2020 -- S 2238 | |
======== | |
LC004184 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2020 | |
____________ | |
A N A C T | |
RELATING TO BUSINESSES AND PROFESSIONS - RHODE ISLAND HEALTH | |
INFORMATION EXCHANGE ACT OF 2008 | |
| |
Introduced By: Senators Miller, Goldin, Valverde, Crowley, and Sheehan | |
Date Introduced: February 04, 2020 | |
Referred To: Senate Health & Human Services | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Sections 5-37.7-2, 5-37.7-3, 5-37.7-4, 5-37.7-5, 5-37.7-6, 5-37.7-7, 5-37.7- |
2 | 8, 5-37.7-10 and 5-37.7-12 of the General Laws in Chapter 5-37.7 entitled "Rhode Island Health |
3 | Information Exchange Act of 2008" are hereby amended to read as follows: |
4 | 5-37.7-2. Statement of purpose. |
5 | The purpose of this chapter is to establish safeguards and confidentiality protections for |
6 | the HIE in order to improve the quality, safety and value of health care, keep confidential health |
7 | information secure and confidential and use the HIE to progress toward meeting public health |
8 | goals by promoting interoperability, enhancing electronic communication between providers, and |
9 | supporting public health goals, while keeping confidential health care information secure. |
10 | 5-37.7-3. Definitions. |
11 | As used in this chapter: |
12 | (a) "Agency" means the Rhode Island department of health. |
13 | (b) "Authorization form" means the form described in § 5-37.7-7 and by which a patient |
14 | participant provides authorization for the RHIO to allow access to, review of, and/or disclosure of |
15 | the patient participant's confidential healthcare information by electronic, written, or other means. |
16 | (c)(a) "Authorized representative" means: |
17 | (1) A person empowered by the patient participant to assert or to waive confidentiality, or |
18 | to disclose or authorize the disclosure of confidential information, as established by this chapter. |
| |
1 | That person is not, except by explicit authorization, empowered to waive confidentiality or to |
2 | disclose or consent to the disclosure of confidential information; or |
3 | (2) A person appointed by the patient participant to make healthcare decisions on his or |
4 | her behalf through a valid durable power of attorney for healthcare as set forth in § 23-4.10-2; or |
5 | (3) A guardian or conservator, with authority to make healthcare decisions, if the patient |
6 | participant is decisionally impaired; or |
7 | (4) Another legally appropriate medical decision maker temporarily if the patient |
8 | participant is decisionally impaired and no healthcare agent, guardian, or conservator is available; |
9 | or |
10 | (5) If the patient participant is deceased, his or her personal representative or, in the |
11 | absence of that representative, his or her heirs-at-law; or |
12 | (6) A parent with the authority to make healthcare decisions for the parent's child; or |
13 | (7) A person authorized by the patient participant or his or her authorized representative |
14 | to access their confidential healthcare information from the HIE, including family members or |
15 | other proxies as designated by the patient, to assist the patient participant with the coordination of |
16 | their care. |
17 | (d)(b) "Business associate" means a business associate as defined by HIPAA. |
18 | (e)(c) "Confidential healthcare information" means all information relating to a patient |
19 | participant's patient's healthcare history, diagnosis, condition, treatment, or evaluation. |
20 | (f)(d) "Coordination of care" means the process of coordinating, planning, monitoring, |
21 | and/or sharing information relating to, and assessing a care plan for, treatment of a patient. |
22 | (g)(e) "Data-submitting partner" means an individual, organization, or entity who or that |
23 | has entered into a business associate agreement with the RHIO and submits patient participants' |
24 | patient's confidential healthcare information through the HIE. |
25 | (h)(f) "Department of health" means the Rhode Island department of health. |
26 | (i)(g) "Disclosure report" means a report generated by the HIE relating to the record of |
27 | access to, review of, and/or disclosure of a patient's confidential healthcare information received, |
28 | accessed, or held by the HIE. |
29 | (j)(h) "Electronic mobilization" means the capability to move clinical information |
30 | electronically between disparate healthcare information systems while maintaining the accuracy |
31 | of the information being exchanged. |
32 | (k)(i) "Emergency" means the sudden onset of a medical, mental, or substance abuse, or |
33 | other condition manifesting itself by acute symptoms of severity (e.g. severe pain) where the |
34 | absence of medical attention could reasonably be expected, by a prudent layperson, to result in |
| LC004184 - Page 2 of 10 |
1 | placing the patient's health in serious jeopardy, serious impairment to bodily or mental functions, |
2 | or serious dysfunction of any bodily organ or part. |
3 | (l)(j) "Healthcare provider" means any person or entity licensed by this state to provide or |
