6.1 Authority
These Regulations are promulgated pursuant to the authority conferred under R.I. Gen. Laws § 5-37.7-5 for the purpose of establishing safeguards and confidentiality protections for the Health Information Exchange (HIE) in order to improve the quality, safety and value of health care, keep confidential health information secure and confidential and use the HIE to prevent disease and protect and promote the health and safety of the people of Rhode Island.
6.2 Definitions
A. Wherever used in this Part, the following terms shall be construed as follows:
1. “Act” means R.I. Gen. Laws Chapter 5-37.7 entitled, “The Rhode Island Health Information Exchange Act of 2008.”
2. “Administrative review” means the administrative processes contained in Practices and Procedures Before the Rhode Island Department of Health (Subchapter 05 Part 4 of this Chapter), and as otherwise permitted by the Administrative Procedures Act.
3. "Authorized representative" means:
a. A person empowered by the patient participant to assert or to waive confidentiality, or to disclose or authorize the disclosure of confidential information, as established by this Part. That person is not, except by explicit authorization, empowered to waive confidentiality or to disclose or consent to the disclosure of confidential information; or
b. A person appointed by the patient participant to make health care decisions on his or her behalf through a valid durable power of attorney for health care as set forth in R.I. Gen. Laws § 23-4.10-2; or
c. A guardian or conservator, with authority to make health care decisions, if the patient participant is decisionally impaired; or
d. Another legally appropriate medical decision maker, temporarily, if the patient participant is decisionally impaired and no health care agent, guardian or conservator is available; or
e. If the patient participant is deceased, his or her personal representative or, in the absence of that representative, his or her heirs-at-law; or
f. A parent with the authority to make health care decisions for the parent's child; or
g. A person authorized by the patient participant or their authorized representative to access their confidential health information from the HIE, including family members or other proxies as designated by the patient, to assist the patient participant with the coordination of their care.
4. "Business associate" means a business associate as defined by HIPAA, and its implementing Regulations (45 C.F.R. Parts 160 through 164).
5. "Confidential health information" means all identifiable information relating to a patient participant's health care history, diagnosis, condition, treatment, or evaluation.
6. "Data submitting partner" means an individual, organization or entity that has entered into a business associate agreement with the RHIO and submits patient participants' confidential health information through the HIE.
7. "Department" means the Rhode Island Department of Health.
8. “Director” means the Director of the Rhode Island Department of Health or his or her designee(s).
9. "Disclosure report" means a report generated by the HIE relating to the record of access to, review of and/or disclosure of a patient's confidential health information received, accessed or held by the HIE.
10. "Electronic mobilization" means the capability to move clinical information electronically between disparate health information systems while maintaining the accuracy of the information being exchanged.
11. "Emergency" means the sudden onset of a medical, mental, substance use, or other condition manifesting itself by acute symptoms of sufficient severity (e.g., severe pain) such that the absence of medical attention could reasonably be expected, by a prudent layperson, to result in placing the patient's health in serious jeopardy, serious impairment to bodily or mental functions, or serious dysfunction of any bodily organ or part.
12. "Gender markers" means the sex or gender designation recorded in a patient's medical records.
13. "Health care provider" means any person or entity licensed by this State to provide or lawfully providing health care services, including, but not limited to, a physician, hospital, intermediate care facility or other health care facility, dentist, nurse, optometrist, podiatrist, physical therapist, psychiatric social worker, pharmacist or psychologist, and any officer, employee, or agent of that provider acting in the course and scope of his or her employment or agency related to or supportive of health care services.
14. "Health care services" means acts of diagnosis, treatment, medical evaluation, referral or counseling or any other acts that may be permissible under the health care licensing statutes of this State.
15. "Health Information Exchange" or "HIE" means the technical system operated by the RHIO under State authority allowing for the statewide electronic mobilization of confidential health information, pursuant to the Act and this Part.
16. "Health plan" means an individual plan or a group plan that provides, or pays the cost of, health care services for patient participants.
