2019 -- H 6026 | |
======== | |
LC002432 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2019 | |
____________ | |
A N A C T | |
RELATED TO BUSINESSES AND PROFESSIONS - RHODE ISLAND HEALTH | |
INFORMATION EXCHANGE ACT OF 2008 | |
| |
Introduced By: Representative Patricia A. Serpa | |
Date Introduced: April 25, 2019 | |
Referred To: House Finance | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Sections 5-37.7-2, 5-37.7-3, 5-37.7-4, 5-37.7-5, 5-37.7-6, 5-37.7-7, 5-37.7- |
2 | 8, 5-37.7-10 and 5-37.7-12 of the General Laws in Chapter 5-37.7 entitled "Rhode Island Health |
3 | Information Exchange Act of 2008" are hereby amended to read as follows: |
4 | 5-37.7-2. Statement of purpose. |
5 | The purpose of this chapter is to establish safeguards and confidentiality protections for |
6 | the HIE in order to improve the quality, safety and value of health care, keep confidential health |
7 | information secure and confidential and use the HIE to progress toward meeting public health |
8 | goals by promoting interoperability, enhancing electronic communication between providers, and |
9 | supporting public health goals, while keeping confidential health care information secure. |
10 | 5-37.7-3. Definitions. |
11 | As used in this chapter: |
12 | (a) "Agency" means the Rhode Island department of health. |
13 | (b) "Authorized representative" means: |
14 | (1) A person empowered by the patient participant to assert or to waive the |
15 | confidentiality, or to disclose or authorize the disclosure of confidential information, as |
16 | established by this chapter. That person is not, except by explicit authorization, empowered to |
17 | waive confidentiality or to disclose or consent to the disclosure of confidential information; or |
18 | (2) A person appointed by the patient participant to make health care decisions on his or |
| |
1 | her behalf through a valid durable power of attorney for health care as set forth in Rhode Island |
2 | general laws § 23-4.10-2; or |
3 | (3) A guardian or conservator, with authority to make health care decisions, if the patient |
4 | participant is decisionally impaired; or |
5 | (4) Another legally appropriate medical decision maker temporarily if the patient |
6 | participant is decisionally impaired and no health care agent, guardian or conservator is available; |
7 | or |
8 | (5) If the patient participant is deceased, his or her personal representative or, in the |
9 | absence of that representative, his or her heirs-at-law; or |
10 | (6) A parent with the authority to make health care decisions for the parent's child; or |
11 | (7) A person authorized by the patient participant or their authorized representative to |
12 | access their confidential health care information from the HIE, including family members or other |
13 | proxies as designated by the patient, to assist patient participant with the coordination of their |
14 | care. |
15 | (c) "Authorization form" means the form described in § 5-37.7-7 of this chapter and by |
16 | which a patient participant provides authorization for the RHIO to allow access to, review of, |
17 | and/or disclosure of the patient participant's confidential health care information by electronic, |
18 | written, or other means. |
19 | (d) "Business associate" means a business associate as defined by HIPAA. |
20 | (e) "Confidential health care information" means all information relating to a patient |
21 | participant's patient's health care history, diagnosis, condition, treatment, or evaluation. |
22 | (f) "Coordination of care" means the process of coordinating, planning, monitoring, |
23 | and/or sharing information relating to, and assessing a care plan for, treatment of a patient. |
24 | (g) "Data-submitting partner" means an individual, organization, or entity that has entered |
25 | into a business associate agreement with the RHIO and submits patient participants' patients' |
26 | confidential health care information through the HIE. |
27 | (h) "Department of health" means the Rhode Island department of health. |
28 | (i) "Disclosure report" means a report generated by the HIE relating to the record of |
29 | access to, review of, and/or disclosure of a patient's confidential health care information received, |
30 | accessed, or held by the HIE. |
31 | (j) "Electronic mobilization" means the capability to move clinical information |
32 | electronically between disparate health care information systems while maintaining the accuracy |
33 | of the information being exchanged. |
34 | (k) "Emergency" means the sudden onset of a medical, mental or substance abuse, or |
| LC002432 - Page 2 of 10 |
1 | other condition manifesting itself by acute symptoms of severity (e.g. severe pain) where the |
2 | absence of medical attention could reasonably be expected, by a prudent lay person, to result in |
3 | placing the patient's health in serious jeopardy, serious impairment to bodily or mental functions, |
4 | or serious dysfunction of any bodily organ or part. |
5 | (l) "Health care provider" means any person or entity licensed by this state to provide or |
