New Mexico 2025 Regular Session

New Mexico Senate Bill SB404 Introduced / Bill

Filed 02/14/2025

                    underscored material = new
[bracketed material] = delete
SENATE BILL 404
57TH LEGISLATURE - STATE OF NEW MEXICO - FIRST SESSION, 2025
INTRODUCED BY
Mimi Stewart
AN ACT
RELATING TO PRIVACY; STRENGTHENING PRIVACY PROTECTIONS FOR
PATIENT RECORDS BY REQUIRING SEGREGATION OF CERTAIN HEALTH CARE
INFORMATION; PROHIBITING DISCLOSURE OF CERTAIN HEALTH CARE
INFORMATION; REPEALING SECTION 24-14-18 NMSA 1978 (BEING LAWS
1977, CHAPTER 206, SECTION 2, AS AMENDED) THAT REQUIRES THE
REPORTING OF INDUCED ABORTION.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:
SECTION 1. Section 24-14B-1 NMSA 1978 (being Laws 2009,
Chapter 69, Section 1) is amended to read:
"24-14B-1.  SHORT TITLE.--[This act] Chapter 24, Article
14B NMSA 1978 may be cited as the "[Electronic Medical] Patient
Records Privacy Act"."
SECTION 2. Section 24-14B-2 NMSA 1978 (being Laws 2009,
Chapter 69, Section 2) is amended to read:
"24-14B-2.  PURPOSE.--The purpose of the [Electronic
Medical] Patient Records Privacy Act is to provide for the
secure use, disclosure and protection of an individual's
electronic [medical] patient records."
SECTION 3. Section 24-14B-3 NMSA 1978 (being Laws 2009,
Chapter 69, Section 3) is amended to read:
"24-14B-3.  DEFINITIONS.--As used in the [Electronic
Medical] Patient Records Privacy Act:
A.  "demographic information" means information that
identifies the individual who is the subject of the health care
information, including the individual's name, date of birth and
address and other information necessary to identify the
individual, that may be used to identify the individual or that
associates the individual with the individual's electronic
[medical] patient record;
B.  "disclose" means to release, transfer, provide,
give access to or otherwise divulge in any other manner
information outside the entity holding the information; 
C.  "electronic" means relating to technology having
electrical, digital, magnetic, wireless, optical,
electromagnetic or similar capabilities;
D.  "electronic [medical] patient record" means an
electronic record of an individual patient's health care
information that may contain demographic information;
E.  "electronic patient record system" means a
system used to process, store and maintain the patient records
of individuals, including an individual's health care
information;
[E.] F. "electronic signature" means an electronic
sound, symbol or process attached to or logically associated
with a record and executed or adopted by an individual with the
intent to sign the record;
G.  "gender-affirming health care" means
psychological, behavioral, surgical, pharmaceutical or medical
health care, services, procedures or supplies provided to an
individual in support of the individual's gender identity;
[F.] H. "health care" means care, services or
supplies related to the health of an individual and includes: 
(1)  preventive, diagnostic, therapeutic,
rehabilitative, maintenance or palliative care and counseling;
(2)  services, tests, assessments or procedures
that are concerned with the physical or mental condition or
functional status of an individual or that affect the structure
or function of the body of an individual; and
(3)  the sale or dispensing of a drug, a
device, a piece of equipment or other item in accordance with a
prescription;
[G.] I. "health care group purchaser" means a
person who is licensed, certified or otherwise authorized or
permitted by the New Mexico Insurance Code to pay for or
purchase health care on behalf of an identified individual or
group of individuals, regardless of whether the cost of
coverage or services is paid for by the purchaser or the
persons receiving coverage or services and includes contractors
or employees of the health care group purchaser;
[H.] J. "health care information" means any
information, whether oral or recorded in any form or medium,
related to the past, present or future physical or mental
health or condition of an individual or the provision of health
care to an individual [or the past, present or future payment
for the provision of health care to an individual] and includes
the individual's patient records, health care claims and
records of payments for health care or other administrative
data from a provider, health care service plan or
pharmaceutical company;
[I.] K. "health care institution" means an
institution, a facility or an agency licensed, certified or
otherwise authorized or permitted by law to provide health care
in the ordinary course of business and includes a contractor or
an employee of a health care institution;
L.  "health care service plan" means a plan that
arranges for the provision of health care services to
subscribers or enrollees, or to pay for or to reimburse any
part of the cost for those services, in return for a prepaid or
periodic charge paid by or on behalf of the subscribers or
enrollees and includes a contractor or an employee of the
health care service plan; 
[J.] M. "health information exchange" means an
arrangement among persons participating in a defined secure
electronic network service, such as a regional health
information organization, that allows the sharing of health
care information about individual patients among different
health care institutions or unaffiliated providers, and
includes a contractor or an employee of a health information
exchange.  The use of an electronic [medical] patient record
system by a health care provider, by or within a health care
institution or by an organized health care arrangement as
defined by the federal Health Insurance Portability and
Accountability Act of 1996 does not constitute a health
information exchange; 
[K.] N. "information" means data, including text,
images, sounds and codes and computer programs, software and
databases;
[L.] O. "provider" means an individual [who] or
entity that is licensed, certified or otherwise authorized or
permitted by law in this state to provide health care,
including reproductive health care and gender-affirming health
care, and to access health care information in the ordinary