17. "HIE Advisory Commission" means the advisory body established by the Department in order to provide community input and policy recommendations regarding the use of the confidential health information of the HIE.
18. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (45 C.F.R. Parts 160 through 164).
19. “HIPAA Final Omnibus Rule” means the HIPAA Regulations promulgated and effective March 25, 2013.
20. “HITECH” means the Health Information Technology for Economic and Clinical Health Act of 2009, Pub. Law 111-5 and its implementing Regulations.
21. "Opt-out form" means the form described in § 6.5.4 of this Part and by which a patient participant revokes permission for the RHIO to allow provider participants access to, review of, and/or disclosure of the patient participant's confidential health information by electronic, written or other means.
22. "Participant" means a patient participant, a patient participant's authorized representative, a provider participant, a data submitting partner, the regional health information organization, and the Department that has stored, submitted, accessed, and/or disclosed confidential health information via the HIE in accordance with the Act and this Part.
23. "Participation" means a participant's authorization, submission, access and/or disclosure of confidential health information in accordance with the Act and this Part.
24. "Patient matching" means the process of identification and linking of one (1) patient's data within and across the health systems at the RHIO in order to obtain a comprehensive view of that patient's health care record.
25. "Patient participant" means a person who receives health care services from a provider participant and whose protected health information is included in the HIE through the mechanisms established in the Act and this Part.
26. “Protected health information” means individually identifiable health information, including demographic information, that is collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse; that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
27. "Provider participant" means a pharmacy, laboratory, health care provider, or health plan that provides health care services or pays for the cost of health care services for a patient participant and/or is submitting or accessing health information through the HIE and has executed an electronic and/or written agreement regarding disclosure, access, receipt, retention or release of confidential health information to the HIE.
28. "Public Health Authorities" means an agency or authority of the United States Government, a State, a Territory, a Political Subdivision of a State or Territory, or an Indian Tribe, that is responsible for public health matters as a part of its official mandate. With regard to this Regulation, this includes: the Rhode Island Department of Health (RIDOH), the Executive Office of Health and Human Services (EOHHS), the Department of Children, Youth and Families (DCYF), and the Department of Behavioral Healthcare, Developmental Disabilities and Hospitals (BHDDH).
29. "Regional health information organization" or "RHIO" means the organization designated as the RHIO by the State of Rhode Island to provide administrative and operational support to the HIE.
30. "Security incident" means a security event that results in a compromise to the confidentiality, integrity, or availability of RHIO network resources, including information system damage, network disruptions, or significant loss of vital business assets. A security event that results in the unauthorized disclosure of confidential data is also known as a security breach.
31. “Unanticipated events” means instances in which the provider participant is unavailable and another health care provider is providing coverage to treat the patient participant.
32. “Unsecured protected health information” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the United States Secretary of Health and Human Services in guidance issued under § 13402(h)(2) of Pub. Law 111-5.
6.3 General Provisions
6.3.1 Participation in the Health Information Exchange (HIE)
A. A statewide Health Information Exchange (HIE) has been established pursuant to R.I. Gen. Laws Chapter 5-37.7. Confidential health information shall only be accessed, released or transferred from the HIE pursuant to R.I. Gen. Laws Chapter 5-37.7. In addition to the requirements set forth in R.I. Gen. Laws Chapter 5-37.7:
1. Patients and health care providers shall have the choice to participate in records-sharing via the HIE, as defined by the Act and this Part. Patient participants shall be able to rescind permission for disclosure to health care providers via the HIE ("opt out") by signing an opt-out form provided by the HIE. A patient participant may indicate his or her desire to opt out pursuant to § 6.5.1(A) of this Part and may subsequently reverse an opt-out decision pursuant to § 6.5.1(A)(5) of this Part.
2. Individuals shall be informed about the opportunity to opt out through provider participants and other publicly available means, and provider participants shall offer the opportunity to discuss HIE participation and consent options at the request of an individual patient. Individuals will be informed about the HIE through materials that explain the context and process of disclosure of health information through the HIE, including any and all choices available to the individual. The RHIO shall provide examples or templates of educational materials and any needed technical assistance to provider participants on patient education about the HIE.
