Section 1.

Makes technical changes to GS 90-414.1 (title).  Expands the scope of the Statewide Health Information Exchange Act (Act,) Article 29B of GS Chapter 90, set forth in GS 90-414.2 to include the State as an entity involved in the sharing of health information. Adds five new terms to the definitions provisions of the Act and makes technical changes. Defines State-funded health care to mean (1) the NC Medicaid Program, (2) the State Health Plan for Teachers and State Employees, and (3) health care facilities and health care programs administered or operated by the Department of Health and Human Services (DHHS), the Department of Public Safety (DPS), or the Department of Adult Correction (DAC), and their employees, agents, or grantees. Defines state health care funds as monies providers or entities for the provision of health care services to recipients of State-funded health care, including both (i) direct payments from the State to providers and entities and (ii) payments that providers and entities receive from third parties, or the agents of third parties, that are retained by the State for the administration or delivery, or both, of State-funded health care, including prepaid health plans as defined in GS 108D-1 and claims processors as defined in GS 135-48.1.

Removes licensed dentists from those individuals who are required to submit demographic and clinical data to the Health Information Exchange (HIE) network under GS 90-414.4; instead now requires dentists to only submit claims data for State-funded health plans to the HIE Network once daily. Deems a provider as connected to the HIE Network when the covered entity that provides, maintains, controls, directs, or licenses that provider's or entity's data transfer system has met the five requirements, including communicating to the NC HIE Authority (Authority), in writing, the identity of all providers and entities on whose behalf it maintains a data transfer system and providing its organizational national provider identifier (NPI) required under HIPAA.

Removes provisions pertaining to extensions of time and undue hardship exemptions for connection to the HIE Network. Expands the entities required to submit demographic and clinical data to the HIE Network at least twice per day to include each prepaid health plan that is under a capitated contract with DHHS for the delivery of Medicaid services. Now limits the type of Medicaid local management entity/managed care organization (LME/MCO) that is required to submit information to the HIE Network twice daily to those LME/MCO’s that are under a capitated prepaid health plan contract with DHHS. Requires pharmacies to submit claims information for State-funded health plans to the HIE Network once daily. Removes the blanket exemption for substance abuse records protected under 47 CFR § 2 and instead requires disclosure to the HIE Network if the Authority has provided written notice to the participating entity that data protected by 42 C.F.R. § 2 can be disclosed for a specific purpose. Expands the providers that can voluntarily connect to the HIE Network and submit data to include college student health centers and dentists. Clarifies that a covered entity which provides, maintains, controls, directs, or licenses a data transfer system on behalf of providers and entities that are required to connect to, and submit data through, the HIE Network, as well as on behalf of providers and entities that voluntarily  do the same may elect not to submit through the HIE  Network clinical, demographic, or claims data generated by the providers and entities that voluntarily connect to, and submit data through, the HIE Network. Specifies four conditions that apply to any exception granted by the Authority for connecting to and submitting data through the HIE Network, including authorizing a time-limited exception process administered by the Authority for providers and entities to connect to and begin submitting data to the HIE Network, as described. Updates the federal agency information that establishes document exchange and data submission standards. Makes conforming and technical changes.

Permits the Authority, if it participates in the Trusted Exchange Framework and Common Agreement (Agreement), to provide individual access services through the Agreement in GS 90-414.6 (State ownership of NIE Network data). Makes conforming changes. Modifies the Authority’s powers and duties under GS 90-414.7, as follows. Exempts federal agencies that access the HIE Network solely to review patient data for treatment purposes and exchanges made through eHealth Exchange or the Trusted Exchange Framework and Common Agreement from the statute’s requirement that the Authority enter into a HIPAA compliant business arrangement agreement with such an entity, so long as the Authority enters into the agreements that are required to participate in each of these respective national networks. Extends its obligations to facilitate and promote the use of HIE Networks to covered entities to include business associates acting on their behalf. Adds three new duties, including to enforce the Act, provide data related services as allowed under the Act, and adopt rules to implement the appeals process established by GS 90-414.15 (discussed below). Adds another ex officio voting member to the Authority’s Advisory Board established under GS 90-414.8. Makes conforming changes to GS 90-414.9 (participation by covered entities). Expands the types of civil or criminal penalties and civil remedies that may be imposed for violations under GS 90-414.12 to include those applicable under any federal law or regulation (currently, just the HITECH act and regulations). Makes it unlawful for any person or entity to knowingly present or cause to be presented to the Authority a false record in its annual report (discussed below) to avoid full payment of the State health data assessment (described below). Subjects those persons or entities to a fine of at least $5,000 but not more than $10,000 per violation, plus three times the amount of damages sustained by the Authority as a result of that person's or entity's actions. Allows for the Authority to assess daily penalties capped at $50 per day or each day after the required reporting period or deadline that the annual compliance report remains out of compliance with the requirements prescribed by GS 90-414.13.

