Section 11. Any plan approved by the executive office and council or the e–Health institute, including every grantee and implementing organization that receives monies funded in whole or in part from the e–Health Institute Fund established in section 6E of chapter 40J or the Massachusetts Health Information Exchange Fund established under section 10, shall:

(1) establish a mechanism to allow patients to opt-in to the health information exchange and to opt-out at any time;

(2) maintain identifiable health information in physically and technologically secure environments by means including, but not limited to: prohibiting the storage or transfer of unencrypted and non-password protected identifiable health information on portable data storage devices; requiring data encryption, unique alpha-numerical identifiers and password protection; and other methods to prevent unauthorized access to identifiable health information;

(3) provide patients the option of, upon request to a provider, obtaining a list of individuals and entities that have accessed their identifiable health information from that provider;

(4) develop and distribute to authorized users of the health information exchange and to prospective exchange participants, written guidelines addressing privacy, confidentiality and security of health information and inform individuals: the information available through the exchange, who may access their information and the purposes for which their information may be accessed; and

(5) ensure compliance with all state and federal privacy requirements, including those imposed by the Health Insurance Portability and Accountability Act of 1996, P.L. 104–191, the American Recovery and Reinvestment Act of 2009, P.L. 111–5, 42 C.F.R. §§ 2.11 et seq. and 45 C.F.R. §§ 160, 162 and 164.