4 | lawfully providing healthcare services, including, but not limited to, a physician, hospital, |
5 | intermediate-care facility or other healthcare facility, dentist, nurse, optometrist, podiatrist, |
6 | physical therapist, psychiatric social worker, pharmacist, or psychologist, and any officer, |
7 | employee, or agent of that provider acting in the course and scope of his or her employment or |
8 | agency related to or supportive of healthcare services. |
9 | (m)(k) "Healthcare services" means acts of diagnosis, treatment, medical evaluation, |
10 | referral, or counseling, or any other acts that may be permissible under the healthcare licensing |
11 | statutes of this state. |
12 | (n)(l) "Health Information Exchange" or "HIE" means the technical system operated, or |
13 | to be operated, by the RHIO under state authority allowing for the statewide electronic |
14 | mobilization of confidential healthcare information, pursuant to this chapter. |
15 | (o)(m) "Health plan" means an individual plan or a group plan that provides, or pays the |
16 | cost of, healthcare services for patient participants patients. |
17 | (p)(n) "HIE Advisory Commission" means the advisory body established by the |
18 | department of health in order to provide community input and policy recommendations regarding |
19 | the use of the confidential healthcare information of the HIE. |
20 | (q)(o) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, |
21 | as amended. |
22 | (r) "Participant" means a patient participant, a patient participant's authorized |
23 | representative, a provider participant, a data-submitting partner, the regional health information |
24 | organization, and the department of health, that has agreed to authorize, submit, access, and/or |
25 | disclose confidential healthcare information via the HIE in accordance with this chapter. |
26 | (s) "Participation" means a patient participant's authorization, submission, access, and/or |
27 | disclosure of confidential healthcare information via the HIE in accordance with this chapter. |
28 | (p) "Opt out" means the ability of a patient to choose to not have their confidential health |
29 | care information disclosed from HIE in accordance with § 5-37.7-7. |
30 | (t)(q) "Patient participant" means a person who receives healthcare services from a |
31 | provider participant and has agreed to participate in the HIE through the mechanisms established |
32 | in this chapter. |
33 | (u)(r) "Provider participant" means a pharmacy, laboratory, healthcare provider, or health |
34 | plan who or that is providing healthcare services or pays for the cost of healthcare services for a |
| LC004184 - Page 3 of 10 |
1 | patient participant and/or is submitting and/or or accessing healthcare information through the |
2 | HIE and has executed an electronic and/or written agreement regarding disclosure, access, |
3 | receipt, retention, or release of confidential healthcare information to from the HIE. |
4 | (v)(s) "Regional health information organization" or "RHIO" means the organization |
5 | designated as the RHIO by the state to provide administrative and operational support to the HIE. |
6 | 5-37.7-4. Participation in the health information exchange. Use of the health |
7 | information exchange. |
8 | (a) There shall be established a statewide HIE under state authority to allow for the |
9 | electronic mobilization of confidential health care information in Rhode Island. Confidential |
10 | health care information may only be accessed, released, or transferred from the HIE in |
11 | accordance with this chapter. |
12 | (b) The state of Rhode Island has an interest in encouraging participation in use of the |
13 | HIE by all interested parties, including, but not limited to, health care providers, patients, health |
14 | plans, entities submitting information to the HIE, entities obtaining information from the HIE, |
15 | and the RHIO. The Rhode Island department of health is also considered a participant for public |
16 | health purposes. |
17 | (c) Patients and health care providers Except as provided in § 5-37.7-7(b), patients shall |
18 | have the choice to participate in opt out of having their confidential health care information |
19 | disclosed from the HIE, as through the process defined by in regulations in accordance with § 5- |
20 | 37.7-3; provided, however, that provider § 5-37.7-5. |
21 | (d) Provider participants must continue to maintain their own medical record meeting the |
22 | documentation and other standards imposed by otherwise applicable law. |
23 | (e) The department of health may submit to the HIE and/or receive from the HIE |
24 | applicable confidential health care information for public health purposes. |
25 | (d)(f) Participation in the HIE Nothing contained herein shall have no an impact on the |
26 | content of, or use or disclosure of, confidential health care information of patient participants |
27 | patients that is held in locations other than the HIE. Nothing in this chapter shall be construed to |
