Chapter
466
2008 -- H 7409 SUBSTITUTE A AS AMENDED
Enacted 07/10/08
A N A C T
RELATING TO BUSINESS
AND PROFESSIONS - THE RHODE ISLAND HEALTH INFORMATION EXCHANGE ACT OF 2008
Introduced By: Representatives Kilmartin, and Sullivan
Date Introduced: February
12, 2008
It is
enacted by the General Assembly as follows:
SECTION
1. Legislative findings:
WHEREAS,
The people of Rhode Island expect health care services to be high quality,
safe
and of high value; and
WHEREAS,
The implementation of health information technology including electronic
medical
records and the use of electronic prescribing increases the quality of health
care delivery
and the
prevention of medication errors; and
WHEREAS,
The implementation of health information technology will support a
transformed
health care system in Rhode Island that is safe, effective, patient-centered,
timely,
efficient
and equitable; and
WHEREAS,
The General Assembly has endorsed the adoption of an electronic medical
records
and health information exchange system in Rhode Island to improve the quality,
safety
and
value of health care through a Resolution adopted in 2007; and
WHEREAS,
The State of Rhode Island has an interest in encouraging the implementation
of a
statewide health information exchange system to allow the widespread
utilization of
electronic
health records by health care providers; and
WHEREAS,
The State of Rhode Island has an interest in popularizing the use of a
statewide
Health Information Exchange system ("HIE") in order to improve the
quality, safety
and
value of health care, keep confidential health information secure and
confidential and use the
HIE
system to progress toward meeting public health goals; and
WHEREAS,
The State of Rhode Island desires to establish the authority for the
Department
of Health to regulate the statewide HIE system.
SECTION
2. Title 5 of the General Laws entitled "BUSINESSES AND PROFESSIONS"
is
hereby amended by adding thereto the following chapter:
CHAPTER 37.7
RHODE ISLAND HEALTH INFORMATION EXCHANGE ACT OF 2008
5-37.7-1.
Short title. -- This chapter shall be known and may be cited as the
"Rhode
Island
Health Information Exchange Act of 2008."
5-37.7-2.
Statement of purpose. -- The purpose of this chapter is to establish
safeguards
and
confidentiality protections for the HIE in order to improve the quality, safety
and value of
health
care, keep confidential health information secure and confidential and use the
HIE to
progress
toward meeting public health goals.
5-37.7-3.
Definitions. -- As used in this chapter:
(a)
"Agency" means the Rhode Island department of health.
(b)
"Authorized representative" means:
(1)
A person empowered by the patient participant to assert or to waive the
confidentiality,
or to disclose or authorize the disclosure of confidential information, as
established
by this chapter. That person is not, except by explicit authorization,
empowered to
waive
confidentiality or to disclose or consent to the disclosure of confidential
information; or
(2)
A person appointed by the patient participant to make health care decisions on
his or
her
behalf through a valid durable power of attorney for health care as set forth
in Rhode Island
general
laws section 23-4.10-2; or
(3)
A guardian or conservator, with authority to make health care decisions, if the
patient
participant
is decisionally impaired; or
(4)
Another legally appropriate medical decision maker temporarily if the patient
participant
is decisionally impaired and no health care agent, guardian or conservator is
available;
or
(5)
If the patient participant is deceased, his or her personal representative or,
in the
absence
of that representative, his or her heirs-at-law; or
(6)
A parent with the authority to make health care decisions for the parent's
child.
(c)
"Authorization form" means the form described in section 5-37.7-7 of
this chapter and
by
which a patient participant provides authorization for the RHIO to allow access
to, review of,
and/or
disclosure of the patient participant's confidential health care information by
electronic,
written
or other means.
(d)
"Business associate" means a business associate as defined by HIPAA.
(e)
"Confidential health care information" means all information relating
to a patient
participant's
health care history, diagnosis, condition, treatment, or evaluation.
(f)
"Coordination of care" means the process of coordinating, planning,
monitoring,
and/or
sharing information relating to and assessing a care plan for treatment of a
patient.
(g)
"Data submitting partner" means an individual, organization or entity
that has entered
into
a business associate agreement with the RHIO and submits patient participants'
confidential
health
care information through the HIE.
(h)
"Department of health" means the Rhode Island department of health.
(i)
"Disclosure report" means a report generated by the HIE relating to
the record of
access
to, review of and/or disclosure of a patient's confidential health care
information received,
accessed
or held by the HIE.
(j)
"Electronic mobilization" means the capability to move clinical
information
electronically
between disparate health care information systems while maintaining the
accuracy
of
the information being exchanged.
