Chapter 08-171

Chapter 171

2008 -- S 2679 SUBSTITUTE A AS AMENDED

Enacted 07/02/08

A N A C T

RELATING TO BUSINESSES AND PROFESSIONS - THE RHODE ISLAND HEALTH

INFORMATION EXCHANGE ACT OF 2008

Introduced By: Senators Paiva-Weed, Perry, C Levesque, Blais, and Bates

Date Introduced: February 26, 2008

It is enacted by the General Assembly as follows:

SECTION 1. Legislative findings:

WHEREAS, the people of Rhode Island expect health care services to be high quality,

safe and of high value; and

WHEREAS, the implementation of health information technology including electronic

medical records and the use of electronic prescribing increases the quality of health care delivery

and the prevention of medication errors; and

WHEREAS, the implementation of health information technology will support a

transformed health care system in Rhode Island that is safe, effective, patient-centered, timely,

efficient and equitable; and

WHEREAS, the General Assembly has endorsed the adoption of an electronic medical

records and health information exchange system in Rhode Island to improve the quality, safety

and value of health care through a Resolution adopted in 2007; and

WHEREAS, the State of Rhode Island has an interest in encouraging the implementation

of a statewide health information exchange system to allow the widespread utilization of

electronic health records by health care providers; and

WHEREAS, the State of Rhode Island has an interest in popularizing the use of a

statewide Health Information Exchange system ("HIE") in order to improve the quality, safety

and value of health care, keep confidential health information secure and confidential and use the

HIE system to progress toward meeting public health goals; and

WHEREAS, the State of Rhode Island desires to establish the authority for the

Department of Health to regulate the statewide HIE system.

SECTION 2. Title 5 of the General Laws entitled "BUSINESSES AND PROFESSIONS"

is hereby amended by adding thereto the following chapter:

CHAPTER 37.7

RHODE ISLAND HEALTH INFORMATION EXCHANGE ACT OF 2008

5-37.7-1. Short title. -- This chapter shall be known and may be cited as the "Rhode

Island Health Information Exchange Act of 2008."

5-37.7-2. Statement of purpose. -- The purpose of this chapter is to establish safeguards

and confidentiality protections for the HIE in order to improve the quality, safety and value of

health care, keep confidential health information secure and confidential and use the HIE to

progress toward meeting public health goals.

5-37.7-3. Definitions. -- As used in this chapter:

(a) "Agency" means the Rhode Island department of health.

(b) "Authorized representative" means:

(1) A person empowered by the patient participant to assert or to waive the

confidentiality, or to disclose or authorize the disclosure of confidential information, as

established by this chapter. That person is not, except by explicit authorization, empowered to

waive confidentiality or to disclose or consent to the disclosure of confidential information; or

(2) A person appointed by the patient participant to make health care decisions on his or

her behalf through a valid durable power of attorney for health care as set forth in Rhode Island

general laws section 23-4.10-2; or

(3) A guardian or conservator, with authority to make health care decisions, if the patient

participant is decisionally impaired; or

(4) Another legally appropriate medical decision maker temporarily if the patient

participant is decisionally impaired and no health care agent, guardian or conservator is available;

(5) If the patient participant is deceased, his or her personal representative or, in the

absence of that representative, his or her heirs-at-law; or

(6) A parent with the authority to make health care decisions for the parent's child.

by which a patient participant provides authorization for the RHIO to allow access to, review of,

and/or disclosure of the patient participant's confidential health care information by electronic,

written or other means.

(d) "Business associate" means a business associate as defined by HIPAA.

(e) "Confidential health care information" means all information relating to a patient

participant's health care history, diagnosis, condition, treatment, or evaluation.

(f) "Coordination of care" means the process of coordinating, planning, monitoring,

and/or sharing information relating to and assessing a care plan for treatment of a patient.

(g) "Data submitting partner" means an individual, organization or entity that has entered

into a business associate agreement with the RHIO and submits patient participants' confidential

health care information through the HIE.

(h) "Department of health" means the Rhode Island department of health.

(i) "Disclosure report" means a report generated by the HIE relating to the record of

access to, review of and/or disclosure of a patient's confidential health care information received,

accessed or held by the HIE.

(j) "Electronic mobilization" means the capability to move clinical information

electronically between disparate health care information systems while maintaining the accuracy

of the information being exchanged.

