§ 5-37.3-4. Limitations on and permitted disclosures.
(a)(1) Except as provided in subsection (b), or as specifically provided by the law, a patient's confidential healthcare information shall not be released or transferred without the written consent of the patient, or his or her authorized representative, on a consent form meeting the requirements of subsection (d). A copy of any notice used pursuant to subsection (d) and of any signed consent shall, upon request, be provided to the patient prior to his or her signing a consent form. Any and all managed-care entities and managed-care contractors writing policies in the state shall be prohibited from providing any information related to enrollees that is personal in nature and could reasonably lead to identification of an individual and is not essential for the compilation of statistical data related to enrollees, to any international, national, regional, or local medical-information database. This provision shall not restrict or prohibit the transfer of information to the department of health to carry out its statutory duties and responsibilities.
(2) Any person who violates the provisions of this section may be liable for actual and punitive damages.
(3) The court may award a reasonable attorney's fee at its discretion to the prevailing party in any civil action under this section.
(4) Any person who knowingly and intentionally violates the provisions of this section shall, upon conviction, be fined not more than five thousand ($5,000) dollars for each violation, or imprisoned not more than six (6) months for each violation, or both.
(5) Any contract or agreement that purports to waive the provisions of this section shall be declared null and void as against public policy.
(b) No consent for release or transfer of confidential healthcare information shall be required in the following situations:
(1) To a physician, dentist, or other medical personnel who believes, in good faith, that the information is necessary for diagnosis or treatment of that individual in a medical or dental emergency;
(2) To medical and dental peer-review boards, or the board of medical licensure and discipline, or board of examiners in dentistry;
(3) To qualified personnel for the purpose of conducting scientific research, management audits, financial audits, program evaluations, actuarial, insurance underwriting, or similar studies; provided, that personnel shall not identify, directly or indirectly, any individual patient in any report of that research, audit, or evaluation, or otherwise disclose patient identities in any manner;
(4)(i) By a healthcare provider to appropriate law-enforcement personnel, or to a person if the healthcare provider believes that person, or his or her family, is in danger from a patient; or to appropriate law-enforcement personnel if the patient has, or is attempting to obtain, narcotic drugs from the healthcare provider illegally; or to appropriate law-enforcement personnel, or appropriate child-protective agencies, if the patient is a minor child or the parent or guardian of said child and/or the healthcare provider believes, after providing healthcare services to the patient, that the child is, or has been, physically, psychologically, or sexually abused and neglected as reportable pursuant to § 40-11-3; or to appropriate law-enforcement personnel or the office of healthy aging if the patient is an elder person and the healthcare provider believes, after providing healthcare services to the patient, that the elder person is, or has been, abused, neglected, or exploited as reportable pursuant to § 42-66-8; or to law-enforcement personnel in the case of a gunshot wound reportable under § 11-47-48, or to patient emergency contacts and certified peer recovery specialists notified in the case of an opioid overdose reportable under § 23-17.26-3;
(ii) A healthcare provider may disclose protected health information in response to a law-enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that the healthcare provider may disclose only the following information:
(A) Name and address;
(B) Date and place of birth;
(C) Social security number;
(D) ABO blood type and RH factor;
(E) Type of injury;
(F) Date and time of treatment;
(G) Date and time of death, if applicable; and
(H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
(I) Except as permitted by this subsection, the healthcare provider may not disclose for the purposes of identification or location under this subsection any protected health information related to the patient's DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue;
(iii) A healthcare provider may disclose protected health information in response to a law-enforcement official's request for such information about a patient who is, or is suspected to be, a victim of a crime, other than disclosures that are subject to subsection (b)(4)(vii), if:
(A) The patient agrees to the disclosure; or
(B) The healthcare provider is unable to obtain the patient's agreement because of incapacity or other emergency circumstances provided that:
(1) The law-enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;
(2) The law-enforcement official represents that immediate law-enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the patient is able to agree to the disclosure; and
(3) The disclosure is in the best interests of the patient as determined by the healthcare provider in the exercise of professional judgment;
(iv) A healthcare provider may disclose protected health information about a patient who has died to a law-enforcement official for the purpose of alerting law enforcement of the death of the patient if the healthcare provider has a suspicion that such death may have resulted from criminal conduct;
(v) A healthcare provider may disclose to a law-enforcement official protected health information that the healthcare provider believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the healthcare provider;
(vi)(A) A healthcare provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered healthcare provider, may disclose protected health information to a law-enforcement official if such disclosure appears necessary to alert law enforcement to:
(1) The commission and nature of a crime;
(2) The location of such crime or of the victim(s) of such crime; and
(3) The identity, description, and location of the perpetrator of such crime.
