SECTION 2. Sections 5-37.7-2, 5-37.7-3, 5-37.7-4, 5-37.7-5, 5-37.7-6, 5-37.7-7, 5-37.7- 8, 5-37.7-10 and 5-37.7-12 of the General Laws in Chapter 5-37.7 entitled "Rhode Island Health Information Exchange Act of 2008" are hereby amended to read as follows:
5-37.7-2. Statement of purpose.
The purpose of this chapter is to establish safeguards and confidentiality protections for the HIE in order to improve the quality, safety, and value of health care, keep confidential health information secure and confidential, and use the HIE to progress toward meeting public-health goals by promoting interoperability, enhancing electronic communication between providers, and supporting public health goals, while keeping confidential health care information secure.
As used in this chapter:
(a) "Agency" means the Rhode Island department of health.
(b) "Authorization form" means the form described in § 5-37.7-7 and by which a patient participant provides authorization for the RHIO to allow access to, review of, and/or disclosure of the patient participant's confidential healthcare information by electronic, written, or other means.
(c)(a) "Authorized representative" means:
(1) A person empowered by the patient participant to assert or to waive confidentiality, or to disclose or authorize the disclosure of confidential information, as established by this chapter. That person is not, except by explicit authorization, empowered to waive confidentiality or to disclose or consent to the disclosure of confidential information; or
(2) A person appointed by the patient participant to make healthcare decisions on his or her behalf through a valid durable power of attorney for healthcare as set forth in § 23-4.10-2; or
(3) A guardian or conservator, with authority to make healthcare decisions, if the patient participant is decisionally impaired; or
(4) Another legally appropriate medical decision maker temporarily if the patient participant is decisionally impaired and no healthcare agent, guardian, or conservator is available; or
(5)Ifthepatientparticipantisdeceased,hisorherpersonalrepresentativeor,intheabsence of that representative, his or her heirs-at-law; or
(6) A parent with the authority to make healthcare decisions for the parent's child; or
(7) A person authorized by the patient participant or his or her authorized representative to access their confidential healthcare information from the HIE, including family members or other proxies as designated by the patient, to assist the patient participant with the coordination of their care.
(d)(b) "Business associate" means a business associate as defined by HIPAA.
(e)(c) "Confidential healthcare information" means all information relating to a patient participant's patient's healthcare history, diagnosis, condition, treatment, or evaluation.
(f)(d) "Coordination of care" means the process of coordinating, planning, monitoring, and/or sharing information relating to, and assessing a care plan for, treatment of a patient.
(g)(e) "Data-submitting partner" means an individual, organization, or entity who or that has entered into a business associate agreement with the RHIO and submits a patient participant's patient's confidential healthcare information through the HIE.
(h)(f) "Department of health" means the Rhode Island department of health.
(i)(g) "Disclosure report" means a report generated by the HIE relating to the record of access to, review of, and/or disclosure of a patient's confidential healthcare information received, accessed, or held by the HIE.
(j)(h) "Electronic mobilization" means the capability to move clinical confidential health information electronically between disparate healthcare information systems while maintaining the accuracy of the information being exchanged.
(k)(i) "Emergency" means the sudden onset of a medical, mental, or substance abuse use, or other condition manifesting itself by acute symptoms of severity (e.g. severe pain) where the absence of medical attention could reasonably be expected, by a prudent layperson, to result in placing the patient's health in serious jeopardy, serious impairment to bodily or mental functions, or serious dysfunction of any bodily organ or part.
(l)(j) "Healthcare provider" means any person or entity licensed by this state to provide or lawfully providing healthcare services, including, but not limited to, a physician, hospital, intermediate-care facility or other healthcare facility, dentist, nurse, optometrist, podiatrist, physical therapist, psychiatric social worker, pharmacist, or psychologist, and any officer, employee, or agent of that provider acting in the course and scope of his or her employment or agency related to or supportive of healthcare services.
(m)(k) "Healthcare services" means acts of diagnosis, treatment, medical evaluation, referral, or counseling, or any other acts that may be permissible under the healthcare licensing statutes of this state.
(n)(l) "Health Information Exchange" or "HIE" means the technical system operated, or to be operated, by the RHIO under state authority allowing for the statewide electronic mobilization of confidential healthcare information, pursuant to this chapter.
(o)(m) "Health plan" means an individual plan or a group plan that provides, or pays the cost of, healthcare services for a patient participant.