28 | limit, change, or otherwise affect entities' rights to exchange confidential health care information |
29 | in accordance with other applicable laws. |
30 | (e)(g) The state of Rhode Island hereby imposes on the HIE and the RHIO as a matter of |
31 | state law, the obligation to maintain, and abide by the terms of, HIPAA complaint business |
32 | associate agreements, including, without limitation, the obligations to use appropriate safeguards |
33 | to prevent use or disclosure of confidential health care information in accordance with HIPAA |
34 | and this chapter; not to use or disclose confidential health care information other than as |
| LC004184 - Page 4 of 10 |
1 | permitted by HIPAA, other state and federal laws and this chapter; or to make any amendment to |
2 | a confidential health care record that a provider participant so directs; and to respond to a request |
3 | by a patient participant to make an amendment to the patient participant's patient's confidential |
4 | health care record. |
5 | 5-37.7-5. Regulatory oversight. |
6 | (a) The director of the department of health shall develop regulations regarding the |
7 | confidentiality of patient participant information received, accessed or held by the HIE and is |
8 | authorized to promulgate such other regulations as the director department deems necessary or |
9 | desirable to implement the provisions of this chapter, in accordance with the provisions set forth |
10 | in chapter 17 of title 23 and chapter 35 of title 42 of the general laws. |
11 | (b) The department of health has exclusive jurisdiction over the HIE, except with respect |
12 | to the jurisdiction conferred upon the attorney general in § 5-37.7-13. This chapter shall not apply |
13 | to any other private and/or public health information systems utilized within a health care |
14 | provider or other organization that provides health care services. |
15 | (c) The department of health shall promulgate rules and regulations for the establishment |
16 | of an HIE advisory commission. that The HIE advisory commission, in consultation with the |
17 | RHIO, will be responsible for recommendations relating to the department regarding the use of, |
18 | and appropriate confidentiality protections for, the confidential health care information of the |
19 | HIE, subject to regulatory oversight by the department of health. Said commission members shall |
20 | be subject to the advice and consent of the senate. The commission shall report annually to the |
21 | department of health and the RHIO, and such report shall be made public. |
22 | 5-37.7-6. Rhode Island health information organization. |
23 | The RHIO shall, subject to and consistent with department regulations and contractual |
24 | obligations it has with the state of Rhode Island, be responsible for implementing recognized |
25 | national standards for interoperability and all administrative, operational, and financial functions |
26 | to support the HIE, including, but not limited to, implementing and enforcing policies for |
27 | receiving, retaining, safeguarding and disclosing confidential health care information as required |
28 | by this chapter. The RHIO is deemed to be the steward of the confidential health care information |
29 | for which it has administrative responsibility. The HIE advisory commission shall be responsible |
30 | for recommendations to the department of health, and in consultation with the RHIO regarding |
31 | the use of the confidential health care information. |
32 | 5-37.7-7. Disclosure. |
33 | (a)(1) Except as provided in subsection (b), a patient participant's or the patient's |
34 | authorized representative may opt out of having their confidential health care information may |
| LC004184 - Page 5 of 10 |
1 | only be accessed, released, or transferred disclosed from the HIE in accordance with an |
2 | authorization form signed by the patient participant or the patient's authorized representative. |
3 | Patients shall be notified of their right to opt out of having their confidential health care |
4 | information disclosed from the HIE through the process provided by regulation in accordance |
5 | with § 5-37.7-5. |
6 | (b) No authorization for release or transfer of confidential health care information from |
7 | the HIE shall be required The opt out does not apply to disclosures in the following situations: |
8 | (1) To a health care provider who believes, in good faith, that the information is |
9 | necessary for diagnosis or treatment of that individual in an emergency; or |
10 | (2) To public health authorities in order to carry out their functions as described in this |
11 | title and titles 21 and 23, and rules promulgated under those titles. These functions include, but |
12 | are not restricted to, investigations into the causes of disease, the control of public health hazards, |
13 | enforcement of sanitary laws, investigation of reportable diseases, certification and licensure of |
14 | health professionals and facilities, review of health care such as that required by the federal |