3. When entering into a treating relationship with a provider participant, or no later than six (6) months after a provider begins submitting records to the HIE, individuals will be clearly informed of their opportunity to opt out in a distinct written document, whether paper, electronic, or web-based. The notification may be contained within a document detailing other privacy practices, but the HIE shall be specifically discussed. The notification shall include an explanation that, due to his or her provider's participation in the HIE, at a minimum, their protected health information may be disclosed to:
a. Health care providers that care for them in emergencies, on a temporary basis;
b. Public health authorities in the process of carrying out their functions, pursuant to R.I. Gen. Laws § 5-37.7-7(b)(2); and
c. Health plans where information is necessary for care management, quality, and performance measure reporting.
4. Individuals shall be notified by provider participants of their opportunity to opt out of participation in the HIE a minimum of sixty (60) days prior to opt-out policies going into effect ("go live"). This notification shall include all components specified in § 6.3.1(A)(3) of this Part, as well as clearly outline the methods available to complete an opt-out form as specified in § 6.5.1(A)(4) of this Part.
5. Mental health treatment information received from data submitting partners shall be included in the RHIO's repository of protected health information, and shall be subject to any opt-out form completed by a patient participant. Mental health treatment information shall not be stored or disclosed separately except as otherwise required by law or Regulation.
6. The RHIO shall maintain a dedicated telephone number staffed with qualified personnel who can respond to individuals’ questions related to any and all choices and processes available to the individual. If there are remaining concerns or complaints after contacting the RHIO, individuals can contact the Department of Health “Health Information Line.”
7. The RHIO shall maintain a process for reviewing and resolving complaints related to it, and to assist patient participants in resolving complaints.
a. The RHIO and all provider participants will accept complaints pertaining to the RI HIE. Provider participants will forward complaints to the RHIO.
b. The RHIO will appoint a Privacy Officer who will review all complaints. Complaints will not be public and will be kept confidential as required by law. Any confidential health information contained in the complaint will be protected in accordance with applicable State and Federal law.
c. Neither the RHIO nor provider participants will retaliate against, discriminate against, intimidate, coerce or otherwise take reprisals against patient participants or patient advocates for filing a complaint.
d. The RHIO will contractually require provider participants to comply with HIPAA, including establishing and implementing HIPAA-compliant policies and procedures.
e. Patient participants may lodge a complaint with the provider participant directly, with the RHIO or with the Department of Health. If a complaint is lodged directly with the RHIO and the RHIO refers the patient participant to the provider participant, and the provider participant cannot directly resolve the complaint or believes the complaint is in error, the patient participant may then submit it to the RHIO Privacy Officer for review and assistance as requested by the patient participant.
f. All patient participants lodging complaints directly with the RHIO will be directed to fill out a patient complaint form and will be given assistance if requested. If the complaint involves a provider participant, the RHIO will notify the provider participant if it addresses actions by the provider participant.
g. Any complaint regarding a breach of security, if appropriate, may invoke the RHIO's breach response procedures.
h. The RHIO shall maintain copies of all written patient complaint forms.
i. The disposition of the complaint shall be documented by the RHIO Privacy Officer as part of the complaint process.
j. For complaints lodged directly with the Department, the Department will follow its usual process for investigating complaints, and the complaint shall remain confidential from the public until it has been resolved. If applicable, once it is resolved, the Department will notify the RHIO Privacy Officer and/or provider participant. Any patient participant wishing to lodge a verbal complaint may do so by calling the Department of Health “Health Information Line.”
k. Any complaint lodged by a patient participant with the provider participant, the RHIO or the Department shall be resolved within thirty (30) days of submission.
l. The Department reserves the right to access the records of complaints received by the RHIO and the resolution of such complaints.