(B) If a healthcare provider believes that the medical emergency described in subsection (b)(4)(vi)(A) is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, subsection (b)(4)(vi)(A) does not apply and any disclosure to a law-enforcement official for law-enforcement purposes is subject to subsection (b)(4)(vii);
(vii)(A) Except for reports permitted by subsection (b)(4)(i), a healthcare provider may disclose protected health information about a patient the healthcare provider reasonably believes to be a victim of abuse, neglect, or domestic violence to law enforcement or a government authority, including a social-service or protective-services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence:
(1) To the extent the disclosure is required by law and the disclosure complies with, and is limited to, the relevant requirements of such law;
(2) If the patient agrees to the disclosure; or
(3) To the extent the disclosure is expressly authorized by statute or regulation and:
(i) The healthcare provider, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the patient or other potential victims; or
(ii) If the patient is unable to agree because of incapacity, a law-enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the patient and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the patient is able to agree to the disclosure.
(B) A healthcare provider that makes a disclosure permitted by subsection (b)(4)(vii)(A) must promptly inform the patient that such a report has been, or will be, made, except if:
(1) The healthcare facility, in the exercise of professional judgment, believes informing the patient would place the individual at risk of serious harm; or
(2) The healthcare provider would be informing a personal representative, and the healthcare provider reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity in the exercise of professional judgment;
(viii) The disclosures authorized by this subsection shall be limited to the minimum amount of information necessary to accomplish the intended purpose of the release of information;
(5) Between, or among, qualified personnel and healthcare providers within the healthcare system for purposes of coordination of healthcare services given to the patient and for purposes of education and training within the same healthcare facility;
(6) To third-party health insurers, including to utilization review agents as provided by § 23-17.12-9(c)(4), third-party administrators licensed pursuant to chapter 20.7 of title 27, and other entities that provide operational support to adjudicate health insurance claims or administer health benefits;
(7) To a malpractice insurance carrier or lawyer if the healthcare provider has reason to anticipate a medical-liability action;
(8)(i) To the healthcare provider's own lawyer or medical-liability insurance carrier if the patient whose information is at issue brings a medical-liability action against a healthcare provider.
(ii) Disclosure by a healthcare provider of a patient's healthcare information that is relevant to a civil action brought by the patient against any person or persons other than that healthcare provider may occur only under the discovery methods provided by the applicable rules of civil procedure (federal or state). This disclosure shall not be through ex parte contacts and not through informal ex parte contacts with the provider by persons other than the patient or his or her legal representative.
Nothing in this section shall limit the right of a patient, or his or her attorney, to consult with that patient's own physician and to obtain that patient's own healthcare information;
(9) To public-health authorities in order to carry out their functions as described in this title and titles 21 and 23 and rules promulgated under those titles. These functions include, but are not restricted to, investigations into the causes of disease, the control of public-health hazards, enforcement of sanitary laws, investigation of reportable diseases, certification and licensure of health professionals and facilities, review of health care such as that required by the federal government and other governmental agencies;
(10) To the state medical examiner in the event of a fatality that comes under his or her jurisdiction;
(11) In relation to information that is directly related to a current claim for workers' compensation benefits or to any proceeding before the workers' compensation commission or before any court proceeding relating to workers' compensation;
(12) To the attorneys for a healthcare provider whenever that provider considers that release of information to be necessary in order to receive adequate legal representation;
(13) By a healthcare provider to appropriate school authorities of disease, health screening, and/or immunization information required by the school; or when a school-age child transfers from one school or school district to another school or school district;
(14) To a law-enforcement authority to protect the legal interest of an insurance institution, agent, or insurance-support organization in preventing and prosecuting the perpetration of fraud upon them;
(15) To a grand jury, or to a court of competent jurisdiction, pursuant to a subpoena or subpoena duces tecum when that information is required for the investigation or prosecution of criminal wrongdoing by a healthcare provider relating to his, her or its provisions of healthcare services and that information is unavailable from any other source; provided, that any information so obtained, is not admissible in any criminal proceeding against the patient to whom that information pertains;
(16) To the state board of elections pursuant to a subpoena or subpoena duces tecum when that information is required to determine the eligibility of a person to vote by mail ballot and/or the legitimacy of a certification by a physician attesting to a voter's illness or disability;
(17) To certify, pursuant to chapter 20 of title 17, the nature and permanency of a person's illness or disability, the date when that person was last examined and that it would be an undue hardship for the person to vote at the polls so that the person may obtain a mail ballot;
(18) To the central cancer registry;
(19) To the Medicaid fraud-control unit of the attorney general's office for the investigation or prosecution of criminal or civil wrongdoing by a healthcare provider relating to his, her, or its provision of healthcare services to then-Medicaid-eligible recipients or patients, residents, or former patients or residents of long-term residential-care facilities; provided, that any information obtained shall not be admissible in any criminal proceeding against the patient to whom that information pertains;
(20) To the state department of children, youth and families pertaining to the disclosure of healthcare records of children in the custody of the department;
(21) To the foster parent, or parents, pertaining to the disclosure of healthcare records of children in the custody of the foster parent, or parents; provided, that the foster parent or parents receive appropriate training and have ongoing availability of supervisory assistance in the use of sensitive information that may be the source of distress to these children;
(22) A hospital may release the fact of a patient's admission and a general description of a patient's condition to persons representing themselves as relatives or friends of the patient or as a representative of the news media. The access to confidential healthcare information to persons in accredited educational programs under appropriate provider supervision shall not be deemed subject to release or transfer of that information under subsection (a);
(23) To the workers' compensation fraud-prevention unit for purposes of investigation under §§ 42-16.1-12 42-16.1-16. The release or transfer of confidential healthcare information under any of the above exceptions is not the basis for any legal liability, civil or criminal, nor considered a violation of this chapter; or
(24) To a probate court of competent jurisdiction, petitioner, respondent, and/or their attorneys, when the information is contained within a decision-making assessment tool that conforms to the provisions of § 33-15-47.