6 | lawfully providing health care services, including, but not limited to, a physician, hospital, |
7 | intermediate care facility or other health care facility, dentist, nurse, optometrist, podiatrist, |
8 | physical therapist, psychiatric social worker, pharmacist or psychologist, and any officer, |
9 | employee, or agent of that provider acting in the course and scope of his or her employment or |
10 | agency related to or supportive of health care services. |
11 | (m) "Health care services" means acts of diagnosis, treatment, medical evaluation, |
12 | referral or counseling or any other acts that may be permissible under the health care licensing |
13 | statutes of this state. |
14 | (n) "Health Information Exchange" or "HIE" means the technical system operated, or to |
15 | be operated, by the RHIO under state authority allowing for the statewide electronic mobilization |
16 | of confidential health care information, pursuant to this chapter. |
17 | (o) "Health plan" means an individual plan or a group plan that provides, or pays the cost |
18 | of, health care services for patient participants a patients. |
19 | (p) "HIE Advisory Commission" means the advisory body established by the department |
20 | of health in order to provide community input and policy recommendations regarding the use of |
21 | the confidential health care information of the HIE. |
22 | (q) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as |
23 | amended. |
24 | (r) "Participant" means a patient participant, a patient participant's authorized |
25 | representative, a provider participant, a data submitting partner, the regional health information |
26 | organization, and the department of health, that has agreed to authorize, submit, access, and/or |
27 | disclose confidential health care information via the HIE in accordance with this chapter. "Opt |
28 | out" means the ability for a patient to choose to not have their confidential health care |
29 | information disclosed from the HIE in accordance with § 5-37.7-7. |
30 | (s) "Participation" means a patient participant's authorization, submission, access, and/or |
31 | disclosure of confidential health care information via the HIE in accordance with this chapter. |
32 | (t) "Patient participant" means a person who receives health care services from a provider |
33 | participant and has agreed to participate in the HIE through the mechanisms established in this |
34 | chapter. |
| LC002432 - Page 3 of 10 |
1 | (u) "Provider participant" means a pharmacy, laboratory, health care provider, or health |
2 | plan who is providing health care services or pays for the cost of health care services for a patient |
3 | participant and/or is submitting or and/or accessing health care information through the HIE and |
4 | has executed an electronic and/or written agreement regarding disclosure, access, receipt, |
5 | retention, or release of confidential health care information to/from the HIE;. |
6 | (v) "Regional health information organization" or "RHIO" means the organization |
7 | designated as the RHIO by the state to provide administrative and operational support to the HIE. |
8 | 5-37.7-4. Participation in the health information exchange. Use of the health |
9 | information exchange. |
10 | (a) There shall be established a statewide HIE under state authority to allow for the |
11 | electronic mobilization of confidential health care information in Rhode Island. Confidential |
12 | health care information may only be accessed, released, or transferred from the HIE in |
13 | accordance with this chapter. |
14 | (b) The state of Rhode Island has an interest in encouraging participation in use of the |
15 | HIE by all interested parties, including, but not limited to, health care providers, patients, health |
16 | plans, entities submitting information to the HIE, entities obtaining information from the HIE, |
17 | and the RHIO. The Rhode Island department of health is also considered a participant for public |
18 | health purposes. |
19 | (c) Patients and health care providers Except as provided in § 5-37.7-7(b), patients shall |
20 | have the choice to participate in opt out of having their confidential health care information |
21 | disclosed from the HIE, as through the process defined by in regulations in accordance with § 5- |
22 | 37.7-3; provided, however, that provider § 5-37.7-5. |
23 | (d) Provider participants must continue to maintain their own medical record meeting the |
24 | documentation and other standards imposed by otherwise applicable law. |
25 | (e) The department of health may submit to the HIE and/or receive from the HIE |
26 | applicable confidential health care information for public health purposes. |
27 | (d)(f) Participation in the HIE Nothing contained herein shall have no an impact on the |
28 | content of, or use or disclosure of, confidential health care information of patient participants |
29 | patients that is held in locations other than the HIE. Nothing in this chapter shall be construed to |
