New Mexico legislation update: analysis and draft consent language

To follow up on the post “New Mexico legislature acts to protect patients’ access to care in Texas” from February 26, the legislation states that New Mexico will enforce choice of law and jurisdiction agreements between patients and health care professionals that are signed before treatment. Otherwise, the provisions of the statute will not apply.

Below are documents related to this legislation:

TAPA’s summary of HB 270
Page 2 of the summary contains recently revised sample language for potential use in a patient agreement form, along with footnoted explanations for the wording used. This generic language was compiled with assistance from multiple resources, including counsel for the Texas Alliance for Patient Access (TAPA), TMLT, and TMA. The footnotes explain why language was included or excluded.

Choice of law and forum clause language without footnotes.

HB 270 — the final signed bill

Neither TMLT, TAPA, nor TMA can give legal advice, nor do they seek to do so. This information is provided for use only in consultation with your own attorney, who will advise you on how the language should be crafted for and used by your specific practice.




New Mexico legislature acts to protect patients’ access to care in Texas

Texas doctors will continue to receive a full range of liability protections even when treating New Mexico patients. That issue was in doubt until the New Mexico Legislature took decisive action February 17.

The legislation preserves vital access to Texas physicians and hospitals for residents of Eastern New Mexico who routinely cross the state line for care.

“Clearly, the New Mexico legislature recognized that access to health care is a public policy priority. Without legislation, thousands of patients would lose ready access to primary and specialized care,” said Dr. Howard Marcus, chairman of Texas Alliance for Patient Access.

The medical liability laws of the state in which care was delivered now will govern cases involving New Mexicans seeking medical care across state lines, provided that the patient signs a written consent before receiving treatment. Both the House and Senate passed the bill unanimously. Governor Susana Martinez has signaled her intention to sign the measure into law.

The new law forbids New Mexico courts from accepting lawsuits for care rendered out-of-state, if the patient has consented to choice of law and jurisdiction. This law, HB 270, applies to out-of-state physicians, physician groups, health care providers, hospitals, outpatient facilities and their employees.

Lawmakers deemed the bill necessary to protect access to medical care for the residents of Eastern and Southern New Mexico. Thirty-two of New Mexico’s counties are, entirely or in part, designated as health care provider shortage areas. The shortage is especially acute in 13 counties on or near the Texas border. Residents of these New Mexico border counties have long relied on Texas doctors and hospitals for a full range of sophisticated medical care.

Among those pleased with the new law is Lovington resident Sammy Murphy. Suffering from renal failure and a host of other maladies, Murphy was transported by ambulance from Lovington to Lubbock for intensive care.

“The doctors and nurses at Covenant gave me a fighting chance and for that I am eternally grateful,” he said. “Lots of people I know here in Lovington rely on the availability of medical care in Lubbock. I like our local hospital, but Lubbock is our lifeline,” Murphy said.

In recent months, Texas doctors and hospitals have expressed a reluctance to treat visiting New Mexico patients. That followed a New Mexico court ruling that questioned where and under whose state laws a suit can be filed if an alleged medical mishap occurs. That case, Montano v. Frezza, is pending before the New Mexico Supreme Court.

For Texas doctors, this meant accepting increased liability risk and costs when treating New Mexico patients. Consequently, many Texas doctors and hospitals were reconsidering their willingness to accept the transfer or referral of a New Mexico patient for elective care.

An earlier version of HB 270 passed the House but was defeated in committee in the Senate. With only a few days remaining in the legislative session, scores of lawmakers and hundreds of their constituents urged that the Senate find a fix to the access to care problem. Senate Majority Leader Michael Sanchez urged the New Mexico doctors and hospitals and the state’s trial lawyers to meet and agree on compromise language. Ultimately, retired University of New Mexico School of Law Professor Ted Occhialano crafted language on which both parties could agree. The key point is that a New Mexico patient must be informed of his or her rights before treatment, and that the patient must agree in writing that any legal remedy would be in Texas and that any suit must be filed in Texas.

“This legislation makes clear that New Mexico public policy favors enforcing contractual agreements. It also recognizes the validity of Texas doctors and hospitals to enter into contractual agreements with their visiting patients from New Mexico,” said Randy Marshall, Executive Director of the New Mexico Medical Society. “HB 270 addresses the coverage concerns of Texas physicians. Plus, it enables New Mexico patients to continue to receive specialized care that may be more accessible in a neighboring state,” he said.