(c) Third parties receiving, and retaining, a patient's confidential healthcare information must establish at least the following security procedures:
(1) Limit authorized access to personally identifiable confidential healthcare information to persons having a "need to know" that information; additional employees or agents may have access to that information that does not contain information from which an individual can be identified;
(2) Identify an individual, or individuals, who have responsibility for maintaining security procedures for confidential healthcare information;
(3) Provide a written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of confidential healthcare information, and of the penalties provided for in this chapter for the unauthorized release, use, or disclosure of this information. The receipt of that statement shall be acknowledged by the employee or agent, who signs and returns the statement to his or her employer or principal, who retains the signed original. The employee or agent shall be furnished with a copy of the signed statement; and
(4) Take no disciplinary or punitive action against any employee or agent solely for bringing evidence of violation of this chapter to the attention of any person.
(d) Consent forms for the release or transfer of confidential healthcare information shall contain, or in the course of an application or claim for insurance be accompanied by a notice containing, the following information in a clear and conspicuous manner:
(1) A statement of the need for and proposed uses of that information;
(2) A statement that all information is to be released or clearly indicating the extent of the information to be released; and
(3) A statement that the consent for release or transfer of information may be withdrawn at any future time and is subject to revocation, except where an authorization is executed in connection with an application for a life or health insurance policy in which case the authorization expires two (2) years from the issue date of the insurance policy, and when signed in connection with a claim for benefits under any insurance policy, the authorization shall be valid during the pendency of that claim. Any revocation shall be transmitted in writing.
(e) Except as specifically provided by law, an individual's confidential healthcare information shall not be given, sold, transferred, or in any way relayed to any other person not specified in the consent form or notice meeting the requirements of subsection (d) without first obtaining the individual's additional written consent on a form stating the need for the proposed new use of this information or the need for its transfer to another person.
(f) Nothing contained in this chapter shall be construed to limit the permitted disclosure of confidential healthcare information and communications described in subsection (b).
(P.L. 1978, ch. 297, § 1; P.L. 1979, ch. 221, § 1; P.L. 1981, ch. 283, § 1; P.L. 1983, ch. 172, § 20; P.L. 1985, ch. 402, § 6; P.L. 1989, ch. 502, § 1; P.L. 1992, ch. 427, § 1; P.L. 1993, ch. 281, § 1; P.L. 1996, ch. 248, § 2; P.L. 1996, ch. 266, § 2; P.L. 1996, ch. 343, § 1; P.L. 1996, ch. 401, § 1; P.L. 1997, ch. 326, § 5; P.L. 1998, ch. 180, § 1; P.L. 1998, ch. 420, § 1; P.L. 1999, ch. 216, § 1; P.L. 1999, ch. 384, § 1; P.L. 2003, ch. 42, § 1; P.L. 2003, ch. 281, § 1; P.L. 2004, ch. 314, § 1; P.L. 2006, ch. 216, § 1; P.L. 2010, ch. 82, § 1; P.L. 2010, ch. 85, § 1; P.L. 2013, ch. 302, § 1; P.L. 2013, ch. 403, § 1; P.L. 2014, ch. 277, § 1; P.L. 2014, ch. 333, § 1; P.L. 2019, ch. 38, § 2; P.L. 2019, ch. 55, § 2.)