GENERAL ASSEMBLY OF NORTH CAROLINA
SESSION 2025
S 1
SENATE BILL 509
Short Title: Health Information Exchange Act Revisions. (Public)
Sponsors: Senators Hise, Burgin, and Adcock (Primary Sponsors).
Referred to: Rules and Operations of the Senate
March 26, 2025
*S509 -v-1*
A BILL TO BE ENTITLED 1
AN ACT REVISING THE STATEWIDE HEALTH INF ORMATION EXCHANGE AC T; 2
AND AUTHORIZING THE IMPOSITION OF NEW CI VIL PENALTIES FOR 3
VIOLATIONS OF THE ACT AND A NEW STATE HEALTH DATA ASSESSMENT FEE. 4
The General Assembly of North Carolina enacts: 5
SECTION 1. Article 29B of Chapter 90 of the General Statutes reads as rewritten: 6
"Article 29B. 7
"Statewide Health Information Exchange Act. 8
"§ 90-414.1. Title. 9
This act Article shall be known and may be cited as the "Statewide Health Information 10
Exchange Act." 11
"§ 90-414.2. Purpose. 12
This Article is intended to improve the quality of health care delivery within this State by 13
facilitating and regulating the use of a voluntary, statewide health information exchange network 14
for the secure electronic transmission of individually identifiable health information among 15
health care providers, health plans, and health care clearinghouses clearinghouses, and the State 16
in a manner that is consistent with the Health Insurance Portability and Accountability Act, 17
Privacy Rule and Security Rule, 45 C.F.R. §§ 160, 164. 18
"§ 90-414.3. Definitions. 19
The following definitions apply in this Article: 20
(1) Annual compliance report. – The annual report required by G.S. 90-414.13. 21
(1a) Business associate. – As defined in 45 C.F.R. § 160.103. 22
(2) Business associate contract. – The documentation required by 45 C.F.R. § 23
164.502(e)(2) that meets the applicable requirements of 45 C.F.R. § 24
164.504(e). 25
(3) Covered entity. – Any entity described in 45 C.F.R. § 160.103 or any other 26
facility or practitioner licensed by the State to provide health care services. 27
(3a) Data transfer systems. – Electronic systems or platforms that (i) facilitate the 28
submission of any combination of clinical, demographic, or claims data to the 29
HIE Network and (ii) are maintained, controlled, directed, or licensed by, or 30
on behalf of, a covered entity or hybrid entity subject to this Article. Data 31
transfer systems may be comprised of health information technology or claims 32
processing technology, or both, including hardware, software, integrated 33
technologies and related licenses, or packaged solutions sold as services. Data 34
transfer systems include, but are not limited to, electronic systems or platforms 35
related to electronic health records, pharmacy benefits and claims, claims 36 General Assembly Of North Carolina Session 2025
Page 2 Senate Bill 509-First Edition
processing, or care management. Data transfer systems do not include any 1
information technology systems that are directly maintained, controlled, or 2
licensed by the State Health Plan for Teachers and State Employees. 3
(4) Department. – North Carolina Department of Health and Human Services. 4
(5) Disclose or disclosure. – The release, transfer, provision of access to, or 5
divulging in any other manner an individual's protected health information 6
through the HIE Network. 7
(6) Repealed by Session Laws 2017-57, s. 11A.5(f), effective July 1, 2017. 8
(7) GDAC. – The North Carolina Government Data Analytics Center. 9
(8) HIE Network. – The voluntary, statewide health information exchange 10
network network, which is a health data utility overseen and administered by 11
the Authority. 12
(9) HIPAA. – Sections 261 through 264 of the federal Health Insurance 13
Portability and Accountability Act of 1996, P.L. 104-191, as amended, and 14
any federal regulations adopted to implement these sections, as amended. 15
(10) Individual. – As defined in 45 C.F.R. § 160.103. 16
(11) North Carolina Health Information Exchange Advisory Board or Advisory 17
Board. – The Advisory Board established under G.S. 90-414.8. 18
(12) North Carolina Health Information Exchange Authority or Authority. – The 19
entity established pursuant to G.S. 90-414.7. 20
(13) Opt out. – An individual's affirmative decision communicated to the Authority 21
in writing to disallow his or her protected health information from being 22
disclosed by the Authority to covered entities or other persons or entities 23
through the HIE Network. 24
(13a) Organization National Provider Identifier or Organization NPI. – The HIPAA 25
Administrative Simplification Standard that utilizes a 10-position all-numeric 26
identification number assigned by the federal National Provider System to 27
uniquely identify a health care provider that is an entity other than an 28
individual human being that furnishes health care. 29
(14) Protected health information. – As defined in 45 C.F.R. § 160.103. 30
(15) Public health purposes. – The public health activities and purposes described 31
in 45 C.F.R. § 164.512(b). 32
(16) Qualified organization. – An entity with which the Authority has contracted 33
for the sole purpose of facilitating the exchange of data with or through the 34
HIE Network. 35
(17) Research purposes. – Research purposes referenced in and subject to the 36
standards described in 45 C.F.R. § 164.512(i). 37
(18) State CIO. – The State Chief Information Officer. 38
(19) State-funded health care. – Means all of the following: 39
a. The North Carolina Medicaid program. 40
b. The State Health Plan for Teachers and State Employees. 41
c. Health care facilities and health care programs administered or 42
operated by the Department of Health and Human Services, the 43
Department of Public Safety, or the Department of Adult Correction, 44
and their employees, agents, or grantees. 45
(20) State health care funds. – Monies paid to providers or entities for the provision 46
of health care services to recipients of State-funded health care. The term 47
includes both (i) direct payments from the State to providers and entities and 48
(ii) payments that providers and entities receive from third parties, or the 49
agents of third parties, that are retained by the State for the administration or 50 General Assembly Of North Carolina Session 2025
Senate Bill 509-First Edition Page 3
delivery, or both, of State-funded health care, including prepaid health plans 1
as defined in G.S. 108D-1 and claims processors as defined in G.S. 135-48.1. 2
"§ 90-414.4. Required participation in HIE Network for some providers. 3
(a) Findings. – The General Assembly makes the following findings: 4
(1) That controlling escalating health care costs of the Medicaid program and 5
other State-funded health care services is of significant importance to the 6
State, its taxpayers, its Medicaid recipients, and other recipients beneficiaries 7
of State-funded health care services.care. 8
(2) That the State and covered entities in North Carolina need timely access to 9
certain demographic and clinical information pertaining to services rendered 10
to Medicaid and other beneficiaries of State-funded health care program 11
beneficiaries and paid for with Medicaid or other State-funded State health 12
care funds in order to assess performance, improve health care outcomes, 13
pinpoint medical expense trends, identify beneficiary health risks, and 14
evaluate how the State is spending money on Medicaid and other State-funded 15
health care services. The care. To that end, the Department of Information 16
Technology, the Department of State Treasurer, State Health Plan Division, 17
and the Department of Health and Human Services, Division of Health 18
Benefits, have an affirmative duty to facilitate and support participation by 19
covered entities in the statewide health information exchange network. 20
(3) That making demographic and clinical information available to the State and 21
covered entities in North Carolina by secure electronic means as set forth in 22
subsection (b) of this section will improve care coordination within and across 23
health systems, increase care quality for such beneficiaries, beneficiaries of 24
State-funded health care, enable more effective population health 25
management, reduce duplication of medical services, augment syndromic 26
surveillance, allow more accurate measurement of care services and 27
outcomes, increase strategic knowledge about the health of the population, 28
and facilitate health care cost containment. 29
(a1) Mandatory Connection to HIE Network. – Notwithstanding the voluntary nature of 30