course of business or practice of a profession;
[M.] P. "record" means information that is
inscribed on a tangible medium or that is stored in an
electronic or other medium and is retrievable in perceivable
form;
[N.] Q. "record locator service" means an
information service that contains demographic information and
the location of health care information of a specified
individual across different health care institutions or
unaffiliated providers that participate in the service, and
includes a contractor or an employee of a record locator
service.  The use of an electronic [medical] patient record
system by a health care provider or by an organized health care
arrangement as defined by the federal Health Insurance
Portability and Accountability Act of 1996 does not constitute
a record locator service; [and]
R.  "reproductive health care" means psychological,
behavioral, surgical, pharmaceutical or medical care, services
or supplies that relate to the human reproductive system,
including services related to:
(1)  preventing a pregnancy;
(2)  abortion;
(3)  managing a pregnancy loss;
(4)  prenatal, birth, perinatal and postpartum
health;
(5)  managing perimenopause and menopause;
(6)  managing infertility;
(7)  treating cancers of the reproductive
system; or
(8)  preventing or treating sexually
transmitted infections or diseases; and
[O.] S. "treatment" means the provision,
coordination or management of health care and related services
by one or more providers, including the coordination or
management of health care by a provider with a third party;
consultation between providers relating to an individual; or
the referral of an individual for health care from one provider
to another."
SECTION 4.  Section 24-14B-6 NMSA 1978 (being Laws 2009,
Chapter 69, Section 6, as amended) is amended to read:
"24-14B-6.  USE AND DISCLOSURE OF ELECTRONIC HEALTH CARE
INFORMATION--SEGREGATED HEALTH CARE INFORMATION--
REQUIREMENTS.--
A.  A provider, health care institution, health
information exchange, health care service plan or health care
group purchaser shall not use or disclose health care
information in an individual's electronic [medical] patient
record to another person without the consent of the individual
except as [allowed] required by state or federal law.
B.  A health information exchange or electronic
patient record system operating in the state that
electronically stores or maintains medical information,
electronic patient records, personal health records, health
care claims, payments or other administrative data on behalf of
a provider, health care service plan, pharmaceutical company,
contractor or employer shall:
(1)  segregate an individual's health care
information related to reproductive health care, gender-
affirming health care, mental health care, alcohol or substance
use treatment and any other similar health care or health care
service as deemed appropriate for record segregation by the
health care authority;
(2)  limit user access privileges to an
individual's segregated health care information to persons or
entities to whom the individual has provided written
authorization for access;
(3)  provide a process for an individual to
provide written authorization to disable access to the
individual's segregated health care information by persons or
entities in another state; and
(4)  notify an individual whose segregated
health care information is the subject of a civil, criminal or
regulatory inquiry, investigation, subpoena or summons for the
release of the individual's segregated health care information
and notify each provider that rendered health care as
documented in the individual's segregated health care
information at least thirty days prior to complying with the
civil, criminal or regulatory inquiry, investigation, subpoena
or summons for release of the individual's segregated health
care information.
[B.] C. A provider, health care institution, 
health care service plan or health care group purchaser may
disclose demographic information and information about the
location of an individual's electronic [medical] patient
records to a record locator service in accordance with state or
federal law.  A provider or health care institution
participating in a health information exchange using a record
locator service shall not have access to demographic
information, information about the location of the individual's
electronic [medical] patient records or information in an
individual's electronic [medical] patient record except in
connection with the treatment of the individual or as permitted
by the consent of the individual or as otherwise permitted by
state or federal law.
[C.] D. A record locator service shall maintain an
audit log of persons obtaining access to information in the
record locator service, which audit log shall contain, at a
minimum, information on:
(1)  the identity of the person obtaining
access to the information;
(2)  the identity of the individual whose
information was obtained;
(3)  the location from which the information
was obtained;
(4)  the specific information obtained; and
(5)  the date that the information was
obtained.
[D.] E. The audit log shall be made available by a
health information exchange on the request of an individual
whose health care information is the subject of the audit log;
provided, however, that the audit log made available to the
individual shall include only information related to that
individual.  The audit log shall be made available to the
requesting individual annually for a fee not to exceed twenty-
five cents ($.25) per page as established by the [department
of] health care authority.
[E.] F. A record locator service shall provide a
mechanism under which individuals may exclude their demographic
information and information about the location of their
electronic [medical] patient records from the record locator
service.  A person operating a record locator service or a
health information exchange that receives an individual's
request to exclude all of the individual's information from the
record locator service is responsible for removing that
information from the record locator service within thirty days. 