30 | limit, change, or otherwise affect entities' rights to exchange confidential health care information |
31 | in accordance with other applicable laws. |
32 | (e)(g) The state of Rhode Island hereby imposes on the HIE and the RHIO as a matter of |
33 | state law, the obligation to maintain, and abide by the terms of, HIPAA complaint business |
34 | associate agreements, including, without limitation, the obligations to use appropriate safeguards |
| LC002432 - Page 4 of 10 |
1 | to prevent use or disclosure of confidential health care information in accordance with HIPAA |
2 | and this chapter; not to use or disclose confidential health care information other than as |
3 | permitted by HIPAA, other state and federal laws and this chapter; or to make any amendment to |
4 | a confidential health care record that a provider participant so directs; and to respond to a request |
5 | by a patient participant to make an amendment to the patient participant's patient's confidential |
6 | health care record. |
7 | 5-37.7-5. Regulatory oversight. |
8 | (a) The director of the department of health shall develop regulations regarding the |
9 | confidentiality of patient participant information received, accessed or held by the HIE and is |
10 | authorized to promulgate such other regulations as the director department deems necessary or |
11 | desirable to implement the provisions of this chapter, in accordance with the provisions set forth |
12 | in chapter 17 of title 23 and chapter 35 of title 42 of the general laws. |
13 | (b) The department of health has exclusive jurisdiction over the HIE, except with respect |
14 | to the jurisdiction conferred upon the attorney general in § 5-37.7-13. This chapter shall not apply |
15 | to any other private and/or public health information systems utilized within a health care |
16 | provider or other organization that provides health care services. |
17 | (c) The department of health shall promulgate rules and regulations for the establishment |
18 | of an HIE advisory commission. that The HIE advisory commission, in consultation with the |
19 | RHIO, will be responsible for recommendations relating to the department regarding the use of, |
20 | and appropriate confidentiality protections for, the confidential health care information of the |
21 | HIE, subject to regulatory oversight by the department of health. Said commission members shall |
22 | be subject to the advice and consent of the senate. The commission shall report annually to the |
23 | department of health and the RHIO, and such report shall be made public. |
24 | 5-37.7-6. Rhode Island health information organization. |
25 | The RHIO shall, subject to and consistent with department regulations and contractual |
26 | obligations it has with the state of Rhode Island, be responsible for implementing recognized |
27 | national standards for interoperability and all administrative, operational, and financial functions |
28 | to support the HIE, including, but not limited to, implementing and enforcing policies for |
29 | receiving, retaining, safeguarding and disclosing confidential health care information as required |
30 | by this chapter. The RHIO is deemed to be the steward of the confidential health care information |
31 | for which it has administrative responsibility. The HIE advisory commission shall be responsible |
32 | for recommendations to the department of health, and in consultation with the RHIO regarding |
33 | the use of the confidential health care information. |
34 | 5-37.7-7. Disclosure. |
| LC002432 - Page 5 of 10 |
1 | (a)(1) Except as provided in subsection (b), a patient participant's or the patient's |
2 | authorized representative may opt out of having their confidential health care information may |
3 | only be accessed, released, or transferred disclosed from the HIE in accordance with an |
4 | authorization form signed by the patient participant or the patient's authorized representative. |
5 | Patients shall be notified of their right to opt out of having their confidential health care |
6 | information disclosed from the HIE through the process provided by regulation in accordance |
7 | with § 5-37.7-5. |
8 | (b) No authorization for release or transfer of confidential health care information from |
9 | the HIE shall be required The opt out does not apply to disclosures in the following situations: |
10 | (1) To a health care provider who believes, in good faith, that the information is |
11 | necessary for diagnosis or treatment of that individual in an emergency; or |
12 | (2) To public health authorities in order to carry out their functions as described in this |
13 | title and titles 21 and 23, and rules promulgated under those titles. These functions include, but |
14 | are not restricted to, investigations into the causes of disease, the control of public health hazards, |
15 | enforcement of sanitary laws, investigation of reportable diseases, certification and licensure of |
16 | health professionals and facilities, review of health care such as that required by the federal |