the HIE Network under G.S. 90-414.2, the following providers and entities shall be connected to 31
the HIE Network and begin submitting data through the HIE Network pertaining to services 32
rendered to Medicaid beneficiaries and to other of State-funded health care program beneficiaries 33
and paid for with Medicaid or other State-funded State health care funds in accordance with the 34
following time line: 35
(1) The following providers of Medicaid services licensed to operate in the State 36
that have an electronic health record system shall begin submitting, at a 37
minimum, demographic and clinical data by June 1, 2018: 38
a. Hospitals as defined in G.S. 131E-176(13). 39
b. Physicians licensed to practice under Article 1 of Chapter 90 of the 40
General Statutes, this Chapter, except for licensed physicians whose 41
primary area of practice is psychiatry. 42
c. Physician assistants as defined in 21 NCAC 32S.0201. 43
d. Nurse practitioners as defined in 21 NCAC 36.0801. 44
(2) Except as provided in subdivisions (3), (4), and (5) of this subsection, all other 45
providers of Medicaid and State-funded health care services and their 46
affiliated entities shall begin submitting demographic and clinical data by 47
January 1, 2023. 48
(3) The following entities shall submit encounter and claims data, as appropriate, 49
in accordance with the following time line: 50 General Assembly Of North Carolina Session 2025
Page 4 Senate Bill 509-First Edition
a. Prepaid Health Plans, as defined in G.S. 108D-1, by the 1
commencement date of a capitated contract with the Division of 2
Health Benefits for the delivery of Medicaid services as specified in 3
Article 4 of Chapter 108D of the General Statutes. 4
b. Local management entities/managed care organizations, as defined in 5
G.S. 122C-3, by June 1, 2020. 6
If authorized by the Authority in accordance with this Article, the Department 7
of Health and Human Services may submit the data required by this subsection 8
on behalf of the entities specified in this subdivision. 9
(4) The following entities shall begin submitting demographic and clinical data 10
by January 1, 2023: 11
a. Physicians who perform procedures at ambulatory surgical centers as 12
defined in G.S. 131E-146. 13
b. Dentists licensed under Article 2 of Chapter 90 of the General Statutes. 14
c. Licensed physicians whose primary area of practice is psychiatry. 15
d. The State Laboratory of Public Health operated by the Department of 16
Health and Human Services. 17
(5) The following entities shall begin submitting claims data by January 1, 2023: 18
a. Pharmacies registered with the North Carolina Board of Pharmacy 19
under Article 4A of Chapter 90 of the General Statutes.this Chapter. 20
b. State health care facilities operated under the jurisdiction of the 21
Secretary of the Department of Health and Human Services, including 22
State psychiatric hospitals, developmental centers, alcohol and drug 23
treatment centers, neuro-medical treatment centers, and residential 24
programs for children such as the Wright School and the Whitaker 25
Psychiatric Residential Treatment Facility. 26
c. Dentists licensed under Article 2 of this Chapter. 27
(a2) Extensions of Time for Establishing Connection to the HIE Network. – The 28
Department of Information Technology, in consultation with the Department of Health and 29
Human Services and the State Health Plan for Teachers and State Employees, may establish a 30
process to grant limited extensions of the time for providers and entities to connect to the HIE 31
Network and begin submitting data as required by this section upon the request of a provider or 32
entity that demonstrates an ongoing good-faith effort to take necessary steps to establish such 33
connection and begin data submission as required by this section. The process for granting an 34
extension of time must include a presentation by the provider or entity to the Department of 35
Information Technology, the Department of Health and Human Services, and the State Health 36
Plan for Teachers and State Employees on the expected time line for connecting to the HIE 37
Network and commencing data submission as required by this section. Neither the Department 38
of Information Technology, the Department of Health and Human Services, nor the State Health 39
Plan for Teachers and State Employees shall grant an extension of time (i) to any provider or 40
entity that fails to provide this information to both Departments, and the State Health Plan for 41
Teachers and State Employees, (ii) that would result in the provider or entity connecting to the 42
HIE Network and commencing data submission as required by this section later than January 1, 43
2023. The Department of Information Technology shall consult with the Department of Health 44
and Human Services and the State Health Plan for Teachers and State Employees to review and 45
decide upon a request for an extension of time under this section within 30 days after receiving 46
a request for an extension. 47
(a3) Exemptions from Connecting to the HIE Network. – The Secretary of Health and 48
Human Services, or the Secretary's designee, shall have the authority to grant exemptions to 49
classes of providers of Medicaid and other State-funded health care services for whom acquiring 50
and implementing an electronic health record system and connecting to the HIE Network as 51 General Assembly Of North Carolina Session 2025
Senate Bill 509-First Edition Page 5
required by this section would constitute an undue hardship. The Secretary, or the Secretary's 1
designee, shall promptly notify the Department of Information Technology of classes of 2
providers granted hardship exemptions under this subsection. Neither the Secretary nor the 3
Secretary's designee shall grant any hardship exemption that would result in any class of provider 4
connecting to the HIE Network and submitting data later than December 31, 2022. 5
(a4) Connected Status. – A provider or entity identified in subsection (a1) of this section 6
is deemed connected to the HIE Network when the covered entity that provides, maintains, 7
controls, directs, or licenses that provider's or entity's data transfer system has done all of the 8
following: 9
(1) Established an operable technical connection with the HIE Network approved 10
by the Authority that supports the submission of required patient data 11
generated by the provider or entity. 12
(2) Provided its Organization NPI to the Authority. 13
(3) Executed with the Authority a valid, written participation agreement pursuant 14
to subdivision (b)(6) of G.S. 90-414.7. 15
(4) Communicated to the Authority, in writing, the identity of all providers and 16
entities on whose behalf it maintains a data transfer system. 17
(5) Either has met or is making reasonable efforts to meet data quality standards 18
established by the Authority that are published on its website. 19
(b) Mandatory Submission of Demographic and Clinical Data. – Notwithstanding the 20
voluntary nature of the HIE Network under G.S. 90-414.2 and, except as otherwise provided in 21
subsection subsections (c) and (c1) of this section, as a condition of receiving State funds, 22
including Medicaid funds, the following entities shall submit at least twice daily, through the 23
HIE network, demographic and clinical information pertaining to services rendered to Medicaid 24
and other beneficiaries of State-funded health care program beneficiaries and paid for with 25
Medicaid or other State-funded State health care funds, solely for the purposes set forth in 26
subsection (a) of this section: 27
(1) Each hospital, as defined in G.S. 131E-176(13) that has an electronic health 28
record system. 29
(2) Each Medicaid provider, unless the provider is an ambulatory surgical center 30
as defined in G.S. 131E-146; however, a physician who performs a procedure 31
at the ambulatory surgical center must be connected to the HIE Network. 32
(3) Each provider that receives State health care funds for the provision of health 33
services, State-funded health care, unless the provider is an ambulatory 34
surgical center as defined in G.S. 131E-146; however, a physician who 35
performs a procedure at the ambulatory surgical center must be connected to 36
the HIE Network. 37
(4) Each prepaid health plan, as defined in G.S. 58-93-5, that is under a capitated 38
contract with the Department for the delivery of Medicaid services, or a local 39
management entity/managed care organization, as defined in 40
