exchange network. 20
120125 (3) That making demographic and clinical information available to the State and 21
121126 covered entities in North Carolina by secure electronic means as set forth in 22
122127 subsection (b) of this section will improve care coordination within and across 23
123128 health systems, increase care quality for such beneficiaries, beneficiaries of 24
124129 State-funded health care, enable more effective population health 25
125130 management, reduce duplication of medical services, augment syndromic 26
126131 surveillance, allow more accurate measurement of care services and 27
127132 outcomes, increase strategic knowledge about the health of the population, 28
128133 and facilitate health care cost containment. 29
129134 (a1) Mandatory Connection to HIE Network. – Notwithstanding the voluntary nature of 30
130135 the HIE Network under G.S. 90-414.2, the following providers and entities shall be connected to 31
131136 the HIE Network and begin submitting data through the HIE Network pertaining to services 32
132137 rendered to Medicaid beneficiaries and to other of State-funded health care program beneficiaries 33
133138 and paid for with Medicaid or other State-funded State health care funds in accordance with the 34
134139 following time line: 35
135140 (1) The following providers of Medicaid services licensed to operate in the State 36
136141 that have an electronic health record system shall begin submitting, at a 37
137142 minimum, demographic and clinical data by June 1, 2018: 38
138143 a. Hospitals as defined in G.S. 131E-176(13). 39
139144 b. Physicians licensed to practice under Article 1 of Chapter 90 of the 40
140145 General Statutes, this Chapter, except for licensed physicians whose 41
141146 primary area of practice is psychiatry. 42
142147 c. Physician assistants as defined in 21 NCAC 32S.0201. 43
143148 d. Nurse practitioners as defined in 21 NCAC 36.0801. 44
144149 (2) Except as provided in subdivisions (3), (4), and (5) of this subsection, all other 45
145150 providers of Medicaid and State-funded health care services and their 46
146151 affiliated entities shall begin submitting demographic and clinical data by 47
147152 January 1, 2023. 48
148153 (3) The following entities shall submit encounter and claims data, as appropriate, 49
149154 in accordance with the following time line: 50 General Assembly Of North Carolina Session 2025
150-Page 4 Senate Bill 509-First Edition
155+Page 4 DRS15195-MGfa-82
151156 a. Prepaid Health Plans, as defined in G.S. 108D-1, by the 1
152157 commencement date of a capitated contract with the Division of 2
153158 Health Benefits for the delivery of Medicaid services as specified in 3
154159 Article 4 of Chapter 108D of the General Statutes. 4
155160 b. Local management entities/managed care organizations, as defined in 5
156161 G.S. 122C-3, by June 1, 2020. 6
157162 If authorized by the Authority in accordance with this Article, the Department 7
158163 of Health and Human Services may submit the data required by this subsection 8
159164 on behalf of the entities specified in this subdivision. 9
160165 (4) The following entities shall begin submitting demographic and clinical data 10
161166 by January 1, 2023: 11
162167 a. Physicians who perform procedures at ambulatory surgical centers as 12
163168 defined in G.S. 131E-146. 13
164169 b. Dentists licensed under Article 2 of Chapter 90 of the General Statutes. 14
165170 c. Licensed physicians whose primary area of practice is psychiatry. 15
166171 d. The State Laboratory of Public Health operated by the Department of 16
167172 Health and Human Services. 17
168173 (5) The following entities shall begin submitting claims data by January 1, 2023: 18
169174 a. Pharmacies registered with the North Carolina Board of Pharmacy 19
170175 under Article 4A of Chapter 90 of the General Statutes.this Chapter. 20
171176 b. State health care facilities operated under the jurisdiction of the 21
172177 Secretary of the Department of Health and Human Services, including 22
173178 State psychiatric hospitals, developmental centers, alcohol and drug 23
174179 treatment centers, neuro-medical treatment centers, and residential 24
175180 programs for children such as the Wright School and the Whitaker 25
176181 Psychiatric Residential Treatment Facility. 26
177182 c. Dentists licensed under Article 2 of this Chapter. 27
178183 (a2) Extensions of Time for Establishing Connection to the HIE Network. – The 28
179184 Department of Information Technology, in consultation with the Department of Health and 29
180185 Human Services and the State Health Plan for Teachers and State Employees, may establish a 30
181186 process to grant limited extensions of the time for providers and entities to connect to the HIE 31
182187 Network and begin submitting data as required by this section upon the request of a provider or 32
183188 entity that demonstrates an ongoing good-faith effort to take necessary steps to establish such 33
184189 connection and begin data submission as required by this section. The process for granting an 34
185190 extension of time must include a presentation by the provider or entity to the Department of 35
186191 Information Technology, the Department of Health and Human Services, and the State Health 36
187192 Plan for Teachers and State Employees on the expected time line for connecting to the HIE 37
188193 Network and commencing data submission as required by this section. Neither the Department 38
189194 of Information Technology, the Department of Health and Human Services, nor the State Health 39
190195 Plan for Teachers and State Employees shall grant an extension of time (i) to any provider or 40
191196 entity that fails to provide this information to both Departments, and the State Health Plan for 41
192197 Teachers and State Employees, (ii) that would result in the provider or entity connecting to the 42
193198 HIE Network and commencing data submission as required by this section later than January 1, 43
194199 2023. The Department of Information Technology shall consult with the Department of Health 44
195200 and Human Services and the State Health Plan for Teachers and State Employees to review and 45
196201 decide upon a request for an extension of time under this section within 30 days after receiving 46
197202 a request for an extension. 47
198203 (a3) Exemptions from Connecting to the HIE Network. – The Secretary of Health and 48
199204 Human Services, or the Secretary's designee, shall have the authority to grant exemptions to 49
200205 classes of providers of Medicaid and other State-funded health care services for whom acquiring 50
201206 and implementing an electronic health record system and connecting to the HIE Network as 51 General Assembly Of North Carolina Session 2025
202-Senate Bill 509-First Edition Page 5
207+DRS15195-MGfa-82 Page 5
203208 required by this section would constitute an undue hardship. The Secretary, or the Secretary's 1
204209 designee, shall promptly notify the Department of Information Technology of classes of 2
205210 providers granted hardship exemptions under this subsection. Neither the Secretary nor the 3
206211 Secretary's designee shall grant any hardship exemption that would result in any class of provider 4
207212 connecting to the HIE Network and submitting data later than December 31, 2022. 5
208213 (a4) Connected Status. – A provider or entity identified in subsection (a1) of this section 6
209214 is deemed connected to the HIE Network when the covered entity that provides, maintains, 7
210215 controls, directs, or licenses that provider's or entity's data transfer system has done all of the 8
211216 following: 9
212217 (1) Established an operable technical connection with the HIE Network approved 10
213218 by the Authority that supports the submission of required patient data 11
214219 generated by the provider or entity. 12
215220 (2) Provided its Organization NPI to the Authority. 13
216221 (3) Executed with the Authority a valid, written participation agreement pursuant 14
217222 to subdivision (b)(6) of G.S. 90-414.7. 15
218223 (4) Communicated to the Authority, in writing, the identity of all providers and 16
219224 entities on whose behalf it maintains a data transfer system. 17