6.3.2 Rhode Island Regional Health Information Organization (RHIO)
A. The RHIO shall function pursuant to R.I. Gen. Laws Chapter 5-37.7. Additionally, the RHIO shall develop, implement, and maintain current policies and procedures including, but not limited to, the following topics:
1. Participant process to opt out (health care provider, health plan, and individual) that is consistent with § 6.3.1(A)(1) of this Part;
2. Termination of a patient participant's opt-out status that is consistent with § 6.5.1(A)(5) of this Part;
3. Handling of patient participant complaints and inquiries that is consistent with § 6.3.1(A)(2) of this Part;
4. The process through which a patient participant can obtain a copy of his or her confidential health information from the HIE that is consistent with § 6.5.1(A)(1) of this Part;
5. The process through which a patient participant can obtain a copy of the disclosure report pertaining to his or her confidential health information consistent with § 6.5.1(A)(4) of this Part;
6. Patient participant requests to amend his or her own information through the provider participant consistent with § 6.3.3(A)(2) of this Part;
7. Tiered access to confidential health information (i.e., criteria and controls to obtain varying degrees of access to data maintained by the HIE) consistent with § 6.3.3 of this Part;
8. Privacy, confidentiality and security pertaining to access and maintenance of patient participant confidential health information consistent with §§ 6.5 and 6.6 of this Part;
9. Temporary access to HIE data by provider participants that need to treat a person in emergencies consistent with § 6.3.1(A)(3) of this Part. Temporary access procedures should be easily accessible to a variety of health care team members and not present an undue burden during a medical emergency;
10. Patient participant notification, if required by either R.I. Gen. Laws Chapter 11-49.3 [Rhode Island Identity Theft Protection Act of 2015] or the HIPAA Final Omnibus Rule, regarding a detected breach of the security of the system of the HIE that may have resulted in the unauthorized access, use or disclosure of protected health information, personal information or Unsecured Protected Health Information consistent with § 6.5.1(A)(5) of this Part; and
11. Patient matching, including patient participants who have opted out of disclosure to health care providers.
a. RHIO staff shall review each completed opt-out form for completeness, accuracy, and effective matching to previously submitted medical records by provider participants.
b. Additional attention shall be paid to gender markers in patient matching and, wherever practical, effort shall be expended to ensure identity resolution takes into account gender diverse experiences.
12. Ongoing identity management, including a simplified process by which patient or provider participants may notify the RHIO that specific patient records should undergo review.
13. Data integrity, quality, and standardization.
14. Handling of sensitive types of protected health information, including but not limited to behavioral health, Human Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/AIDS), treatment for domestic violence or sexual assault, and genetic information.
B. The RHIO shall utilize a committee structure that encourages community involvement and transparency in the process of the development and implementation of its policies.
C. Patient participants have the right to access the RHIO’s notice of privacy practices, which will be posted on the RHIO’s websites. The Notice of Privacy Practices will be written in plain language and will contain applicable information such as: the uses and disclosures of PHI through the HIE, patient participants’ individual rights, the RHIO’s responsibilities regarding the privacy of patient participants’ information and the complaint process.
D. In the event that the RHIO fails to comply with this Part or has policies that do not comply with Federal and State laws, Rules and Regulations, the Director may notify the RHIO by certified or registered mail or by personal service setting forth the failure(s), and the RHIO shall be given the opportunity to cure such failure within the time designated by the Director. If the RHIO does not cure the failure, the Department may invoke contractual remedies, require specific monitoring or supervision to occur, or limit or suspend actions of the RHIO until such time as the corrective action has cured the failure. The Department may also notify the Secretary of the United States Department of Health and Human Services and the Rhode Island Department of Attorney General if the Department of Health believes the failure to comply with this Part amounts to a HIPAA violation. The RHIO or the Department may request a prompt and fair hearing in accordance with R.I. Gen. Laws § 42-35-9. Nothing in this Part shall limit the authority or jurisdiction conferred upon the Department of Attorney General to bring an action against the RHIO pursuant to § 6.8 of this Part for a violation of this Part and/or HITECH.