G.S. 122C-3.G.S. 122C-3, that is under a capitated prepaid health plan 41
contract with the Department. 42
(b1) Balance Billing Prohibition. – An in-network provider or entity who that (i) renders 43
health care services, including prescription drugs and durable medical equipment, under a 44
contract with the State Health Plan for Teachers and State Employees and who (ii) is not 45
connected to the HIE Network in accordance with this Article, is prohibited from billing the State 46
Health Plan or a Plan member more than either party would be billed if the entity or provider was 47
connected to the HIE Network. Balance billing because the provider or entity did not connect to 48
the HIE Network is prohibited. 49
(c) Exemption for Certain Records. – Providers with patient records that are subject to 50
the disclosure restrictions of 42 C.F.R. § 2 are exempt from the requirements of subsection (b) 51 General Assembly Of North Carolina Session 2025
Page 6 Senate Bill 509-First Edition
of this section but only with respect to the patient records subject to these disclosure restrictions. 1
Providers shall comply with the requirements of subsection (b) of this section with respect to all 2
other patient records. A pharmacy shall only be Pharmacies registered with the North Carolina 3
Board of Pharmacy under Article 4A of this Chapter and dentists licensed under Article 2 of this 4
Chapter are only required to submit claims data pertaining to services rendered to Medicaid and 5
other State-funded health care program beneficiaries of State-funded health care and paid for 6
with Medicaid or other State-funded State health care funds. 7
(c1) Exemption from Twice Daily Submission. – A pharmacy shall only be The following 8
entities are required to submit claims data only once daily through the HIE Network Network: 9
(1) Pharmacies registered with the North Carolina Board of Pharmacy under 10
Article 4A of this Chapter, using pharmacy industry standardized formats. 11
(2) Dentists licensed under Article 2 of this Chapter. 12
(c2) 42 C.F.R. § 2 Records. – Notwithstanding subsection (b) of this section, patient 13
records protected by 42 C.F.R. § 2 shall be disclosed through the HIE Network only if the 14
Authority has provided written notice to the participating entity that data protected by 42 C.F.R. 15
§ 2 can be disclosed for a specific purpose. 16
(d) Method of Data Submissions. – The Any provider or entity required to submit data 17
submissions required under this section shall be make the submission by connection to the HIE 18
Network periodic asynchronous secure structured file transfer or any other secure electronic 19
means commonly used in the industry and consistent with document exchange and data 20
submission standards established by the Office Assistant Secretary for Technology Policy/Office 21
of the National Coordinator for Information Technology within the U.S. Department of Health 22
and Human Services. 23
(e) Voluntary Connection for Certain Providers. – Notwithstanding the mandatory 24
connection and data submission requirements in of subsections (a1) and (b) of this section, the 25
following providers of Medicaid services or other State-funded health care services are not 26
required to connect to the HIE Network or submit data but may connect to the HIE Network and 27
submit data voluntarily: 28
(1) Community-based long-term services and supports providers, including 29
personal care services, private duty nursing, home health, and hospice care 30
providers. 31
(2) Intellectual and developmental disability services and supports providers, 32
such as day supports and supported living providers. 33
(3) Community Alternatives Program waiver services (including CAP/DA, 34
CAP/C, and Innovations) providers. 35
(4) Eye and vision services providers. 36
(5) Speech, language, and hearing services providers. 37
(6) Occupational and physical therapy providers. 38
(7) Durable medical equipment providers. 39
(8) Nonemergency medical transportation service providers. 40
(9) Ambulance (emergency medical transportation service) providers. 41
(10) Local education agencies and agencies, school-based health 42
providers.providers, and student health centers that primarily serve students 43
matriculating at public or private institutions of higher education in this State. 44
(11) Chiropractors licensed under Article 8 of this Chapter. 45
(12) Dentists licensed under Article 2 of this Chapter. 46
Connection to the HIE Network by any other covered entities that are not required by 47
subsections (a1) and (b) of this section to connect to the HIE Network or submit data is voluntary. 48
(e1) Mandatory and Voluntary Connection and Submissions by the Same Covered Entity. 49
– A covered entity that provides, maintains, controls, directs, or licenses a data transfer system 50
on behalf of providers and entities that are required to connect to, and submit data through, the 51 General Assembly Of North Carolina Session 2025
Senate Bill 509-First Edition Page 7
HIE Network under this Article, as well as on behalf of providers and entities that voluntarily 1
connect to, and submit data through, the HIE Network may elect not to submit through the HIE 2
Network clinical, demographic, or claims data generated by the providers and entities that 3
voluntarily connect to, and submit data through, the HIE Network. However, the covered entity 4
is required to submit through the HIE Network clinical, demographic, or claims data generated 5
by providers and entities that are required to connect to, and submit data through, the HIE 6
Network. 7
(f) Confidentiality of Data. – All data submitted to or through the HIE Network 8
containing protected health information, personally identifying information, or a combination of 9
these, that are in the possession of the Department of Information Technology or any other 10
agency of the State are confidential and shall not be defined as public records under G.S. 132-1. 11
This subsection shall not be construed to prohibit the disclosure of any such data as otherwise 12
permitted under federal law. 13
(g) Time-Limited Exceptions for Connecting to, and Submitting Data Through, the HIE 14
Network. – All of the following apply to any exception granted by the Authority for connecting 15
to, and submitting data through, the HIE Network: 16
(1) A covered entity that provides, maintains, controls, directs, or licenses a data 17
transfer system on behalf of providers or entities identified in subsection (a1) 18
of this section may seek to obtain from the Authority a time-limited exception 19
for those providers or entities to connect to, and begin submitting required 20
data through, the HIE Network. 21
(2) The Authority shall administer the process by which a covered entity seeks a 22
time-limited exception for providers or entities to connect to, and begin 23
submitting required data through, the HIE Network. The Authority shall make 24
the final determination about whether to grant or deny requests for a 25
time-limited exception. Any exception authorized by the Authority may not 26
exceed a one-year period. However, a covered entity may seek to renew an 27
exception. 28
(3) In order for a covered entity to obtain a time-limited exception for the 29
providers and entities on whose behalf it provides, maintains, controls, directs, 30
or licenses a data transfer system, the covered entity must demonstrate 31
eligibility for the exception by meeting at least one of the following criteria: 32
a. During the previous year, the covered entity and the providers and 33
entities on whose behalf it maintained, controlled, directed, or licensed 34
a data transfer system received in the aggregate less than one million 35
dollars ($1,000,000) in State health care funds for providing health 36
care services to beneficiaries of State-funded health care. 37
b. The covered entity and the providers and entities on whose behalf it 38
provides, maintains, controls, directs, or licenses a data transfer system 39
operated in whole or in part in a geographic area with limited or 40
emergent broadband availability. The Department of Information 41
Technology, Division of Broadband, shall identify these geographic 42
areas and the Authority shall publish a list of the identified geographic 43
areas to its website. Alternatively, the Authority, after consultation 44
with the Department of Information Technology, Division of 45
Broadband, may, in its discretion, grant a time-limited exception after 46