220225 (5) Either has met or is making reasonable efforts to meet data quality standards 18
221226 established by the Authority that are published on its website. 19
222227 (b) Mandatory Submission of Demographic and Clinical Data. – Notwithstanding the 20
223228 voluntary nature of the HIE Network under G.S. 90-414.2 and, except as otherwise provided in 21
224229 subsection subsections (c) and (c1) of this section, as a condition of receiving State funds, 22
225230 including Medicaid funds, the following entities shall submit at least twice daily, through the 23
226231 HIE network, demographic and clinical information pertaining to services rendered to Medicaid 24
227232 and other beneficiaries of State-funded health care program beneficiaries and paid for with 25
228233 Medicaid or other State-funded State health care funds, solely for the purposes set forth in 26
229234 subsection (a) of this section: 27
230235 (1) Each hospital, as defined in G.S. 131E-176(13) that has an electronic health 28
231236 record system. 29
232237 (2) Each Medicaid provider, unless the provider is an ambulatory surgical center 30
233238 as defined in G.S. 131E-146; however, a physician who performs a procedure 31
234239 at the ambulatory surgical center must be connected to the HIE Network. 32
235240 (3) Each provider that receives State health care funds for the provision of health 33
236241 services, State-funded health care, unless the provider is an ambulatory 34
237242 surgical center as defined in G.S. 131E-146; however, a physician who 35
238243 performs a procedure at the ambulatory surgical center must be connected to 36
239244 the HIE Network. 37
240245 (4) Each prepaid health plan, as defined in G.S. 58-93-5, that is under a capitated 38
241246 contract with the Department for the delivery of Medicaid services, or a local 39
242247 management entity/managed care organization, as defined in 40
243248 G.S. 122C-3.G.S. 122C-3, that is under a capitated prepaid health plan 41
244249 contract with the Department. 42
245250 (b1) Balance Billing Prohibition. – An in-network provider or entity who that (i) renders 43
246251 health care services, including prescription drugs and durable medical equipment, under a 44
247252 contract with the State Health Plan for Teachers and State Employees and who (ii) is not 45
248253 connected to the HIE Network in accordance with this Article, is prohibited from billing the State 46
249254 Health Plan or a Plan member more than either party would be billed if the entity or provider was 47
250255 connected to the HIE Network. Balance billing because the provider or entity did not connect to 48
251256 the HIE Network is prohibited. 49
252257 (c) Exemption for Certain Records. – Providers with patient records that are subject to 50
253258 the disclosure restrictions of 42 C.F.R. § 2 are exempt from the requirements of subsection (b) 51 General Assembly Of North Carolina Session 2025
254-Page 6 Senate Bill 509-First Edition
259+Page 6 DRS15195-MGfa-82
255260 of this section but only with respect to the patient records subject to these disclosure restrictions. 1
256261 Providers shall comply with the requirements of subsection (b) of this section with respect to all 2
257262 other patient records. A pharmacy shall only be Pharmacies registered with the North Carolina 3
258263 Board of Pharmacy under Article 4A of this Chapter and dentists licensed under Article 2 of this 4
259264 Chapter are only required to submit claims data pertaining to services rendered to Medicaid and 5
260265 other State-funded health care program beneficiaries of State-funded health care and paid for 6
261266 with Medicaid or other State-funded State health care funds. 7
262267 (c1) Exemption from Twice Daily Submission. – A pharmacy shall only be The following 8
263268 entities are required to submit claims data only once daily through the HIE Network Network: 9
264269 (1) Pharmacies registered with the North Carolina Board of Pharmacy under 10
265270 Article 4A of this Chapter, using pharmacy industry standardized formats. 11
266271 (2) Dentists licensed under Article 2 of this Chapter. 12
267272 (c2) 42 C.F.R. § 2 Records. – Notwithstanding subsection (b) of this section, patient 13
268273 records protected by 42 C.F.R. § 2 shall be disclosed through the HIE Network only if the 14
269274 Authority has provided written notice to the participating entity that data protected by 42 C.F.R. 15
270275 § 2 can be disclosed for a specific purpose. 16
271276 (d) Method of Data Submissions. – The Any provider or entity required to submit data 17
272277 submissions required under this section shall be make the submission by connection to the HIE 18
273278 Network periodic asynchronous secure structured file transfer or any other secure electronic 19
274279 means commonly used in the industry and consistent with document exchange and data 20
275280 submission standards established by the Office Assistant Secretary for Technology Policy/Office 21
276281 of the National Coordinator for Information Technology within the U.S. Department of Health 22
277282 and Human Services. 23
278283 (e) Voluntary Connection for Certain Providers. – Notwithstanding the mandatory 24
279284 connection and data submission requirements in of subsections (a1) and (b) of this section, the 25
280285 following providers of Medicaid services or other State-funded health care services are not 26
281286 required to connect to the HIE Network or submit data but may connect to the HIE Network and 27
282287 submit data voluntarily: 28
283288 (1) Community-based long-term services and supports providers, including 29
284289 personal care services, private duty nursing, home health, and hospice care 30
285290 providers. 31
286291 (2) Intellectual and developmental disability services and supports providers, 32
287292 such as day supports and supported living providers. 33
288293 (3) Community Alternatives Program waiver services (including CAP/DA, 34
289294 CAP/C, and Innovations) providers. 35
290295 (4) Eye and vision services providers. 36
291296 (5) Speech, language, and hearing services providers. 37
292297 (6) Occupational and physical therapy providers. 38
293298 (7) Durable medical equipment providers. 39
294299 (8) Nonemergency medical transportation service providers. 40
295300 (9) Ambulance (emergency medical transportation service) providers. 41
296301 (10) Local education agencies and agencies, school-based health 42
297302 providers.providers, and student health centers that primarily serve students 43
298303 matriculating at public or private institutions of higher education in this State. 44
299304 (11) Chiropractors licensed under Article 8 of this Chapter. 45
300305 (12) Dentists licensed under Article 2 of this Chapter. 46
301306 Connection to the HIE Network by any other covered entities that are not required by 47
302307 subsections (a1) and (b) of this section to connect to the HIE Network or submit data is voluntary. 48
303308 (e1) Mandatory and Voluntary Connection and Submissions by the Same Covered Entity. 49
304309 – A covered entity that provides, maintains, controls, directs, or licenses a data transfer system 50
305310 on behalf of providers and entities that are required to connect to, and submit data through, the 51 General Assembly Of North Carolina Session 2025
306-Senate Bill 509-First Edition Page 7
311+DRS15195-MGfa-82 Page 7
307312 HIE Network under this Article, as well as on behalf of providers and entities that voluntarily 1
308313 connect to, and submit data through, the HIE Network may elect not to submit through the HIE 2
309314 Network clinical, demographic, or claims data generated by the providers and entities that 3
310315 voluntarily connect to, and submit data through, the HIE Network. However, the covered entity 4
311316 is required to submit through the HIE Network clinical, demographic, or claims data generated 5
312317 by providers and entities that are required to connect to, and submit data through, the HIE 6
313318 Network. 7
314319 (f) Confidentiality of Data. – All data submitted to or through the HIE Network 8
315320 containing protected health information, personally identifying information, or a combination of 9