The Eastern New Mexico counties of De Baca, Guadalupe, Harding, Quay, Roosevelt and Union have no cardiologist, no neurologist, no plastic surgeon, no orthopedic surgeon, no radiologist, and no ear, nose and throat doctor, according to the American Medical Association. Of those counties, only Roosevelt County has an oncologist.

Recent data from the New Mexico and Texas Departments of Health show that 13 counties in southern and eastern New Mexico send more than 22 percent of their hospitalized patients to Texas for care.

FDA strengthens regulations for surgical mesh used in transvaginal procedures

The U.S. Food and Drug Administration (FDA) is enforcing stricter regulations for surgical mesh products used in transvaginal procedures to repair pelvic organ prolapse (POP). The products are being reclassified from moderate risk (class II) to high risk (class III) when used transvaginally.

The stricter regulations do not apply to surgical mesh for other indications, such as stress urinary incontinence or abdominal repair of POP.

The FDA now requires all manufacturers of mesh products to submit data that supports the effectiveness and safety of the devices. Manufacturers with products currently on the market will have 30 months to comply with the new requirements.

According to the FDA, a significant increase has occurred over the past several years in the number of reported adverse events associated with the use of surgical mesh for transvaginal POP repair, such as severe pelvic pain, infection, and organ perforation.

In 2011, an advisory panel of experts recommended that more data was needed to establish the safety of the device. The FDA has since taken several actions to warn doctors and patients about the use of surgical mesh for transvaginal POP repair.

Read full articles on this news item on the FDA website and Wall Street Journal online.

What you need to know, part three: House Bill 2641 and HIEs

by Andrea I. Schwab, JD, CPA and
John Southrey, CIC, CRM, Manager, Consulting Services, TMLT

Texas House Bill (HB) 2641, which was passed into law in June 2015, provides physicians with some liability protections when using an HIE. While it is advisable to be vigilant in addressing potential liability exposures, HB 2641 has taken some steps to protect providers. HB 2641 states that a provider who sends information to an HIE without malice or gross negligence is not liable for damages if that information is used in violation of federal or state privacy and security laws by the HIE or another provider. It also states that use of an HIE does not create a standard of care for health care providers.

HB 2641’s limitation of liability language is as follows:

  • Unless the health care provider acts with malice or gross negligence, a health care provider who provides patient information to a health information exchange is not liable for any damages, penalties, or other relief related to the obtainment, use, or disclosure of that information in violation of federal or state privacy laws by a health information exchange, another health care provider, or any other person.
  • Nothing in this section may be construed to create a cause of action or to create a standard of care, obligation, or duty that forms the basis for a cause of action.

HB 2641 does not modify a physician’s responsibility for complying with HIPAA nor protect them from liability for damages, penalties, or other relief resulting from such violations. State laws that are contrary to the HIPAA Privacy Rule are preempted by the federal requirements, unless the state law is more stringent and/or unless specific exceptions apply.1 2

Physicians remain responsible for ensuring that individuals, the media, and the Secretary of the Department of Health and Human Services are notified of breaches of protected health information (PHI) and of the costs incurred by the breaches, even if an HIE is the source of the breach.3 4 But physicians and HIEs can sometimes contractually agree on how they will provide notice to affected patients. The United States Department of Health and Human Services (HHS) states, “With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate.”5

Even if an HIE is compromised in some way, physicians are not relieved of their responsibility to comply with appropriate standards of medical care and the Texas Medical Board (TMB) rules. For example, physicians’ duties of making timely and accurate diagnoses, maintaining accurate medical records, and providing the patient with copies of his or her records, could all be affected if an HIE is compromised.

The Office of Civil Rights and HIEs

The Office of Civil Rights (OCR), the federal agency that enforces HIPAA compliance, states that “trust in electronic health information exchange can only be achieved if reasonable administrative, technical, and physical safeguards are in place” and the HIPAA Privacy Rule requires covered entities to implement such safeguards.6

The OCR suggests that when covered entities participate in an HIE, the covered entity can agree with the HIE (as its business associate) on appropriate safeguards that would apply to their electronic exchange of information.7 These procedures should be formalized through a business associate agreement, data sharing agreement, or other contract, and may include enforcement mechanisms and penalties for breaches and violations.

A physician should always review a business associate agreement carefully with an attorney, and require the HIE to have appropriate administrative, technical, and physical safeguards in place. The physician should determine the HIE’s procedures for verifying the identity and authority of anyone requesting PHI; the safeguards that are in place to appropriately protect PHI; and procedures to follow in case of a breach.