evaluating materials provided by a covered entity regarding its level 47
of broadband connectivity. 48
c. The covered entity will close, dissolve, or be acquired by another 49
entity within the next 12 months. 50 General Assembly Of North Carolina Session 2025
Page 8 Senate Bill 509-First Edition
d. The provider or entity has not yet implemented or is in the process of 1
implementing a data transfer system. 2
(4) To request a time-limited exception under this subsection, the covered entity 3
shall submit to the Authority an application and attestation form, which shall 4
both be created by the Authority and made available on its website, containing 5
at least all of the following information: 6
a. Date of request and application period. 7
b. Name, Organization NPI, and location. 8
c. Names of providers and entities on whose behalf the covered entity is 9
applying, as well as their respective Organization NPIs. 10
d. Technical information regarding its data transfer system and vendor, 11
if applicable. 12
e. Provider network information for the State Health Plan for Teachers 13
and State Employees and the North Carolina Medicaid program, as 14
applicable. 15
f. Identification of the bases criterion, or criteria, in subdivision (g)(3) of 16
this section for which the covered entity seeks a time-limited 17
exception. 18
g. Supporting documents and materials determined by the Authority to 19
be necessary to substantiate the covered entity's eligibility for the 20
exception. 21
h. An attestation executed by an authorized representative of the covered 22
entity regarding the validity, truth, and completeness of the application 23
and attestation form submitted by the covered entity to the Authority. 24
"§ 90-414.5. State agency and legislative access to HIE Network data. 25
(a) The Authority shall provide the Department and the State Health Plan for Teachers 26
and State Employees secure, real-time access to data and information disclosed through the HIE 27
Network, solely for the purposes set forth in G.S. 90-414.4(a) and in G.S. 90-414.2. The 28
Authority shall limit access granted to the State Health Plan for Teachers and State Employees 29
pursuant to this section to data and information disclosed through the HIE Network that pertains 30
to services (i) rendered to teachers and State employees and (ii) paid for by the State Health Plan. 31
(b) At the written request of the Director of the Fiscal Research, Legislative Drafting, or 32
Legislative Analysis Division of the General Assembly for an aggregate analysis of the data and 33
information disclosed through the HIE Network, the Authority shall provide the professional 34
staff of these Divisions with the aggregated analysis responsive to the Director's request. Prior to 35
providing the Director or General Assembly's staff with any aggregate data or information 36
submitted through the HIE Network or with any analysis of this aggregate data or information, 37
the Authority shall redact any personal identifying information in a manner consistent with the 38
standards specified for de-identification of health information under the HIPAA Privacy Rule, 39
45 C.F.R. § 164.514, as amended. 40
"§ 90-414.6. State ownership of HIE Network data. 41
Any data pertaining to services rendered to Medicaid and other beneficiaries of State-funded 42
health care program beneficiaries that is submitted through and stored by the HIE Network 43
pursuant to G.S. 90-414.4 or any other provision of this Article shall be and will remain the sole 44
property of the State. Any data or product derived from the aggregated, de-identified data 45
submitted to and stored by the HIE Network pursuant to G.S. 90-414.4 or any other provision of 46
this Article, shall be and will remain the sole property of the State. The Authority shall not allow 47
data it receives pursuant to G.S. 90-414.4 or any other provision of this Article to be used or 48
disclosed by or to any person or entity for commercial purposes or for any other purpose other 49
than those set forth in G.S. 90-414.4(a) or G.S. 90-414.2. To the extent the Authority receives 50
requests for electronic health information as the term is defined in 45 C.F.R. § 171.102, or other 51 General Assembly Of North Carolina Session 2025
Senate Bill 509-First Edition Page 9
medical records from an individual, an individual's personal representative, or an individual or 1
entity purporting to act on an individual's behalf, the Authority (i) shall not fulfill the request and 2
(ii) shall make available to the requester and the public, via the Authority's website, educational 3
materials about how to access such information from other sources. If the Authority participates 4
in the Trusted Exchange Framework and Common Agreement, then it may provide individual 5
access services through the Trusted Exchange Framework and Common Agreement. Patient 6
identifiers created and utilized by the Authority to integrate identity data in the HIE Network, 7
along with the minimum necessary required demographic information related to those patients, 8
shall be released to the GDAC and the Department by the Authority for purposes of entity 9
resolution and master data management. These identifiers shall not be considered public records 10
pursuant to Chapter 132 of the General Statutes. 11
"§ 90-414.7. North Carolina Health Information Exchange Authority. 12
(a) Creation. – There is hereby established the North Carolina Health Information 13
Exchange Authority to oversee and administer the HIE Network in accordance with this Article. 14
The Authority shall be located within the Department of Information Technology and shall be 15
under the supervision, direction, and control of the State CIO. The State CIO shall employ an 16
Authority Director and may delegate to the Authority Director all powers and duties associated 17
with the daily operation of the Authority, its staff, and the performance of the powers and duties 18
set forth in subsection (b) of this section. In making this delegation, however, the State CIO 19
maintains the responsibility for the performance of these powers and duties. 20
(b) Powers and Duties. – The Authority has the following powers and duties: 21
(1) Oversee and administer the HIE Network in a manner that ensures all of the 22
following: 23
a. Compliance with this Article. 24
b. Compliance with HIPAA and any rules adopted under HIPAA, 25
including the Privacy Rule and Security Rule. 26
c. Compliance with the terms of any participation agreement, business 27
associate agreement, or other agreement the Authority or qualified 28
organization or other person or entity enters into with a covered entity 29
participating in submission of data through or accessing the HIE 30
Network. 31
d. Notice to the patient by the healthcare provider or other person or 32
entity about the HIE Network, including information and education 33
about the right of individuals on a continuing basis to opt out or rescind 34
a decision to opt out. 35
e. Opportunity for all individuals whose data has been submitted to the 36
HIE Network to exercise on a continuing basis the right to opt out or 37
rescind a decision to opt out. 38
f. Nondiscriminatory treatment by covered entities of individuals who 39
exercise the right to opt out. 40
g. Facilitation of HIE Network interoperability with electronic health 41
record systems of all covered entities listed in G.S. 90-414.4(b). 42
h. Minimization of the amount of data required to be submitted under 43
G.S. 90-414.4(b) and any use or disclosure of such data to what is 44
determined by the Authority to be required in order to advance the 45
purposes set forth in G.S. 90-414.2 and G.S. 90-414.4(a). 46
(2) In consultation with the Advisory Board, set guiding principles for the 47
development, implementation, and operation of the HIE Network. 48
(3) Employ staff necessary to carry out the provisions of this Article and 49
determine the compensation, duties, and other terms and conditions of 50
employment of hired staff. 51 General Assembly Of North Carolina Session 2025
Page 10 Senate Bill 509-First Edition
(4) Enter into contracts pertaining to the oversight and administration of the HIE 1
Network, including contracts of a consulting or advisory nature. 2
G.S. 143-64.20 does not apply to this subdivision. 3
(5) Establish fees for participation in the HIE Network and report the established 4
fees to the General Assembly, with an explanation of the fee determination 5