(p)(n) "HIE Advisory Commission" means the advisory body established by the department of health in order to provide community input and policy recommendations regarding the use of the confidential healthcare information of the HIE.
(q)(o) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended.
(r) "Participant" means a patient participant, a patient participant's authorized representative, a provider participant, a data-submitting partner, the regional health information organization, and the department of health, that has agreed to authorize, submit, access, and/or disclose confidential healthcare information via the HIE in accordance with this chapter.
(s) "Participation" means a patient participant's authorization, submission, access, and/or disclosure of confidential healthcare information via the HIE in accordance with this chapter.
(p) "Opt out" means the ability of a patient to choose to not have their confidential health care information disclosed from HIE in accordance with § 5-37.7-7.
(t)(q)"Patientparticipant"meansapersonwhoreceiveshealthcareservicesfromaprovider participant and has agreed to participate in the HIE through the mechanisms established in this chapter.
(u)(r) "Provider participant" means a pharmacy, laboratory, healthcare provider, or health plan who or that is providing healthcare services or pays for the cost of healthcare services for a patient participant and/or issubmittingand/or or accessinghealthcare information through the HIE and has executed an electronic and/or written agreement regarding disclosure, access, receipt, retention, or release of confidential healthcare information to from the HIE.
(v)(s) "Regional health information organization" or "RHIO" means the organization designated as the RHIO by the state to provide administrative and operational support to the HIE.
5-37.7-4. Participation in the health information exchange. Use of the health information exchange.
(a) There shall be established a statewide HIE under state authority to allow for the electronic mobilization of confidential healthcare information in Rhode Island. Confidential healthcare information may only be accessed, released, or transferred from the HIE in accordance with this chapter.
(b) The state of Rhode Island has an interest in encouraging participation in use of the HIE by all interested parties, including, but not limited to, healthcare providers, patients, health plans, entities submitting information to the HIE, entities obtaining information from the HIE, and the RHIO. The Rhode Island department of health is also considered a participant for public health purposes.
(c) Patients and health care providers Except as provided in § 5-37.7-7(b), patients shall have the choice to participate in opt out of having their confidential health care information disclosed from the HIE, as through the process defined by in regulations in accordance with § 5- 37.7-3; provided, however, that provider § 5-37.7-5.
(d) Provider participants must continue to maintain their own medical record meeting the documentation and other standards imposed by otherwise applicable law.
(e) The state agencies may submit to the HIE and/or receive from the HIE applicable confidential health care information for public health purposes.
(d)(f) Participation in the HIE Nothing contained herein shall have no an impact on the content of, or use or disclosure of, confidential healthcare information of patient participants patients that is held in locations other than the HIE. Nothing in this chapter shall be construed to limit, change, or otherwise affect entities' rights to exchange confidential healthcare information in accordance with other applicable laws.
(e)(g) The state of Rhode Island hereby imposes on the HIE and the RHIO as a matter of state law, the obligation to maintain, and abide by the terms of, HIPAA-compliant business associate agreements, including, without limitation, the obligations to use appropriate safeguards to prevent use or disclosure of confidential healthcare information in accordance with HIPAA, other state and federal laws and this chapter; not to use or disclose confidential healthcare information other than as permitted by HIPAA and this chapter; or to make any amendment to a confidential healthcare record that a provider participant so directs; and to respond to a request by a patient participant to make an amendment to the patient participant's confidential patient's healthcare record.
5-37.7-5. Regulatory oversight.
(a) The director of the department of health shall develop regulations regarding the confidentiality of patient participant information received, accessed, or held by the HIE and is authorized to promulgate such other regulations as the director department deems necessary or desirable to implement the provisions of this chapter, in accordance with the provisions set forth in chapter 17 of title 23 and chapter 35 of title 42.
(b) The department of health has exclusive jurisdiction over the HIE, except with respect to the jurisdiction conferred upon the attorney general in § 5-37.7-13. This chapter shall not apply to any other private and/or public-health information systems utilized within a healthcare provider or other organization that provides healthcare services.
(c) The department of health shall promulgate rules and regulations for the establishment ofanHIEadvisorycommission.thatTheHIEadvisorycommission,inconsultationwiththeRHIO, will be responsible for recommendations relating to the department regarding the use of, and appropriate confidentiality protections for, the confidential healthcare information of the HIE, subject to regulatory oversight by the department of health. Said commission members shall be subject to the advice and consent of the senate. The commission shall report annually to the department of health and the RHIO, and such report shall be made public.