(k)
"Emergency" means the sudden onset of a medical, mental or substance
abuse or
other
condition manifesting itself by acute symptoms of severity (e.g. severe pain)
where the
absence
of medical attention could reasonably be expected, by a prudent lay person, to
result in
placing
the patient's health in serious jeopardy, serious impairment to bodily or
mental functions,
or
serious dysfunction of any bodily organ or part.
(l)
"Health care provider" means any person or entity licensed by this
state to provide or
lawfully
providing health care services, including, but not limited to, a physician,
hospital,
intermediate
care facility or other health care facility, dentist, nurse, optometrist,
podiatrist,
physical
therapist, psychiatric social worker, pharmacist or psychologist, and any officer,
employee,
or agent of that provider acting in the course and scope of his or her
employment or
agency
related to or supportive of health care services.
(m)
"Health care services" means acts of diagnosis, treatment, medical
evaluation,
referral
or counseling or any other acts that may be permissible under the health care
licensing
statutes
of this state.
(n)
"Health Information Exchange" or "HIE" means the technical
system operated, or to
be
operated, by the RHIO under state authority allowing for the statewide
electronic mobilization
of
confidential health care information, pursuant to this chapter.
(o)
"HIE Advisory Commission" means the advisory body established by the
department
of
health in order to provide community input and policy recommendations regarding
the use of
the
confidential health care information of the HIE.
(p)
"HIPAA" means the health insurance portability and accountability act
of 1996, as
amended.
(q)
"Participant" means a patient participant, a patient participant's
authorized
representative,
a provider participant, a data submitting partner, the regional health
information
organization
and the department of health, that has agreed to authorize, submit, access
and/or
disclose
confidential health care information via the HIE in accordance with this
chapter.
(r)
"Participation" means a patient participant's authorization,
submission, access and/or
disclosure
of confidential health care information via the HIE in accordance with this
chapter.
(s)
"Patient participant" means a person who receives health care
services from a provider
participant
and has agreed to participate in the HIE through the mechanisms established in
this
chapter.
(t)
"Provider participant" means a pharmacy, laboratory or health care
provider who is
providing
health care services to a patient participant and/or is submitting or accessing
health care
information
through the HIE and has executed an electronic and/or written agreement
regarding
disclosure,
access, receipt, retention or release of confidential health care information
to the HIE;
(u)
"Regional health information organization" or "RHIO" means
the organization
designated
as the RHIO by the state to provide administrative and operational support to
the HIE.
5-37.7-4.
Participation in the health information exchange. -- (a) There shall
be
established
a statewide HIE under state authority to allow for the electronic mobilization
of
confidential
health care information in Rhode Island. Confidential health care information
may
only
be accessed, released or transferred from the HIE in accordance with this
chapter.
(b)
The state of Rhode Island has an interest in encouraging participation in the
HIE by
all
interested parties, including, but not limited to, health care providers,
patients, entities
submitting
information to the HIE, entities obtaining information from the HIE and the
RHIO.
The
Rhode Island department of health is also considered a participant for public
health purposes.
(c)
Patients and health care providers shall have the choice to participate in the
HIE, as
defined
by regulations in accordance with section 5-37.7-3 , provided, however, that
provider
participants
must continue to maintain their own medical record meeting the documentation
and
other
standards imposed by otherwise applicable law.
(d)
Participation in the HIE shall have no impact on the content of or use or
disclosure of
confidential
health care information of patient participants that is held in locations other
than the
HIE.
Nothing in this chapter shall be construed to limit, change or otherwise affect
entities' rights
to
exchange confidential health care information in accordance with other applicable
laws.
(e)
The state of Rhode Island hereby imposes on the HIE and the RHIO as a matter of
state
law, the obligation to maintain, and abide by the terms of, HIPAA complaint
business
associate
agreements, including, without limitation, the obligations to use appropriate
safeguards
to
prevent use or disclosure of confidential health care information in accordance
with HIPAA
and
this chapter, not to use or disclose confidential health care information other
than as
permitted
by HIPAA and this chapter, or to make any amendment to a confidential health
care
record
that a provider participant so directs and to respond to a request by a patient
participant to
make
an amendment to the patient participant's confidential health care record.
5-37.7-5.
Regulatory oversight. -- (a) The director of the department of
health shall
develop
regulations regarding the confidentiality of patient participant information
received,
accessed
or held by the HIE and is authorized to promulgate such other regulations as
the director
deems
necessary or desirable to implement the provisions of this chapter, in
accordance with the
provisions
set forth in chapter 17 of title 23 and chapter 35 of title 42 of the general
laws.
(b)
The department of health has exclusive jurisdiction over the HIE, except with
respect
to
the jurisdiction conferred upon the attorney general in section 5-37.7-13. This
chapter shall not
apply
to any other private and/or public health information systems utilized within a
health care
provider
or other organization that provides health care services.