15 | government and other governmental agencies, and mandatory reporting laws set forth in Rhode |
16 | Island general laws; or |
17 | (3) To the RHIO in order for it to effectuate the operation and administrative oversight of |
18 | the HIE; and. |
19 | (4) To a health plan, if the information is necessary for care management of its plan |
20 | members, or for quality and performance measure reporting. |
21 | (c) The content of the authorization form for access to, or the disclosure, release, or |
22 | transfer of confidential health care information from the HIE, shall be prescribed by the RHIO in |
23 | accordance with applicable department of health regulations, but, at a minimum, shall contain the |
24 | following information in a clear and conspicuous manner: Notification and opt out procedures |
25 | shall be developed in consultation with the HIE advisory commission and provided in regulations |
26 | promulgated in accordance with § 5-37.7-5. Provider participants that share data with the HIE |
27 | shall notify their patients that data is being shared with the HIE to support the provision of care, |
28 | and inform their patients about the ability to opt out. At a minimum, the notification shall contain |
29 | the following information in a clear and concise manner: |
30 | (1) A statement of the need for and proposed uses of that information; and that the |
31 | patient's provider is a provider participant in the HIE, and as such may share the patient's |
32 | confidential health care information through the HIE as permitted by this chapter and all |
33 | applicable state and federal law. |
34 | (2) A statement that the authorization for access to, disclosure of, and/or release of |
| LC004184 - Page 6 of 10 |
1 | information may be withdrawn at any future time and is subject to revocation; patient may opt out |
2 | of having their confidential health care information disclosed from the HIE except as provided |
3 | pursuant to § 5-37.7-7(b). |
4 | (3) That the patient has the right not to participate in the HIE; and A statement that a |
5 | patient's choice to opt out of disclosing their confidential health care information from the HIE |
6 | may be changed at any time. |
7 | (4) The patient's right to choose to: (i) Enroll in and participate fully in the HIE; or (ii) |
8 | Designate only specific health care providers that may access the patient participant's confidential |
9 | health care information. The method for opting out shall be provided by regulation in accordance |
10 | with § 5-37.7-5. |
11 | (d) Except as specifically provided by state or federal law or this chapter, or use for |
12 | clinical care, a patient participant's patient's confidential health care information shall not be |
13 | accessed by, given, sold, transferred, or in any way relayed from the HIE to any other person or |
14 | entity not specified in the patient participant authorization form meeting the requirements of |
15 | subsection (c) without first obtaining additional authorization. |
16 | (e) Nothing contained in this chapter shall be construed to limit the permitted access to, |
17 | or the release, transfer, access or disclosure of, confidential health care information described in |
18 | subsection (b) or under other applicable law. |
19 | (f) Confidential health care information received, disclosed, or held by the HIE shall not |
20 | be subject to subpoena directed to the HIE or RHIO unless the following procedures have been |
21 | completed: (i) The person seeking the confidential health care information has already requested |
22 | and received the confidential health care information from the health care provider that was the |
23 | original source of the information; and (ii) A determination has been made by the superior court, |
24 | upon motion and notice to the HIE or RHIO and the parties to the litigation in which the |
25 | subpoena is served, that the confidential health care information sought from the HIE is not |
26 | available from another source and is either relevant to the subject matter involved in the pending |
27 | action or is reasonably calculated to lead to the discovery of admissible evidence in such pending |
28 | action. Any person issuing a subpoena to the HIE or RHIO pursuant to this section shall certify |
29 | that such measures have been completed prior to the issuance of the subpoena. |
30 | (g) Nothing contained herein shall interfere with, or impact upon, any rights or |
31 | obligations imposed by the Workers Compensation Act as contained in chapters 29-38 29 through |
32 | 38 of title 28. |
33 | (h) Nothing contained herein shall prohibit a health plan from becoming a data- |
34 | submitting partner. A data-submitting partner is not considered a managed care entity or a |
| LC004184 - Page 7 of 10 |
1 | managed care contractor and the HIE is not considered a regional or local medical information |
2 | database pursuant to § 5-37.3-4. |
3 | 5-37.7-8. Security. |
4 | The HIE must be subject to at least the following security procedures: |