316321 these, that are in the possession of the Department of Information Technology or any other 10
317322 agency of the State are confidential and shall not be defined as public records under G.S. 132-1. 11
318323 This subsection shall not be construed to prohibit the disclosure of any such data as otherwise 12
319324 permitted under federal law. 13
320325 (g) Time-Limited Exceptions for Connecting to, and Submitting Data Through, the HIE 14
321326 Network. – All of the following apply to any exception granted by the Authority for connecting 15
322327 to, and submitting data through, the HIE Network: 16
323328 (1) A covered entity that provides, maintains, controls, directs, or licenses a data 17
324329 transfer system on behalf of providers or entities identified in subsection (a1) 18
325330 of this section may seek to obtain from the Authority a time-limited exception 19
326331 for those providers or entities to connect to, and begin submitting required 20
327332 data through, the HIE Network. 21
328333 (2) The Authority shall administer the process by which a covered entity seeks a 22
329334 time-limited exception for providers or entities to connect to, and begin 23
330335 submitting required data through, the HIE Network. The Authority shall make 24
331336 the final determination about whether to grant or deny requests for a 25
332337 time-limited exception. Any exception authorized by the Authority may not 26
333338 exceed a one-year period. However, a covered entity may seek to renew an 27
334339 exception. 28
335340 (3) In order for a covered entity to obtain a time-limited exception for the 29
336341 providers and entities on whose behalf it provides, maintains, controls, directs, 30
337342 or licenses a data transfer system, the covered entity must demonstrate 31
338343 eligibility for the exception by meeting at least one of the following criteria: 32
339344 a. During the previous year, the covered entity and the providers and 33
340345 entities on whose behalf it maintained, controlled, directed, or licensed 34
341346 a data transfer system received in the aggregate less than one million 35
342347 dollars ($1,000,000) in State health care funds for providing health 36
343348 care services to beneficiaries of State-funded health care. 37
344349 b. The covered entity and the providers and entities on whose behalf it 38
345350 provides, maintains, controls, directs, or licenses a data transfer system 39
346351 operated in whole or in part in a geographic area with limited or 40
347352 emergent broadband availability. The Department of Information 41
348353 Technology, Division of Broadband, shall identify these geographic 42
349354 areas and the Authority shall publish a list of the identified geographic 43
350355 areas to its website. Alternatively, the Authority, after consultation 44
351356 with the Department of Information Technology, Division of 45
352357 Broadband, may, in its discretion, grant a time-limited exception after 46
353358 evaluating materials provided by a covered entity regarding its level 47
354359 of broadband connectivity. 48
355360 c. The covered entity will close, dissolve, or be acquired by another 49
356361 entity within the next 12 months. 50 General Assembly Of North Carolina Session 2025
357-Page 8 Senate Bill 509-First Edition
362+Page 8 DRS15195-MGfa-82
358363 d. The provider or entity has not yet implemented or is in the process of 1
359364 implementing a data transfer system. 2
360365 (4) To request a time-limited exception under this subsection, the covered entity 3
361366 shall submit to the Authority an application and attestation form, which shall 4
362367 both be created by the Authority and made available on its website, containing 5
363368 at least all of the following information: 6
364369 a. Date of request and application period. 7
365370 b. Name, Organization NPI, and location. 8
366371 c. Names of providers and entities on whose behalf the covered entity is 9
367372 applying, as well as their respective Organization NPIs. 10
368373 d. Technical information regarding its data transfer system and vendor, 11
369374 if applicable. 12
370375 e. Provider network information for the State Health Plan for Teachers 13
371376 and State Employees and the North Carolina Medicaid program, as 14
372377 applicable. 15
373378 f. Identification of the bases criterion, or criteria, in subdivision (g)(3) of 16
374379 this section for which the covered entity seeks a time-limited 17
375380 exception. 18
376381 g. Supporting documents and materials determined by the Authority to 19
377382 be necessary to substantiate the covered entity's eligibility for the 20
378383 exception. 21
379384 h. An attestation executed by an authorized representative of the covered 22
380385 entity regarding the validity, truth, and completeness of the application 23
381386 and attestation form submitted by the covered entity to the Authority. 24
382387 "§ 90-414.5. State agency and legislative access to HIE Network data. 25
383388 (a) The Authority shall provide the Department and the State Health Plan for Teachers 26
384389 and State Employees secure, real-time access to data and information disclosed through the HIE 27
385390 Network, solely for the purposes set forth in G.S. 90-414.4(a) and in G.S. 90-414.2. The 28
386391 Authority shall limit access granted to the State Health Plan for Teachers and State Employees 29
387392 pursuant to this section to data and information disclosed through the HIE Network that pertains 30
388393 to services (i) rendered to teachers and State employees and (ii) paid for by the State Health Plan. 31
389394 (b) At the written request of the Director of the Fiscal Research, Legislative Drafting, or 32
390395 Legislative Analysis Division of the General Assembly for an aggregate analysis of the data and 33
391396 information disclosed through the HIE Network, the Authority shall provide the professional 34
392397 staff of these Divisions with the aggregated analysis responsive to the Director's request. Prior to 35
393398 providing the Director or General Assembly's staff with any aggregate data or information 36
394399 submitted through the HIE Network or with any analysis of this aggregate data or information, 37
395400 the Authority shall redact any personal identifying information in a manner consistent with the 38
396401 standards specified for de-identification of health information under the HIPAA Privacy Rule, 39
397402 45 C.F.R. § 164.514, as amended. 40
398403 "§ 90-414.6. State ownership of HIE Network data. 41
399404 Any data pertaining to services rendered to Medicaid and other beneficiaries of State-funded 42
400405 health care program beneficiaries that is submitted through and stored by the HIE Network 43
401406 pursuant to G.S. 90-414.4 or any other provision of this Article shall be and will remain the sole 44
402407 property of the State. Any data or product derived from the aggregated, de-identified data 45
403408 submitted to and stored by the HIE Network pursuant to G.S. 90-414.4 or any other provision of 46
404409 this Article, shall be and will remain the sole property of the State. The Authority shall not allow 47
405410 data it receives pursuant to G.S. 90-414.4 or any other provision of this Article to be used or 48
406411 disclosed by or to any person or entity for commercial purposes or for any other purpose other 49
407412 than those set forth in G.S. 90-414.4(a) or G.S. 90-414.2. To the extent the Authority receives 50
408413 requests for electronic health information as the term is defined in 45 C.F.R. § 171.102, or other 51 General Assembly Of North Carolina Session 2025
409-Senate Bill 509-First Edition Page 9
414+DRS15195-MGfa-82 Page 9
410415 medical records from an individual, an individual's personal representative, or an individual or 1
411416 entity purporting to act on an individual's behalf, the Authority (i) shall not fulfill the request and 2
412417 (ii) shall make available to the requester and the public, via the Authority's website, educational 3
413418 materials about how to access such information from other sources. If the Authority participates 4
414419 in the Trusted Exchange Framework and Common Agreement, then it may provide individual 5