E. In the event of the insolvency or involuntary dissolution of the RHIO, the assets and operations comprising the HIE, including the protection of the protected health information of the enrollees of the HIE, shall be transitioned or transferred in accordance with an Order of a court of proper jurisdiction.
F. In the event of a voluntary dissolution of the RHIO, the RHIO will give the Department thirty (30) days’ notice. The Department has a contractual right of first refusal to purchase only the assets comprising the HIE at the appraised value.
G. In the event of either of the above, the RHIO shall be responsible to safeguard the protected health information in its care, custody and control until the PHI has been transferred to another entity.
6.3.3 Special Requirements Pertaining to the Health Information Exchange (HIE) and the Rhode Island Regional Health Information Organization (RHIO)
A. Pursuant to R.I. Gen. Laws § 5-37.7-4(e), the HIE and the RHIO have an obligation to maintain, and abide by the terms of, HIPAA-compliant business associate agreements, as well as:
1. The RHIO will maintain user access permission profiles to determine which PHI may be accessed by authorized users according to specific role classification and shall implement policies and procedures regarding user authentication;
2. In response to a request by a patient participant to make an amendment to his or her PHI contained in the HIE, the RHIO will provide the patient participant with a “Request to Amend Health Information” form to submit to the originating provider participant and, if so directed by the provider participant, will amend the record in accordance with HIPAA, the Act and this Part. The “Request to Amend Health Information” form shall be available from the RHIO website, by calling the RHIO, or by requesting the form in writing.
a. As soon as possible, but no later than sixty (60) days after receipt of a request from a patient participant to amend health information, the provider participant shall either forward the corrected information to the RHIO for processing or notify the patient participant, in writing, why the request to amend health information has been denied.
b. As soon as possible, but no later than thirty (30) days after receipt of a request from a provider participant to amend a confidential health care record, the RHIO/HIE shall process the request and notify the provider participant, in writing, that the requested amendment to health information has been completed.
3. If the patient participant requests a change to his or her CurrentCare record, and the RHIO determines that the change is due to an operational issue, the RHIO will address the error pursuant to its internal error resolution procedures by making the correction and notifying the patient participant within thirty (30) days of the correction that the correction has been made.
4. The RHIO shall have written data sharing agreements in place with provider participants who submit data to the HIE. Such agreements shall, at a minimum, contain all required business associate agreement components.
5. The RHIO shall have written end user agreements in place with provider participants who access data in the HIE. Such agreements shall, at a minimum, describe the roles and responsibilities of both the end user and the RHIO regarding appropriate use of the HIE and assuring patient rights in accordance with applicable Federal and State law.
6.3.4 Reconciliation with Other Authorities
Reconciliation with other authorities shall be pursuant to R.I. Gen. Laws § 5-37.7-12.
6.3.5 Professional Responsibilities
In accordance with applicable State laws and Regulations promulgated thereunder, a provider participant that abandons a patient or denies treatment to a new or existing patient solely on the basis of the patient’s decision to opt out of disclosures from the HIE, when the patient’s health information can be obtained from other sources, may be subject to administrative review by the Department, including, but not limited to, the Department’s Professional Boards, and the Director. The processes contained in Practices and Procedures Before the Rhode Island Department of Health (Subchapter 05 Part 4 of this Chapter), and as otherwise permitted by the Administrative Procedures Act, shall apply.
6.4 HIE Advisory Commission
A. Pursuant to R.I. Gen. Laws § 5-37.7-5(c), the Director shall establish an HIE Advisory Commission of no more than nine (9) members that shall be responsible for recommendations relating to the type of and use of, and appropriate confidentiality protection for, the confidential health information of the HIE, subject to regulatory oversight by the Department. The responsibilities of the HIE Advisory Commission shall be pursuant to R.I. Gen. Laws § 5-37.7-5.
