Chapter 364
2021 -- S 0495 SUBSTITUTE A Enacted 07/12/2021
AN ACT
RELATING TO BUSINESSES AND PROFESSIONS -- RHODE ISLAND HEALTH INFORMATION EXCHANGE ACT OF 2008
Introduced By: Senators Miller, Valverde, Goldin, and DiMario
Date Introduced: March 04, 2021
It is enacted by the General Assembly as follows:
SECTION 2 (1). Sections 5-37.7-2, 5-37.7-3, 5-37.7-4, 5-37.7-5, 5-37.7-6, 5-37.7-7,
5-37.7-8, 5-37.7-10 and 5-37.7-12 of the General Laws in Chapter 5-37.7 entitled "Rhode Island
Health Information Exchange Act of 2008" are hereby amended to read as follows:
5-37.7-2. Statement of purpose. |
The purpose of this chapter is to establish safeguards and confidentiality protections for |
the HIE in order to improve the quality, safety, and value of health care, keep confidential health |
information secure and confidential, and use the HIE to progress toward meeting public-health |
goals by promoting interoperability, enhancing electronic communication between providers, and |
supporting public health goals, while keeping confidential health care healthcare information |
secure. |
5-37.7-3. Definitions. |
As used in this chapter: |
(a) "Agency" means the Rhode Island department of health. |
(b) "Authorization form" means the form described in § 5-37.7-7 and by which a patient |
participant provides authorization for the RHIO to allow access to, review of, and/or disclosure of |
the patient participant's confidential healthcare information by electronic, written, or other means. |
(c)(a) (1) "Authorized representative" means: |
(1) (i) A person empowered by the patient participant to assert or to waive confidentiality, |
or to disclose or authorize the disclosure of confidential information, as established by this chapter. |
That person is not, except by explicit authorization, empowered to waive confidentiality or to |
disclose or consent to the disclosure of confidential information; or |
(2) (ii) A person appointed by the patient participant to make healthcare decisions on his |
or her behalf through a valid durable power of attorney for healthcare health care as set forth in § |
23-4.10-2; or |
(3) (iii) A guardian or conservator, with authority to make healthcare decisions, if the |
patient participant is decisionally impaired; or |
(4) (iv) Another legally appropriate medical decision maker temporarily if the patient |
participant is decisionally impaired and no healthcare agent, guardian, or conservator is available; |
or |
(5) (v) If the patient participant is deceased, his or her personal representative or, in the |
absence of that representative, his or her heirs-at-law; or |
(6) (vi) A parent with the authority to make healthcare decisions for the parent's child; or |
(7) (vii) A person authorized by the patient participant or his or her authorized |
representative to access their confidential healthcare information from the HIE, including family |
members or other proxies as designated by the patient, to assist the patient participant with the |
coordination of their care. |
(d)(b) (2) "Business associate" means a business associate as defined by HIPAA. |
(e)(c) (3) "Confidential healthcare information" means all information relating to a patient |
participant's patient's healthcare history, diagnosis, condition, treatment, or evaluation. |
(f)(d) (4) "Coordination of care" means the process of coordinating, planning, monitoring, |
and/or sharing information relating to, and assessing a care plan for, treatment of a patient. |
(g)(e) (5) "Data-submitting partner" means an individual, organization, or entity who or |
that has entered into a business associate agreement with the RHIO and submits a patient |
participant's patient's confidential healthcare information through the HIE. |
(h)(f) (6) "Department of health" means the Rhode Island department of health. |
(i)(g) (7) "Disclosure report" means a report generated by the HIE relating to the record of |
access to, review of, and/or disclosure of a patient's confidential healthcare information received, |
accessed, or held by the HIE. |
(j)(h) (8) "Electronic mobilization" means the capability to move clinical confidential |
health information electronically between disparate healthcare information systems while |
maintaining the accuracy of the information being exchanged. |
(k)(i) (9) "Emergency" means the sudden onset of a medical, mental, or substance abuse |
use, or other condition manifesting itself by acute symptoms of severity (e.g., severe pain) where |
the absence of medical attention could reasonably be expected, by a prudent layperson, to result in |
placing the patient's health in serious jeopardy, serious impairment to bodily or mental functions, |
or serious dysfunction of any bodily organ or part. |
(l)(j) (10) "Healthcare provider" means any person or entity licensed by this state to provide |
or lawfully providing healthcare services, including, but not limited to, a physician, hospital, |
intermediate-care facility or other healthcare facility, dentist, nurse, optometrist, podiatrist, |
physical therapist, psychiatric social worker, pharmacist, or psychologist, and any officer, |
employee, or agent of that provider acting in the course and scope of his or her employment or |
agency related to or supportive of healthcare services. |
(m)(k) (11) "Healthcare services" means acts of diagnosis, treatment, medical evaluation, |
referral, or counseling, or any other acts that may be permissible under the healthcare licensing |
statutes of this state. |
(n)(l) (12) "Health Information Exchange" or "HIE" means the technical system operated, |
or to be operated, by the RHIO under state authority allowing for the statewide electronic |
mobilization of confidential healthcare information, pursuant to this chapter. |
