Chapter 403
2013 -- S 0459 SUBSTITUTE A
Enacted 07/15/13
A N A C T
RELATING TO
BUSINESSES AND PROFESSIONS -- CONFIDENTIALITY OF HEALTH CARE COMMUNICATIONS AND
INFORMATION ACT
Introduced By: Senators Jabour, McCaffrey, Archambault, and Lombardi
Date Introduced: February 28, 2013
It is enacted by the
General Assembly as follows:
`SECTION 1. Section 5-37.3-4 of the General Laws in Chapter
5-37.3 entitled
"Confidentiality of
Health Care Communications and Information Act" is hereby amended to read
as follows:
5-37.3-4.
Limitations on and permitted disclosures. -- (a)
(1) Except as provided in
subsection (b) of this section or as specifically provided by
the law, a patient's confidential health
care information shall not be released or transferred
without the written consent of the patient or
his or her authorized representative, on a consent form
meeting the requirements of subsection (d)
of this section. A copy of any notice used pursuant to
subsection (d) of this section, and of any
signed consent shall, upon request, be provided to the
patient prior to his or her signing a consent
form. Any and all managed care entities and managed care
contractors writing policies in the state
shall be prohibited from providing any information related
to enrollees which is personal in
nature and could reasonably lead to identification of an
individual and is not essential for the
compilation of statistical data related to enrollees, to any
international, national, regional, or local
medical information data base. This provision shall not
restrict or prohibit the transfer of
information to the department of health to carry out its
statutory duties and responsibilities.
(2) Any person who
violates the provisions of this section may be liable for actual and
punitive damages.
(3) The court may award
a reasonable attorney's fee at its discretion to the prevailing
party in any civil action under this section.
(4) Any person who
knowingly and intentionally violates the provisions of this section
shall, upon conviction, be fined not more than five
thousand ($5,000) dollars for each violation,
or imprisoned not more than six (6) months for each
violation, or both.
(5) Any contract or
agreement which purports to waive the provisions of this section
shall be declared null and void as against public policy.
(b) No consent for
release or transfer of confidential health care information shall be
required in the following situations:
(1) To a physician,
dentist, or other medical personnel who believes, in good faith, that
the information is necessary for diagnosis or treatment
of that individual in a medical or dental
emergency;
(2) To medical and
dental peer review boards, or the board of medical licensure and
discipline, or board of examiners in dentistry;
(3) To qualified
personnel for the purpose of conducting scientific research, management
audits, financial audits, program evaluations, actuarial,
insurance underwriting, or similar studies;
provided, that personnel shall not identify, directly or
indirectly, any individual patient in any
report of that research, audit, or evaluation, or otherwise
disclose patient identities in any manner;
(4) (i) By a health care provider
to appropriate law enforcement personnel, or to a
person if the health care provider believes that person or
his or her family is in danger from a
patient; or to appropriate law enforcement personnel if the
patient has or is attempting to obtain
narcotic drugs from the health care provider illegally; or to
appropriate law enforcement
personnel or appropriate child protective agencies if the
patient is a minor child or the parent or
guardian of said child and/or the health care provider
believes, after providing health care
services to the patient, that the child is or has been
physically, psychologically or sexually abused
and neglected as reportable pursuant to section 40-11-3;
or to law enforcement personnel in the
case of a gunshot wound reportable under section 11-47-48;
(ii) A health care
provider may disclose protected health information in response to a law
enforcement official's request for such information for the
purpose of identifying or locating a
suspect, fugitive, material witness, or missing person,
provided that the health care provider may
disclose only the following information:
(A) Name and address;
(B) Date and place of
birth;
(C) Social security number;
(D) ABO blood type
and rh factor;
(E) Type of injury;
(F) Date and time of
treatment;
(G) Date and time of
death, if applicable; and
(H) A description of
distinguishing physical characteristics, including height, weight,
gender, race, hair and eye color, presence or absence of
facial hair (beard or moustache), scars,
and tattoos.
(I) Except as permitted by this subsection, the health care
provider may not disclose for
the purposes of identification or location under this
subsection any protected health information
related to the patient’s DNA or DNA analysis, dental records,
or typing, samples or analysis of
body fluids or tissue.
(iii) A health care
provider may disclose protected health information in response to a law
enforcement official's request for such information about a
patient who is or is suspected to be a
victim of a crime, other than disclosures that are subject
to subsection (b)(4)(vii) of this section,
if:
(A) The patient
agrees to the disclosure; or
(B) The health care
provider is unable to obtain the patient’s agreement because of
incapacity or other emergency circumstances provided that:
(1) The law
enforcement official represents that such information is needed to determine
whether a violation of law by a person other than the victim
has occurred, and such information is
not intended to be used against the victim;
(2) The law
enforcement official represents that immediate law enforcement activity that
depends upon the disclosure would be materially and adversely
affected by waiting until the
patient is able to agree to the disclosure; and
(3) The disclosure is
in the best interests of the patient as determined by the health care
provider, in the exercise of professional judgment.