5-37.7-6. Regional health information organization.
The RHIO shall, subject to and consistent with department regulations and contractual obligations it has with the state of Rhode Island, be responsible for implementing recognized national standards for interoperability and all administrative, operational, and financial functions to support the HIE, including, but not limited to,implementingand enforcingpolicies forreceiving, retaining, safeguarding, and disclosing confidential healthcare information as required by this chapter.TheRHIOisdeemedtobe thestewardoftheconfidential healthcareinformationforwhich it has administrative responsibility. The HIE advisory commission shall be responsible for recommendations to the department of health, and in consultation with the RHIO regarding the use of the confidential healthcare information.
(a)(1)Except asprovidedinsubsection(b),apatient participant's orthepatient'sauthorized representative may opt out of having their confidential healthcare information may only be accessed, released, or transferred disclosed from the HIE in accordance with an authorization form signed by the patient participant or the patient's authorized representative. Patients shall be notified of their right to opt out of having their confidential health care information disclosed from the HIE through the process provided by regulation in accordance with § 5-37.7-5.
(b) No authorization for release or transfer of confidential health care information from the HIE shall be required The opt out does not apply to disclosures in the following situations:
(1) To a healthcare provider who believes, in good faith, that the information is necessary for diagnosis or treatment of that individual in an emergency; or
(2) To public-health authorities in order to carry out their functions as described in this title and titles 21 and 23, and rules promulgated under those titles. These functions include, but are not restricted to, investigations into the causes of disease, the control of public-health hazards, enforcement of sanitary laws, investigation of reportable diseases, certification and licensure of health professionals and facilities, review of health care such as that required by the federal government and other governmental agencies, and mandatory reporting laws set forth in Rhode Island general laws; or
(3) To the RHIO in order for it to effectuate the operation and administrative oversight of the HIE; and.
(4) To a health plan, if the information is necessary for care management of its plan members, or for quality and performance measure reporting.
(c) The content of the authorizationformfor access to,or the disclosure,release, or transfer ofconfidentialhealthcareinformationfromtheHIE,shallbeprescribedbytheRHIOinaccordance with applicable department of health regulations, but, at a minimum, shall contain the following information in a clear and conspicuous manner: Notification and opt out procedures shall be developed in consultation with the HIE advisory commission and provided in regulations promulgated in accordance with § 5-37.7-5. Provider participants that share data with the HIE shall notify their patients that data is being shared with the HIE to support the provision of care, and inform their patients about the ability to opt out. At a minimum, the notification shall contain the following information in a clear and concise manner:
(1) A statement of the need for and proposed uses of that information; and that the patient's provider is a provider participant in the HIE, and as such may share the patient's confidential health care information through the HIE as permitted by this chapter and all applicable state and federal law.
(2) A statement that the authorization for access to, disclosure of, and/or release of information may be withdrawn at any future time and is subject to revocation; patient may opt out of having their confidential health care information disclosed from the HIE except as provided pursuant to § 5-37.7-7(b).
(3) That the patient has the right not to participate in the HIE; and A statement that a patient's choice to opt out of disclosingtheir confidential health careinformation from the HIE may be changed at any time.
(4) The patient's right to choose to: (i) Enroll in and participate fully in the HIE; or (ii) Designate only specific health care providers that may access the patient participant's confidential health care information. The method for opting out shall be provided by regulation in accordance with § 5-37.7-5.
(d) Except as specifically provided by state or federal law or this chapter, or use for clinical care, a patient participant's patient's confidential healthcare information shall not be accessed by, given, sold, transferred, or in any way relayed from the HIE to any other person or entity not specified in the patient participant authorization form meeting the requirements of subsection (c) without first obtaining additional authorization.
(e) Nothing contained in this chapter shall be construed to limit the permitted access to, or the release, transfer, access, or disclosure of, confidential healthcare information described in subsection (b) or under other applicable law.
(f) Confidential healthcare information received, disclosed, or held by the HIE shall not be subject to subpoena directed to the HIE or RHIO unless the following procedures have been completed: (i) The person seeking the confidential healthcare information has already requested and received the confidential healthcare information from the healthcare provider that was the original source of the information; and (ii) A determination has been made by the superior court, upon motion and notice to the HIE or RHIO and the parties to the litigation in which the subpoena is served, that the confidential healthcare information sought from the HIE is not available from another source and is either relevant to the subject matter involved in the pending action or is reasonably calculated to lead to the discovery of admissible evidence in such pending action. Any person issuing a subpoena to the HIE or RHIO pursuant to this section shall certify that such measures have been completed prior to the issuance of the subpoena.
