Chapter 171
2008 -- S 2679
SUBSTITUTE A AS AMENDED
Enacted 07/02/08
A N A C T
RELATING
TO BUSINESSES AND PROFESSIONS - THE RHODE ISLAND HEALTH
INFORMATION
EXCHANGE ACT OF 2008
Introduced
By: Senators Paiva-Weed, Perry, C Levesque, Blais, and Bates
Date
Introduced: February 26, 2008
It is enacted by the General Assembly as
follows:
SECTION 1.
Legislative findings:
WHEREAS, the
people of Rhode Island expect health care services to be high quality,
safe and of high value; and
WHEREAS, the
implementation of health information technology including electronic
medical records and the use of electronic
prescribing increases the quality of health care delivery
and the prevention of medication errors; and
WHEREAS, the
implementation of health information technology will support a
transformed health care system in Rhode Island
that is safe, effective, patient-centered, timely,
efficient and equitable; and
WHEREAS, the
General Assembly has endorsed the adoption of an electronic medical
records and health information exchange system
in Rhode Island to improve the quality, safety
and value of health care through a Resolution
adopted in 2007; and
WHEREAS, the State
of Rhode Island has an interest in encouraging the implementation
of a statewide health information exchange
system to allow the widespread utilization of
electronic health records by health care
providers; and
WHEREAS, the State
of Rhode Island has an interest in popularizing the use of a
statewide Health Information Exchange system
("HIE") in order to improve the quality, safety
and value of health care, keep confidential
health information secure and confidential and use the
HIE system to progress toward meeting public
health goals; and
WHEREAS, the State
of Rhode Island desires to establish the authority for the
Department of Health to regulate the statewide
HIE system.
SECTION 2. Title 5
of the General Laws entitled "BUSINESSES AND PROFESSIONS"
is hereby amended by adding thereto the
following chapter:
CHAPTER
37.7
RHODE ISLAND HEALTH
INFORMATION EXCHANGE ACT OF 2008
5-37.7-1.
Short title. -- This chapter shall be known and may be cited as the
"Rhode
Island Health Information Exchange Act of
2008."
5-37.7-2. Statement
of purpose. -- The purpose of this chapter is to establish
safeguards
and confidentiality protections for the HIE in
order to improve the quality, safety and value of
health care, keep confidential health
information secure and confidential and use the HIE to
progress toward meeting public health goals.
5-37.7-3.
Definitions. -- As used in this chapter:
(a)
"Agency" means the Rhode Island department of health.
(b)
"Authorized representative" means:
(1) A person
empowered by the patient participant to assert or to waive the
confidentiality, or to disclose or authorize the
disclosure of confidential information, as
established by this chapter. That person is not,
except by explicit authorization, empowered to
waive confidentiality or to disclose or consent
to the disclosure of confidential information; or
(2) A person
appointed by the patient participant to make health care decisions on his or
her behalf through a valid durable power of
attorney for health care as set forth in Rhode Island
general laws section 23-4.10-2; or
(3) A guardian
or conservator, with authority to make health care decisions, if the patient
participant is decisionally impaired; or
(4) Another
legally appropriate medical decision maker temporarily if the patient
participant is decisionally impaired and no
health care agent, guardian or conservator is available;
or
(5) If the
patient participant is deceased, his or her personal representative or, in the
absence of that representative, his or her
heirs-at-law; or
(6) A parent
with the authority to make health care decisions for the parent's child.
(c)
"Authorization form" means the form described in section 5-37.7-7 of
this chapter and
by which a patient participant provides
authorization for the RHIO to allow access to, review of,
and/or disclosure of the patient participant's
confidential health care information by electronic,
written or other means.
(d)
"Business associate" means a business associate as defined by HIPAA.
(e)
"Confidential health care information" means all information relating
to a patient
participant's health care history, diagnosis,
condition, treatment, or evaluation.
(f)
"Coordination of care" means the process of coordinating, planning,
monitoring,
and/or sharing information relating to and
assessing a care plan for treatment of a patient.
(g) "Data
submitting partner" means an individual, organization or entity that has
entered
into a business associate agreement with the
RHIO and submits patient participants' confidential
health care information through the HIE.
(h)
"Department of health" means the Rhode Island department of health.
(i)
"Disclosure report" means a report generated by the HIE relating to
the record of
access to, review of and/or disclosure of a
patient's confidential health care information received,
accessed or held by the HIE.
(j)
"Electronic mobilization" means the capability to move clinical
information
electronically between disparate health care
information systems while maintaining the accuracy
of the information being exchanged.