(c)
The department of health shall promulgate rules and regulations for the
establishment
of an
HIE advisory commission that will be responsible for recommendations relating
to the use
of,
and appropriate confidentiality protections for, the confidential health care
information of the
HIE,
subject to regulatory oversight by the department of health. Said commission
members shall
be
subject to the advice and consent of the senate. The commission shall report
annually to the
department
of health and the RHIO, and such report shall be made public.
5-37.7-6.
Rhode Island health information organization. -- The RHIO shall,
subject to
and
consistent with department regulations and contractual obligations it has with
the state of
Rhode
Island, be responsible for implementing recognized national standards for
interoperability
and
all administrative, operational, and financial functions to support the HIE,
including, but not
limited
to, implementing and enforcing policies for receiving, retaining, safeguarding
and
disclosing
confidential health care information as required by this chapter. The RHIO is
deemed
to be
the steward of the confidential health care information for which it has
administrative
responsibility.
The HIE advisory commission shall be responsible for recommendations to the
department
of health, and in consultation with the RHIO regarding the use of the
confidential
health
care information.
5-37.7-7.
Disclosure. -- (a)(1) Except as provided in subsection (b) of this
section, a
patient
participant's confidential health care information may only be accessed,
released or
transferred
from the HIE in accordance with an authorization form signed by the patient
participant
or the patient's authorized representative.
(b)
No authorization for release or transfer of confidential health care
information from
the
HIE shall be required in the following situations:
(1)
To a health care provider who believes, in good faith, that the information is
necessary
for diagnosis or treatment of that individual in an emergency; or
(2)
To public health authorities in order to carry out their functions as described
in this
title
and titles 21 and 23, and rules promulgated under those titles. These functions
include, but
are
not restricted to, investigations into the causes of disease, the control of
public health hazards,
enforcement
of sanitary laws, investigation of reportable diseases, certification and
licensure of
health
professionals and facilities, review of health care such as that required by
the federal
government
and other governmental agencies, and mandatory reporting laws set forth in
Rhode
Island
general laws; and
(3)
To the RHIO in order for it to effectuate the operation and administrative
oversight of
the
HIE.
(c)
The content of the authorization form for access to, or the disclosure, release
or
transfer
of confidential health care information from the HIE shall be prescribed by the
RHIO in
accordance
with applicable department of health regulations, but at a minimum shall
contain the
following
information in a clear and conspicuous manner:
(1)
A statement of the need for and proposed uses of that information; and
(2)
A statement that the authorization for access to, disclosure of and/or release
of
information
may be withdrawn at any future time and is subject to revocation.
(3)
That the patient has the right not to participate in the HIE; and
(4)
The patient's right to choose to: (i) enroll in and participate fully in the
HIE; or (ii)
designate
only specific health care providers that may access the patient participant's
confidential
health
care information.
(d)
Except as specifically provided by law or this chapter, or use for clinical
care, a
patient
participant's confidential health care information shall not be accessed by,
given, sold,
transferred,
or in any way relayed from the HIE to any other person or entity not specified
in the
patient
participant authorization form meeting the requirements of subsection (c) of
this section
without
first obtaining additional authorization.
(e)
Nothing contained in this chapter shall be construed to limit the permitted
access to or
the
release, transfer, access or disclosure of confidential health care information
described in
subsection
(b) of this section or under other applicable law.
(f)
Confidential health care information received, disclosed or held by the HIE
shall not
be
subject to subpoena directed to the HIE or RHIO unless the following procedures
have been
completed:
(i) the person seeking the confidential health care information has already
requested
and
received the confidential health care information from the health care provider
that was the
original
source of the information; and (ii) a determination has been made by the
superior court
upon
motion and notice to the HIE or RHIO and the parties to the litigation in which
the
subpoena
is served that the confidential health care information sought from the HIE is
not
available
from another source and is either relevant to the subject matter involved in
the pending
action
or is reasonably calculated to lead to the discovery of admissible evidence in
such pending
action.
Any person issuing a subpoena to the HIE or RHIO pursuant to this section shall
certify
that
such measures have been completed prior to the issuance of the subpoena.
(g)
Nothing contained herein shall interfere with or impact upon any rights or
obligations
imposed
by the Workers Compensation Act as contained in title 28, chapters 29 – 38, of
the
general
laws.
5-37.7-8.
Security. -- The HIE must be subject to at least the following
security
procedures:
(a)
Authenticate the recipient of any confidential health care information
disclosed by the
HIE
pursuant to this chapter pursuant to rules and regulations promulgated by the
agency.
