2021 -- S 0495

========

LC001479

========

     STATE OF RHODE ISLAND

IN GENERAL ASSEMBLY

JANUARY SESSION, A.D. 2021

____________

A N   A C T

RELATING TO BUSINESSES AND PROFESSIONS -- RHODE ISLAND HEALTH

INFORMATION EXCHANGE ACT OF 2008

     

     Introduced By: Senators Miller, Valverde, Goldin, and DiMario

     Date Introduced: March 04, 2021

     Referred To: Senate Health & Human Services

     It is enacted by the General Assembly as follows:

     SECTION 2. Sections 5-37.7-2, 5-37.7-3, 5-37.7-4, 5-37.7-5, 5-37.7-6, 5-37.7-7, 5-37.7-8, 5-37.7-10 and 5-37.7-12 of the General Laws in Chapter 5-37.7 entitled "Rhode Island Health Information Exchange Act of 2008" are hereby amended to read as follows:

     5-37.7-2. Statement of purpose.

     The purpose of this chapter is to establish safeguards and confidentiality protections for the HIE in order to improve the quality, safety, and value of health care, keep confidential health information secure and confidential, and use the HIE to progress toward meeting public-health goals by promoting interoperability, enhancing electronic communication between providers, and supporting public health goals, while keeping confidential health care information secure.

     5-37.7-3. Definitions.

     As used in this chapter:

     (a) "Agency" means the Rhode Island department of health.

     (b) "Authorization form" means the form described in § 5-37.7-7 and by which a patient participant provides authorization for the RHIO to allow access to, review of, and/or disclosure of the patient participant's confidential healthcare information by electronic, written, or other means.

     (c)(a) "Authorized representative" means:

     (1) A person empowered by the patient participant to assert or to waive confidentiality, or to disclose or authorize the disclosure of confidential information, as established by this chapter. That person is not, except by explicit authorization, empowered to waive confidentiality or to disclose or consent to the disclosure of confidential information; or

     (2) A person appointed by the patient participant to make healthcare decisions on his or her behalf through a valid durable power of attorney for healthcare as set forth in § 23-4.10-2; or

     (3) A guardian or conservator, with authority to make healthcare decisions, if the patient participant is decisionally impaired; or

     (4) Another legally appropriate medical decision maker temporarily if the patient participant is decisionally impaired and no healthcare agent, guardian, or conservator is available; or

     (5) If the patient participant is deceased, his or her personal representative or, in the absence of that representative, his or her heirs-at-law; or

     (6) A parent with the authority to make healthcare decisions for the parent's child; or

     (7) A person authorized by the patient participant or his or her authorized representative to access their confidential healthcare information from the HIE, including family members or other proxies as designated by the patient, to assist the patient participant with the coordination of their care.

     (d)(b) "Business associate" means a business associate as defined by HIPAA.

     (e)(c) "Confidential healthcare information" means all information relating to a patient participant's patient's healthcare history, diagnosis, condition, treatment, or evaluation.

     (f)(d) "Coordination of care" means the process of coordinating, planning, monitoring, and/or sharing information relating to, and assessing a care plan for, treatment of a patient.

     (g)(e) "Data-submitting partner" means an individual, organization, or entity who or that has entered into a business associate agreement with the RHIO and submits a patient participant's patient's confidential healthcare information through the HIE.

     (h)(f) "Department of health" means the Rhode Island department of health.

     (i)(g) "Disclosure report" means a report generated by the HIE relating to the record of access to, review of, and/or disclosure of a patient's confidential healthcare information received, accessed, or held by the HIE.

     (j)(h) "Electronic mobilization" means the capability to move clinical confidential health information electronically between disparate healthcare information systems while maintaining the accuracy of the information being exchanged.

     (k)(i) "Emergency" means the sudden onset of a medical, mental, or substance abuse use, or other condition manifesting itself by acute symptoms of severity (e.g. severe pain) where the absence of medical attention could reasonably be expected, by a prudent layperson, to result in placing the patient's health in serious jeopardy, serious impairment to bodily or mental functions, or serious dysfunction of any bodily organ or part.

     (l)(j) "Healthcare provider" means any person or entity licensed by this state to provide or lawfully providing healthcare services, including, but not limited to, a physician, hospital, intermediate-care facility or other healthcare facility, dentist, nurse, optometrist, podiatrist, physical therapist, psychiatric social worker, pharmacist, or psychologist, and any officer, employee, or agent of that provider acting in the course and scope of his or her employment or agency related to or supportive of healthcare services.