(o)(m) (13) "Health plan" means an individual plan or a group plan that provides, or pays |
the cost of, healthcare services for a patient participant. |
(p)(n) (14) "HIE Advisory Commission" means the advisory body established by the |
department of health in order to provide community input and policy recommendations regarding |
the use of the confidential healthcare information of the HIE. |
(q)(o) (15) "HIPAA" means the Health Insurance Portability and Accountability Act of |
1996, as amended. |
(r) "Participant" means a patient participant, a patient participant's authorized |
representative, a provider participant, a data-submitting partner, the regional health information |
organization, and the department of health, that has agreed to authorize, submit, access, and/or |
disclose confidential healthcare information via the HIE in accordance with this chapter. |
(s) "Participation" means a patient participant's authorization, submission, access, and/or |
disclosure of confidential healthcare information via the HIE in accordance with this chapter. |
(p) (16) "Opt out" means the ability of a patient to choose to not have their confidential |
health care healthcare information disclosed from HIE in accordance with § 5-37.7-7. |
(t)(q) (17) "Patient participant" means a person who receives healthcare services from a |
provider participant and has agreed to participate in the HIE through the mechanisms established |
in this chapter. |
(u)(r) (18) "Provider participant" means a pharmacy, laboratory, healthcare provider, or |
health plan who or that is providing healthcare services or pays for the cost of healthcare services |
for a patient participant and/or is submitting and/or or accessing healthcare information through |
the HIE and has executed an electronic and/or written agreement regarding disclosure, access, |
receipt, retention, or release of confidential healthcare information to from the HIE. |
(v)(s) (19) "Regional health information organization" or "RHIO" means the organization |
designated as the RHIO by the state to provide administrative and operational support to the HIE. |
5-37.7-4. Participation in the health information exchange. Use of the health |
information exchange. |
(a) There shall be established a statewide HIE under state authority to allow for the |
electronic mobilization of confidential healthcare information in Rhode Island. Confidential |
healthcare information may only be accessed, released, or transferred from the HIE in accordance |
with this chapter. |
(b) The state of Rhode Island has an interest in encouraging participation in use of the HIE |
by all interested parties, including, but not limited to, healthcare providers, patients, health plans, |
entities submitting information to the HIE, entities obtaining information from the HIE, and the |
RHIO. The Rhode Island department of health is also considered a participant for public health |
purposes. |
(c) Patients and health care providers Except as provided in § 5-37.7-7(b), patients shall |
have the choice to participate in opt out of having their confidential health care healthcare |
information disclosed from the HIE, as through the process defined by in regulations in accordance |
with § 5-37.7-3; provided, however, that provider § 5-37.7-5. |
(d) Provider participants must continue to maintain their own medical record meeting the |
documentation and other standards imposed by otherwise applicable law. |
(e) The state agencies may submit to the HIE and/or receive from the HIE applicable |
confidential health care healthcare information for public health purposes. |
(d)(f) Participation in the HIE Nothing contained herein shall have no an impact on the |
content of, or use or disclosure of, confidential healthcare information of patient participants |
patients that is held in locations other than the HIE. Nothing in this chapter shall be construed to |
limit, change, or otherwise affect entities' rights to exchange confidential healthcare information in |
accordance with other applicable laws. |
(e)(g) The state of Rhode Island hereby imposes on the HIE and the RHIO as a matter of |
state law, the obligation to maintain, and abide by the terms of, HIPAA-compliant business |
associate agreements, including, without limitation, the obligations to use appropriate safeguards |
to prevent use or disclosure of confidential healthcare information in accordance with HIPAA, |
other state and federal laws, and this chapter; not to use or disclose confidential healthcare |
information other than as permitted by HIPAA and this chapter; or to make any amendment to a |
confidential healthcare record that a provider participant so directs; and to respond to a request by |
a patient participant to make an amendment to the patient participant's confidential patient's |
healthcare record. |
5-37.7-5. Regulatory oversight. |
(a) The director of the department of health shall develop regulations regarding the |
confidentiality of patient participant information received, accessed, or held by the HIE and is |
authorized to promulgate such other regulations as the director department deems necessary or |
desirable to implement the provisions of this chapter, in accordance with the provisions set forth in |
chapter 17 of title 23 and chapter 35 of title 42. |
(b) The department of health has exclusive jurisdiction over the HIE, except with respect |
to the jurisdiction conferred upon the attorney general in § 5-37.7-13. This chapter shall not apply |
to any other private and/or public-health information systems utilized within a healthcare provider |
or other organization that provides healthcare services. |
(c) The department of health shall promulgate rules and regulations for the establishment |
of an HIE advisory commission. that The HIE advisory commission, in consultation with the RHIO, |