(b)
Limit authorized access to personally identifiable confidential health care
information
to
persons having a need to know that information; additional employees or agents
may have
access
to de-identified information;
(c)
Identify an individual or individuals who have responsibility for maintaining
security
procedures
for the HIE;
(d)
Provide an electronic or written statement to each employee or agent as to the
necessity
of maintaining the security and confidentiality of confidential health care
information,
and
of the penalties provided for in this chapter for the unauthorized access,
release, transfer, use,
or
disclosure of this information;
(e)
Take no disciplinary or punitive action against any employee or agent for
bringing
evidence
of violation of this chapter to the attention of any person.
5-37.7-9.
Secondary disclosure. -- Any confidential health care information
obtained by
a
provider participant pursuant to this chapter may be further disclosed by such
provider
participant
with or without authorization of the patient participant to the same extent
that such
information
may be disclosed pursuant to existing state and federal law, without regard to
the
source
of the information.
5-37.7-10.
Patient's rights. -- Pursuant to this chapter, a patient participant
who has his
or
her confidential health care information transferred through the HIE shall have
the following
rights:
(a)
To obtain a copy of his or her confidential health care information from the
HIE;
(b)
To obtain a copy of the disclosure report pertaining to his or her confidential
health
care
information;
(c)
To be notified as required by chapter 49.2 of title 11, the Rhode Island
identity theft
protection
act, of a breach of the security system of the HIE;
(d)
To terminate his or her participation in the HIE in accordance with rules and
regulations
promulgated by the agency; and
(e)
To request to amend his or her own information through the provider
participant.
5-37.7-11.
Immunity. -- Any health care provider who relies in good faith upon
any
information
provided through the HIE in his, her or its treatment of a patient, shall be
immune
from any
criminal or civil liability arising from any damages caused by such good faith
reliance.
This
immunity does not apply to acts or omissions constituting negligence or
reckless, wanton or
intentional
misconduct.
5-37.7-12.
Reconciliation with other authorities. -- (a) This chapter shall
only apply to
the
HIE system, and does not apply to any other private and/or public health
information systems
utilized
in Rhode Island, including other health information systems utilized within or
by a health
care
facility or organization.
(b)
As this chapter provides extensive protection with regard to access to and
disclosure
of
confidential health care information by the HIE, it supplements, with respect
to the HIE only,
any
less stringent disclosure requirements, including, but not limited to, those
contained in
chapter
37.3 of this title, the health insurance portability and accountability act
(HIPAA) and
regulations
promulgated thereunder, and any other less stringent federal or state law.
(c)
This chapter shall not be construed to interfere with any other federal or
state laws or
regulations
which provide more extensive protection than provided in this chapter for the
confidentiality
of health care information. Notwithstanding such provision, because of the
extensive
protections with regard to access to and disclosure of confidential health care
information
by the HIE provided for in this chapter, patient authorization obtained for
access to or
disclosure
of information to or from the HIE or a provider participant shall be deemed the
same
authorization
required by other state or federal laws including information regarding mental
health
(the Rhode Island mental health law, Rhode Island general laws section 40.1-5-1
et seq.);
HIV
(Rhode Island general laws section 23-6-17); sexually transmitted disease
(Rhode Island
general
laws sections 23-6-17 and 23-11-9); alcohol and drug abuse (Rhode Island
general laws
section
23-1.10-1 et seq., 42 U.S.C. section 290dd-2) or genetic information (Rhode
Island
general
laws section 27-41-53, Rhode Island general laws section 27-20-39 and Rhode
Island
general
laws section 27-19-44).
5-37.7-13.
Penalties – Attorneys' fees for violations. -- (a) Civil penalties.
Anyone who
violates
the provisions of this chapter may be held liable for actual and exemplary
damages.
(b)
Criminal penalties. Anyone who intentionally and knowingly violates the
provisions
of
this chapter shall, upon conviction, be fined not more than ten thousand
dollars ($10,000) per
patient,
per violation, or imprisoned for not more than one year, or both.
(c)
Commission of crime. The civil and criminal penalties in this section shall
also be
applicable
to anyone who obtains confidential health care information maintained under the
provisions
of this chapter through the commission of a crime.
(d)
Attorneys' fees. Attorneys' fees may be awarded at the discretion of the court,
to the
successful
party in any action under this chapter.
5-37.7-14.
Waivers void. -- Any agreement purporting to waive the provisions of
this
chapter
is declared to be against public policy and void.
5-37.7-15.
Severability. -- If any provision of this chapter is held by a court
to be invalid,
that
invalidity shall not affect the remaining provisions of the chapter, and to
this end the
provisions
of the chapter are declared severable.
SECTION
3. This act shall take effect on March 1, 2009.
=======
LC01079/SUB A/4
=======