process. 6
(6) Following consultation with the Advisory Board, develop, approve, and enter 7
into, directly or through qualified organizations acting under the authority of 8
the Authority, written participation agreements with persons or entities that 9
participate in or are granted access or user rights to the HIE Network. The 10
participation agreements shall set forth terms and conditions governing 11
participation in, access to, or use of the HIE Network not less than those set 12
forth in agreements already governing covered entities' participation in the 13
federal eHealth Exchange. The agreement shall also require compliance with 14
policies developed by the Authority pursuant to this Article or pursuant to 15
applicable laws of the state of residence for entities located outside of North 16
Carolina. 17
(7) Receive, access, add, and remove data submitted through and stored by the 18
HIE Network in accordance with this Article. 19
(8) Following consultation with the Advisory Board, enter into, directly or 20
through qualified organizations acting under the authority of the Authority, a 21
HIPAA compliant business associate agreement with each of the persons or 22
entities participating in or granted access or user rights to the HIE 23
Network.Network, except for federal agencies that access the HIE Network 24
solely to review patient data for treatment purposes and exchanges made 25
through eHealth Exchange or the Trusted Exchange Framework and Common 26
Agreement so long as the Authority enters into the agreements that are 27
required to participate in each of these respective national networks. 28
(9) Following consultation with the Advisory Board, grant user rights to the HIE 29
Network to business associates of covered entities participating in the HIE 30
Network (i) at the request of the covered entities and (ii) at the discretion of 31
and subject to contractual, policy, and other requirements of the Authority 32
upon consideration of and consistent with the business associates' legitimate 33
need for utilizing the HIE Network and privacy and security concerns. 34
(10) Facilitate and promote use of the HIE Network by covered entities.entities and 35
business associates acting on their behalf. 36
(11) Actively monitor compliance with this Article by the Department, covered 37
entities, and any other persons or entities participating in or granted access or 38
user rights to the HIE Network or any data submitted through or stored by the 39
HIE Network. 40
(12) Collaborate with the State CIO to ensure that resources available through the 41
GDAC are properly leveraged, assigned, or deployed to support the work of 42
the Authority. The duty to collaborate under this subdivision includes 43
collaboration on data hosting and development, implementation, operation, 44
and maintenance of the HIE Network. 45
(13) Initiate or direct expansion of existing public-private partnerships within the 46
GDAC as necessary to meet the requirements, duties, and obligations of the 47
Authority. Notwithstanding any other provision of law and subject to the 48
availability of funds, the State CIO, at the request of the Authority, shall assist 49
and facilitate expansion of existing contracts related to the HIE Network, 50 General Assembly Of North Carolina Session 2025
Senate Bill 509-First Edition Page 11
provided that such request is made in writing by the Authority to the State 1
CIO with reference to specific requirements set forth in this Article. 2
(14) In consultation with the Advisory Board, develop a strategic plan for 3
achieving statewide participation in the HIE Network by all hospitals and 4
health care providers licensed in this State. 5
(15) In consultation with the Advisory Board, define the following with respect to 6
operation of the HIE Network: 7
a. Business policy. 8
b. Protocols for data integrity, data sharing, data security, HIPAA 9
compliance, and business intelligence as defined in G.S. 143B-1381. 10
To the extent permitted by HIPAA, protocols for data sharing shall 11
allow for the disclosure of data for academic research. 12
c. Qualitative and quantitative performance measures. 13
d. An operational budget and assumptions. 14
(16) Annually report to the Joint Legislative Oversight Committee on Health and 15
Human Services and the Joint Legislative Oversight Committee on 16
Information Technology on the following: 17
a. The operation of the HIE Network. 18
b. Any efforts or progress in expanding participation in the HIE Network. 19
c. Health care trends based on information disclosed through the HIE 20
Network. 21
(17) Ensure that the HIE Network interfaces with the federal level HIE, the eHealth 22
Exchange. 23
(18) Enforce the provisions of this Article. 24
(19) Provide data related services, as allowed by G.S. 90-414.16. 25
(20) Adopt rules as needed to implement the appeal process established by 26
G.S. 90-414.15. 27
"§ 90-414.8. North Carolina Health Information Exchange Advisory Board. 28
(a) Creation and Membership. – There is hereby established the North Carolina Health 29
Information Exchange Advisory Board within the Department of Information Technology. The 30
Advisory Board shall consist of the following 12 13 members: 31
(1) The following four members appointed by the President Pro Tempore of the 32
Senate: 33
a. A licensed physician in good standing and actively practicing in this 34
State. 35
b. A patient representative. 36
c. An individual with technical expertise in health data analytics. 37
d. A representative of a behavioral health provider. 38
(2) The following four members appointed by the Speaker of the House of 39
Representatives: 40
a. A representative of a critical access hospital. 41
b. A representative of a federally qualified health center. 42
c. An individual with technical expertise in health information 43
technology. 44
d. A representative of a health system or integrated delivery network. 45
(3) The following three ex officio, nonvoting members: 46
a. The State Chief Information Officer or a designee. 47
b. The Director of GDAC or a designee. 48
c. The Secretary of Health and Human Services, or a designee. 49
(4) The following ex officio, voting member:members: 50 General Assembly Of North Carolina Session 2025
Page 12 Senate Bill 509-First Edition
a. The Executive Administrator of the State Health Plan for Teachers and 1
State Employees, or a designee. 2
b. The Deputy Secretary for the State's Medicaid program, or a designee. 3
(b) Chairperson. – A chairperson shall be elected from among the members. The 4
chairperson shall organize and direct the work of the Advisory Board. 5
(c) Administrative Support. – The Department of Information Technology shall provide 6
necessary clerical and administrative support to the Advisory Board. 7
(d) Meetings. – The Advisory Board shall meet at least quarterly and at the call of the 8
chairperson. A majority of the Advisory Board constitutes a quorum for the transaction of 9
business. 10
(e) Terms. – In order to stagger terms, in making initial appointments, the President Pro 11
Tempore of the Senate shall designate two of the members appointed under subdivision (1) of 12
subsection (a) of this section to serve for a one-year period from the date of appointment and, the 13
Speaker of the House of Representatives shall designate two members appointed under 14
subdivision (2) of subsection (a) of this section to serve for a one-year period from the date of 15
appointment. The remaining appointed voting members shall serve two-year periods. Future 16
appointees who are voting members shall serve terms of two years, with staggered terms based 17
on this subsection. Appointed voting members may serve up to two consecutive terms, not 18
including the abbreviated two-year terms that establish staggered terms or terms of less than two 19
years that result from the filling of a vacancy. Ex officio, nonvoting and voting members are not 20
subject to these term limits. A vacancy other than by expiration of a term shall be filled by the 21
appointing authority. 22
(f) Expenses. – Members of the Advisory Board who are State officers or employees 23
shall receive no compensation for serving on the Advisory Board but may be reimbursed for their 24
expenses in accordance with G.S. 138-6. Members of the Advisory Board who are full-time 25
salaried public officers or employees other than State officers or employees shall receive no 26
compensation for serving on the Advisory Board but may be reimbursed for their expenses in 27