415420 access services through the Trusted Exchange Framework and Common Agreement. Patient 6
416421 identifiers created and utilized by the Authority to integrate identity data in the HIE Network, 7
417422 along with the minimum necessary required demographic information related to those patients, 8
418423 shall be released to the GDAC and the Department by the Authority for purposes of entity 9
419424 resolution and master data management. These identifiers shall not be considered public records 10
420425 pursuant to Chapter 132 of the General Statutes. 11
421426 "§ 90-414.7. North Carolina Health Information Exchange Authority. 12
422427 (a) Creation. – There is hereby established the North Carolina Health Information 13
423428 Exchange Authority to oversee and administer the HIE Network in accordance with this Article. 14
424429 The Authority shall be located within the Department of Information Technology and shall be 15
425430 under the supervision, direction, and control of the State CIO. The State CIO shall employ an 16
426431 Authority Director and may delegate to the Authority Director all powers and duties associated 17
427432 with the daily operation of the Authority, its staff, and the performance of the powers and duties 18
428433 set forth in subsection (b) of this section. In making this delegation, however, the State CIO 19
429434 maintains the responsibility for the performance of these powers and duties. 20
430435 (b) Powers and Duties. – The Authority has the following powers and duties: 21
431436 (1) Oversee and administer the HIE Network in a manner that ensures all of the 22
432437 following: 23
433438 a. Compliance with this Article. 24
434439 b. Compliance with HIPAA and any rules adopted under HIPAA, 25
435440 including the Privacy Rule and Security Rule. 26
436441 c. Compliance with the terms of any participation agreement, business 27
437442 associate agreement, or other agreement the Authority or qualified 28
438443 organization or other person or entity enters into with a covered entity 29
439444 participating in submission of data through or accessing the HIE 30
440445 Network. 31
441446 d. Notice to the patient by the healthcare provider or other person or 32
442447 entity about the HIE Network, including information and education 33
443448 about the right of individuals on a continuing basis to opt out or rescind 34
444449 a decision to opt out. 35
445450 e. Opportunity for all individuals whose data has been submitted to the 36
446451 HIE Network to exercise on a continuing basis the right to opt out or 37
447452 rescind a decision to opt out. 38
448453 f. Nondiscriminatory treatment by covered entities of individuals who 39
449454 exercise the right to opt out. 40
450455 g. Facilitation of HIE Network interoperability with electronic health 41
451456 record systems of all covered entities listed in G.S. 90-414.4(b). 42
452457 h. Minimization of the amount of data required to be submitted under 43
453458 G.S. 90-414.4(b) and any use or disclosure of such data to what is 44
454459 determined by the Authority to be required in order to advance the 45
455460 purposes set forth in G.S. 90-414.2 and G.S. 90-414.4(a). 46
456461 (2) In consultation with the Advisory Board, set guiding principles for the 47
457462 development, implementation, and operation of the HIE Network. 48
458463 (3) Employ staff necessary to carry out the provisions of this Article and 49
459464 determine the compensation, duties, and other terms and conditions of 50
460465 employment of hired staff. 51 General Assembly Of North Carolina Session 2025
461-Page 10 Senate Bill 509-First Edition
466+Page 10 DRS15195-MGfa-82
462467 (4) Enter into contracts pertaining to the oversight and administration of the HIE 1
463468 Network, including contracts of a consulting or advisory nature. 2
464469 G.S. 143-64.20 does not apply to this subdivision. 3
465470 (5) Establish fees for participation in the HIE Network and report the established 4
466471 fees to the General Assembly, with an explanation of the fee determination 5
467472 process. 6
468473 (6) Following consultation with the Advisory Board, develop, approve, and enter 7
469474 into, directly or through qualified organizations acting under the authority of 8
470475 the Authority, written participation agreements with persons or entities that 9
471476 participate in or are granted access or user rights to the HIE Network. The 10
472477 participation agreements shall set forth terms and conditions governing 11
473478 participation in, access to, or use of the HIE Network not less than those set 12
474479 forth in agreements already governing covered entities' participation in the 13
475480 federal eHealth Exchange. The agreement shall also require compliance with 14
476481 policies developed by the Authority pursuant to this Article or pursuant to 15
477482 applicable laws of the state of residence for entities located outside of North 16
478483 Carolina. 17
479484 (7) Receive, access, add, and remove data submitted through and stored by the 18
480485 HIE Network in accordance with this Article. 19
481486 (8) Following consultation with the Advisory Board, enter into, directly or 20
482487 through qualified organizations acting under the authority of the Authority, a 21
483488 HIPAA compliant business associate agreement with each of the persons or 22
484489 entities participating in or granted access or user rights to the HIE 23
485490 Network.Network, except for federal agencies that access the HIE Network 24
486491 solely to review patient data for treatment purposes and exchanges made 25
487492 through eHealth Exchange or the Trusted Exchange Framework and Common 26
488493 Agreement so long as the Authority enters into the agreements that are 27
489494 required to participate in each of these respective national networks. 28
490495 (9) Following consultation with the Advisory Board, grant user rights to the HIE 29
491496 Network to business associates of covered entities participating in the HIE 30
492497 Network (i) at the request of the covered entities and (ii) at the discretion of 31
493498 and subject to contractual, policy, and other requirements of the Authority 32
494499 upon consideration of and consistent with the business associates' legitimate 33
495500 need for utilizing the HIE Network and privacy and security concerns. 34
496501 (10) Facilitate and promote use of the HIE Network by covered entities.entities and 35
497502 business associates acting on their behalf. 36
498503 (11) Actively monitor compliance with this Article by the Department, covered 37
499504 entities, and any other persons or entities participating in or granted access or 38
500505 user rights to the HIE Network or any data submitted through or stored by the 39
501506 HIE Network. 40
502507 (12) Collaborate with the State CIO to ensure that resources available through the 41
503508 GDAC are properly leveraged, assigned, or deployed to support the work of 42
504509 the Authority. The duty to collaborate under this subdivision includes 43
505510 collaboration on data hosting and development, implementation, operation, 44
506511 and maintenance of the HIE Network. 45
507512 (13) Initiate or direct expansion of existing public-private partnerships within the 46
508513 GDAC as necessary to meet the requirements, duties, and obligations of the 47
509514 Authority. Notwithstanding any other provision of law and subject to the 48
510515 availability of funds, the State CIO, at the request of the Authority, shall assist 49
511516 and facilitate expansion of existing contracts related to the HIE Network, 50 General Assembly Of North Carolina Session 2025
512-Senate Bill 509-First Edition Page 11
517+DRS15195-MGfa-82 Page 11
513518 provided that such request is made in writing by the Authority to the State 1
514519 CIO with reference to specific requirements set forth in this Article. 2
515520 (14) In consultation with the Advisory Board, develop a strategic plan for 3
516521 achieving statewide participation in the HIE Network by all hospitals and 4
517522 health care providers licensed in this State. 5
518523 (15) In consultation with the Advisory Board, define the following with respect to 6
519524 operation of the HIE Network: 7
520525 a. Business policy. 8