(g) Nothing contained herein shall interfere with, or impact upon, any rights or obligations imposed by the Workers' Compensation Act as contained in chapters 29–38 29 through 38 of title 28.
(h) Nothing contained herein shall prohibit a health plan from becoming a data-submitting partner. A data-submitting partner is not considered a managed-care entity or a managed-care contractor, and the HIE is not considered a regional or local medical information database pursuant to § 5-37.3-4.
The HIE must be subject to at least the following security procedures:
(1) Authenticate the recipient of any confidential healthcare information disclosed by the HIE pursuant to this chapter pursuant to rules and regulations promulgated by the agency department;
(2) Limit authorized access to personally identifiable confidential healthcare information to persons havinga need toknow that information; additional employees or agentsmayhave access to de-identified information;
(3) Identify an individual or individuals who have responsibility for maintaining security procedures for the HIE;
(4) Provide an electronic or written statement to each employee or agent as to the necessity of maintaining the security and confidentiality of confidential healthcare information, and of the penalties provided for in this chapter for the unauthorized access, release, transfer, use, or disclosure of this information; and
(5) Take no disciplinary or punitive action against any employee or agent for bringing evidence of violation of this chapter to the attention of any person.
5-37.7-10. Patient's rights.
Pursuant to this chapter, a patient participant who has his or her confidential healthcare information transferred through included in the HIE shall have the following rights:
(1) To obtain a copy of his or her confidential healthcare information from the HIE;
(2) To obtain a copy of the disclosure report pertaining to his or her confidential healthcare information;
(3) To be notified as required by chapter 49.3 of title 11, the Rhode Island identity theft protection act, of a breach of the security system of the HIE;
(4) To terminate change his or her participation opt out status in the HIE in accordance with rules and regulations promulgated by the agency department;
(5) To request to amend his or her own information through the provider participant;
(6) To request his or her confidential healthcare information from the HIE be disclosed to an authorized representative; and
(7) To request his or her confidential healthcare information from the HIE be disclosed to healthcare providers who are not provider participants as defined by this chapter.
5-37.7-12. Reconciliation with other authorities.
(a) This chapter shall only apply to the HIE system, and does not apply to any other private and/or public-health information systems utilized in Rhode Island, including other health information systems utilized within or by a healthcare facility or organization.
(b) As this chapter provides extensive protection with regard to access to and disclosure of confidential healthcare information by the HIE, it supplements, with respect to the HIE only, any less stringent disclosure requirements, including, but not limited to, those contained in chapter 37.3 of this title, the Health Insurance Portability and Accountability Act (HIPAA) and regulations promulgated thereunder, and any other less stringent federal or state law.
(c) This chapter shall not be construed to interfere with any other federal or state laws or regulations that provide more extensive protection than provided in this chapter for the confidentialityofhealthcareinformation. Notwithstandingsuchprovision,becauseoftheextensive protections with regard to access to and disclosure of confidential healthcare information by the HIE provided for in this chapter, patient authorization obtained for access to or disclosure of information to or from the HIE or a provider participant shall be deemed the same authorization required by other state or federal laws including information regarding mental health (the Rhode Island mental health law, § 40.1-5-1 et seq.); HIV (§ 23-6.3-7); sexually transmitted disease (§§ 23-6.3-7and23-11-9);alcoholanddrugabuse(§23-1.10-1etseq.,42U.S.C.§290dd-2),orgenetic information (§ 27-41-53, § 27-20-39, and § 27-19-44).
SECTION 3. This act shall take effect upon passage.
BY THE LEGISLATIVE COUNCIL
A N A C T
RELATING TO BUSINESSES AND PROFESSIONS – RHODE ISLAND HEALTH
INFORMATION EXCHANGE ACT OF 2008
Thisact amendstheRhodeIslandHealthInformationExchangeAct of2008.Patient health care providers which participate in the "Health Information Exchange" (HIE) shall provide their patients with information that the patient may elect to opt out of disclosure of information from the HIE in accordance with regulations which shall be promulgated by the department of health.
This act would take effect upon passage. ======== LC002571 ========
NOTE: Electronic voting records are unofficial and may not be accurate. For an official vote tally, check the
House or Senate Journal from the day of the vote.