will be responsible for recommendations relating to the department regarding the use of, and |
appropriate confidentiality protections for, the confidential healthcare information of the HIE, |
subject to regulatory oversight by the department of health. Said The commission members shall |
be subject to the advice and consent of the senate. The commission shall report annually to the |
department of health and the RHIO, and such the report shall be made public. |
5-37.7-6. Regional health information organization. |
The RHIO shall, subject to and consistent with department regulations and contractual |
obligations it has with the state of Rhode Island, be responsible for implementing recognized |
national standards for interoperability and all administrative, operational, and financial functions |
to support the HIE, including, but not limited to, implementing and enforcing policies for receiving, |
retaining, safeguarding, and disclosing confidential healthcare information as required by this |
chapter. The RHIO is deemed to be the steward of the confidential healthcare information for which |
it has administrative responsibility. The HIE advisory commission shall be responsible for |
recommendations to the department of health, and in consultation with the RHIO regarding the use |
of the confidential healthcare information. |
5-37.7-7. Disclosure. |
(a)(1) Except as provided in subsection (b), a patient participant's or the patient's authorized |
representative may opt out of having their the patient’s confidential healthcare information may |
only be accessed, released, or transferred disclosed from the HIE in accordance with an |
authorization form signed by the patient participant or the patient's authorized representative. |
Patients shall be notified of their right to opt out of having their confidential health care healthcare |
information disclosed from the HIE through the process provided by regulation in accordance with |
§ 5-37.7-5. |
(b) No authorization for release or transfer of confidential health care information from the |
HIE shall be required The opt out does not apply to disclosures in the following situations: |
(1) To a healthcare provider who believes, in good faith, that the information is necessary |
for diagnosis or treatment of that individual in an emergency; or |
(2) To public-health authorities in order to carry out their functions as described in this title |
and titles 21 and 23, and rules promulgated under those titles. These functions include, but are not |
restricted to,: investigations into the causes of disease,; the control of public-health hazards,; |
enforcement of sanitary laws,; investigation of reportable diseases,; certification and licensure of |
health professionals and facilities,; review of health care such as that required by the federal |
government and other governmental agencies,; and mandatory reporting laws set forth in Rhode |
Island general laws; or |
(3) To the RHIO in order for it to effectuate the operation and administrative oversight of |
the HIE; and |
(4) To a health plan, if the information is necessary for care management of its plan |
members, or for quality and performance measure reporting. |
(c) The content of the authorization form for access to, or the disclosure, release, or transfer |
of confidential health care information from the HIE, shall be prescribed by the RHIO in accordance |
with applicable department of health regulations, but, at a minimum, shall contain the following |
information in a clear and conspicuous manner: Notification and opt out procedures shall be |
developed in consultation with the HIE advisory commission and provided in regulations |
promulgated in accordance with § 5-37.7-5. Provider participants who or that share data with the |
HIE shall notify their patients that data is being shared with the HIE to support the provision of |
care, and inform their patients about the ability to opt out. At a minimum, the notification shall |
contain the following information in a clear and concise manner: |
(1) A statement of the need for and proposed uses of that information; and that the patient's |
provider is a provider participant in the HIE, and as such may share the patient's confidential health |
care healthcare information through the HIE as permitted by this chapter and all applicable state |
and federal law. |
(2) A statement that the authorization for access to, disclosure of, and/or release of |
information may be withdrawn at any future time and is subject to revocation; patient may opt out |
of having their confidential health care information disclosed from the HIE except as provided |
pursuant to § 5-37.7-7(b) subsection (b) of this section. |
(3) That the patient has the right not to participate in the HIE; and A statement that a |
patient's choice to opt out of disclosing their confidential health care healthcare information from |
the HIE may be changed at any time. |
(4) The patient's right to choose to: (i) Enroll in and participate fully in the HIE; or (ii) |
Designate only specific health care providers that may access the patient participant's confidential |
health care information. The method for opting out shall be provided by regulation in accordance |
with § 5-37.7-5. |
(d) Except as specifically provided by state or federal law or this chapter, or use for clinical |
care, a patient participant's patient's confidential healthcare information shall not be accessed by, |
given, sold, transferred, or in any way relayed from the HIE to any other person or entity not |
specified in the patient participant authorization form meeting the requirements of subsection (c) |
without first obtaining additional authorization. |
(e) Nothing contained in this chapter shall be construed to limit the permitted access to, or |