(k) "Emergency" means the sudden onset of a medical, mental or substance abuse or

other condition manifesting itself by acute symptoms of severity (e.g. severe pain) where the

absence of medical attention could reasonably be expected, by a prudent lay person, to result in

placing the patient's health in serious jeopardy, serious impairment to bodily or mental functions,

or serious dysfunction of any bodily organ or part.

(l) "Health care provider" means any person or entity licensed by this state to provide or

lawfully providing health care services, including, but not limited to, a physician, hospital,

intermediate care facility or other health care facility, dentist, nurse, optometrist, podiatrist,

physical therapist, psychiatric social worker, pharmacist or psychologist, and any officer,

employee, or agent of that provider acting in the course and scope of his or her employment or

agency related to or supportive of health care services.

(m) "Health care services" means acts of diagnosis, treatment, medical evaluation,

referral or counseling or any other acts that may be permissible under the health care licensing

statutes of this state.

(n) "Health Information Exchange" or "HIE" means the technical system operated, or to

be operated, by the RHIO under state authority allowing for the statewide electronic mobilization

of confidential health care information, pursuant to this chapter.

(o) "HIE Advisory Commission" means the advisory body established by the department

of health in order to provide community input and policy recommendations regarding the use of

the confidential health care information of the HIE.

(p) "HIPAA" means the health insurance portability and accountability act of 1996, as

amended.

(q) "Participant" means a patient participant, a patient participant's authorized

representative, a provider participant, a data submitting partner, the regional health information

organization and the department of health, that has agreed to authorize, submit, access and/or

disclose confidential health care information via the HIE in accordance with this chapter.

(r) "Participation" means a participant's authorization, submission, access and/or

disclosure of confidential health care information in accordance with this chapter.

(s) "Patient participant" means a person who receives health care services from a provider

participant and has agreed to participate in the HIE through the mechanisms established in this

chapter.

(t) "Provider participant" means a pharmacy, laboratory or health care provider who is

providing health care services to a patient participant and/or is submitting or accessing health care

information through the HIE and has executed an electronic and/or written agreement regarding

disclosure, access, receipt, retention or release of confidential health care information to the HIE;

(u) "Regional health information organization" or "RHIO" means the organization

designated as the RHIO by the state to provide administrative and operational support to the HIE.

5-37.7-4. Participation in the health information exchange. -- (a) There shall be

established a statewide HIE under state authority to allow for the electronic mobilization of

confidential health care information in Rhode Island. Confidential health care information may

only be accessed, released or transferred from the HIE in accordance with this chapter.

(b) The state of Rhode Island has an interest in encouraging participation in the HIE by

all interested parties, including, but not limited to, health care providers, patients, entities

submitting information to the HIE, entities obtaining information from the HIE and the RHIO.

The Rhode Island department of health is also considered a participant for public health purposes.

defined by regulations in accordance with section 5-37.7-3 provided however that provider

participants must continue to maintain their own medical record meeting the documentation and

other standards imposed by otherwise applicable law.

(d) Participation in the HIE shall have no impact on the content of or use or disclosure of

confidential health care information of patient participants that is held in locations other than the

HIE. Nothing in this chapter shall be construed to limit, change or otherwise affect entities' rights

or obligations to exchange confidential health care information in accordance with other

applicable laws.

(e) The state of Rhode Island hereby imposes on the HIE and the RHIO as a matter of

state law, the obligation to maintain, and abide by the terms of, HIPAA complaint business

associate agreements, including, without limitation, the obligations to use appropriate safeguards

to prevent use or disclosure of confidential health care information in accordance with HIPAA

and this chapter, not to use or disclose confidential health care information other than as

permitted by HIPAA and this chapter, or to make any amendment to a confidential health care

record that a provider participant so directs and to respond to a request by a patient participant to

make an amendment to the patient participant's confidential health care record.

5-37.7-5. Regulatory oversight. -- (a) The director of the department of health shall

develop regulations regarding the confidentiality of patient participant information received,

accessed or held by the HIE and is authorized to promulgate such other regulations as the director

deems necessary or desirable to implement the provisions of this chapter, in accordance with the

provisions set forth in chapter 17 of title 23 and chapter 35 of title 42 of the general laws.