(iv)
A health care provider may disclose protected health information
about a patient who
has died to a law enforcement official for the purpose of
alerting law enforcement of the death of
the patient if the health care provider has a suspicion
that such death may have resulted from
criminal conduct.
(v) A health care
provider may disclose to a law enforcement official protected health
information that the health care provider believes in good faith constitutes
evidence of criminal
conduct that occurred on the premises of the health care
provider.
(vi) (A) A health
care provider providing emergency health care in response to a medical
emergency, other than such emergency on the premises of the covered
health care provider, may
disclose protected health information to a law enforcement
official if such disclosure appears
necessary to alert law enforcement to:
(1) The commission
and nature of a crime;
(2) The location of
such crime or of the victim(s) of such crime; and
(3) The identity,
description, and location of the perpetrator of such crime.
(B) If a health care
provider believes that the medical emergency described in subsection
(b)(vi)(A) of
this section is the result of abuse, neglect, or domestic violence of the
individual in
need of emergency health care, subsection (b)(vi)(A) of
this section does not apply and any
disclosure to a law enforcement official for law enforcement
purposes is subject to subsection
(b)(4)(vii) of this section.
(vii) (A) Except for
reports permitted by subsection (b)(4)(i) of this section, a health care
provider may disclose protected health information about a
patient whom the health care provider
reasonably believes to be a victim of abuse, neglect, or
domestic violence to law enforcement or a
government authority, including a social service or protective
services agency, authorized by law
to receive reports of such abuse, neglect, or domestic
violence:
(1) To the extent the
disclosure is required by law and the disclosure complies with and is
limited to the relevant requirements of such law;
(2) If the patient
agrees to the disclosure; or
(3) To the extent the
disclosure is expressly authorized by statute or regulation and:
(i)
The health care provider, in the exercise of professional judgment, believes
the
disclosure is necessary to prevent serious harm to the patient
or other potential victims; or
(ii) If the patient
is unable to agree because of incapacity, a law enforcement or other
public official authorized to receive the report represents
that the protected health information for
which disclosure is sought is not intended to be used
against the patient and that an immediate
enforcement activity that depends upon the disclosure would be
materially and adversely affected
by waiting until the patient is able to agree to the
disclosure.
(B) A health care
provider that makes a disclosure permitted by subsection (b)(4)(vii)(A)
of this section must promptly inform the patient that
such a report has been or will be made,
except if:
(1) The health care
facility, in the exercise of professional judgment, believes informing
the patient would place the individual at risk of serious
harm; or
(2) The health care
provider would be informing a personal representative, and the health
care provider reasonably believes the personal
representative is responsible for the abuse, neglect,
or other injury, and that informing such person would
not be in the best interests of the individual
as determined by the covered entity, in the exercise of
professional judgment.
(viii) The
disclosures authorized by this subsection being shall be limited
to the minimum
amount of information necessary to accomplish the intended
purpose of the release of
information.
(5) Between or among
qualified personnel and health care providers within the health
care system for purposes of coordination of health care
services given to the patient and for
purposes of education and training within the same health care
facility; or
(6) To third party
health insurers including to utilization review agents as provided by
section 23-17.12-9(c)(4), third party administrators licensed
pursuant to chapter 20.7 of title 27
and other entities that provide operational support to
adjudicate health insurance claims or
administer health benefits;
(7) To a malpractice
insurance carrier or lawyer if the health care provider has reason to
anticipate a medical liability action; or
(8) (i) To the health care provider's
own lawyer or medical liability insurance carrier if
the patient whose information is at issue brings a
medical liability action against a health care
provider.