     (m)(k) "Healthcare services" means acts of diagnosis, treatment, medical evaluation, referral, or counseling, or any other acts that may be permissible under the healthcare licensing statutes of this state.

     (n)(l) "Health Information Exchange" or "HIE" means the technical system operated, or to be operated, by the RHIO under state authority allowing for the statewide electronic mobilization of confidential healthcare information, pursuant to this chapter.

     (o)(m) "Health plan" means an individual plan or a group plan that provides, or pays the cost of, healthcare services for a patient participant.

     (p)(n) "HIE Advisory Commission" means the advisory body established by the department of health in order to provide community input and policy recommendations regarding the use of the confidential healthcare information of the HIE.

     (q)(o) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended.

     (r) "Participant" means a patient participant, a patient participant's authorized representative, a provider participant, a data-submitting partner, the regional health information organization, and the department of health, that has agreed to authorize, submit, access, and/or disclose confidential healthcare information via the HIE in accordance with this chapter.

     (s) "Participation" means a patient participant's authorization, submission, access, and/or disclosure of confidential healthcare information via the HIE in accordance with this chapter.

     (p) "Opt out" means the ability of a patient to choose to not have their confidential health care information disclosed from HIE in accordance with § 5-37.7-7.

     (t)(q) "Patient participant" means a person who receives healthcare services from a provider participant and has agreed to participate in the HIE through the mechanisms established in this chapter.

     (u)(r) "Provider participant" means a pharmacy, laboratory, healthcare provider, or health plan who or that is providing healthcare services or pays for the cost of healthcare services for a patient participant and/or is submitting and/or or accessing healthcare information through the HIE and has executed an electronic and/or written agreement regarding disclosure, access, receipt, retention, or release of confidential healthcare information to from the HIE.

     (v)(s) "Regional health information organization" or "RHIO" means the organization designated as the RHIO by the state to provide administrative and operational support to the HIE.

     5-37.7-4. Participation in the health information exchange. Use of the health information exchange.

     (a) There shall be established a statewide HIE under state authority to allow for the electronic mobilization of confidential healthcare information in Rhode Island. Confidential healthcare information may only be accessed, released, or transferred from the HIE in accordance with this chapter.

     (b) The state of Rhode Island has an interest in encouraging participation in use of the HIE by all interested parties, including, but not limited to, healthcare providers, patients, health plans, entities submitting information to the HIE, entities obtaining information from the HIE, and the RHIO. The Rhode Island department of health is also considered a participant for public health purposes.

     (c) Patients and health care providers Except as provided in § 5-37.7-7(b), patients shall have the choice to participate in opt out of having their confidential health care information disclosed from the HIE, as through the process defined by in regulations in accordance with § 5-37.7-3; provided, however, that provider § 5-37.7-5.

     (d) Provider participants must continue to maintain their own medical record meeting the documentation and other standards imposed by otherwise applicable law.

     (e) The state agencies may submit to the HIE and/or receive from the HIE applicable confidential health care information for public health purposes.

     (d)(f) Participation in the HIE Nothing contained herein shall have no an impact on the content of, or use or disclosure of, confidential healthcare information of patient participants patients that is held in locations other than the HIE. Nothing in this chapter shall be construed to limit, change, or otherwise affect entities' rights to exchange confidential healthcare information in accordance with other applicable laws.

     (e)(g) The state of Rhode Island hereby imposes on the HIE and the RHIO as a matter of state law, the obligation to maintain, and abide by the terms of, HIPAA-compliant business associate agreements, including, without limitation, the obligations to use appropriate safeguards to prevent use or disclosure of confidential healthcare information in accordance with HIPAA, other state and federal laws and this chapter; not to use or disclose confidential healthcare information other than as permitted by HIPAA and this chapter; or to make any amendment to a confidential healthcare record that a provider participant so directs; and to respond to a request by a patient participant to make an amendment to the patient participant's confidential patient's healthcare record.

     5-37.7-5. Regulatory oversight.

     (a) The director of the department of health shall develop regulations regarding the confidentiality of patient participant information received, accessed, or held by the HIE and is authorized to promulgate such other regulations as the director department deems necessary or desirable to implement the provisions of this chapter, in accordance with the provisions set forth in chapter 17 of title 23 and chapter 35 of title 42.

     (b) The department of health has exclusive jurisdiction over the HIE, except with respect to the jurisdiction conferred upon the attorney general in § 5-37.7-13. This chapter shall not apply to any other private and/or public-health information systems utilized within a healthcare provider or other organization that provides healthcare services.