B. Pursuant to R.I. Gen. Laws § 5-37.7-5(c), the Director shall recommend prospective HIE Advisory Commission members to the Governor, subject to the advice and consent of the Senate. The membership of the HIE Advisory Commission shall include one (1) person with experience in HIPAA and privacy and security of health care information requirements, one (1) person with experience in operations, maintenance and security of complex electronic databases, one (1) person who is a health care consumer or consumer advocate, one (1) person who represents a minority or underserved population, one (1) person who has experience in epidemiology and the use of data for public health purposes, and no more than three (3) persons employed by a health care delivery organization, at least two (2) of whom shall be physicians licensed pursuant to R.I. Gen. Laws Chapter 5-37. The remaining member(s) shall be selected from business professionals and health care consumers whose experience and expertise will facilitate the work of the Commission.
C. The Director shall appoint a chairperson for the HIE Advisory Commission.
D. HIE Advisory Commission members shall be appointed for a term of two (2) years. A Commission member may be reappointed for an additional term, but shall not be eligible to serve more than three (3) consecutive terms. RHIO staff and board members shall not be eligible for appointment to the Commission.
E. The HIE Advisory Commission shall meet at least annually and shall not vote on any recommendations regarding the use of confidential health information unless a quorum is present.
F. The RHIO shall report at least annually to the HIE Advisory Commission and the Department on topics such as, but not limited to:
1. Usage of the HIE;
2. Security assessment results;
3. Opt-out frequency and characteristics;
4. Patient matching;
5. Education and outreach campaigns regarding public awareness of the HIE;
6. Data requests; and
7. Disclosure report requests.
8. Additionally, the HIE Advisory Commission may request at any time to review the policies and procedures required of the RHIO in §§ 6.3.2 and 6.6 of this Part.
G. The HIE Advisory Commission shall be informed of any newly introduced exchanges of confidential health information from the RHIO to the Department for public health purposes, in order to ensure transparency to the public on uses of data contained within the HIE.
H. The HIE Advisory Commission shall actively obtain and consider public input on all recommendations prior to submitting them to the Director. All meetings of the HIE Advisory Commission shall be subject to R.I. Gen. Laws Chapter 42-46 (Open Meetings).
I. The Director may recommend to the Governor that any HIE Advisory Commission member be removed for cause, including, but not limited to, failure to attend Commission meetings on a regular basis.
6.5Confidentiality Protections
6.5.1Patients’ Rights
A.In addition to the requirements of R.I. Gen. Laws Chapter 5-37.7 and this Part, a patient participant who has his or her confidential health information in the HIE shall have the following rights:
1.To obtain a copy of his or her confidential health information from the HIE by:
a.Submitting a valid and authenticated request to access the HIE record via the methods made available by the RHIO.
b.The form and methods shall be publicly available through posting on the HIE website including enrolling in any available patient portal.
c.Requestors may also call the CurrentCare information line to complete and submit the information on the form over the phone. To do so, the requestor must successfully complete the requirements of the identity verification process by supplying identifying information through a series of questions initiated by a RHIO representative over the phone and for the sole purpose of a single occurrence of a telephone request to submit the form.
d.If the requestor prefers, he or she may fill out a form in person at the RHIO offices after identity verification has occurred. The requestor may either obtain an enrollee request to access record form via the website or request a form be mailed to them.
e.If neither is possible, then the requestor may send a letter containing the same information as is required by the form and have it authenticated in the same manner as the written form.
2.To obtain a copy of the disclosure report pertaining to his or her confidential health information by submitting a request for a disclosure report. The forms along with information about where to submit the form shall be publicly available through posting on the HIE website; The RHIO will make every effort to provide disclosure reports in a prompt manner while recognizing that State and Federal law allow up to sixty (60) days to respond. If extenuating circumstances arise, the RHIO may have an additional thirty (30) days to provide the disclosure report to the enrollee. Each request for disclosure history will be addressed in accordance with 45 C.F.R. § 164.528. A charge for a copy of the disclosure report may be imposed if consistent with State law and 45 C.F.R. § 164.528. In accordance with 45 C.F.R. § 164.528(c)(2), the first (1st) disclosure report shall be provided to a patient participant in any twelve (12) month period at no cost to the patient participant.