(k)
"Emergency" means the sudden onset of a medical, mental or substance
abuse or
other condition manifesting itself by acute
symptoms of severity (e.g. severe pain) where the
absence of medical attention could reasonably be
expected, by a prudent lay person, to result in
placing the patient's health in serious
jeopardy, serious impairment to bodily or mental functions,
or serious dysfunction of any bodily organ or
part.
(l)
"Health care provider" means any person or entity licensed by this
state to provide or
lawfully providing health care services,
including, but not limited to, a physician, hospital,
intermediate care facility or other health care
facility, dentist, nurse, optometrist, podiatrist,
physical therapist, psychiatric social worker,
pharmacist or psychologist, and any officer,
employee, or agent of that provider acting in
the course and scope of his or her employment or
agency related to or supportive of health care
services.
(m)
"Health care services" means acts of diagnosis, treatment, medical
evaluation,
referral or counseling or any other acts that may
be permissible under the health care licensing
statutes of this state.
(n)
"Health Information Exchange" or "HIE" means the technical
system operated, or to
be operated, by the RHIO under state authority
allowing for the statewide electronic mobilization
of confidential health care information,
pursuant to this chapter.
(o) "HIE
Advisory Commission" means the advisory body established by the department
of health in order to provide community input
and policy recommendations regarding the use of
the confidential health care information of the
HIE.
(p)
"HIPAA" means the health insurance portability and accountability act
of 1996, as
amended.
(q)
"Participant" means a patient participant, a patient participant's
authorized
representative, a provider participant, a data
submitting partner, the regional health information
organization and the department of health, that
has agreed to authorize, submit, access and/or
disclose confidential health care information
via the HIE in accordance with this chapter.
(r)
"Participation" means a participant's authorization, submission,
access and/or
disclosure of confidential health care
information in accordance with this chapter.
(s)
"Patient participant" means a person who receives health care
services from a provider
participant and has agreed to participate in the
HIE through the mechanisms established in this
chapter.
(t)
"Provider participant" means a pharmacy, laboratory or health care
provider who is
providing health care services to a patient
participant and/or is submitting or accessing health care
information through the HIE and has executed an
electronic and/or written agreement regarding
disclosure, access, receipt, retention or
release of confidential health care information to the HIE;
(u)
"Regional health information organization" or "RHIO" means
the organization
designated as the RHIO by the state to provide
administrative and operational support to the HIE.
5-37.7-4.
Participation in the health information exchange. -- (a) There shall
be
established a statewide HIE under state
authority to allow for the electronic mobilization of
confidential health care information in Rhode
Island. Confidential health care information may
only be accessed, released or transferred from
the HIE in accordance with this chapter.
(b) The state
of Rhode Island has an interest in encouraging participation in the HIE by
all interested parties, including, but not limited
to, health care providers, patients, entities
submitting information to the HIE, entities
obtaining information from the HIE and the RHIO.
The Rhode Island department of health is also
considered a participant for public health purposes.
(c) Patients
and health care providers shall have the choice to participate in the HIE, as
defined by regulations in accordance with
section 5-37.7-3 provided however that provider
participants must continue to maintain their own
medical record meeting the documentation and
other standards imposed by otherwise applicable
law.
(d)
Participation in the HIE shall have no impact on the content of or use or
disclosure of
confidential health care information of patient
participants that is held in locations other than the
HIE. Nothing in this chapter shall be construed
to limit, change or otherwise affect entities' rights
or obligations to exchange confidential health
care information in accordance with other
applicable laws.
(e) The state
of Rhode Island hereby imposes on the HIE and the RHIO as a matter of
state law, the obligation to maintain, and abide
by the terms of, HIPAA complaint business
associate agreements, including, without
limitation, the obligations to use appropriate safeguards
to prevent use or disclosure of confidential
health care information in accordance with HIPAA
and this chapter, not to use or disclose
confidential health care information other than as
permitted by HIPAA and this chapter, or to make
any amendment to a confidential health care
record that a provider participant so directs
and to respond to a request by a patient participant to
make an amendment to the patient participant's
confidential health care record.
5-37.7-5.
Regulatory oversight. -- (a) The director of the department of
health shall
develop regulations regarding the
confidentiality of patient participant information received,
accessed or held by the HIE and is authorized to
promulgate such other regulations as the director
deems necessary or desirable to implement the
provisions of this chapter, in accordance with the
provisions set forth in chapter 17 of title 23
and chapter 35 of title 42 of the general laws.
(b) The department
of health has exclusive jurisdiction over the HIE, except with respect
to the jurisdiction conferred upon the attorney
general in section 5-37.7-13. This chapter shall not
apply to any other private and/or public health information
systems utilized within a health care
provider or other organization that provides
health care services.