Enacts GS 90-414.13, requiring each covered entity that provides, maintains, controls, directs, or licenses the data transfer system of a provider or entity subject that provides health care services to beneficiaries of State-funded health care to submit an annual compliance report to the Authority by May 1 each year with the daily civil penalty discussed above starting to accrue after the first of May.  Requires the annual report to cover seven prongs of information including the status of technical connection and data submission to the HIE Network and an attestation to the completeness and validity of the annual report. Exempts a covered entity that provides, maintains, controls, directs, or licenses a data transfer system solely on behalf of a provider or entity that voluntarily connects to the HIE Network pursuant from the annual report requirement. Provides for an abbreviated annual report by State agencies. Allows for the Authority to waive any of the annual report requirements upon request and for good cause if compliance would cause an undue hardship. Requires DHHS’s Division of Health Benefits (DHB) to assist in administering the annual report requirement as it pertains to State Medicaid providers, as determined as necessary by the Authority. Nevertheless requires DHB to annually provide the Authority with a current list of enrolled Medicaid providers, assist with notifying those Medicaid providers about the annual compliance report requirement and reporting deadline, and provide available information requested by the Authority that is necessary for the Authority to audit or verify the completeness and accuracy of an enrolled Medicaid provider's annual compliance report and related materials submitted to the Authority by or on behalf of that provider.

Provides for an annual State health data assessment fee due on May 1 in GS 90-414.14 if a covered entity (1) is not connected to the HIE network or (2) is connected to the HIE Network but is not submitting data through the HIE Network. Provides for a fee schedule to be set by the General Assembly. Establishes the HIE Network Data and Participation Fund (Fund) as a special fund in the Department of Information Technology (DIT) under the management and control of the Authority, consisting of the monies described. Prevents the Authority from using monies in the Fund for any  purpose other than to pay for expenses incurred by the Authority in carrying out its powers and duties as set forth in the Act. Specifies that monies in the Fund are only available for expenditure upon an act of appropriation of the General Assembly and that the Fund is subject to the provisions of the State Budget Act, except that no unexpended surplus of the Fund may revert to the General Fund. Allows for a covered entity to claim an exemption from the assessment fee if any of the five listed conditions apply, including that the covered entity attests in writing that it and the providers and entities on whose behalf it provides, maintains, controls, directs, or licenses a data transfer system received less than $500,000 in State health care funds for providing health care services to beneficiaries of State-funded health care. Authorizes the Authority to revoke a covered entity's exemption from payment of the assessment fee if the covered entity is unresponsive to communications from the Authority or if the covered entity fails to maintain contact with the Authority. Provides for notice and an opportunity to cure.

Provides, in GS 90-414.15, for an appeal of the Authority’s determinations to (1) grant or deny requests for time-limited exceptions and (2) assess penalties under for violations of the Act, as described. Allows the Authority, in GS 90-414.16, to provide data related services to a covered entity participating in the HIE Network or to a business associate of the participating covered entity that is using the service to perform a function for the participating covered entity. Clarifies that GS 90-414.16 should not be construed to require the Authority to provide data related services to covered entities or their business associates and that data disclosed or used in the Authority's provision of these services to any person or entity cannot be used for commercial purposes. Allows the Authority to charge a reasonable fee for its services that cannot exceed its actual cost incurred.

Section 2.

Establishes the deadline for the first annual report described under GS 90-414.13 as May 1, 2028.

Section 3.

Establishes initial State health data assessment fee schedules for annual compliance report periods beginning in 2028, 2029, and 2030 based on the amount of State Health Care Funds received, ranging from 1.6% of those funds received in 2027-2029 if the entity received over $1 million in the respective time period to no fee if the entity received less than $250,000.

Section 4.

Sets the act’s effective date at December 1, 2025.