3. To be notified, if required by either R.I. Gen. Laws Chapter 11-49.2 [Rhode Island Identity Theft Protection Act], or the HIPAA Final Omnibus Rule, of a breach of the security system of the HIE that resulted in the unauthorized access, use or disclosure of personal information or unsecured protected health information.
4. To opt out of having health information disclosed to health care providers through the HIE at any time in accordance with the Act and this Part by submitting an Opt-Out form to the RHIO.
a. Opt-out forms provided by the HIE shall be broadly available and accessible through a variety of methods. At minimum, such methods must include paper forms submitted by fax or mail, and electronic submission by website.
b. Opt-out forms shall be provided with appropriate accommodations to individuals experiencing disabilities, to the extent possible.
c. Opt-out forms provided by the HIE shall be available in a multitude of languages reflecting those most commonly used by Rhode Island patients, including, but not limited to, English, Spanish, and Portuguese.
d. Consent decisions of any type shall be recorded or indicated directly by the patient participant or his or her authorized representative, and not by a provider participant or other intermediary.
5. A completed opt-out form may be revoked at any time ("opting in" again) in accordance with the Act and this Part. The form and methods for reversing an opt-out decision shall be publicly available through posting on the HIE website, or the patient participant or authorized representative may call the RHIO to request that a form be sent to them.
6. Upon a patient participant's completed opt-out form, the patient's confidential health information in the HIE will no longer be accessible to a provider participant. Nothing in this Part shall preclude a provider participant from accessing the provider participant's own record of the patient. A patient's decision to opt out will not affect previous disclosures or access to the patient's health information.
a. A patient participant's opt-out form shall apply to any disclosure of protected health information to health care providers by the RHIO where that protected health information was obtained due to designation as the RHIO, except as otherwise described for temporary access in an emergency.
7. Since the HIE does not create patient confidential health information, but receives confidential health information from provider participants, the patient participant may request to amend his or her own information through provider participants by submitting a request to amend confidential health information form consistent with this Part. The form and methods shall be publicly available through posting on the HIE website, or the patient participant or authorized representative may call the RHIO to request that a form be sent to them. The RHIO will respond directly to a patient participant's request and follow its policies and procedures if there is an administrative error that does not require an amendment to the record received from the provider participant.
8. Following any health care provider's temporary access of a patient participant's protected health information via emergency procedures in the HIE, the health care provider shall notify the patient participant or his or her authorized representative of the temporary access as soon as is feasible. The temporary access shall not extend beyond the duration of the emergency. The health care provider or facility treating the emergency shall determine the existence of a medical emergency, its duration, and which personnel are needed to address the medical emergency.
6.5.2 Confidentiality Protections
A. Confidentiality protections for patient participants in the HIE are pursuant to R.I. Gen. Laws Chapter 5-37.7 and this Part. The RHIO shall submit the policies and procedures described in § 6.3.2(A) to the Department upon request and at least annually.
1. Confidentiality protections for patient participants in the HIE are also pursuant to R.I. Gen. Laws § 40.1-5-26, 45 C.F.R. § 164.528 and 42 C.F.R. Part 2.
6.5.3 Secondary Disclosure
Secondary disclosure Rules shall be pursuant to those stated in R.I. Gen. Laws § 5-37.7-9.
6.5.4 Opt-Out Form
A. The opt-out form for opting out of access to, or the disclosure, release or transfer of, confidential health information from the HIE shall conform with the requirements of R.I. Gen. Laws Chapter 5-37.7; and additionally contain other information required by the RHIO, in consultation with the HIE Advisory Commission and the Director.
B. Except as specifically set forth in R.I. Gen. Laws § 5-37.7-7(b), the RHIO shall not allow access to or disclosure of a patient participant's confidential health information unless it is in accordance with the patient participant's authorization.