accordance with G.S. 138-5(b). All other members of the Advisory Board may receive 28
compensation and reimbursement for expenses in accordance with G.S. 138-5. 29
(g) Duties. – The Advisory Board shall provide consultation to the Authority with respect 30
to the advancement, administration, and operation of the HIE Network and on matters pertaining 31
to health information technology and exchange, generally. In carrying out its responsibilities, the 32
Advisory Board may form committees of the Advisory Board to examine particular issues related 33
to the advancement, administration, or operation of the HIE Network. 34
"§ 90-414.9. Participation by covered entities. 35
(a) Each Except for federal agencies that access the HIE Network solely to review patient 36
data for treatment purposes, all covered entity that participates entities that participate in the HIE 37
Network shall enter into a HIPAA compliant business associate agreement described in 38
G.S. 90-414.7(b)(8) and a written participation agreement described in G.S. 90-414.7(b)(6) with 39
the Authority or qualified organization prior to submitting data through or in the HIE Network. 40
Notwithstanding this subsection, the Authority may exchange data in the HIE Network through 41
the national eHealth Exchange and the Trusted Exchange Framework and Common Agreement 42
so long as the Authority enters into the agreements that are necessary to participate in each of 43
these national networks. 44
(b) Each covered entity that participates in the HIE Network may authorize its business 45
associates on behalf of the covered entity to submit data through, or access data stored in, the 46
HIE Network in accordance with this Article and at the discretion of the Authority, as provided 47
in G.S. 90-414.7(b)(8). 48
(c) Notwithstanding any federal or State law or regulation to the contrary, each covered 49
entity that participates in the HIE Network may disclose an individual's protected health 50 General Assembly Of North Carolina Session 2025
Senate Bill 509-First Edition Page 13
information through the HIE Network to other covered entities for any purpose permitted by 1
HIPAA. 2
"§ 90-414.10. Continuing right to opt out; effect of opt out. 3
(a) Each individual has the right on a continuing basis to opt out or rescind a decision to 4
opt out. 5
(b) The Authority or its designee shall enforce an individual's decision to opt out or 6
rescind an opt out prospectively from the date the Authority or its designee receives written notice 7
of the individual's decision to opt out or rescind an opt out in the manner prescribed by the 8
Authority. An individual's decision to opt out or rescind an opt out does not affect any disclosures 9
made by the Authority or covered entities through the HIE Network prior to receipt by the 10
Authority or its designee of the individual's written notice to opt out or rescind an opt out. 11
(c) A covered entity shall not deny treatment, coverage, or benefits to an individual 12
because of the individual's decision to opt out. However, nothing in this Article is intended to 13
restrict a health care provider from otherwise appropriately terminating a relationship with an 14
individual in accordance with applicable law and professional ethical standards. 15
(d) Except as otherwise permitted in G.S. 90-414.11(a)(3), or as required by law, the 16
protected health information of an individual who has exercised the right to opt out may not be 17
made accessible or disclosed to covered entities or any other person or entity through the HIE 18
Network for any purpose. 19
(e) Repealed by Session Laws 2017-57, s. 11A.5(e), effective July 1, 2017. 20
"§ 90-414.11. Construction and applicability. 21
(a) Nothing in this Article shall be construed to do any of the following: 22
(1) Impair any rights conferred upon an individual under HIPAA, including all of 23
the following rights related to an individual's protected health information: 24
a. The right to receive a notice of privacy practices. 25
b. The right to request restriction of use and disclosure. 26
c. The right of access to inspect and obtain copies. 27
d. The right to request amendment. 28
e. The right to request confidential forms of communication. 29
f. The right to receive an accounting of disclosures. 30
(2) Authorize the disclosure of protected health information through the HIE 31
Network to the extent that the disclosure is restricted by federal laws or 32
regulations, including the federal drug and alcohol confidentiality regulations 33
set forth in 42 C.F.R. Part 2. 34
(3) Restrict the disclosure of protected health information through the HIE 35
Network for public health purposes or research purposes, so long as disclosure 36
is permitted by both HIPAA and State law. 37
(4) Prohibit the Authority or any covered entity participating in the HIE Network 38
from maintaining in the Authority's or qualified organization's computer 39
system a copy of the protected health information of an individual who has 40
exercised the right to opt out, as long as the Authority or the qualified 41
organization does not access, use, or disclose the individual's protected health 42
information for any purpose other than for necessary system maintenance or 43
as required by federal or State law. 44
(b) This Article applies only to disclosures of protected health information made through 45
the HIE Network, including disclosures made within qualified organizations. It does not apply to 46
the use or disclosure of protected health information in any context outside of the HIE Network, 47
including the redisclosure of protected health information obtained through the HIE Network. 48
"§ 90-414.12. Penalties and remedies; immunity for covered entities and business associates 49
for good faith participation. 50 General Assembly Of North Carolina Session 2025
Page 14 Senate Bill 509-First Edition
(a) Except as provided in subsection (b) of this section, a covered entity that discloses 1
protected health information in violation of this Article is subject to the following: 2
(1) Any civil penalty or criminal penalty, or both, that may be imposed on the 3
covered entity pursuant to the Health Information Technology for Economic 4
and Clinical Health (HITECH) Act, P.L. 111-5, Div. A, Title XIII, section 5
13001, as amended, and any regulations adopted under the HITECH 6
Act.federal law or regulation. 7
(2) Any civil remedy available under the HITECH Act or any regulations adopted 8
under the HITECH Act that is available to the Attorney General or to an 9
individual who has been harmed by a violation of this Article, including 10
damages, penalties, attorneys' fees, and costs.federal law or regulation. 11
(3) Disciplinary action by the respective licensing board or regulatory agency 12
with jurisdiction over the covered entity. 13
(4) Any penalty authorized under Article 2A of Chapter 75 of the General Statutes 14
if the violation of this Article is also a violation of Article 2A of Chapter 75 15
of the General Statutes. 16
(5) Any other civil or administrative remedy available to a plaintiff by State or 17
federal law or equity. 18
(a1) In connection with the submission of the annual compliance report required by 19
G.S. 90-414.13, it is unlawful for any person or entity to knowingly present or cause to be 20
presented to the Authority a false record to avoid full payment of the State health data assessment 21
under G.S. 90-414.4. The Authority may assess against any person or entity that violates this 22
subsection a civil penalty of not less than five thousand dollars ($5,000) and not more than ten 23
thousand dollars ($10,000), plus three times the amount of damages sustained by the Authority 24
as a result of that person's or entity's actions. The clear proceeds of civil penalties provided for 25
in this subsection shall be remitted to the Civil Penalty and Forfeiture Fund in accordance with 26
G.S. 115C-457.2. 27
(a2) The Authority may assess a civil penalty not to exceed fifty dollars ($50.00) for each 28
day after the required reporting period or deadline that the annual compliance report remains out 29
of compliance with the requirements prescribed by G.S. 90-414.13. 30
(b) To the extent permitted under or consistent with federal law, a covered entity or its 31
business associate that in good faith submits data through, accesses, uses, discloses, or relies 32
upon data submitted through the HIE Network shall not be subject to criminal prosecution or 33