5 | (1) Authenticate the recipient of any confidential health care information disclosed by the |
6 | HIE pursuant to this chapter pursuant to rules and regulations promulgated by the agency |
7 | department. |
8 | (2) Limit authorized access to personally identifiable confidential health care information |
9 | to persons having a need to know that information; additional employees or agents may have |
10 | access to de-identified information; |
11 | (3) Identify an individual or individuals who have responsibility for maintaining security |
12 | procedures for the HIE; |
13 | (4) Provide an electronic or written statement to each employee or agent as to the |
14 | necessity of maintaining the security and confidentiality of confidential health care information, |
15 | and of the penalties provided for in this chapter for the unauthorized access, release, transfer, use, |
16 | or disclosure of this information; |
17 | (5) Take no disciplinary or punitive action against any employee or agent for bringing |
18 | evidence of violation of this chapter to the attention of any person. |
19 | 5-37.7-10. Patient's rights. |
20 | Pursuant to this chapter, a patient participant who has his or her confidential healthcare |
21 | information transferred through included in the HIE shall have the following rights: |
22 | (1) To obtain a copy of his or her confidential healthcare information from the HIE; |
23 | (2) To obtain a copy of the disclosure report pertaining to his or her confidential |
24 | healthcare information; |
25 | (3) To be notified as required by chapter 49.3 of title 11, the Rhode Island identity theft |
26 | protection act, of a breach of the security system of the HIE; |
27 | (4) To terminate change his or her participation opt out status in the HIE in accordance |
28 | with rules and regulations promulgated by the agency department; |
29 | (5) To request to amend his or her own information through the provider participant; |
30 | (6) To request his or her confidential healthcare information from the HIE be disclosed to |
31 | an authorized representative; and |
32 | (7) To request his or her confidential healthcare information from the HIE be disclosed to |
33 | healthcare providers who are not provider participants as defined by this chapter. |
34 | 5-37.7-12. Reconciliation with other authorities. |
| LC004184 - Page 8 of 10 |
1 | (a) This chapter shall only apply to the HIE system, and does not apply to any other |
2 | private and/or public health information systems utilized in Rhode Island, including other health |
3 | information systems utilized within or by a health care facility or organization. |
4 | (b) As this chapter provides extensive protection with regard to access to and disclosure |
5 | of confidential health care information by the HIE, it supplements, with respect to the HIE only, |
6 | any less stringent disclosure requirements, including, but not limited to, those contained in |
7 | chapter 37.3 of this title, the health insurance portability and accountability act (HIPAA) and |
8 | regulations promulgated thereunder, and any other less stringent federal or state law. |
9 | (c) This chapter shall not be construed to interfere with any other federal or state laws or |
10 | regulations which provide more extensive protection than provided in this chapter for the |
11 | confidentiality of health care information. Notwithstanding such provision, because of the |
12 | extensive protections with regard to access to and disclosure of confidential health care |
13 | information by the HIE provided for in this chapter, patient authorization obtained for access to or |
14 | disclosure of information to or from the HIE or a provider participant shall be deemed the same |
15 | authorization required by other state or federal laws including information regarding mental |
16 | health (the Rhode Island mental health law, Rhode Island general laws § 40.1-5-1 et seq.); HIV |
17 | (Rhode Island general laws § 23-6.3-7); sexually transmitted disease (Rhode Island general laws |
18 | §§ 23-6.3-7 and 23-11-9); alcohol and drug abuse (Rhode Island general laws § 23-1.10-1 et seq., |
19 | 42 U.S.C. § 290dd-2) or genetic information (Rhode Island general laws § 27-41-53, Rhode |
20 | Island general laws § 27-20-39 and Rhode Island general laws § 27-19-44). |
21 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC004184 | |
======== | |
| LC004184 - Page 9 of 10 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO BUSINESSES AND PROFESSIONS - RHODE ISLAND HEALTH | |
INFORMATION EXCHANGE ACT OF 2008 | |
*** | |
1 | This act amends the Rhode Island Health Information Exchange Act of 2008. Patient |
2 | health care providers which participate in the "Health Information Exchange" (HIE) shall provide |
3 | their patients with information that the patient may elect to opt out of disclosure of information |
4 | from the HIE in accordance with regulations which shall be promulgated by the department of |
5 | health. |
6 | This act would take effect upon passage. |
======== | |
LC004184 | |
======== | |
| LC004184 - Page 10 of 10 |