(b) The department of health has exclusive jurisdiction over the HIE, except with respect

to the jurisdiction conferred upon the attorney general in section 5-37.7-13. This chapter shall not

apply to any other private and/or public health information systems utilized within a health care

provider or other organization that provides health care services.

of an HIE advisory commission that will be responsible for recommendations relating to the use

of, and appropriate confidentiality protections for, the confidential health care information of the

HIE, subject to regulatory oversight by the department of health. Said commission members shall

be subject to the advice and consent of the senate. The commission shall report annually to the

department of health and the RHIO, and such report shall be made public.

5-37.7-6. Rhode Island health information organization. -- The RHIO shall, subject to

and consistent with department regulations and contractual obligations it has with the state of

Rhode Island, be responsible for all administrative, operational, and financial functions to support

the HIE, including, but not limited to, implementing and enforcing policies for receiving,

retaining, safeguarding and disclosing confidential health care information as required by this

chapter. The RHIO is deemed to be the steward of the confidential health care information for

which it has administrative responsibility. The HIE advisory commission shall be responsible for

recommendations to the department of health, and in consultation with the RHIO regarding the

use of the confidential health care information.

5-37.7-7. Disclosure. -- (a)(1) Except as provided in subsection (b) of this section, a

patient participant's confidential health care information may only be accessed, released or

transferred from the HIE in accordance with an authorization form signed by the patient

participant or the patient's authorized representative.

(b) No authorization for release or transfer of confidential health care information from

the HIE shall be required in the following situations:

(1) To a health care provider who believes, in good faith, that the information is

necessary for diagnosis or treatment of that individual in an emergency; or

(2) To public health authorities in order to carry out their functions as described in this

title and titles 21 and 23, and rules promulgated under those titles. These functions include, but

are not restricted to, investigations into the causes of disease, the control of public health hazards,

enforcement of sanitary laws, investigation of reportable diseases, certification and licensure of

health professionals and facilities, review of health care such as that required by the federal

government and other governmental agencies, and mandatory reporting laws set forth in Rhode

Island general laws; and

(3) To the RHIO in order for it to effectuate the operation and administrative oversight of

the HIE.

transfer of confidential health care information from the HIE shall be prescribed by the RHIO in

accordance with applicable department of health regulations, but at a minimum shall contain the

following information in a clear and conspicuous manner:

(1) A statement of the need for and proposed uses of that information; and

(2) A statement that the authorization for access to, disclosure of and/or release of

information may be withdrawn at any future time and is subject to revocation.

(3) That the patient has the right not to participate in the HIE; and

(4) The patient's right to choose to: (i) enroll in and participate fully in the HIE; or (ii)

designate only specific health care providers that may access the patient participant's confidential

health care information.

(d) Except as specifically provided by law or this chapter, or use for clinical care, a

patient participant's confidential health care information shall not be accessed by, given, sold,

transferred, or in any way relayed from the HIE to any other person or entity not specified in the

patient participant authorization form meeting the requirements of subsection (c) of this section

without first obtaining additional authorization.

(e) Nothing contained in this chapter shall be construed to limit the permitted access to or

the release, transfer, access or disclosure of confidential health care information described in

subsection (b) of this section or under other applicable law.

(f) Confidential health care information received, disclosed or held by the HIE shall not

be subject to subpoena directed to the HIE or RHIO unless the following procedures have been

completed: (i) the person seeking the confidential health care information has already requested

and received the confidential health care information from the health care provider that was the

original source of the information; and (ii) a determination has been made by the superior court

upon motion and notice to the HIE or RHIO and the parties to the litigation in which the

subpoena is served that the confidential health care information sought from the HIE is not

available from another source and is either relevant to the subject matter involved in the pending

action or is reasonably calculated to lead to the discovery of admissible evidence in such pending

action. Any person issuing a subpoena to the HIE or RHIO pursuant to this section shall certify

that such measures have been completed prior to the issuance of the subpoena.

(g) Nothing herein shall interfere with or impact upon any rights or obligations imposed

by the Workers Compensation Act as contained in title 28, chapters 29 through 38, of these

General Laws.

5-37.7-8. Security. -- The HIE must be subject to at least the following security

procedures:

(a) Authenticate the recipient of any confidential health care information disclosed by the

HIE pursuant to this chapter pursuant to rules and regulations promulgated by the agency.