civil liability for damages caused by such submission, access, use, disclosure, or reliance. 34
"§ 90-414.13. Annual compliance report. 35
(a) Reporting Requirement. – Each covered entity that provides, maintains, controls, 36
directs, or licenses the data transfer system of a provider or entity subject to G.S. 90-414.4(a1) 37
that provides health care services to beneficiaries of State-funded health care shall submit an 38
annual compliance report to the Authority on a form created by the Authority that meets the 39
requirements of this section. 40
(b) The Authority shall develop and make available to covered entities an annual 41
compliance report form, which the Authority may update from time to time after consultation 42
with the Advisory Board. The annual compliance report form shall include fields for at least all 43
of the following information: 44
(1) Name of the covered entity, its location, and the Organization NPI. 45
(2) Names of providers and entities on whose behalf the covered entity is 46
submitting the annual compliance report, as well as their respective 47
Organization NPIs. 48
(3) Acknowledgment of the provision of health care services to beneficiaries of 49
State-funded health care. 50 General Assembly Of North Carolina Session 2025
Senate Bill 509-First Edition Page 15
(4) Status of technical connection to the HIE Network, as determined under 1
G.S. 90-414.4(a4). 2
(5) The status of data submission through the HIE Network that is in compliance 3
with G.S. 90-414.4. 4
(6) Representations regarding each of the following, as applicable: 5
a. For a covered entity that has executed an agreement with the 6
Authority, a representation regarding that entity's compliance with 7
such agreement. 8
b. For a covered entity that has received a time-limited exception from 9
the Authority, a representation regarding its present intent to connect 10
to, and begin submitting data through, the HIE Network. 11
c. For a covered entity that is required to pay the State health data 12
assessment fee authorized by G.S. 90-414.14, a representation 13
regarding the amount of the fee owed to the State, an explanation of 14
how the fee amount was calculated, and whether the fee was submitted 15
contemporaneously with the annual compliance report as required by 16
G.S. 90-414.14. 17
d. For a covered entity that asserts it is exempt from paying the annual 18
State health data assessment fee, representations regarding why it is 19
eligible to claim the exemption allowed by G.S. 90-414.14(e). 20
(7) Attestation to the completeness and validity of the annual compliance report 21
form and all representations contained on the form. 22
(c) Covered entities shall submit to the Authority all reports and related statements, 23
documents, and payments required by this section by the first of May each year. Covered entities 24
shall be deemed to have submitted timely annual compliance reports if complete reports are 25
postmarked or digitally time-stamped on or before the day the reports are due to the Authority. 26
If an annual compliance report or any related statements, documents, or payments are submitted 27
in a manner that does not comply with this section, the Authority may assess a civil penalty not 28
to exceed fifty dollars ($50.00) for each day after the first of May that the report remains out of 29
compliance with the requirements of this section. The clear proceeds of civil penalties provided 30
for in this subsection shall be remitted to the Civil Penalty and Forfeiture Fund in accordance 31
with G.S. 115C-457.2. 32
(d) A covered entity that provides, maintains, controls, directs, or licenses a data transfer 33
system solely on behalf of a provider or entity that voluntarily connects to the HIE Network 34
pursuant to G.S. 90-414.4(e) is not required to submit an annual compliance report. 35
(e) State agencies are required to submit an abbreviated annual compliance report, on a 36
form provided by the Authority, that shall be made available only to State agencies. 37
(f) At the request of a covered entity, the Authority may waive any requirement in this 38
section for good cause if the covered entity demonstrates to the satisfaction of the Authority that 39
complying with a requirement in this section would cause an undue hardship. 40
(g) The Department's Division of Health Benefits shall assist in administering the annual 41
compliance report process as it pertains to the State's Medicaid providers, as determined 42
necessary by the Authority. At a minimum, the Division of Health Benefits shall annually provide 43
the Authority with a current list of enrolled Medicaid providers, assist with notifying those 44
Medicaid providers about the annual compliance report requirement and reporting deadline 45
established by this section, and provide available information requested by the Authority that is 46
necessary for the Authority to audit or verify the completeness and accuracy of an enrolled 47
Medicaid provider's annual compliance report and related materials submitted to the Authority 48
by or on behalf of that provider. 49
"§ 90-414.14. Annual State health data assessment fee. 50 General Assembly Of North Carolina Session 2025
Page 16 Senate Bill 509-First Edition
(a) Annual Fee Requirement. – Each covered entity that provides, maintains, controls, 1
directs, or licenses a data transfer system on behalf of a provider or entity subject to the 2
mandatory connection and data submission requirements of G.S. 90-414.4 shall pay an annual 3
State health data assessment fee each year if the covered entity meets any of the following 4
criteria: 5
(1) Is not connected to the HIE Network, as determined pursuant to subsection 6
(a4) of G.S. 90-414.4. 7
(2) Is connected to the HIE Network, as determined pursuant to subsection (a4) 8
of G.S. 90-414.4 but is not submitting required data through the HIE Network. 9
(b) Amount of Annual Fee. – The General Assembly shall determine the State health data 10
assessment fee schedules for annual compliance report periods. 11
(c) Fee Due Date. – A covered entity shall pay any required State health data assessment 12
fee contemporaneously with the submission of the annual compliance report required by 13
G.S. 90-414.13. 14
(d) HIE Network Data and Participation Fund; Use of Proceeds. – The HIE Network Data 15
and Participation Fund (Fund) is established as a special fund in the Department of Information 16
Technology under the management and control of the Authority. The Fund shall consist of the 17
fees collected by the Authority pursuant to this section and all other funds received by the 18
Authority pursuant to this Article, except for the clear proceeds of civil penalties collected 19
pursuant to G.S. 90-414.12, 90-414.13, 90-414.16, and subsection (g) of this section. The Fund 20
shall be placed in an interest-bearing account, and any interest or other income derived from the 21
Fund shall be credited to the Fund. The Authority shall not use monies in this Fund for any 22
purpose other than to pay for expenses incurred by the Authority in carrying out its powers and 23
duties as set forth in this Article. Monies in the Fund shall only be available for expenditure upon 24
an act of appropriation of the General Assembly. The Fund is subject to the provisions of the 25
State Budget Act, except that no unexpended surplus of the Fund shall revert to the General Fund. 26
(e) Fee Exemption. – A covered entity that provides, maintains, controls, directs, or 27
licenses a data transfer system for providers or entities subject to the HIE Network connection 28
and data submission requirements of this Article may claim an exemption from the State health 29
data assessment fee during a reporting period by demonstrating to the satisfaction of the 30
Authority that one or more of the following is true: 31
(1) The covered entity has secured a time-limited exception from the Authority 32
under G.S. 90-414.4(g) for the applicable State health data assessment fee 33
reporting period. 34
(2) The covered entity attests, in writing, that it and the providers and entities on 35
whose behalf it provides, maintains, controls, directs, or licenses a data 36
transfer system received less than five hundred thousand dollars ($500,000) 37
in State health care funds for providing health care services to beneficiaries of 38
State-funded health care. 39
(3) The covered entity is acting in good faith to comply with the Statewide Health 40