521526 b. Protocols for data integrity, data sharing, data security, HIPAA 9
522527 compliance, and business intelligence as defined in G.S. 143B-1381. 10
523528 To the extent permitted by HIPAA, protocols for data sharing shall 11
524529 allow for the disclosure of data for academic research. 12
525530 c. Qualitative and quantitative performance measures. 13
526531 d. An operational budget and assumptions. 14
527532 (16) Annually report to the Joint Legislative Oversight Committee on Health and 15
528533 Human Services and the Joint Legislative Oversight Committee on 16
529534 Information Technology on the following: 17
530535 a. The operation of the HIE Network. 18
531536 b. Any efforts or progress in expanding participation in the HIE Network. 19
532537 c. Health care trends based on information disclosed through the HIE 20
533538 Network. 21
534539 (17) Ensure that the HIE Network interfaces with the federal level HIE, the eHealth 22
535540 Exchange. 23
536541 (18) Enforce the provisions of this Article. 24
537542 (19) Provide data related services, as allowed by G.S. 90-414.16. 25
538543 (20) Adopt rules as needed to implement the appeal process established by 26
539544 G.S. 90-414.15. 27
540545 "§ 90-414.8. North Carolina Health Information Exchange Advisory Board. 28
541546 (a) Creation and Membership. – There is hereby established the North Carolina Health 29
542547 Information Exchange Advisory Board within the Department of Information Technology. The 30
543548 Advisory Board shall consist of the following 12 13 members: 31
544549 (1) The following four members appointed by the President Pro Tempore of the 32
545550 Senate: 33
546551 a. A licensed physician in good standing and actively practicing in this 34
547552 State. 35
548553 b. A patient representative. 36
549554 c. An individual with technical expertise in health data analytics. 37
550555 d. A representative of a behavioral health provider. 38
551556 (2) The following four members appointed by the Speaker of the House of 39
552557 Representatives: 40
553558 a. A representative of a critical access hospital. 41
554559 b. A representative of a federally qualified health center. 42
555560 c. An individual with technical expertise in health information 43
556561 technology. 44
557562 d. A representative of a health system or integrated delivery network. 45
558563 (3) The following three ex officio, nonvoting members: 46
559564 a. The State Chief Information Officer or a designee. 47
560565 b. The Director of GDAC or a designee. 48
561566 c. The Secretary of Health and Human Services, or a designee. 49
562567 (4) The following ex officio, voting member:members: 50 General Assembly Of North Carolina Session 2025
563-Page 12 Senate Bill 509-First Edition
568+Page 12 DRS15195-MGfa-82
564569 a. The Executive Administrator of the State Health Plan for Teachers and 1
565570 State Employees, or a designee. 2
566571 b. The Deputy Secretary for the State's Medicaid program, or a designee. 3
567572 (b) Chairperson. – A chairperson shall be elected from among the members. The 4
568573 chairperson shall organize and direct the work of the Advisory Board. 5
569574 (c) Administrative Support. – The Department of Information Technology shall provide 6
570575 necessary clerical and administrative support to the Advisory Board. 7
571576 (d) Meetings. – The Advisory Board shall meet at least quarterly and at the call of the 8
572577 chairperson. A majority of the Advisory Board constitutes a quorum for the transaction of 9
573578 business. 10
574579 (e) Terms. – In order to stagger terms, in making initial appointments, the President Pro 11
575580 Tempore of the Senate shall designate two of the members appointed under subdivision (1) of 12
576581 subsection (a) of this section to serve for a one-year period from the date of appointment and, the 13
577582 Speaker of the House of Representatives shall designate two members appointed under 14
578583 subdivision (2) of subsection (a) of this section to serve for a one-year period from the date of 15
579584 appointment. The remaining appointed voting members shall serve two-year periods. Future 16
580585 appointees who are voting members shall serve terms of two years, with staggered terms based 17
581586 on this subsection. Appointed voting members may serve up to two consecutive terms, not 18
582587 including the abbreviated two-year terms that establish staggered terms or terms of less than two 19
583588 years that result from the filling of a vacancy. Ex officio, nonvoting and voting members are not 20
584589 subject to these term limits. A vacancy other than by expiration of a term shall be filled by the 21
585590 appointing authority. 22
586591 (f) Expenses. – Members of the Advisory Board who are State officers or employees 23
587592 shall receive no compensation for serving on the Advisory Board but may be reimbursed for their 24
588593 expenses in accordance with G.S. 138-6. Members of the Advisory Board who are full-time 25
589594 salaried public officers or employees other than State officers or employees shall receive no 26
590595 compensation for serving on the Advisory Board but may be reimbursed for their expenses in 27
591596 accordance with G.S. 138-5(b). All other members of the Advisory Board may receive 28
592597 compensation and reimbursement for expenses in accordance with G.S. 138-5. 29
593598 (g) Duties. – The Advisory Board shall provide consultation to the Authority with respect 30
594599 to the advancement, administration, and operation of the HIE Network and on matters pertaining 31
595600 to health information technology and exchange, generally. In carrying out its responsibilities, the 32
596601 Advisory Board may form committees of the Advisory Board to examine particular issues related 33
597602 to the advancement, administration, or operation of the HIE Network. 34
598603 "§ 90-414.9. Participation by covered entities. 35
599604 (a) Each Except for federal agencies that access the HIE Network solely to review patient 36
600605 data for treatment purposes, all covered entity that participates entities that participate in the HIE 37
601606 Network shall enter into a HIPAA compliant business associate agreement described in 38
602607 G.S. 90-414.7(b)(8) and a written participation agreement described in G.S. 90-414.7(b)(6) with 39
603608 the Authority or qualified organization prior to submitting data through or in the HIE Network. 40
604609 Notwithstanding this subsection, the Authority may exchange data in the HIE Network through 41
605610 the national eHealth Exchange and the Trusted Exchange Framework and Common Agreement 42
606611 so long as the Authority enters into the agreements that are necessary to participate in each of 43
607612 these national networks. 44
608613 (b) Each covered entity that participates in the HIE Network may authorize its business 45
609614 associates on behalf of the covered entity to submit data through, or access data stored in, the 46
610615 HIE Network in accordance with this Article and at the discretion of the Authority, as provided 47
611616 in G.S. 90-414.7(b)(8). 48
612617 (c) Notwithstanding any federal or State law or regulation to the contrary, each covered 49
613618 entity that participates in the HIE Network may disclose an individual's protected health 50 General Assembly Of North Carolina Session 2025
614-Senate Bill 509-First Edition Page 13
619+DRS15195-MGfa-82 Page 13
615620 information through the HIE Network to other covered entities for any purpose permitted by 1
616621 HIPAA. 2
617622 "§ 90-414.10. Continuing right to opt out; effect of opt out. 3
618623 (a) Each individual has the right on a continuing basis to opt out or rescind a decision to 4
619624 opt out. 5
620625 (b) The Authority or its designee shall enforce an individual's decision to opt out or 6
621626 rescind an opt out prospectively from the date the Authority or its designee receives written notice 7
622627 of the individual's decision to opt out or rescind an opt out in the manner prescribed by the 8
623628 Authority. An individual's decision to opt out or rescind an opt out does not affect any disclosures 9
624629 made by the Authority or covered entities through the HIE Network prior to receipt by the 10
