Maine: Health and Pharma Overview


1. Governing Texts

Maine has a comprehensive set of data protection laws and regulations governing the health sector and health care information.  The same is not true for the pharmaceutical sector or scientific research. Although Maine's law places restrictions on the use of certain prescription drug information for marketing purposes, Maine generally permits the use of health care information for scientific research purposes, provided that the information is used in a manner that protects the identification of individuals. Maine generally defers to federal regulations in the area of human subject research. 

1.1. Legislation

The key Maine statute governing the health sector and confidentiality of health care information is §1711-C of Chapter 401 of Part 4 of Subtitle 2 of Title 22 of the Maine Revised Statutes ('M.R.S.').

In addition, the Code of Maine Rules ('CMR') contains rules regarding the release to the public of confidential health information submitted to the Maine Health Data Organization ('MHDO'). The MHDO is charged with making data publicly available and accessible to the broadest extent consistent with the laws protecting individual privacy and proprietary information. The rules are contained within 90-590 CMR, Chapter 120, Release of Data to the Public.

Finally, 22 M.R.S. §1711-C(11) goes so far as to state that health care information that is subject to 'other provisions of state or federal law, rule or regulation is governed solely by those provisions'. Read strictly, this could mean that any health care information that is subject to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') is governed solely by HIPAA and not by 22 M.R.S. §1711-C, which would significantly undercut the importance of 22 M.R.S. §1711-C.  

The better reading is that 22 M.R.S. §1711-C is intended to serve as a general framework, from which more specific laws, rules, and regulations may deviate to address particular concepts.

This interpretation finds support in 22 M.R.S. §1711-C's identification of a number of such specific laws, rules, and regulations, including the following: 

1.2. Supervisory authorities

In the health and pharmaceutical sector in Maine, the competent supervisory authorities are:

The Attorney General ('AG')

Pursuant to 22 M.R.S. §1711-C(13), the AG may bring an action to enjoin unlawful disclosure of health care information if he/she has reason to believe that a person has intentionally violated a provision of 22 M.R.S. §1711-C.  

In addition, an individual aggrieved by conduct in violation of 22 M.R.S. §1711-C may bring a civil action against a person who has intentionally unlawfully disclosed health care information.  In the action, the aggrieved individual may seek to enjoin the person's unlawful disclosure, recover costs and impose a forfeiture or penalty. 

Any enforcement action commenced by the AG or an aggrieved individual pursuant to 22 M.R.S. §1711-C must be commenced within two years of the date that the unlawful disclosure was or should reasonably have been discovered.  

22 M.R.S. §1711-C(13) expressly provides that a person aggrieved by conduct in violation of this section is not prohibited from pursuing all available common law remedies, including but not limited to an action based on negligence.  

The MHDO

22 M.R.S. §1711-C(1)(E) instructs the MHDO to 'adopt rules to define health care information that directly identifies an individual'.  The purpose of the MHDO, an independent executive agency established by the Maine Legislature in 1995, is to create and maintain a useful, objective, reliable and comprehensive health information database that is used to improve the health of Maine citizens and to issue certain reports (§§8707-8713 of Subchapter 1 of Chapter 1683 Subtitle 6 of Title 22 M.R.S.).

The statute directs the MHDO to collect and analyse certain health care information from health care facilities and providers, as well as payors. The MHDO is required to adopt rules to make such information 'publicly accessible while protecting patient confidentiality and respecting providers of care' (22 M.R.S. §8707). Such rules are contained within 90-590 CMR, Chapter 120, Release of Data to the Public.

See the section on Definitions below for the relevant MHDO rules and definitions.

1.3. Guidelines

Not applicable.

1.4. Definitions

Health care information: Information that directly identifies the individual and that relates to an individual's physical, mental or behavioural condition, personal or family medical history or medical treatment, or the health care provided to that individual. 

'Health care information' does not include information that protects the anonymity of the individual by means of encryption or encoding of individual identifiers or information pertaining to or derived from federally sponsored, authorised, or regulated research governed by the Code of Federal Regulations ('CFR'), specifically the Protection of Human Subjects, 21 Code of Federal Regulations Part 50 and Institutional Review Boards, 21 CFR Part 56, and Protection of Human Subjects, 45 CFR Part 46, to the extent that such information is used in a manner that protects the identity of individuals (22 M.R.S. §1711-C(1)(E)). Thus, records that contain no 'information that directly identifies [an] individual' do not constitute 'health care information,' and are not protected by 22 M.R.S. §1711-C's confidentiality provision.   

Protected health information: Any individually identifiable health information (including any combination of data elements) that relates to (§2(34), 90-590 CMR 120):

  • the past, present, or future physical or mental health or condition of an individual; or
  • the past, present, or future payment for the provision of health care to an individual;

and:

  • identifies an individual; or
  • with respect to which there is a reasonable basis to believe that the information can be used to identify an individual patient.

Direct patient identifiers: Information such as name, social security number, and date of birth, that uniquely identifies an individual or that can be combined with other readily available information to uniquely identify an individual (§2(27), 90-590 CMR 120).  
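The statutory carve-out for information that 'protects the anonymity of the individual by means of encryption or encoding of individual identifiers' and the MHDO definition of direct patient identifiers above describe an outcome, not a method. The following is an added example, not code from the article, the statute or the MHDO rules, showing one way a facility could implement that encoding before releasing records for research: each direct identifier is replaced by a keyed HMAC-SHA256 token, with the key retained by the disclosing facility, so the recipient can link a patient's records across a dataset but cannot test candidate identifiers against the tokens. It also shows why an unkeyed hash is not an adequate encoding: a date of birth hashed without a key is recovered by enumerating every calendar date. The field names, the sample record and the key are constructed for the example; whether a particular scheme satisfies the statutory exclusion is a legal determination the article does not make.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta
from typing import Optional

# Direct patient identifiers as described in 90-590 CMR 120 §2(27). The field
# names are an assumption for this example, not a schema from the rule.
DIRECT_IDENTIFIERS = ("name", "ssn", "date_of_birth")

SAMPLE_RECORD = {  # constructed sample record, not real patient data
    "name": "Jane Q. Sample",
    "ssn": "000-12-3456",
    "date_of_birth": "1978-04-09",
    "diagnosis_code": "E11.9",
    "encounter_date": "2023-11-02",
}


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace each direct identifier with an HMAC-SHA256 token under `key`.

    Tokens are deterministic for one key, so a patient's records stay
    linkable for research; without the key a token cannot be matched
    against a candidate identifier. Other fields pass through unchanged.
    """
    if len(key) < 32:
        raise ValueError("key must be at least 32 random bytes")
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            # Prefixing the field name keeps tokens for different fields distinct
            # even when two fields happen to hold the same string.
            msg = f"{field}:{value}".encode()
            out[f"{field}_token"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
        else:
            out[field] = value
    return out


def contains_direct_identifier(pseudonymised: dict, original: dict) -> bool:
    """True if any original direct-identifier value survives in the output."""
    blob = json.dumps(pseudonymised)
    return any(str(original[f]) in blob for f in DIRECT_IDENTIFIERS if f in original)


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a plain SHA-256 of the identifier with no key."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_dob(digest: str, first_year: int = 1900, last_year: int = 2025) -> Optional[str]:
    """Dictionary attack over every calendar date in the range.

    Succeeds against an unkeyed hash of a date of birth in well under a
    second; returns None against a keyed token, which it cannot match.
    """
    day = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while day <= end:
        candidate = day.isoformat()
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
        day += timedelta(days=1)
    return None
```

The key must live with the disclosing facility (ideally in a KMS or HSM), never alongside the released dataset, since whoever holds it can re-identify by recomputing tokens. The same dictionary attack applies to an unkeyed hash of a social security number: the space is only a billion values, which is larger than the date space but still trivially enumerable.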

Health care: Preventative, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, services, treatment, procedures or counselling, including appropriate assistance with a disease or symptom management and maintenance, that affects an individual's physical, mental, or behavioural condition, including individual cells or their components or genetic information, or the structure or function of the human body or any part of the human body (22 M.R.S. §1711-C(1)(C)). 

'Health care' includes (22 M.R.S. §1711-C(1)(C)):

  • prescribing, dispensing or furnishing to an individual, drugs, biologicals, medical devices or health care equipment and supplies; 
  • providing hospice services to an individual; and 
  • the banking of blood, sperm, organs or any other tissue.

Health care practitioner: Any person licensed by Maine to provide, or otherwise lawfully providing, health care, as well as any partnership or corporation made up of such persons and any officer, employee, agent or contractor of such persons acting in the course and scope of employment, agency or contract 'related to or supportive of the provision of health care to individuals' (22 M.R.S. §1711-C(1)(F)).

Health care facility: A facility, institution or entity licensed pursuant to Title 22 M.R.S. that offers health care to persons in Maine, including a home health care provider, hospice program and a licensed pharmacy. For the purpose of this section, 'health care facility' does not include a state mental health institution, the Elisabeth Levinson Center, the Aroostook Residential Center, or Freeport Towne Square (22 M.R.S. §1711-C(1)(D)).

2. Clinical Research and Clinical Trials

2.1. Data collection and retention

Not applicable.

2.2. Consent

Please see more information on Consent under the section on Data Management below.

2.3. Data obtained from third parties

Not applicable.

3. Pharmacovigilance

Not applicable.

4. Biobanking

Not applicable.

5. Data Management

22 M.R.S. §1711-C requires healthcare practitioners and healthcare facilities to treat healthcare information as confidential. 

Records containing information 'pertaining to or derived from federally sponsored, authorised or regulated research' governed by the U.S. Food and Drug Administration ('FDA') regulations (21 CFR Part 50 and 21 CFR Part 56) and the U.S. Department of Health and Human Services ('DHHS') Common Rule (Basic HHS Policy for Protection of Human Research Subjects, Subpart A of 45 CFR Part 46), which provide protection for human subjects in research, are not protected by 22 M.R.S. §1711-C's confidentiality provision 'to the extent that such information is used in a manner that protects the identity of individuals.'

Disclosure of health care information under 22 M.R.S. §1711-C

Restrictions on Disclosure

22 M.R.S. §1711-C generally prohibits health care practitioners, health care facilities, and state-designated health information exchanges from disclosing an individual's health care information without a valid written authorisation from the individual, except in certain enumerated circumstances. 

Written authorisation must disclose the following (22 M.R.S. §1711-C(3)):

  • the name and signature of the individual and the date of signature. If the authorisation is in electronic form, a unique identifier of the individual and the date the individual authenticated the electronic authorisation must be stated in place of the individual's signature and date of signature;   
  • the types of persons authorised to disclose health care information and the nature of the health care information to be disclosed;   
  • the identity or description of the third party to whom the information is to be disclosed;   
  • the specific purpose or purposes of the disclosure and whether any subsequent disclosures may be made pursuant to the same authorisation;
  • the duration of the authorisation;
  • a statement that the individual may refuse authorisation to disclose all or some health care information, but that refusal may result in improper diagnosis or treatment, denial of coverage or a claim for health benefits or other insurance or other adverse consequences;
  • a statement that the authorisation may be revoked at any time by the individual by executing a written revocation, subject to the right of any person who acted in reliance on the authorisation prior to receiving notice of revocation, instructions on how to revoke authorisation and a statement that revocation may be the basis for denial of health benefits or other insurance coverage or benefits; and
  • a statement that the individual is entitled to a copy of the authorisation form.

In certain circumstances, an oral authorisation, or an authorisation provided by a third party other than the individual whose health care information is at issue, may be acceptable (see 22 M.R.S. §1711-C(3-A) and (3-B)).

An authorisation to disclose may not extend longer than 30 months, except where the duration of an authorisation for the purposes of insurance coverage is governed by separate statutes (22 M.R.S. §1711-C(4)).  
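The elements listed above, the 30-month cap in 22 M.R.S. §1711-C(4) and the revocation rule (which protects a person who acted in reliance on the authorisation before receiving notice of revocation) are the checks a records system would enforce before releasing information under an authorisation. The added example below is not code from the article or from any Maine agency; it models an authorisation record and gates a proposed disclosure on it. The record layout, field names and sample values are assumptions for the example. The statements the form must make to the individual (right to refuse, how to revoke, entitlement to a copy) are form content and are not checked here.

```python
from calendar import monthrange
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

MAX_AUTHORISATION_MONTHS = 30  # 22 M.R.S. §1711-C(4)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class Authorisation:
    # Record layout is an assumption for this example, not a statutory form.
    individual_name: str
    authorised_disclosers: Tuple[str, ...]      # types of persons authorised to disclose
    information_types: Tuple[str, ...]          # nature of the information to be disclosed
    recipient: str                              # identity or description of the third party
    purposes: Tuple[str, ...]                   # specific purpose(s) of the disclosure
    expires_on: str                             # ISO date on which the authorisation ends
    signed_on: Optional[str] = None             # date of handwritten signature, or
    electronic_id: Optional[str] = None         # unique identifier (electronic form) plus
    authenticated_on: Optional[str] = None      # date the individual authenticated it
    revocation_received_on: Optional[str] = None  # date written revocation was received


def amended(auth: Authorisation, **changes) -> Authorisation:
    """Copy of an authorisation with some fields changed (for variants below)."""
    return replace(auth, **changes)


def effective_date(auth: Authorisation) -> Optional[date]:
    """Start of the authorisation: signature date, or electronic authentication date."""
    if auth.signed_on:
        return date.fromisoformat(auth.signed_on)
    if auth.electronic_id and auth.authenticated_on:
        return date.fromisoformat(auth.authenticated_on)
    return None


def validation_errors(auth: Authorisation) -> List[str]:
    """Every §1711-C(3)/(4) element the record fails to satisfy; empty means valid."""
    errors = []
    if not auth.individual_name.strip():
        errors.append("individual's name missing")
    start = effective_date(auth)
    if start is None:
        errors.append("needs a signature date, or an electronic unique identifier "
                      "with the date of authentication")
    for label, value in (("authorised disclosers", auth.authorised_disclosers),
                         ("information types", auth.information_types),
                         ("purposes", auth.purposes)):
        if not value:
            errors.append(f"{label} missing")
    if not auth.recipient.strip():
        errors.append("recipient missing")
    if start is not None:
        latest = add_months(start, MAX_AUTHORISATION_MONTHS)
        if date.fromisoformat(auth.expires_on) > latest:
            errors.append(f"duration exceeds 30 months (latest permitted expiry {latest.isoformat()})")
    return errors


def disclosure_permitted(auth: Authorisation, on: str) -> Tuple[bool, str]:
    """Decide whether a disclosure on ISO date `on` falls within the authorisation."""
    errors = validation_errors(auth)
    if errors:
        return False, "invalid authorisation: " + "; ".join(errors)
    when = date.fromisoformat(on)
    if when < effective_date(auth):
        return False, "authorisation not yet effective"
    if when > date.fromisoformat(auth.expires_on):
        return False, "authorisation expired"
    # Disclosures made before notice of revocation was received remain covered.
    if auth.revocation_received_on and when >= date.fromisoformat(auth.revocation_received_on):
        return False, "authorisation revoked"
    return True, "disclosure within authorisation"


SAMPLE_AUTHORISATION = Authorisation(  # constructed example, not a real form
    individual_name="Jane Q. Sample",
    authorised_disclosers=("Hypothetical Family Practice",),
    information_types=("laboratory results",),
    recipient="Hypothetical Health Plan",
    purposes=("claims adjudication",),
    expires_on="2026-07-15",   # exactly 30 months after signature
    signed_on="2024-01-15",
)
```

The revocation field records the date the written revocation was received, not the date the individual executed it, which is what the reliance rule turns on. The duration check counts calendar months from the signature or authentication date rather than a fixed number of days, so a 30-month authorisation signed on 15 January expires on 15 July two years later.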

Prohibition on disclosure for marketing purposes

22 M.R.S. §1711-C(8) prohibits a health care practitioner, facility or state-designated state-wide health information exchange from disclosing health care information 'for the purposes of marketing or sales without written or oral authorisation for the disclosure'.  

In addition, under the Confidentiality of Prescription Drug Information, §1711-E of Chapter 401 of Part 4 of Subtitle 2 of Title 22 M.R.S., insurance companies and other insurance entities (including health maintenance organisations) and prescription drug information intermediaries (including pharmacy benefit managers, health plans and electronic transmission intermediaries) 'may not license, use, sell, transfer or exchange for value, for any marketing purpose, prescription drug information that identifies directly or indirectly the individual who is prescribed the prescription drug'. A violation of 22 M.R.S. §1711-E constitutes a violation of the Maine Unfair Trade Practices Act, §§205-A et seq. of Chapter 10 of Part 1 of Title 5 M.R.S.

Exemptions to disclosure restrictions

Circumstances where disclosure of health care information is permitted without authorisation are provided for in 22 M.R.S. §1711-C(6). These exemptions include the disclosure of health care information for scientific research purposes and for the purposes of the state-designated state-wide health information exchange.

In particular, a health care practitioner or facility may disclose health care information without authorisation from the data subject or their authorised representative when necessary to conduct scientific research approved by an institutional review board or by the board of a non-profit health research organisation, or when necessary for a clinical trial sponsored, authorised, or regulated by the FDA. A person conducting research or a clinical trial may not identify any individual patient in any report arising from the research or clinical trial (22 M.R.S. §1711-C(6)(G)). Moreover, 22 M.R.S. §1711-C(6)(G) further provides that individually identifiable health care information disclosed pursuant to the foregoing scientific research exception 'must be returned to the health care practitioner or facility from which [it] was obtained or must be destroyed when it is no longer required for the research or clinical trial'.

In addition, 22 M.R.S. §1711-C(6)(A) provides that a health care practitioner or facility is not prohibited from disclosing without authorisation health care information to a state-designated state-wide health information exchange that provides an 'individual protection mechanism by which an individual may opt-out from participation to prohibit the state-designated state-wide health information exchange from disclosing the individual's health care information to a health care practitioner or health care facility'.  However, as noted above, the state-designated state-wide health information exchange is prohibited from disclosing healthcare information for marketing purposes.

22 M.R.S. §1711-C(15) grants immunity to a health care practitioner and facility against '[a] cause of action in the nature of defamation, invasion of privacy or negligence [...] for disclosing health care information in accordance with [the provisions of 22 M.R.S. §1711-C].'  The immunity does not extend to disclosures of information made with malice or willful intent to injure any person.  

Confidentiality Policies

In addition to complying with the restrictions on disclosure described above, health care practitioners, health care facilities, and state-designated health information exchanges must implement 'policies, standards and procedures to protect the confidentiality, security and integrity of health care information to ensure that information is not negligently, inappropriately or unlawfully disclosed' (22 M.R.S. §1711-C(7)).  

22 M.R.S. §1711-C(7) prescribes two particular minimum requirements for inclusion in such policies with respect to individuals admitted for inpatient care by health care facilities; namely, such policies must:

  • provide that such admitted individuals are given notice of their right to control the disclosure of health care information; and 
  • provide that routine admission forms include clear written notice of an admitted individual's ability to direct that their name is removed from the directory listing of persons cared for at the facility and notice that removal may result in the inability of the facility to direct visitors and telephone calls to the individual.

Disclosure of patient data relating to communicable diseases

Under §822 of Chapter 250 of Subtitle 2 of Part 3 of Title 22 M.R.S., a physician who knows or has reason to believe that a person whom the physician examines or cares for has a communicable disease is required to notify the Maine Department of Health and Human Services ('HHS') and make such a report as may be required by the rules of the department. Any person receiving information pursuant to 22 M.R.S. §§801-835 must treat as confidential the names of individuals having or suspected of having a communicable disease, as well as any other information that may identify those individuals (22 M.R.S. §824). Information reasonably required for the purposes of this section may be released to the HHS Office for Child and Family Services for certain statutorily authorised purposes, or to other public health officials, agents or agencies, or to officials of a school where a child is enrolled, for public health purposes, provided the release is made in accordance with certain other applicable statutory provisions. Any person receiving a disclosure of identifying information pursuant to Chapter 250 of Title 22 M.R.S. may not further disclose this information without the consent of the infected individual.

6. Outsourcing

Not applicable.

7. Data Transfers

Other than 22 M.R.S. §1711-C, there are no Maine statutes or regulations governing data transfers generally. 

Maine does, however, have laws and regulations restricting and otherwise governing the disclosure of health care information relating to particular contexts.

Some of these laws and regulations pertain to information contained in centralised health information registries:

  • For example, the Maine Birth Defects Program, established to identify and investigate birth defects in children, includes a central registry for cases of birth defects, which is maintained by the HHS (§8943 of Chapter 1687 of Subtitle 6 of Title 22 M.R.S.). Information within that registry that directly or indirectly identifies individual persons is confidential and may be distributed from the registry only in accordance with rules adopted by the HHS (22 M.R.S. §8943). Those rules provide that such information may be disclosed only to 'qualified organizations with a documented history of scientific research or other researchers determined to be appropriate by the Maine Birth Defects Program', and such recipients may be required to execute appropriate confidentiality agreements (§280.07 of 10-144 CMR, Chapter 280, Maine Birth Defects Program Rule).
  • The HHS also maintains the Maine Cancer Registry, which includes statewide information regarding cancer incidence (§1404 of Chapter 255 of Part 3 of Title 22 M.R.S.). Researchers seeking to review individual patient identifying information included in the Maine Cancer Registry must submit a request for approval by the Cancer Registry Subcommittee of the Cancer Prevention and Control Advisory Committee. Such requests must include: 
    • a comprehensive protocol that contains a satisfactory study description that addresses, among other things, informed consent and confidentiality; 
    • a statement that identifies the benefits of the study for Maine residents; and 
  • the submission of an Institutional Review Board approval for the study.

Other laws and regulations pertain to particularly sensitive health information maintained by health care providers, state health departments, or state-designated, state-funded and state-licensed health agencies and facilities:

  • For example, there are particular requirements applicable to the disclosure by designated agencies of information of persons with a mental illness or disability (where 'person with a disability' means 'a person with a physical or mental impairment that substantially limits one or more of the major life activities of that person and includes, but is not limited to, a person with a developmental disability, a learning disability, or a mental illness'). These include restrictions on the agency's disclosure of such information to a data subject with a mental illness, as well as restrictions on the agency's disclosure of such information to third parties without the data subject's consent (§19507 of Chapter 511 of Part 24 of Title 5 M.R.S.).
  • Orders of commitment, medical and administrative records, applications and reports, and facts contained in them, pertaining to mental health clients must be kept confidential and generally may not be disclosed other than pursuant to certain enumerated exceptions (34-B M.R.S. §1207).
  • Records of persons with an intellectual disability or autism receiving services must also be kept confidential and generally may not be disclosed other than pursuant to the aforementioned enumerated exceptions (34-B M.R.S. §5605(15)).
  • Subject to a few narrow exceptions, the results of an HIV test may be disclosed only to the subject of the test and to a health care provider designated by the subject in writing (§19203(1)-(2) of Chapter 501 of Part 23 of Title 5 M.R.S.). When a patient has authorised the disclosure of HIV test results to a person or organisation providing health care, the patient's health care provider may make these results available only to other health care providers working directly with the patient and only for the purpose of providing direct medical or dental patient care.
  • Registration and other records held by substance abuse treatment facilities must be kept confidential and are privileged to the patient (§20047 of Chapter 521 of Part 25 of Title 5 M.R.S.). The HHS Commissioner may make available information from patients' records for purposes of research into the causes and treatment of substance use disorders. However, such information may not be published in a way that discloses patients' names or other identifying information.
  • Subject to certain exceptions, HHS may not release confidential information in its possession relating to a residential facility for the care, treatment or rehabilitation of drug users, including alcohol users, without a court order or a written release from the person about whom the confidential information has been requested (§7703(2) of Chapter 1661 of Subtitle 6 of Title 22 M.R.S.). Confidential information covered by the law includes (i) information that identifies, directly or indirectly, a recipient of services of the drug treatment facility or a member of their family; and (ii) information about the private life of a person in which there is no legitimate public interest and that would be offensive to a reasonable person if disclosed.  The statute also provides for optional and mandatory releases of confidential information by HHS in specified circumstances. However, information released pursuant to a mandatory or optional disclosure must be used solely for the purpose for which it was provided and may not be further disseminated (22 M.R.S. §7703(5)).

8. Breach Notification

Maine's general data breach notification law, the Notice of Risk to Personal Data Act, §§1346 et seq. of Chapter 210-B of Part 3 of Title 10 M.R.S. ('the Notice of Risk to Personal Data Act'), applies to health care practitioners and health care facilities much as it does to any persons or entities within the scope of that law, which governs the unauthorised disclosure of certain types of personal data.

Note, however, that the foundational definition of 'personal information' in the Notice of Risk to Personal Data Act does not include health care information. In particular, 10 M.R.S. §1347(7) defines 'personal information' to include:

  • social security number; 
  • driver's license number or state identification card number; 
  • account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or password; 
  • account passwords or personal identification numbers or other access codes; and 
  • any of the data elements in the four preceding items, when not in connection with the individual's first name, or first initial, and last name, if the information, if compromised, would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.

For additional information on Data Breach, please see Maine – Data Breach Guidance Note.

9. Data Subject Rights

Other than 22 M.R.S. §1711-C, there are no Maine statutes or regulations governing data subject rights generally. Note, however, that the specialised laws described under the section on Data Transfers above may apply.

10. Penalties

A person who intentionally violates 22 M.R.S. §1711-C is subject to a civil penalty not to exceed $5,000, payable to the State of Maine, plus costs (22 M.R.S. §1711-C(13)(C)). In addition, if a court finds that intentional violations of this section have occurred with sufficient frequency to constitute a general business practice, the person is subject to a civil penalty not to exceed $10,000 for health care practitioners and $50,000 for health care facilities, payable to the State.

A person who knowingly violates the confidentiality provisions regarding communicable diseases is civilly liable for actual damages suffered by a person reported upon and for punitive damages and commits a civil violation for which a fine of not more than $500 may be adjudged (22 M.R.S. §825).

11. Other Areas of Interest

Insurance

The Maine Insurance Data Security Act ('the Insurance Data Security Act'), effective on 1 January 2022, establishes detailed requirements for information security programs, based on ongoing risk assessment, for protecting consumers' personal information. The Insurance Data Security Act also establishes requirements for the investigation of, and notification to the Superintendent of Insurance regarding, cybersecurity events. The Insurance Data Security Act applies to insurance companies, insurance agents and brokers, and other persons operating under or required to operate under a licence or registration pursuant to Maine law.

Under the Insurance Data Security Act, protected personal information includes ‘[i]nformation or data . . . in any form or medium created by or derived from a health care provider or a consumer and that relates to:

  • the past, present or future physical, mental, or behavioural health or condition of a consumer;
  • the provision of health care to a consumer; or
  • the payment for the provision of health care to a consumer'.  

Personal information also includes information that, because of 'name, number, personal mark, or other identifier', can be used in combination with biometric records to identify a consumer.

'Cybersecurity event' means 'an event resulting in unauthorised access to, disruption of or misuse of an information system or information stored on an information system'.

Insurance licensees are required to notify the Superintendent of Insurance no later than 72 hours from a determination that a cybersecurity event has occurred if the licensee reasonably believes that the personal information involved concerns 250 or more consumers residing in Maine and that the cybersecurity event has a reasonable likelihood of materially harming any consumer residing in Maine or any material part of the normal operation of the licensee.

Physician-Patient Privilege

In Maine, medical records of non-party patients, even when redacted to remove personally identifiable information, are protected from discovery by the physician-patient privilege in a medical malpractice case (Estate of Carol A. Kennelly v. Mid Coast Hospital, 2020 ME 115 (2020) ('Kennelly')). The physician-patient privilege is found in Maine Rule of Evidence 503 and protects confidential communications between a patient and the patient's physician. The Maine Supreme Judicial Court ('the SJC') reached its holding in Kennelly notwithstanding its finding that non-party patient medical records, when redacted of all personally identifiable information, are not protected by HIPAA or 22 M.R.S. §1711-C.

Because this was an issue of first impression in Maine, the SJC considered the approaches of other states that have dealt with the issue.  The SJC found that, in a majority of states that have addressed the issue, once such identifying information has been redacted, the physician-patient privilege no longer protects non-party medical records from disclosure.  In other states, however, redaction of a non-party's personally identifying information is deemed insufficient to protect the non-party's privacy interests, so that the physician-patient privilege continues to prevent the disclosure of all portions of non-party patient records even when the records have been significantly redacted.

In adopting the approach taken in a minority of states, the SJC, other than stating its conclusion 'that the non-party privacy interests at stake are best served by the latter approach,' provided no explanation or justification for holding that there should be greater privacy protection for de-identified medical records in the context of medical malpractice litigation. Nor did the SJC attempt to reconcile its holding with the conflicting approaches taken in HIPAA and the Maine statute. As observed by Justice Jabar in his dissenting opinion, '[i]t does not make sense to hold that HIPAA and the Maine statute provide less protection to a patient's confidential record than a court created rule of evidence pertaining to the same records.'

The decision in Kennelly may have patient privacy implications for health care organisations in Maine which extend beyond medical malpractice litigation. 

Telemedicine

In the telemedicine context, the Maine Board of Licensure in Medicine ('the Medicine Licensure Board') and the Maine Board of Osteopathic Licensure ('the Osteopathic Board') have jointly established standards for the practice of medicine using telemedicine in providing health care, set out in 02-373 CMR, Chapter 6, Telemedicine Standards of Practice ('the Telemedicine Standards').

Under the Telemedicine Standards, physicians or physician assistants licensed by either the Medicine Licensure or the Osteopathic Boards who use telemedicine in providing health care must ensure that their telemedicine encounters comply with HIPAA's privacy and security requirements and other applicable law (§14(A) of the Telemedicine Standards). Expressly required are written protocols, which must be periodically evaluated for currency, and accessible and readily available for review, that include 'sufficient privacy and security measures to ensure the confidentiality and integrity of patient-identifiable information, including password protection, encryption or other reliable authentication techniques' (§14(A)(2) of the Telemedicine Standards).  

Telemedicine is defined as 'the practice of medicine or the rendering of health care services using electronic audio-visual communications and information technologies or other means, including interactive audio with the asynchronous store-and-forward transmission, between a licensee in one location and a patient in another location with or without an intervening health care provider' (§2(9) of the Telemedicine Standards).  

Telemedicine includes 'asynchronous store-and-forward technologies, remote monitoring, and real-time interactive services, including teleradiology and telepathology,' but does not include 'the provision of medical services only through an audio-only telephone, e-mail, instant messaging, facsimile transmission, or US mail or another parcel service, or any combination thereof' (§2(9) of the Telemedicine Standards).

Peter Guffin, Partner
Vivek Rao, Attorney
Pierce Atwood LLP, Maine