Information Exchange Act as evidenced by all of the following: 41
a. Has entered into a participation agreement with the Authority. 42
b. Maintains contact with the Authority. 43
c. Timely responds to direct communications from the Authority 44
regarding matters such as connection status, onboarding, training, and 45
data submission. 46
(4) The covered entity is in its first year of existence, as evidenced by filings with 47
the Office of the Secretary of State. 48
(5) The covered entity attests, in writing, that it is actively transitioning between 49
data transfer systems. 50 General Assembly Of North Carolina Session 2025
Senate Bill 509-First Edition Page 17
(f) Revocation of Exempt Status. – The Authority may revoke a covered entity's 1
exemption from payment of the State health data assessment fee if the covered entity is 2
unresponsive to communications from the Authority or if the covered entity fails to maintain 3
contact with the Authority. The Authority may revoke an exemption from the payment of the 4
State health data assessment fee for good cause after giving the covered entity 30 days' written 5
notice and an opportunity to cure any unresponsiveness to, or failure to maintain contact with, 6
the Authority. 7
(g) Civil Penalty for Submitting a False Record to Avoid the Fee. – It is unlawful for any 8
person or entity to knowingly present or cause to be presented to the Authority a false record to 9
avoid full payment of the State health data assessment fee due under this section. The Authority 10
shall assess against any person or entity that violates this section a civil penalty of not less than 11
five thousand dollars ($5,000) and not more than ten thousand dollars ($10,000), plus three times 12
the amount of damages sustained by the Authority as a result of that person's or entity's actions. 13
The clear proceeds of civil penalties provided for in this subsection shall be remitted to the Civil 14
Penalty and Forfeiture Fund in accordance with G.S. 115C-457.2. 15
"§ 90-414.15. Appeal of Authority's determinations. 16
(a) Determinations and Appeals. – The Authority shall make the following 17
determinations regarding providers' and entities' obligations: (i) grant or deny requests for 18
time-limited exceptions under G.S. 90-414.4 and (ii) assess penalties under G.S. 90-414.14. The 19
Authority shall send these determinations, in writing, to providers and entities via certified mail, 20
return receipt requested, and via email, if known to the Authority. If a provider or entity disagrees 21
with the Authority's determination, it shall deliver a petition for appeal to the Department of 22
Information Technology's registered agent via certified mail, return receipt requested, within 30 23
calendar days after receipt of the Authority's written determination. The petition for appeal shall 24
include an explanation of the specific reasons the provider or entity disagrees with the Authority's 25
determination and shall be supported by documentation and affidavits regarding the petitioner's 26
compliance with this Article along with any other supporting documentation the petitioner deems 27
relevant to the appeal. The Authority shall develop and make available on its website the form to 28
be used by any provider or entity seeking to appeal the Authority's determination. 29
(b) Untimely Appeals. – A petitioner's failure to submit a timely petition for appeal shall 30
result in the dismissal of the appeal with prejudice. The Department of Information Technology 31
shall notify the provider or entity of such dismissal in writing. 32
(c) Review by the State CIO or the State CIO's Designee. – The State CIO or the State 33
CIO's designee shall review all timely petitions for appeal under this section. The State CIO or 34
the State CIO's designee may render a decision on the petition without meeting with the 35
petitioner. If the State CIO or State CIO's designee renders a decision without meeting with the 36
petitioner, then the State CIO or the State CIO's designee shall notify the petitioner of his or her 37
decision, in writing, within 30 calendar days after the date the petition was received by the 38
Department of Information Technology. If the State CIO or the State CIO's designee determines 39
it is necessary to meet with the petitioner prior to rendering a decision, the State CIO or the State 40
CIO's designee and petitioner shall schedule a meeting within 30 calendar days after the date the 41
petition was received by the Department of Information Technology, or as soon as reasonably 42
practical thereafter, or as agreed upon by the parties. Within 30 calendar days after the date of 43
the meeting, the State CIO or the State CIO's designee shall submit a decision, in writing, to the 44
petitioner by certified mail, return receipt requested, and via email, if known. 45
(d) Administrative Review. – If the petitioner disagrees with the decision of the State 46
CIO or the State CIO's designee, the petitioner may commence a contested case under Article 3A 47
of Chapter 150B of the General Statutes. A petition for a contested case shall be filed within 30 48
calendar days after the earlier of either the date the decision of the State CIO or the State CIO's 49
designee is mailed to the petitioner or the date the decision of the State CIO or the State CIO's 50
designee is emailed to the petitioner. Except as otherwise provided by this Article, no other 51 General Assembly Of North Carolina Session 2025
Page 18 Senate Bill 509-First Edition
disputes between the Authority and providers or entities, including disputes involving the terms 1
or conditions of any agreement described in G.S. 90-414.7(b), or a party's performance under 2
any such agreement, are subject to the contested case provisions of Chapter 150B of the General 3
Statutes. 4
"§ 90‑414.16. Data related services. 5
(a) Data Related Services. – The Authority may provide data related services to a covered 6
entity participating in the HIE Network or to a business associate of the participating covered 7
entity that is using the service to perform a function for the participating covered entity. Only 8
covered entities participating in the HIE Network may make a request to the Authority for data 9
related services. Nothing in this section shall be construed to require the Authority to provide 10
data related services to covered entities or their business associates. Data disclosed or used in the 11
Authority's provision of these services to any person or entity shall not be used for commercial 12
purposes. 13
(b) Cost Recovery. – If the Authority voluntarily elects to provide a data related service 14
to a covered entity, then it may charge a reasonable fee that may not exceed the actual cost 15
incurred for the service. The cost recovery shall be based on generally accepted accounting 16
principles and may include labor costs of the personnel providing the service, any information 17
technology expense, and any other administrative expense." 18
SECTION 2. The deadline for submitting the first report due under G.S. 90-414.13 19
and the accompanying State health data assessment fee, if applicable, is May 1, 2028. 20
SECTION 3. Pursuant to G.S. 90-414.14(b), the initial State health data assessment 21
fee schedules for annual compliance report periods beginning in 2028, 2029, and 2030 are as 22
follows: 23
(1) For the annual compliance report period beginning in 2028: 24
Amount of State Health Care Funds State Health Data Assessment Fee: Amount 25
received in 2024 Due 26
$1,000,000 + 1.6% of State health care funds received in 2027 27
$750,001 – $1,000,000 $9,000 28
$500,001 – $750,000 $6,000 29
$250,001 – $500,000 $3,000 30
Less than $250,000 (No fee) 31
(2) For the annual compliance report period beginning in 2029: 32
Amount of State Health Care Funds State Health Data Assessment Fee: Amount 33
received in 2025 Due 34
$1,000,000 + 1.6% of State health care funds received in 2028 35
$750,001 – $1,000,000 $12,000 36
$500,001 – $750,000 $8,000 37
$250,001 – $500,000 $4,000 38
Less than $250,000 (No fee) 39
(3) For the annual compliance report period beginning in 2030: 40
Amount of State Health Care Funds State Health Data Assessment Fee: Amount 41
received in 2026 Due 42
$1,000,000 + 1.6% of State health care funds received in 2029 43
$750,001 – $1,000,000 $15,000 44
$500,001 – $750,000 $9,000 45
$250,001 – $500,000 $4,500 46
Less than $250,000 (No fee) 47
SECTION 4. This act becomes effective December 1, 2025. 48