     (c) The department of health shall promulgate rules and regulations for the establishment of an HIE advisory commission. that The HIE advisory commission, in consultation with the RHIO, will be responsible for recommendations relating to the department regarding the use of, and appropriate confidentiality protections for, the confidential healthcare information of the HIE, subject to regulatory oversight by the department of health. Said commission members shall be subject to the advice and consent of the senate. The commission shall report annually to the department of health and the RHIO, and such report shall be made public.

     5-37.7-6. Regional health information organization.

     The RHIO shall, subject to and consistent with department regulations and contractual obligations it has with the state of Rhode Island, be responsible for implementing recognized national standards for interoperability and all administrative, operational, and financial functions to support the HIE, including, but not limited to, implementing and enforcing policies for receiving, retaining, safeguarding, and disclosing confidential healthcare information as required by this chapter. The RHIO is deemed to be the steward of the confidential healthcare information for which it has administrative responsibility. The HIE advisory commission shall be responsible for recommendations to the department of health, and in consultation with the RHIO regarding the use of the confidential healthcare information.

     5-37.7-7. Disclosure.

     (a)(1) Except as provided in subsection (b), a patient participant's or the patient's authorized representative may opt out of having their confidential healthcare information may only be accessed, released, or transferred disclosed from the HIE in accordance with an authorization form signed by the patient participant or the patient's authorized representative. Patients shall be notified of their right to opt out of having their confidential health care information disclosed from the HIE through the process provided by regulation in accordance with § 5-37.7-5.

     (b) No authorization for release or transfer of confidential health care information from the HIE shall be required The opt out does not apply to disclosures in the following situations:

     (1) To a healthcare provider who believes, in good faith, that the information is necessary for diagnosis or treatment of that individual in an emergency; or

     (2) To public-health authorities in order to carry out their functions as described in this title and titles 21 and 23, and rules promulgated under those titles. These functions include, but are not restricted to, investigations into the causes of disease, the control of public-health hazards, enforcement of sanitary laws, investigation of reportable diseases, certification and licensure of health professionals and facilities, review of health care such as that required by the federal government and other governmental agencies, and mandatory reporting laws set forth in Rhode Island general laws; or

     (3) To the RHIO in order for it to effectuate the operation and administrative oversight of the HIE; and.

     (4) To a health plan, if the information is necessary for care management of its plan members, or for quality and performance measure reporting.

     (c) The content of the authorization form for access to, or the disclosure, release, or transfer of confidential health care information from the HIE, shall be prescribed by the RHIO in accordance with applicable department of health regulations, but, at a minimum, shall contain the following information in a clear and conspicuous manner: Notification and opt out procedures shall be developed in consultation with the HIE advisory commission and provided in regulations promulgated in accordance with § 5-37.7-5. Provider participants that share data with the HIE shall notify their patients that data is being shared with the HIE to support the provision of care, and inform their patients about the ability to opt out. At a minimum, the notification shall contain the following information in a clear and concise manner:

     (1) A statement of the need for and proposed uses of that information; and that the patient's provider is a provider participant in the HIE, and as such may share the patient's confidential health care information through the HIE as permitted by this chapter and all applicable state and federal law.

     (2) A statement that the authorization for access to, disclosure of, and/or release of information may be withdrawn at any future time and is subject to revocation; patient may opt out of having their confidential health care information disclosed from the HIE except as provided pursuant to § 5-37.7-7(b).

     (3) That the patient has the right not to participate in the HIE; and A statement that a patient's choice to opt out of disclosing their confidential health care information from the HIE may be changed at any time.

     (4) The patient's right to choose to: (i) Enroll in and participate fully in the HIE; or (ii) Designate only specific health care providers that may access the patient participant's confidential health care information. The method for opting out shall be provided by regulation in accordance with § 5-37.7-5.

     (d) Except as specifically provided by state or federal law or this chapter, or use for clinical care, a patient participant's patient's confidential healthcare information shall not be accessed by, given, sold, transferred, or in any way relayed from the HIE to any other person or entity not specified in the patient participant authorization form meeting the requirements of subsection (c) without first obtaining additional authorization.

     (e) Nothing contained in this chapter shall be construed to limit the permitted access to, or the release, transfer, access, or disclosure of, confidential healthcare information described in subsection (b) or under other applicable law.