An individual's request for exclusion of information shall be
in writing and shall include a waiver of liability for any harm
caused by the exclusion of the individual's information.
[F.] G. When information in an individual's
electronic [medical] patient record is requested using a record
locator service or a health information exchange:
(1)  the requesting provider or health care
institution shall warrant that the request is for the treatment
of the individual, is permitted by the individual's written
authorization or is otherwise permitted by state or federal
law; and
(2)  the person disclosing the information may
rely upon the warranty of the person making the request that
the request is for the treatment of the individual, is
permitted with the consent of the individual or is otherwise
permitted by state or federal law.
H.  Notwithstanding the provisions of Subsection B
of this section or any other provision of law, a provider, a
contractor or an employee of the provider or a health care
service plan shall not release patient records containing an
individual's health care information related to that individual
seeking or obtaining an abortion in response to a subpoena or
request if that subpoena or request is based on another state's
laws that interfere with a person's rights under the
Reproductive and Gender-Affirming Health Care Freedom Act or
the Reproductive and Gender-Affirming Health Care Protection
Act.
[G.] I. Notwithstanding any other provision of law,
information in an individual's electronic [medical] patient
record may be disclosed:
(1)  to a provider that has a need for
information about the individual to treat a condition that
poses an immediate threat to the life of any individual and
that requires immediate medical attention;
(2)  except as provided in the [Electronic
Medical] Patient Records Privacy Act, to a record locator
service or a health information exchange for the development
and operation of the record locator service and the health
information exchange; and
(3)  to a provider, health care institution or
health care group purchaser for treatment, payment or health
care operation activities, in compliance with the federal
Health Insurance Portability and Accountability Act of 1996 and
the regulations promulgated pursuant to that act, and if
applicable, in compliance with 42 U.S.C. Section 290dd-2 and
the regulations promulgated pursuant to that section.
[H.] J. For the purposes of this section, "health
care operation activities" includes administrative, financial,
legal and quality improvement activities of a covered entity
that are necessary to conduct business and to support the core
functions of treatment and payment and are limited to the
activities listed in the definition of "health care operations"
at 45 C.F.R. 164.501."
SECTION 5. Section 24-14B-7 NMSA 1978 (being Laws 2009,
Chapter 69, Section 7) is amended to read:
"24-14B-7.  LIABILITY.--If an individual requests to
exclude all of the individual's information from the record
locator service pursuant to Subsection [E] F of Section [6 of
the Electronic Medical Records Act] 24-14B-6 NMSA 1978, the
record locator service, health information exchange, health
care institution or provider shall not be liable for any harm
to the individual caused by the exclusion of the individual's
information."
SECTION 6. Section 24-14B-8 NMSA 1978 (being Laws 2009,
Chapter 69, Section 8) is amended to read:
"24-14B-8.  OUT-OF-STATE DISCLOSURES.--A disclosure
otherwise permissible under the [Electronic Medical] Patient
Records Privacy Act may be made to providers, health care group
purchasers, health care institutions, health information
exchanges or record locator services located or operating
outside of the state."
SECTION 7. Section 24-14B-9 NMSA 1978 (being Laws 2009,
Chapter 69, Section 9) is amended to read:
"24-14B-9.  EXCLUSION OF CERTAIN INSURERS.--Nothing in the
[Electronic Medical] Patient Records Privacy Act shall be
construed to apply to a person operating as a property and
casualty insurer, workers' compensation insurer, life insurer,
long-term care insurer or disability income insurer."
SECTION 8.  A new section of the Patient Records Privacy
Act, Section 24-14B-11 NMSA 1978, is enacted to read:
"24-14B-11.  [NEW MATERIAL] ENFORCEMENT.--
A.  A health information exchange or electronic
patient record system determined to be in violation of the
Patient Records Privacy Act shall be:
(1)  subject to injunctive relief to cease or
correct the violation;
(2)  liable for a civil penalty of not more
than two thousand five hundred dollars ($2,500) for each
negligent violation; or
(3)  liable for a civil penalty of not more
than seven thousand five hundred dollars ($7,500) for each
intentional violation. 
B.  An individual who claims to have suffered a
deprivation of a right under the Patient Records Privacy Act
may maintain an action to establish liability and recover
damages and equitable or injunctive relief in any New Mexico
district court.
C.  The attorney general or a district attorney may
institute a civil action in district court if the attorney
general or district attorney has reasonable cause to believe
that a violation of the Patient Records Privacy Act has
occurred or to prevent a violation of that act."
SECTION 9. REPEAL.--Section 24-14-18 NMSA 1978 (being
Laws 1977, Chapter 206, Section 2, as amended) is repealed.
SECTION 10. EFFECTIVE DATE.--The effective date of the
provisions of this act is July 1, 2025.
.229583.2