(c) The
department of health shall promulgate rules and regulations for the
establishment
of an HIE advisory commission that will be
responsible for recommendations relating to the use
of, and appropriate confidentiality protections
for, the confidential health care information of the
HIE, subject to regulatory oversight by the
department of health. Said commission members shall
be subject to the advice and consent of the
senate. The commission shall report annually to the
department of health and the RHIO, and such
report shall be made public.
5-37.7-6.
Rhode Island health information organization. -- The RHIO shall,
subject to
and consistent with department regulations and
contractual obligations it has with the state of
Rhode Island, be responsible for all
administrative, operational, and financial functions to support
the HIE, including, but not limited to,
implementing and enforcing policies for receiving,
retaining, safeguarding and disclosing
confidential health care information as required by this
chapter. The RHIO is deemed to be the steward of
the confidential health care information for
which it has administrative responsibility. The
HIE advisory commission shall be responsible for
recommendations to the department of health, and
in consultation with the RHIO regarding the
use of the confidential health care information.
5-37.7-7.
Disclosure. -- (a)(1) Except as provided in subsection (b) of this
section, a
patient participant's confidential health care
information may only be accessed, released or
transferred from the HIE in accordance with an
authorization form signed by the patient
participant or the patient's authorized
representative.
(b) No
authorization for release or transfer of confidential health care information
from
the HIE shall be required in the following
situations:
(1) To a health
care provider who believes, in good faith, that the information is
necessary for diagnosis or treatment of that
individual in an emergency; or
(2) To public
health authorities in order to carry out their functions as described in this
title and titles 21 and 23, and rules
promulgated under those titles. These functions include, but
are not restricted to, investigations into the
causes of disease, the control of public health hazards,
enforcement of sanitary laws, investigation of
reportable diseases, certification and licensure of
health professionals and facilities, review of
health care such as that required by the federal
government and other governmental agencies, and
mandatory reporting laws set forth in Rhode
Island general laws; and
(3) To the RHIO
in order for it to effectuate the operation and administrative oversight of
the HIE.
(c) The content
of the authorization form for access to, or the disclosure, release or
transfer of confidential health care information
from the HIE shall be prescribed by the RHIO in
accordance with applicable department of health
regulations, but at a minimum shall contain the
following information in a clear and conspicuous
manner:
(1) A statement
of the need for and proposed uses of that information; and
(2) A statement
that the authorization for access to, disclosure of and/or release of
information may be withdrawn at any future time
and is subject to revocation.
(3) That the
patient has the right not to participate in the HIE; and
(4) The patient's
right to choose to: (i) enroll in and participate fully in the HIE; or (ii)
designate only specific health care providers
that may access the patient participant's confidential
health care information.
(d) Except as
specifically provided by law or this chapter, or use for clinical care, a
patient participant's confidential health care
information shall not be accessed by, given, sold,
transferred, or in any way relayed from the HIE
to any other person or entity not specified in the
patient participant authorization form meeting
the requirements of subsection (c) of this section
without first obtaining additional
authorization.
(e) Nothing
contained in this chapter shall be construed to limit the permitted access to
or
the release, transfer, access or disclosure of
confidential health care information described in
subsection (b) of this section or under other
applicable law.
(f)
Confidential health care information received, disclosed or held by the HIE
shall not
be subject to subpoena directed to the HIE or
RHIO unless the following procedures have been
completed: (i) the person seeking the
confidential health care information has already requested
and received the confidential health care
information from the health care provider that was the
original source of the information; and (ii) a
determination has been made by the superior court
upon motion and notice to the HIE or RHIO and
the parties to the litigation in which the
subpoena is served that the confidential health care
information sought from the HIE is not
available from another source and is either
relevant to the subject matter involved in the pending
action or is reasonably calculated to lead to
the discovery of admissible evidence in such pending
action. Any person issuing a subpoena to the HIE
or RHIO pursuant to this section shall certify
that such measures have been completed prior to
the issuance of the subpoena.
(g) Nothing
herein shall interfere with or impact upon any rights or obligations imposed
by the Workers Compensation Act as contained in
title 28, chapters 29 through 38, of these
General Laws.
5-37.7-8.
Security. -- The HIE must be subject to at least the following
security
procedures:
(a)
Authenticate the recipient of any confidential health care information
disclosed by the
HIE pursuant to this chapter pursuant to rules
and regulations promulgated by the agency.