625630 Authority or its designee of the individual's written notice to opt out or rescind an opt out. 11
626631 (c) A covered entity shall not deny treatment, coverage, or benefits to an individual 12
627632 because of the individual's decision to opt out. However, nothing in this Article is intended to 13
628633 restrict a health care provider from otherwise appropriately terminating a relationship with an 14
629634 individual in accordance with applicable law and professional ethical standards. 15
630635 (d) Except as otherwise permitted in G.S. 90-414.11(a)(3), or as required by law, the 16
631636 protected health information of an individual who has exercised the right to opt out may not be 17
632637 made accessible or disclosed to covered entities or any other person or entity through the HIE 18
633638 Network for any purpose. 19
634639 (e) Repealed by Session Laws 2017-57, s. 11A.5(e), effective July 1, 2017. 20
635640 "§ 90-414.11. Construction and applicability. 21
636641 (a) Nothing in this Article shall be construed to do any of the following: 22
637642 (1) Impair any rights conferred upon an individual under HIPAA, including all of 23
638643 the following rights related to an individual's protected health information: 24
639644 a. The right to receive a notice of privacy practices. 25
640645 b. The right to request restriction of use and disclosure. 26
641646 c. The right of access to inspect and obtain copies. 27
642647 d. The right to request amendment. 28
643648 e. The right to request confidential forms of communication. 29
644649 f. The right to receive an accounting of disclosures. 30
645650 (2) Authorize the disclosure of protected health information through the HIE 31
646651 Network to the extent that the disclosure is restricted by federal laws or 32
647652 regulations, including the federal drug and alcohol confidentiality regulations 33
648653 set forth in 42 C.F.R. Part 2. 34
649654 (3) Restrict the disclosure of protected health information through the HIE 35
650655 Network for public health purposes or research purposes, so long as disclosure 36
651656 is permitted by both HIPAA and State law. 37
652657 (4) Prohibit the Authority or any covered entity participating in the HIE Network 38
653658 from maintaining in the Authority's or qualified organization's computer 39
654659 system a copy of the protected health information of an individual who has 40
655660 exercised the right to opt out, as long as the Authority or the qualified 41
656661 organization does not access, use, or disclose the individual's protected health 42
657662 information for any purpose other than for necessary system maintenance or 43
658663 as required by federal or State law. 44
659664 (b) This Article applies only to disclosures of protected health information made through 45
660665 the HIE Network, including disclosures made within qualified organizations. It does not apply to 46
661666 the use or disclosure of protected health information in any context outside of the HIE Network, 47
662667 including the redisclosure of protected health information obtained through the HIE Network. 48
663668 "§ 90-414.12. Penalties and remedies; immunity for covered entities and business associates 49
664669 for good faith participation. 50 General Assembly Of North Carolina Session 2025
665-Page 14 Senate Bill 509-First Edition
670+Page 14 DRS15195-MGfa-82
666671 (a) Except as provided in subsection (b) of this section, a covered entity that discloses 1
667672 protected health information in violation of this Article is subject to the following: 2
668673 (1) Any civil penalty or criminal penalty, or both, that may be imposed on the 3
669674 covered entity pursuant to the Health Information Technology for Economic 4
670675 and Clinical Health (HITECH) Act, P.L. 111-5, Div. A, Title XIII, section 5
671676 13001, as amended, and any regulations adopted under the HITECH 6
672677 Act.federal law or regulation. 7
673678 (2) Any civil remedy available under the HITECH Act or any regulations adopted 8
674679 under the HITECH Act that is available to the Attorney General or to an 9
675680 individual who has been harmed by a violation of this Article, including 10
676681 damages, penalties, attorneys' fees, and costs.federal law or regulation. 11
677682 (3) Disciplinary action by the respective licensing board or regulatory agency 12
678683 with jurisdiction over the covered entity. 13
679684 (4) Any penalty authorized under Article 2A of Chapter 75 of the General Statutes 14
680685 if the violation of this Article is also a violation of Article 2A of Chapter 75 15
681686 of the General Statutes. 16
682687 (5) Any other civil or administrative remedy available to a plaintiff by State or 17
683688 federal law or equity. 18
684689 (a1) In connection with the submission of the annual compliance report required by 19
685690 G.S. 90-414.13, it is unlawful for any person or entity to knowingly present or cause to be 20
686691 presented to the Authority a false record to avoid full payment of the State health data assessment 21
687692 under G.S. 90-414.4. The Authority may assess against any person or entity that violates this 22
688693 subsection a civil penalty of not less than five thousand dollars ($5,000) and not more than ten 23
689694 thousand dollars ($10,000), plus three times the amount of damages sustained by the Authority 24
690695 as a result of that person's or entity's actions. The clear proceeds of civil penalties provided for 25
691696 in this subsection shall be remitted to the Civil Penalty and Forfeiture Fund in accordance with 26
692697 G.S. 115C-457.2. 27
693698 (a2) The Authority may assess a civil penalty not to exceed fifty dollars ($50.00) for each 28
694699 day after the required reporting period or deadline that the annual compliance report remains out 29
695700 of compliance with the requirements prescribed by G.S. 90-414.13. 30
696701 (b) To the extent permitted under or consistent with federal law, a covered entity or its 31
697702 business associate that in good faith submits data through, accesses, uses, discloses, or relies 32
698703 upon data submitted through the HIE Network shall not be subject to criminal prosecution or 33
699704 civil liability for damages caused by such submission, access, use, disclosure, or reliance. 34
700705 "§ 90-414.13. Annual compliance report. 35
701706 (a) Reporting Requirement. – Each covered entity that provides, maintains, controls, 36
702707 directs, or licenses the data transfer system of a provider or entity subject to G.S. 90-414.4(a1) 37
703708 that provides health care services to beneficiaries of State-funded health care shall submit an 38
704709 annual compliance report to the Authority on a form created by the Authority that meets the 39
705710 requirements of this section. 40
706711 (b) The Authority shall develop and make available to covered entities an annual 41
707712 compliance report form, which the Authority may update from time to time after consultation 42
708713 with the Advisory Board. The annual compliance report form shall include fields for at least all 43
709714 of the following information: 44
710715 (1) Name of the covered entity, its location, and the Organization NPI. 45
711716 (2) Names of providers and entities on whose behalf the covered entity is 46
712717 submitting the annual compliance report, as well as their respective 47
713718 Organization NPIs. 48
714719 (3) Acknowledgment of the provision of health care services to beneficiaries of 49
715720 State-funded health care. 50 General Assembly Of North Carolina Session 2025
716-Senate Bill 509-First Edition Page 15
721+DRS15195-MGfa-82 Page 15
717722 (4) Status of technical connection to the HIE Network, as determined under 1
718723 G.S. 90-414.4(a4). 2
719724 (5) The status of data submission through the HIE Network that is in compliance 3
720725 with G.S. 90-414.4. 4
721726 (6) Representations regarding each of the following, as applicable: 5
722727 a. For a covered entity that has executed an agreement with the 6
723728 Authority, a representation regarding that entity's compliance with 7
724729 such agreement. 8
725730 b. For a covered entity that has received a time-limited exception from 9