17 | government and other governmental agencies, and mandatory reporting laws set forth in Rhode |
18 | Island general laws; or |
19 | (3) To the RHIO in order for it to effectuate the operation and administrative oversight of |
20 | the HIE; and |
21 | (4) To a health plan, if the information is necessary for care management of its plan |
22 | members, or for quality and performance measure reporting. |
23 | (c) The content of the authorization form for access to, or the disclosure, release, or |
24 | transfer of confidential health care information from the HIE, shall be prescribed by the RHIO in |
25 | accordance with applicable department of health regulations, but, at a minimum, shall contain the |
26 | following information in a clear and conspicuous manner: |
27 | Notification and opt out procedures shall be developed in consultation with the HIE |
28 | advisory commission and provided in regulation promulgated in accordance with § 5-37.7-5. |
29 | Provider participants that share data with the HIE shall notify their patients that data is being |
30 | shared with the HIE to support the provision of care, and inform their patients about the ability to |
31 | opt out. At a minimum, the notification shall contain the following information in a clear and |
32 | concise manner: |
33 | (1) A statement of the need for and proposed uses of that information; and that the |
34 | patient's provider is a provider participant in the HIE, and as such may share the patient's |
| LC002432 - Page 6 of 10 |
1 | confidential health care information through the HIE as permitted by this chapter and all |
2 | applicable state and federal law. |
3 | (2) A statement that the authorization for access to, disclosure of, and/or release of |
4 | information may be withdrawn at any future time and is subject to revocation; patient may opt out |
5 | of having their confidential health care information disclosed from the HIE except as provided |
6 | pursuant to § 5-37.7-7(b). |
7 | (3) That the patient has the right not to participate in the HIE; and A statement that a |
8 | patient's choice to opt out of disclosing their confidential health care information from the HIE |
9 | may be changed at any time. |
10 | (4) The patient's right to choose to: (i) Enroll in and participate fully in the HIE; or (ii) |
11 | Designate only specific health care providers that may access the patient participant's confidential |
12 | health care information. The method for opting out shall be provided by regulation in accordance |
13 | with § 5-37.7-5. |
14 | (d) Except as specifically provided by state or federal law or this chapter, or use for |
15 | clinical care, a patient participant's patient's confidential health care information shall not be |
16 | accessed by, given, sold, transferred, or in any way relayed from the HIE to any other person or |
17 | entity not specified in the patient participant authorization form meeting the requirements of |
18 | subsection (c) without first obtaining additional authorization. |
19 | (e) Nothing contained in this chapter shall be construed to limit the permitted access to, |
20 | or the release, transfer, access or disclosure of, confidential health care information described in |
21 | subsection (b) or under other applicable law. |
22 | (f) Confidential health care information received, disclosed, or held by the HIE shall not |
23 | be subject to subpoena directed to the HIE or RHIO unless the following procedures have been |
24 | completed: (i) The person seeking the confidential health care information has already requested |
25 | and received the confidential health care information from the health care provider that was the |
26 | original source of the information; and (ii) A determination has been made by the superior court, |
27 | upon motion and notice to the HIE or RHIO and the parties to the litigation in which the |
28 | subpoena is served, that the confidential health care information sought from the HIE is not |
29 | available from another source and is either relevant to the subject matter involved in the pending |
30 | action or is reasonably calculated to lead to the discovery of admissible evidence in such pending |
31 | action. Any person issuing a subpoena to the HIE or RHIO pursuant to this section shall certify |
32 | that such measures have been completed prior to the issuance of the subpoena. |
33 | (g) Nothing contained herein shall interfere with, or impact upon, any rights or |
34 | obligations imposed by the Workers Compensation Act as contained in chapters 29-38 29 through |
| LC002432 - Page 7 of 10 |
1 | 38 of title 28. |
2 | (h) Nothing contained herein shall prohibit a health plan from becoming a data- |
3 | submitting partner. A data-submitting partner is not considered a managed care entity or a |
4 | managed care contractor and the HIE is not considered a regional or local medical information |
5 | database pursuant to § 5-37.3-4. |
6 | 5-37.7-8. Security. |
7 | The HIE must be subject to at least the following security procedures: |