(b) Limit
authorized access to personally identifiable confidential health care
information
to persons having a need to know that
information; additional employees or agents may have
access to de-identified information;
(c) Identify an
individual or individuals who have responsibility for maintaining security
procedures for the HIE;
(d) Provide an electronic
or written statement to each employee or agent as to the
necessity of maintaining the security and
confidentiality of confidential health care information,
and of the penalties provided for in this chapter
for the unauthorized access, release, transfer, use,
or disclosure of this information;
(e) Take no
disciplinary or punitive action against any employee or agent for bringing
evidence of violation of this chapter to the
attention of any person.
5-37.7-9.
Secondary disclosure. -- Any confidential health care information
obtained by
a provider participant pursuant to this chapter
may be further disclosed by such provider
participant with or without authorization of the
patient participant to the same extent that such
information may be disclosed pursuant to
existing state and federal law, without regard to the
source of the information.
5-37.7-10.
Patient's rights. -- Pursuant to this chapter, a patient participant
who has his
or her confidential health care information
transferred through the HIE shall have the following
rights:
(a) To obtain a
copy of his or her confidential health care information from the HIE;
(b) To obtain a
copy of the disclosure report pertaining to his or her confidential health
care information;
(c) To be
notified as required by chapter 49.2 of title 11, the Rhode Island identity
theft
protection act, of a breach of the security
system of the HIE;
(d) To
terminate his or her participation in the HIE in accordance with rules and
regulations promulgated by the agency; and
(e) To request
to amend his or her own information through the provider participant.
5-37.7-11.
Immunity. -- Any health care provider who relies in good faith upon
any
information provided through the HIE in his, her
or its treatment of a patient, shall be immune
from any criminal or civil liability arising
from any damages caused by such good faith reliance.
This immunity does not apply to acts or
omissions constituting negligence or reckless, wanton or
intentional misconduct.
5-37.7-12.
Reconciliation with other authorities. -- (a) This chapter shall
only apply to
the HIE system, and does not apply to any other
private and/or public health information systems
utilized in Rhode Island, including other health
information systems utilized within or by a health
care facility or organization.
(b) As this
chapter provides extensive protection with regard to access to and disclosure
of confidential health care information by the
HIE, it supplements, with respect to the HIE only,
any less stringent disclosure requirements,
including, but not limited to, those contained in
chapter 37.3 of this title, the health insurance
portability and accountability act (HIPAA) and
regulations promulgated thereunder, and any
other less stringent federal or state law.
(c) This
chapter shall not be construed to interfere with any other federal or state
laws or
regulations which provide more extensive
protection than provided in this chapter for the
confidentiality of health care information.
Notwithstanding such provision, because of the
extensive protections with regard to access to
and disclosure of confidential health care
information by the HIE provided for in this
chapter, patient authorization obtained for access to or
disclosure of information to or from the HIE or
a provider participant shall be deemed the same
authorization required by other state or federal
laws including information regarding mental
health (the Rhode Island mental health law,
Rhode Island general laws section 40.1-5-1 et seq.);
HIV (Rhode Island general laws section 23-6-17);
sexually transmitted disease (Rhode Island
general laws sections 23-6-17 and 23-11-9);
alcohol and drug abuse (Rhode Island general laws
section 23-1.10-1 et seq., 42 U.S.C. section
290dd-2) or genetic information (Rhode Island
general laws section 27-41-53, Rhode Island
general laws section 27-20-39 and Rhode Island
general laws section 27-19-44).
5-37.7-13.
Penalties – Attorneys' fees for violations. -- (a) Civil penalties.
Anyone who
violates the provisions of this chapter may be
held liable for actual and exemplary damages.
(b) Criminal
penalties. Anyone who intentionally and knowingly violates the provisions
of this chapter shall, upon conviction, be fined
not more than ten thousand dollars ($10,000) per
patient, per violation, or imprisoned for not
more than one year, or both.
(c) Commission
of crime. The civil and criminal penalties in this section shall also be
applicable to anyone who obtains confidential
health care information maintained under the
provisions of this chapter through the
commission of a crime.
(d) Attorneys'
fees. Attorneys' fees may be awarded at the discretion of the court, to the
successful party in any action under this
chapter.
5-37.7-14.
Waivers void. -- Any agreement purporting to waive the provisions of
this
chapter is declared to be against public policy
and void.
5-37.7-15.
Severability. -- If any provision of this chapter is held by a court
to be invalid,
that invalidity shall not affect the remaining
provisions of the chapter, and to this end the
provisions of the chapter are declared
severable.
SECTION 3. This
act shall take effect on March 1, 2009.
=======
LC01827/SUB A/2
=======