726731 the Authority, a representation regarding its present intent to connect 10
727732 to, and begin submitting data through, the HIE Network. 11
728733 c. For a covered entity that is required to pay the State health data 12
729734 assessment fee authorized by G.S. 90-414.14, a representation 13
730735 regarding the amount of the fee owed to the State, an explanation of 14
731736 how the fee amount was calculated, and whether the fee was submitted 15
732737 contemporaneously with the annual compliance report as required by 16
733738 G.S. 90-414.14. 17
734739 d. For a covered entity that asserts it is exempt from paying the annual 18
735740 State health data assessment fee, representations regarding why it is 19
736741 eligible to claim the exemption allowed by G.S. 90-414.14(e). 20
737742 (7) Attestation to the completeness and validity of the annual compliance report 21
738743 form and all representations contained on the form. 22
739744 (c) Covered entities shall submit to the Authority all reports and related statements, 23
740745 documents, and payments required by this section by the first of May each year. Covered entities 24
741746 shall be deemed to have submitted timely annual compliance reports if complete reports are 25
742747 postmarked or digitally time-stamped on or before the day the reports are due to the Authority. 26
743748 If an annual compliance report or any related statements, documents, or payments are submitted 27
744749 in a manner that does not comply with this section, the Authority may assess a civil penalty not 28
745750 to exceed fifty dollars ($50.00) for each day after the first of May that the report remains out of 29
746751 compliance with the requirements of this section. The clear proceeds of civil penalties provided 30
747752 for in this subsection shall be remitted to the Civil Penalty and Forfeiture Fund in accordance 31
748753 with G.S. 115C-457.2. 32
749754 (d) A covered entity that provides, maintains, controls, directs, or licenses a data transfer 33
750755 system solely on behalf of a provider or entity that voluntarily connects to the HIE Network 34
751756 pursuant to G.S. 90-414.4(e) is not required to submit an annual compliance report. 35
752757 (e) State agencies are required to submit an abbreviated annual compliance report, on a 36
753758 form provided by the Authority, that shall be made available only to State agencies. 37
754759 (f) At the request of a covered entity, the Authority may waive any requirement in this 38
755760 section for good cause if the covered entity demonstrates to the satisfaction of the Authority that 39
756761 complying with a requirement in this section would cause an undue hardship. 40
757762 (g) The Department's Division of Health Benefits shall assist in administering the annual 41
758763 compliance report process as it pertains to the State's Medicaid providers, as determined 42
759764 necessary by the Authority. At a minimum, the Division of Health Benefits shall annually provide 43
760765 the Authority with a current list of enrolled Medicaid providers, assist with notifying those 44
761766 Medicaid providers about the annual compliance report requirement and reporting deadline 45
762767 established by this section, and provide available information requested by the Authority that is 46
763768 necessary for the Authority to audit or verify the completeness and accuracy of an enrolled 47
764769 Medicaid provider's annual compliance report and related materials submitted to the Authority 48
765770 by or on behalf of that provider. 49
766771 "§ 90-414.14. Annual State health data assessment fee. 50 General Assembly Of North Carolina Session 2025
767-Page 16 Senate Bill 509-First Edition
772+Page 16 DRS15195-MGfa-82
768773 (a) Annual Fee Requirement. – Each covered entity that provides, maintains, controls, 1
769774 directs, or licenses a data transfer system on behalf of a provider or entity subject to the 2
770775 mandatory connection and data submission requirements of G.S. 90-414.4 shall pay an annual 3
771776 State health data assessment fee each year if the covered entity meets any of the following 4
772777 criteria: 5
773778 (1) Is not connected to the HIE Network, as determined pursuant to subsection 6
774779 (a4) of G.S. 90-414.4. 7
775780 (2) Is connected to the HIE Network, as determined pursuant to subsection (a4) 8
776781 of G.S. 90-414.4 but is not submitting required data through the HIE Network. 9
777782 (b) Amount of Annual Fee. – The General Assembly shall determine the State health data 10
778783 assessment fee schedules for annual compliance report periods. 11
779784 (c) Fee Due Date. – A covered entity shall pay any required State health data assessment 12
780785 fee contemporaneously with the submission of the annual compliance report required by 13
781786 G.S. 90-414.13. 14
782787 (d) HIE Network Data and Participation Fund; Use of Proceeds. – The HIE Network Data 15
783788 and Participation Fund (Fund) is established as a special fund in the Department of Information 16
784789 Technology under the management and control of the Authority. The Fund shall consist of the 17
785790 fees collected by the Authority pursuant to this section and all other funds received by the 18
786791 Authority pursuant to this Article, except for the clear proceeds of civil penalties collected 19
787792 pursuant to G.S. 90-414.12, 90-414.13, 90-414.16, and subsection (g) of this section. The Fund 20
788793 shall be placed in an interest-bearing account, and any interest or other income derived from the 21
789794 Fund shall be credited to the Fund. The Authority shall not use monies in this Fund for any 22
790795 purpose other than to pay for expenses incurred by the Authority in carrying out its powers and 23
791796 duties as set forth in this Article. Monies in the Fund shall only be available for expenditure upon 24
792797 an act of appropriation of the General Assembly. The Fund is subject to the provisions of the 25
793798 State Budget Act, except that no unexpended surplus of the Fund shall revert to the General Fund. 26
794799 (e) Fee Exemption. – A covered entity that provides, maintains, controls, directs, or 27
795800 licenses a data transfer system for providers or entities subject to the HIE Network connection 28
796801 and data submission requirements of this Article may claim an exemption from the State health 29
797802 data assessment fee during a reporting period by demonstrating to the satisfaction of the 30
798803 Authority that one or more of the following is true: 31
799804 (1) The covered entity has secured a time-limited exception from the Authority 32
800805 under G.S. 90-414.4(g) for the applicable State health data assessment fee 33
801806 reporting period. 34
802807 (2) The covered entity attests, in writing, that it and the providers and entities on 35
803808 whose behalf it provides, maintains, controls, directs, or licenses a data 36
804809 transfer system received less than five hundred thousand dollars ($500,000) 37
805810 in State health care funds for providing health care services to beneficiaries of 38
806811 State-funded health care. 39
807812 (3) The covered entity is acting in good faith to comply with the Statewide Health 40
808813 Information Exchange Act as evidenced by all of the following: 41
809814 a. Has entered into a participation agreement with the Authority. 42
810815 b. Maintains contact with the Authority. 43
811816 c. Timely responds to direct communications from the Authority 44
812817 regarding matters such as connection status, onboarding, training, and 45
813818 data submission. 46
814819 (4) The covered entity is in its first year of existence, as evidenced by filings with 47
815820 the Office of the Secretary of State. 48
816821 (5) The covered entity attests, in writing, that it is actively transitioning between 49
817822 data transfer systems. 50 General Assembly Of North Carolina Session 2025
818-Senate Bill 509-First Edition Page 17
823+DRS15195-MGfa-82 Page 17
819824 (f) Revocation of Exempt Status. – The Authority may revoke a covered entity's 1
820825 exemption from payment of the State health data assessment fee if the covered entity is 2
821826 unresponsive to communications from the Authority or if the covered entity fails to maintain 3