the release, transfer, access, or disclosure of, confidential healthcare information described in |
subsection (b) or under other applicable law. |
(f) Confidential healthcare information received, disclosed, or held by the HIE shall not be |
subject to subpoena directed to the HIE or RHIO unless the following procedures have been |
completed: (i) The person seeking the confidential healthcare information has already requested |
and received the confidential healthcare information from the healthcare provider that was the |
original source of the information; and (ii) A determination has been made by the superior court, |
upon motion and notice to the HIE or RHIO and the parties to the litigation in which the subpoena |
is served, that the confidential healthcare information sought from the HIE is not available from |
another source and is either relevant to the subject matter involved in the pending action or is |
reasonably calculated to lead to the discovery of admissible evidence in such pending action. Any |
person issuing a subpoena to the HIE or RHIO pursuant to this section shall certify that such |
measures have been completed prior to the issuance of the subpoena. |
(g) Nothing contained herein shall interfere with, or impact upon, any rights or obligations |
imposed by the Workers' Compensation Act as contained in chapters 29--38 29 through 38 of title |
28. |
(h) Nothing contained herein shall prohibit a health plan from becoming a data-submitting |
partner. A data-submitting partner is not considered a managed-care entity or a managed-care |
contractor, and the HIE is not considered a regional or local medical information database pursuant |
to § 5-37.3-4. |
5-37.7-8. Security. |
The HIE must be subject to at least the following security procedures: |
(1) Authenticate the recipient of any confidential healthcare information disclosed by the |
HIE pursuant to this chapter pursuant to rules and regulations promulgated by the agency |
department; |
(2) Limit authorized access to personally identifiable confidential healthcare information |
to persons having a need to know that information; additional employees or agents may have access |
to de-identified information; |
(3) Identify an individual or individuals who have responsibility for maintaining security |
procedures for the HIE; |
(4) Provide an electronic or written statement to each employee or agent as to the necessity |
of maintaining the security and confidentiality of confidential healthcare information, and of the |
penalties provided for in this chapter for the unauthorized access, release, transfer, use, or |
disclosure of this information; and |
(5) Take no disciplinary or punitive action against any employee or agent for bringing |
evidence of violation of this chapter to the attention of any person. |
5-37.7-10. Patient's rights. |
Pursuant to this chapter, a patient participant who has his or her confidential healthcare |
information transferred through included in the HIE shall have the following rights: |
(1) To obtain a copy of his or her confidential healthcare information from the HIE; |
(2) To obtain a copy of the disclosure report pertaining to his or her confidential healthcare |
information; |
(3) To be notified as required by chapter 49.3 of title 11, the Rhode Island identity theft |
protection act, of a breach of the security system of the HIE; |
(4) To terminate change his or her participation opt out status in the HIE in accordance |
with rules and regulations promulgated by the agency department; |
(5) To request to amend his or her own information through the provider participant; |
(6) To request his or her confidential healthcare information from the HIE be disclosed to |
an authorized representative; and |
(7) To request his or her confidential healthcare information from the HIE be disclosed to |
healthcare providers who are not provider participants as defined by this chapter. |
5-37.7-12. Reconciliation with other authorities. |
(a) This chapter shall only apply to the HIE system, and does not apply to any other private |
and/or public-health information systems utilized in Rhode Island, including other health |
information systems utilized within or by a healthcare facility or organization. |
(b) As this chapter provides extensive protection with regard to access to and disclosure of |
confidential healthcare information by the HIE, it supplements, with respect to the HIE only, any |
less stringent disclosure requirements, including, but not limited to, those contained in chapter 37.3 |
of this title, the Health Insurance Portability and Accountability Act (HIPAA) and regulations |
promulgated thereunder, and any other less stringent federal or state law. |
(c) This chapter shall not be construed to interfere with any other federal or state laws or |
regulations that provide more extensive protection than provided in this chapter for the |
confidentiality of healthcare information. Notwithstanding such provision, because of the extensive |
protections with regard to access to and disclosure of confidential healthcare information by the |
HIE provided for in this chapter, patient authorization obtained for access to or disclosure of |
information to or from the HIE or a provider participant shall be deemed the same authorization |
required by other state or federal laws including information regarding mental health (the Rhode |
Island mental health law, § 40.1-5-1 et seq.); HIV (§ 23-6.3-7); sexually transmitted disease (§§ |
23-6.3-7 and 23-11-9); alcohol and drug abuse (§ 23-1.10-1 et seq., 42 U.S.C. § 290dd-2), or genetic |
information (§ 27-41-53, § 27-20-39, and § 27-19-44). |
SECTION 3 2. This act shall take effect upon passage. |
======== |
LC001479/SUB A |
======== |