(b) Limit authorized access to personally identifiable confidential health care information

to persons having a need to know that information; additional employees or agents may have

access to de-identified information;

procedures for the HIE;

(d) Provide an electronic or written statement to each employee or agent as to the

necessity of maintaining the security and confidentiality of confidential health care information,

and of the penalties provided for in this chapter for the unauthorized access, release, transfer, use,

or disclosure of this information;

(e) Take no disciplinary or punitive action against any employee or agent for bringing

evidence of violation of this chapter to the attention of any person.

5-37.7-9. Secondary disclosure. -- Any confidential health care information obtained by

a provider participant pursuant to this chapter may be further disclosed by such provider

participant with or without authorization of the patient participant to the same extent that such

information may be disclosed pursuant to existing state and federal law, without regard to the

source of the information.

5-37.7-10. Patient's rights. -- Pursuant to this chapter, a patient participant who has his

or her confidential health care information transferred through the HIE shall have the following

rights:

(a) To obtain a copy of his or her confidential health care information from the HIE;

(b) To obtain a copy of the disclosure report pertaining to his or her confidential health

care information;

protection act, of a breach of the security system of the HIE;

(d) To terminate his or her participation in the HIE in accordance with rules and

regulations promulgated by the agency; and

(e) To request to amend his or her own information through the provider participant.

5-37.7-11. Immunity. -- Any health care provider who relies in good faith upon any

information provided through the HIE in his, her or its treatment of a patient, shall be immune

from any criminal or civil liability arising from any damages caused by such good faith reliance.

This immunity does not apply to acts or omissions constituting negligence or reckless, wanton or

intentional misconduct.

5-37.7-12. Reconciliation with other authorities. -- (a) This chapter shall only apply to

the HIE system, and does not apply to any other private and/or public health information systems

utilized in Rhode Island, including other health information systems utilized within or by a health

care facility or organization.

(b) As this chapter provides extensive protection with regard to access to and disclosure

of confidential health care information by the HIE, it supplements, with respect to the HIE only,

any less stringent disclosure requirements, including, but not limited to, those contained in

chapter 37.3 of this title, the health insurance portability and accountability act (HIPAA) and

regulations promulgated thereunder, and any other less stringent federal or state law.

regulations which provide more extensive protection than provided in this chapter for the

confidentiality of health care information. Notwithstanding such provision, because of the

extensive protections with regard to access to and disclosure of confidential health care

information by the HIE provided for in this chapter, patient authorization obtained for access to or

disclosure of information to or from the HIE or a provider participant shall be deemed the same

authorization required by other state or federal laws including information regarding mental

health (the Rhode Island mental health law, Rhode Island general laws section 40.1-5-1 et seq.);

HIV (Rhode Island general laws section 23-6-17); sexually transmitted disease (Rhode Island

general laws sections 23-6-17 and 23-11-9); alcohol and drug abuse (Rhode Island general laws

section 23-1.10-1 et seq., 42 U.S.C. section 290dd-2) or genetic information (Rhode Island

general laws section 27-41-53, Rhode Island general laws section 27-20-39 and Rhode Island

general laws section 27-19-44).

5-37.7-13. Penalties – Attorneys' fees for violations. -- (a) Civil penalties. Anyone who

violates the provisions of this chapter may be held liable for actual and exemplary damages.

(b) Criminal penalties. Anyone who intentionally and knowingly violates the provisions

of this chapter shall, upon conviction, be fined not more than ten thousand dollars ($10,000) per

patient, per violation, or imprisoned for not more than one year, or both.

applicable to anyone who obtains confidential health care information maintained under the

provisions of this chapter through the commission of a crime.

(d) Attorneys' fees. Attorneys' fees may be awarded at the discretion of the court, to the

successful party in any action under this chapter.

5-37.7-14. Waivers void. -- Any agreement purporting to waive the provisions of this

chapter is declared to be against public policy and void.

5-37.7-15. Severability. -- If any provision of this chapter is held by a court to be invalid,

that invalidity shall not affect the remaining provisions of the chapter, and to this end the

provisions of the chapter are declared severable.

SECTION 3. This act shall take effect on March 1, 2009.

=======

LC01827/SUB A/2

=======