For more information, please contact John Southrey at

Andrea Schwab may be contacted at

Part one: cyber crime and liability

Part two: health information exchange – benefits and liability


1 U.S. Department of Health & Human Services. HIPAA Privacy Rule. Code of Federal Regulations, Title 45 – Public Welfare. Section 160.202 – Definitions. Available at: Accessed October 14, 2015.

2 U.S. Department of Health & Human Services. Health Information Privacy. Does the HIPAA Privacy Rule preempt State laws? Available at: Accessed October 14, 2015.

3 U.S. Department of Health & Human Services. Health Information Privacy. Breach Notification Rule. Available at: Accessed October 15, 2015.

4 U.S. Department of Health & Human Services. Health Information Privacy. Breach Notification Rule. Breach Notification Requirements. Available at: Accessed October 15, 2015.

5 See 45 C.F.R. section 164.530(c); HIPAA Security Rule at 45 C.F.R. sections 164.308, 164.310, and 164.312.

6 U.S. Department of Health & Human Services. HIPAA Administrative Simplification. Regulation Text. 45 CFR Part 164, Sections 164.308, 164.310, 164.312. Available at: Accessed October 15, 2015.

7 U.S. Department of Health & Human Services. Health Information Privacy. Privacy and Security Framework: Safeguards Principle and FAQs. Available at: Accessed October 15, 2015.

This article is purely informational and not intended to be legal advice and should not be construed as such.

What you need to know, part two: health information exchange – benefits and liability

by Andrea I. Schwab, JD, CPA and
John Southrey, CIC, CRM, Manager, Consulting Services, TMLT

A health information exchange (HIE) is an electronic network designed to facilitate the secure exchange of patient medical records and information among public health organizations, hospitals, physicians, and payors. These organizations include public HIEs funded through the state’s Local HIE Grant Program, private physician-led HIEs, hospital-based enterprise HIEs, and Accountable Care Organizations, among others. HIEs are designed to facilitate more coordinated patient care and increase efficiency. HIEs also promote the use of standardized data that can be seamlessly integrated with EHRs to improve the speed and quality of patient care.

HIE connectivity:

  • improves patient safety by reducing medication and medical errors;
  • increases efficiency by eliminating unnecessary paperwork and handling;
  • provides caregivers with clinical decision support tools for more effective care and treatment;
  • eliminates redundant or unnecessary testing;
  • improves public health reporting and monitoring;
  • engages health care consumers regarding their own personal health information;
  • improves health care quality and outcomes; and
  • reduces health-related costs.

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, there has been tremendous growth in the adoption of health information technology and HIEs. The U.S. Office of the National Coordinator for Health IT (ONC) has played a critical role in accelerating improvements in HIE and interoperability among EHR systems, including the development of policies and standards to facilitate HIEs, as well as the funding of cooperative agreements and grant programs.

The Texas Health Services Authority (THSA) was charged by the Texas legislature with the implementation and maintenance of a statewide HIE. The THSA is working to identify best practices and successful models that demonstrate HIE financial and business sustainability, as well as providing Texas HIE Accreditation.

HIEs are viewed as the building blocks for a Nationwide Health Information Network (now called “eHealth Exchange”) to provide universal access to electronic health records across jurisdictions and health care systems. The ONC is charged with driving the completion of this nationwide patient data network.

While the benefits are numerous, HIE use also contains areas of potential liability for physicians. Risks can come from physicians reviewing an incomplete or incorrect medical record; failing to review information that may have been accessible; or inadvertently accessing the wrong patient record.

What happens when a patient alleges personal injury stemming from an HIE system breach? Will a physician be held accountable for entering into a contract with an HIE or EHR vendor who later fails to protect data? Will physicians be required to have their own information backups? There are no simple answers, but all of these questions represent scenarios for physicians to consider.

Contractual liability is another concern. Contracts with HIEs or EHR vendors should be reviewed carefully to avoid any liability that may arise based on the terms of the agreement. Vendors should be properly investigated, and contract negotiations should be robust. Ask vendors any questions you may have about security, access, and the ultimate ownership of data.

Be careful not to enter any agreements that would unfairly shift risks to your practice, relieving your business associate of liability for their own actions. Ensure that you understand the details of the contractual language, and that you agree with its terms, whether they be technical requirements, such as encryption and automatic logoff, or substantive ones, such as rules regarding who will have access to information. Violating contractual terms could create liability risks for you or your practice.

For more information, please contact John Southrey at

Andrea Schwab may be contacted at

Previous: Part one: Cyber crime and liability

Next: Part three: House Bill 2641 and HIEs


This article is purely informational and not intended to be legal advice and should not be construed as such.