8 | (1) Authenticate the recipient of any confidential health care information disclosed by the |
9 | HIE pursuant to this chapter pursuant to rules and regulations promulgated by the agency |
10 | department. |
11 | (2) Limit authorized access to personally identifiable confidential health care information |
12 | to persons having a need to know that information; additional employees or agents may have |
13 | access to de-identified information; |
14 | (3) Identify an individual or individuals who have responsibility for maintaining security |
15 | procedures for the HIE; |
16 | (4) Provide an electronic or written statement to each employee or agent as to the |
17 | necessity of maintaining the security and confidentiality of confidential health care information, |
18 | and of the penalties provided for in this chapter for the unauthorized access, release, transfer, use, |
19 | or disclosure of this information; |
20 | (5) Take no disciplinary or punitive action against any employee or agent for bringing |
21 | evidence of violation of this chapter to the attention of any person. |
22 | 5-37.7-10. Patient's rights. |
23 | Pursuant to this chapter, a patient participant who has his or her confidential health care |
24 | information transferred through included in the HIE shall have the following rights: |
25 | (1) To obtain a copy of his or her confidential health care information from the HIE; |
26 | (2) To obtain a copy of the disclosure report pertaining to his or her confidential health |
27 | care information; |
28 | (3) To be notified as required by chapter 49.2 of title 11, the Rhode Island identity theft |
29 | protection act, of a breach of the security system of the HIE; |
30 | (4) To terminate change his or her participation opt out status in the HIE in accordance |
31 | with rules and regulations promulgated by the agency department; |
32 | (5) To request to amend his or her own information through the provider participant; |
33 | (6) To request their confidential health care information from the HIE be disclosed to an |
34 | authorized representative; and |
| LC002432 - Page 8 of 10 |
1 | (7) To request their confidential health care information from the HIE be disclosed to |
2 | health care providers who are not provider participants as defined by this chapter. |
3 | 5-37.7-12. Reconciliation with other authorities. |
4 | (a) This chapter shall only apply to the HIE system, and does not apply to any other |
5 | private and/or public health information systems utilized in Rhode Island, including other health |
6 | information systems utilized within or by a health care facility or organization. |
7 | (b) As this chapter provides extensive protection with regard to access to and disclosure |
8 | of confidential health care information by the HIE, it supplements, with respect to the HIE only, |
9 | any less stringent disclosure requirements, including, but not limited to, those contained in |
10 | chapter 37.3 of this title, the health insurance portability and accountability act (HIPAA) and |
11 | regulations promulgated thereunder, and any other less stringent federal or state law. |
12 | (c) This chapter shall not be construed to interfere with any other federal or state laws or |
13 | regulations which provide more extensive protection than provided in this chapter for the |
14 | confidentiality of health care information. Notwithstanding such provision, because of the |
15 | extensive protections with regard to access to and disclosure of confidential health care |
16 | information by the HIE provided for in this chapter, patient authorization obtained for access to or |
17 | disclosure of information to or from the HIE or a provider participant shall be deemed the same |
18 | authorization required by other state or federal laws including information regarding mental |
19 | health (the Rhode Island mental health law, Rhode Island general laws § 40.1-5-1 et seq.); HIV |
20 | (Rhode Island general laws § 23-6.3-7); sexually transmitted disease (Rhode Island general laws |
21 | §§ 23-6.3-7 and 23-11-9); alcohol and drug abuse (Rhode Island general laws § 23-1.10-1 et seq., |
22 | 42 U.S.C. § 290dd-2) or genetic information (Rhode Island general laws § 27-41-53, Rhode |
23 | Island general laws § 27-20-39 and Rhode Island general laws § 27-19-44). |
24 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC002432 | |
======== | |
| LC002432 - Page 9 of 10 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATED TO BUSINESSES AND PROFESSIONS - RHODE ISLAND HEALTH | |
INFORMATION EXCHANGE ACT OF 2008 | |
*** | |
1 | This act amends the Rhode Island Health Information Exchange Act of 2008. Patient |
2 | health care providers which participate in the "Health Information Exchange" (HIE) shall provide |
3 | their patients with information that the patient may elect to opt out of disclosure of information |
4 | from the HIE in accordance with regulations which shall be promulgated by the department of |
5 | health. |
6 | This act would take effect upon passage. |
======== | |
LC002432 | |
======== | |
| LC002432 - Page 10 of 10 |