     (f) Confidential healthcare information received, disclosed, or held by the HIE shall not be subject to subpoena directed to the HIE or RHIO unless the following procedures have been completed: (i) The person seeking the confidential healthcare information has already requested and received the confidential healthcare information from the healthcare provider that was the original source of the information; and (ii) A determination has been made by the superior court, upon motion and notice to the HIE or RHIO and the parties to the litigation in which the subpoena is served, that the confidential healthcare information sought from the HIE is not available from another source and is either relevant to the subject matter involved in the pending action or is reasonably calculated to lead to the discovery of admissible evidence in such pending action. Any person issuing a subpoena to the HIE or RHIO pursuant to this section shall certify that such measures have been completed prior to the issuance of the subpoena.

     (g) Nothing contained herein shall interfere with, or impact upon, any rights or obligations imposed by the Workers' Compensation Act as contained in chapters 29--38 29 through 38 of title 28.

     (h) Nothing contained herein shall prohibit a health plan from becoming a data-submitting partner. A data-submitting partner is not considered a managed-care entity or a managed-care contractor, and the HIE is not considered a regional or local medical information database pursuant to § 5-37.3-4.

     5-37.7-8. Security.

     The HIE must be subject to at least the following security procedures:

     (1) Authenticate the recipient of any confidential healthcare information disclosed by the HIE pursuant to this chapter pursuant to rules and regulations promulgated by the agency department;

     (2) Limit authorized access to personally identifiable confidential healthcare information to persons having a need to know that information; additional employees or agents may have access to de-identified information;

     (3) Identify an individual or individuals who have responsibility for maintaining security procedures for the HIE;

     (4) Provide an electronic or written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of confidential healthcare information, and of the penalties provided for in this chapter for the unauthorized access, release, transfer, use, or disclosure of this information; and

     (5) Take no disciplinary or punitive action against any employee or agent for bringing evidence of violation of this chapter to the attention of any person.

     5-37.7-10. Patient's rights.

     Pursuant to this chapter, a patient participant who has his or her confidential healthcare information transferred through included in the HIE shall have the following rights:

     (1) To obtain a copy of his or her confidential healthcare information from the HIE;

     (2) To obtain a copy of the disclosure report pertaining to his or her confidential healthcare information;

     (3) To be notified as required by chapter 49.3 of title 11, the Rhode Island identity theft protection act, of a breach of the security system of the HIE;

     (4) To terminate change his or her participation opt out status in the HIE in accordance with rules and regulations promulgated by the agency department;

     (5) To request to amend his or her own information through the provider participant;

     (6) To request his or her confidential healthcare information from the HIE be disclosed to an authorized representative; and

     (7) To request his or her confidential healthcare information from the HIE be disclosed to healthcare providers who are not provider participants as defined by this chapter.

     5-37.7-12. Reconciliation with other authorities.

     (a) This chapter shall only apply to the HIE system, and does not apply to any other private and/or public-health information systems utilized in Rhode Island, including other health information systems utilized within or by a healthcare facility or organization.

     (b) As this chapter provides extensive protection with regard to access to and disclosure of confidential healthcare information by the HIE, it supplements, with respect to the HIE only, any less stringent disclosure requirements, including, but not limited to, those contained in chapter 37.3 of this title, the Health Insurance Portability and Accountability Act (HIPAA) and regulations promulgated thereunder, and any other less stringent federal or state law.

     (c) This chapter shall not be construed to interfere with any other federal or state laws or regulations that provide more extensive protection than provided in this chapter for the confidentiality of healthcare information. Notwithstanding such provision, because of the extensive protections with regard to access to and disclosure of confidential healthcare information by the HIE provided for in this chapter, patient authorization obtained for access to or disclosure of information to or from the HIE or a provider participant shall be deemed the same authorization required by other state or federal laws including information regarding mental health (the Rhode Island mental health law, § 40.1-5-1 et seq.); HIV (§ 23-6.3-7); sexually transmitted disease (§§ 23-6.3-7 and 23-11-9); alcohol and drug abuse (§ 23-1.10-1 et seq., 42 U.S.C. § 290dd-2), or genetic information (§ 27-41-53, § 27-20-39, and § 27-19-44).

     SECTION 3. This act shall take effect upon passage.


EXPLANATION

BY THE LEGISLATIVE COUNCIL

OF

A N   A C T

RELATING TO BUSINESSES AND PROFESSIONS -- RHODE ISLAND HEALTH

INFORMATION EXCHANGE ACT OF 2008

***

     This act amends the Rhode Island Health Information Exchange Act of 2008. Patient health care providers which participate in the "Health Information Exchange" (HIE) shall provide their patients with information that the patient may elect to opt out of disclosure of information from the HIE in accordance with regulations which shall be promulgated by the department of health.

     This act would take effect upon passage.