822827 contact with the Authority. The Authority may revoke an exemption from the payment of the 4
823828 State health data assessment fee for good cause after giving the covered entity 30 days' written 5
824829 notice and an opportunity to cure any unresponsiveness to, or failure to maintain contact with, 6
825830 the Authority. 7
826831 (g) Civil Penalty for Submitting a False Record to Avoid the Fee. – It is unlawful for any 8
827832 person or entity to knowingly present or cause to be presented to the Authority a false record to 9
828833 avoid full payment of the State health data assessment fee due under this section. The Authority 10
829834 shall assess against any person or entity that violates this section a civil penalty of not less than 11
830835 five thousand dollars ($5,000) and not more than ten thousand dollars ($10,000), plus three times 12
831836 the amount of damages sustained by the Authority as a result of that person's or entity's actions. 13
832837 The clear proceeds of civil penalties provided for in this subsection shall be remitted to the Civil 14
833838 Penalty and Forfeiture Fund in accordance with G.S. 115C-457.2. 15
834839 "§ 90-414.15. Appeal of Authority's determinations. 16
835840 (a) Determinations and Appeals. – The Authority shall make the following 17
836841 determinations regarding providers' and entities' obligations: (i) grant or deny requests for 18
837842 time-limited exceptions under G.S. 90-414.4 and (ii) assess penalties under G.S. 90-414.14. The 19
838843 Authority shall send these determinations, in writing, to providers and entities via certified mail, 20
839844 return receipt requested, and via email, if known to the Authority. If a provider or entity disagrees 21
840845 with the Authority's determination, it shall deliver a petition for appeal to the Department of 22
841846 Information Technology's registered agent via certified mail, return receipt requested, within 30 23
842847 calendar days after receipt of the Authority's written determination. The petition for appeal shall 24
843848 include an explanation of the specific reasons the provider or entity disagrees with the Authority's 25
844849 determination and shall be supported by documentation and affidavits regarding the petitioner's 26
845850 compliance with this Article along with any other supporting documentation the petitioner deems 27
846851 relevant to the appeal. The Authority shall develop and make available on its website the form to 28
847852 be used by any provider or entity seeking to appeal the Authority's determination. 29
848853 (b) Untimely Appeals. – A petitioner's failure to submit a timely petition for appeal shall 30
849854 result in the dismissal of the appeal with prejudice. The Department of Information Technology 31
850855 shall notify the provider or entity of such dismissal in writing. 32
851856 (c) Review by the State CIO or the State CIO's Designee. – The State CIO or the State 33
852857 CIO's designee shall review all timely petitions for appeal under this section. The State CIO or 34
853858 the State CIO's designee may render a decision on the petition without meeting with the 35
854859 petitioner. If the State CIO or State CIO's designee renders a decision without meeting with the 36
855860 petitioner, then the State CIO or the State CIO's designee shall notify the petitioner of his or her 37
856861 decision, in writing, within 30 calendar days after the date the petition was received by the 38
857862 Department of Information Technology. If the State CIO or the State CIO's designee determines 39
858863 it is necessary to meet with the petitioner prior to rendering a decision, the State CIO or the State 40
859864 CIO's designee and petitioner shall schedule a meeting within 30 calendar days after the date the 41
860865 petition was received by the Department of Information Technology, or as soon as reasonably 42
861866 practical thereafter, or as agreed upon by the parties. Within 30 calendar days after the date of 43
862867 the meeting, the State CIO or the State CIO's designee shall submit a decision, in writing, to the 44
863868 petitioner by certified mail, return receipt requested, and via email, if known. 45
864869 (d) Administrative Review. – If the petitioner disagrees with the decision of the State 46
865870 CIO or the State CIO's designee, the petitioner may commence a contested case under Article 3A 47
866871 of Chapter 150B of the General Statutes. A petition for a contested case shall be filed within 30 48
867872 calendar days after the earlier of either the date the decision of the State CIO or the State CIO's 49
868873 designee is mailed to the petitioner or the date the decision of the State CIO or the State CIO's 50
869874 designee is emailed to the petitioner. Except as otherwise provided by this Article, no other 51 General Assembly Of North Carolina Session 2025
870-Page 18 Senate Bill 509-First Edition
875+Page 18 DRS15195-MGfa-82
871876 disputes between the Authority and providers or entities, including disputes involving the terms 1
872877 or conditions of any agreement described in G.S. 90-414.7(b), or a party's performance under 2
873878 any such agreement, are subject to the contested case provisions of Chapter 150B of the General 3
874879 Statutes. 4
875880 "§ 90‑414.16. Data related services. 5
876881 (a) Data Related Services. – The Authority may provide data related services to a covered 6
877882 entity participating in the HIE Network or to a business associate of the participating covered 7
878883 entity that is using the service to perform a function for the participating covered entity. Only 8
879884 covered entities participating in the HIE Network may make a request to the Authority for data 9
880885 related services. Nothing in this section shall be construed to require the Authority to provide 10
881886 data related services to covered entities or their business associates. Data disclosed or used in the 11
882887 Authority's provision of these services to any person or entity shall not be used for commercial 12
883888 purposes. 13
884889 (b) Cost Recovery. – If the Authority voluntarily elects to provide a data related service 14
885890 to a covered entity, then it may charge a reasonable fee that may not exceed the actual cost 15
886891 incurred for the service. The cost recovery shall be based on generally accepted accounting 16
887892 principles and may include labor costs of the personnel providing the service, any information 17
888893 technology expense, and any other administrative expense." 18
889894 SECTION 2. The deadline for submitting the first report due under G.S. 90-414.13 19
890895 and the accompanying State health data assessment fee, if applicable, is May 1, 2028. 20
891896 SECTION 3. Pursuant to G.S. 90-414.14(b), the initial State health data assessment 21
892897 fee schedules for annual compliance report periods beginning in 2028, 2029, and 2030 are as 22
893898 follows: 23
894899 (1) For the annual compliance report period beginning in 2028: 24
895900 Amount of State Health Care Funds State Health Data Assessment Fee: Amount 25
896901 received in 2024 Due 26
897902 $1,000,000 + 1.6% of State health care funds received in 2027 27
898903 $750,001 – $1,000,000 $9,000 28
899904 $500,001 – $750,000 $6,000 29
900905 $250,001 – $500,000 $3,000 30
901906 Less than $250,000 (No fee) 31
902907 (2) For the annual compliance report period beginning in 2029: 32
903908 Amount of State Health Care Funds State Health Data Assessment Fee: Amount 33
904909 received in 2025 Due 34
905910 $1,000,000 + 1.6% of State health care funds received in 2028 35
906911 $750,001 – $1,000,000 $12,000 36
907912 $500,001 – $750,000 $8,000 37
908913 $250,001 – $500,000 $4,000 38
909914 Less than $250,000 (No fee) 39
910915 (3) For the annual compliance report period beginning in 2030: 40
911916 Amount of State Health Care Funds State Health Data Assessment Fee: Amount 41
912917 received in 2026 Due 42
913918 $1,000,000 + 1.6% of State health care funds received in 2029 43
914919 $750,001 – $1,000,000 $15,000 44
915920 $500,001 – $750,000 $9,000 45
916921 $250,001 – $500,000 $4,500 46
917922 Less than $250,000 (No fee) 47
918923 SECTION 4. This act becomes effective December 1, 2025. 48