(ii) Disclosure by a
health care provider of a patient's health care information which is
relevant to a civil action brought by the patient against any
person or persons other than that
health care provider may occur only under the discovery
methods provided by the applicable
rules of civil procedure (federal or state). This
disclosure shall not be through ex parte contacts
and not through informal ex parte contacts with the
provider by persons other than the patient or
his or her legal representative. Nothing in this section
shall limit the right of a patient or his or her
attorney to consult with that patient's own physician and to
obtain that patient's own health care
information;
(9) To public health
authorities in order to carry out their functions as described in this
title and titles 21 and 23, and rules promulgated under
those titles. These functions include, but
are not restricted to, investigations into the causes of
disease, the control of public health hazards,
enforcement of sanitary laws, investigation of reportable
diseases, certification and licensure of
health professionals and facilities, review of health care
such as that required by the federal
government and other governmental agencies;
(10) To the state
medical examiner in the event of a fatality that comes under his or her
jurisdiction;
(11) In relation to
information that is directly related to current claim for workers'
compensation benefits or to any proceeding before the workers'
compensation commission or
before any court proceeding relating to workers'
compensation;
(12) To the attorneys
for a health care provider whenever that provider considers that
release of information to be necessary in order to receive
adequate legal representation;
(13) By a health care
provider to appropriate school authorities of disease, health
screening and/or immunization information required by the
school; or when a school age child
transfers from one school or school district to another school
or school district;
(14) To a law
enforcement authority to protect the legal interest of an insurance
institution, agent, or insurance-support organization in
preventing and prosecuting the
perpetration of fraud upon them;
(15) To a grand jury or
to a court of competent jurisdiction pursuant to a subpoena or
subpoena duces tecum
when that information is required for the investigation or prosecution of
criminal wrongdoing by a health care provider relating to his
or her or its provisions of health
care services and that information is unavailable from any
other source; provided, that any
information so obtained is not admissible in any criminal
proceeding against the patient to whom
that information pertains;
(16) To the state board
of elections pursuant to a subpoena or subpoena duces
tecum
when that information is required to determine the
eligibility of a person to vote by mail ballot
and/or the legitimacy of a certification by a physician
attesting to a voter's illness or disability;
(17) To certify,
pursuant to chapter 20 of title 17, the nature and permanency of a
person's illness or disability, the date when that person was
last examined and that it would be an
undue hardship for the person to vote at the polls so that
the person may obtain a mail ballot;
(18) To the central
cancer registry;
(19) To the Medicaid
fraud control unit of the attorney general's office for the
investigation or prosecution of criminal or civil wrongdoing by a
health care provider relating to
his or her or its provision of health care services to
then Medicaid eligible recipients or patients,
residents, or former patients or residents of long term
residential care facilities; provided, that any
information obtained shall not be admissible in any criminal
proceeding against the patient to
whom that information pertains;
(20) To the state
department of children, youth, and families pertaining to the disclosure
of health care records of children in the custody of the
department;
(21) To the foster
parent or parents pertaining to the disclosure of health care records of
children in the custody of the foster parent or parents;
provided, that the foster parent or parents
receive appropriate training and have ongoing availability of
supervisory assistance in the use of
sensitive information that may be the source of distress to
these children;
(22) A hospital may
release the fact of a patient's admission and a general description of
a patient's condition to persons representing
themselves as relatives or friends of the patient or as
a representative of the news media. The access to
confidential health care information to persons
in accredited educational programs under appropriate
provider supervision shall not be deemed
subject to release or transfer of that information under
subsection (a) of this section; or
(23) To the workers'
compensation fraud prevention unit for purposes of investigation
under sections 42-16.1-12 -- 42-16.1-16. The release or
transfer of confidential health care
information under any of the above exceptions is not the basis
for any legal liability, civil or
criminal, nor considered a violation of this chapter; or
(24) To a probate court
of competent jurisdiction, petitioner, respondent, and/or their
attorneys, when the information is contained within a
decision-making assessment tool which
conforms to the provisions of section 33-15-47.
(c) Third parties
receiving and retaining a patient's confidential health care information
must establish at least the following security procedures:
(1) Limit authorized
access to personally identifiable confidential health care
information to persons having a "need to know" that
information; additional employees or agents
may have access to that information which does not
contain information from which an individual
can be identified;
(2) Identify an
individual or individuals who have responsibility for maintaining security
procedures for confidential health care information;
(3) Provide a written
statement to each employee or agent as to the necessity of
maintaining the security and confidentiality of confidential
health care information, and of the
penalties provided for in this chapter for the unauthorized
release, use, or disclosure of this
information. The receipt of that statement shall be acknowledged
by the employee or agent, who
signs and returns the statement to his or her employer or
principal, who retains the signed
original. The employee or agent shall be furnished with a copy
of the signed statement;
(4) Take no
disciplinary or punitive action against any employee or agent solely for
bringing evidence of violation of this chapter to the
attention of any person.
(d) Consent forms for
the release or transfer of confidential health care information shall
contain, or in the course of an application or claim for
insurance be accompanied by a notice
containing, the following information in a clear and conspicuous
manner:
(1) A statement of the
need for and proposed uses of that information;
(2) A statement that
all information is to be released or clearly indicating the extent of
the information to be released; and
(3) A statement that
the consent for release or transfer of information may be withdrawn
at any future time and is subject to revocation, except
where an authorization is executed in
connection with an application for a life or health insurance
policy in which case the
authorization expires two (2) years from the issue date of the
insurance policy, and when signed
in connection with a claim for benefits under any
insurance policy the authorization shall be valid
during the pendency of that claim. Any revocation shall be
transmitted in writing.
(e) Except as
specifically provided by law, an individual's confidential health care
information shall not be given, sold, transferred, or in any way
relayed to any other person not
specified in the consent form or notice meeting the requirements
of subsection (d) of this section
without first obtaining the individual's additional written
consent on a form stating the need for
the proposed new use of this information or the need for
its transfer to another person.
(f) Nothing contained
in this chapter shall be construed to limit the permitted disclosure
of confidential health care information and
communications described in subsection (b) of this
section.
SECTION 2. This act shall take effect upon passage.
=======
LC01314/SUB A
=======