C. Except as set forth in R.I. Gen. Laws § 5-37.7-7(b), the RHIO will not allow access to or disclosure of a patient participant's confidential health information to a provider participant unless the recipient has entered into a Data Use Agreement with the RHIO.
D. The RHIO shall not accept or respond to any authorization for requesting disclosure of the patient participant's health information for any purpose other than as set forth by the Act and this Part.
E. Any request to opt-out from the HIE pursuant to § 6.5.1 of this Part shall be on forms which are provided by the RHIO in accordance with § 6.5.1 of this Part. Requests to opt out from the HIE shall be made in accordance with § 6.5.1(A)(6) of this Part.
6.5.5 Release of Confidential Health Information in Conjunction with Legal Proceedings
Release of confidential health information in conjunction with legal proceedings shall occur pursuant to R.I. Gen. Laws Chapter 5-37.7.
6.6 Security Requirements
6.6.1 Minimum Security Requirements
The RHIO and HIE shall implement security procedures pursuant to R.I. Gen. Laws § 5-37.7-8.
6.6.2 Safeguards and Security Measures
The RHIO shall have in place appropriate physical, technical and procedural safeguards and security measures to ensure the technical integrity, physical safety, and confidentiality of any confidential health information in the HIE. These safeguards and security measures shall be in place at all times and at any location at which the RHIO, its workforce members, or its contractors hold or access confidential health information. Such safeguards and security measures shall comply with State and Federal confidentiality laws and Regulations including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing Regulations (45 C.F.R. Parts 160 through 164), HITECH and the HIPAA Final Omnibus Rule.
6.6.3 Security Framework
The RHIO shall develop appropriate and scalable security standards, policies, and procedures in compliance with the Rhode Island Division of Information Technology Enterprise Strategy and Services policies, which are developed in alignment with the National Institute of Standards and Technology (NIST) security policies and controls.
6.6.4 Security Management
A. The RHIO shall:
1. Maintain and effectively implement written policies and procedures that conform to the requirements of this Section to protect the confidentiality, integrity, and availability of the confidential health information that is processed, stored, and transmitted; to protect against any reasonably anticipated threats or hazards to the security or integrity of the confidential health information; and to monitor, modify and improve the effectiveness of such policies and procedures, and
2. Train the RHIO workforce who access or hold confidential health information regarding the requirements of the Act, this Part and the RHIO's policies and procedures regarding the confidentiality and security of confidential health information. The RHIO will secure written acknowledgement of training of its employees.
6.6.5 Separation of Systems
A. The RHIO shall:
1. Maintain confidential health information, whether in electronic or other media, physically and functionally separate from any other system of records;
2. Protect the media, whether in electronic, paper, or other format, that contain confidential health information, limiting access to authorized users and sanitizing and destroying such media before disposal or release for reuse; and
3. Establish physical and environmental protections, to control and limit physical and virtual access to places and equipment where confidential health information is stored or used.
6.6.6 Security Control and Monitoring
A. The RHIO shall:
1. Identify those authorized to have access to confidential health information and maintain an audit capacity to detect unlawful, unauthorized or inappropriate access to confidential health information, and
2. Establish measures to prevent unauthorized removal, transmission or disclosure of confidential health information in the HIE.
6.6.7 Security Assessment
A. The RHIO shall:
1. Perform periodic assessments of security risks and controls, as determined appropriate by the RHIO, to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.
2. Address system and communications protection, to monitor, control, and protect RHIO uses, communications, and transmissions involving confidential health information to and from entities authorized to access the HIE.
3. Inform the Department of any security incidents or potential security incidents, including credible complaints of potential security incidents, as soon as possible but no later than twenty-four (24) hours after the occurrence.
6.7 Immunity and Waivers
Immunity and waiver Rules shall be pursuant to those stated in R.I. Gen. Laws §§ 5-37.7-11 and 5-37.7-14.
6.8 Penalties — Attorneys' Fees for Violations
Penalties shall be pursuant to those stated in R.I. Gen. Laws § 5-37.7-13.