These regulations are promulgated pursuant to the authority conferred under R.I. Gen. Laws § 5-37.7-5 for the purpose of establishing safeguards and confidentiality protections for the Health Information Exchange (HIE) in order to improve the quality, safety and value of health care, keep confidential health information secure and confidential and use the HIE to progress toward meeting public health goals.

A. Wherever used in this Part, the following terms shall be construed as follows:

1. “Act” means R.I. Gen. Laws Chapter 5-37.7 entitled, “The Rhode Island Health Information Exchange Act of 2008.”

2. “Administrative review” means the administrative processes contained in rules and regulations pertaining to Practices and Procedures Before the Rhode Island Department of Health (Subchapter 05 Part 4 of this Chapter), and as otherwise permitted by the Administrative Procedures Act.

3. "Authorized representative" means:

a. A person empowered by the patient participant to assert or to waive confidentiality, or to disclose or authorize the disclosure of confidential information, as established by this Part. That person is not, except by explicit authorization, empowered to waive confidentiality or to disclose or consent to the disclosure of confidential information; or

b. A person appointed by the patient participant to make health care decisions on his or her behalf through a valid durable power of attorney for health care as set forth in R.I. Gen. Laws § 23-4.10-2; or

c. A guardian or conservator, with authority to make health care decisions, if the patient participant is decisionally impaired; or

d. Another legally appropriate medical decision maker, temporarily, if the patient participant is decisionally impaired and no health care agent, guardian or conservator is available; e. If the patient participant is deceased, his or her personal representative or, in the absence of that representative, his or her heirs-at-law;

e. A parent with the authority to make health care decisions for the parent's child; or

f. A person authorized by the patient participant or their authorized representative to access their confidential health information from the HIE, including family members or other proxies as designated by the patient, to assist patient participant with the coordination of their care.

4. "Authorization form" means the form described in § 6.5.4 of this Part and by which a patient participant provides authorization for the RHIO to allow access to, review of, and/or disclosure of the patient participant's confidential health information by electronic, written or other means.

5. "Business associate" means a business associate as defined by HIPAA, and its implementing regulations (45 C.F.R. §§ 160 through 164).

6. "Confidential health information" means all identifiable information relating to a patient participant's health care history, diagnosis, condition, treatment, or evaluation.

7. "Data submitting partner" means an individual, organization or entity that has entered into a business associate agreement with the RHIO and submits patient participants' confidential health information through the HIE.

8. "Department" means the Rhode Island Department of Health.

9. “Director” means the Director of the Rhode Island Department of Health or his/her designee(s).

10. "Disclosure report" means a report generated by the HIE relating to the record of access to, review of and/or disclosure of a patient's confidential health information received, accessed or held by the HIE.

11. "Electronic mobilization" means the capability to move clinical information electronically between disparate health information systems while maintaining the accuracy of the information being exchanged.

12. "Health care provider" means any person or entity licensed by this state to provide or lawfully providing health care services, including, but not limited to, a physician, hospital, intermediate care facility or other health care facility, dentist, nurse, optometrist, podiatrist, physical therapist, psychiatric social worker, pharmacist or psychologist, and any officer, employee, or agent of that provider acting in the course and scope of his or her employment or agency related to or supportive of health care services.

13. "Health care services" means acts of diagnosis, treatment, medical evaluation, referral or counseling or any other acts that may be permissible under the health care licensing statutes of this state.

14. "Health Information Exchange" or "HIE" means the technical system operated by the RHIO under state authority allowing for the statewide electronic mobilization of confidential health information, pursuant to the Act and this Part.

15. "Health plan" means an individual plan or a group plan that provides, or pays the cost of, health care services for patient participants.

16. "HIE Advisory Commission" means the advisory body established by the Department in order to provide community input and policy recommendations regarding the use of the confidential health information of the HIE.

17. "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (45 C.F.R. §§ 160 through 164).

18. “HIPAA Final Omnibus Rule” means the HIPAA regulations promulgated and effective March 25, 2013.

19. “HITECH” means the Health Information Technology for Economic and Clinical Health Act of 2009, Public Law 111-5 and its implementing regulations.

20. "Participant" means a patient participant, a patient participant's authorized representative, a provider participant, a data submitting partner, the regional health information organization and the Department, that has agreed to authorize, submit, access and/or disclose confidential health information via the HIE in accordance with the Act and this Part.

21. "Participation" means a participant's authorization, submission, access and/or disclosure of confidential health information in accordance with the Act and this Part.

22. "Patient participant" means a person who receives health care services from a provider participant and has agreed to participate in the HIE through the mechanisms established in the Act and this Part.

23. “Protected health information” means individually identifiable health information including demographic information that is collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

24. "Provider participant" means a pharmacy, laboratory, health care provider, or health plan that is providing health care services or pays for the cost of health care services for a patient participant and/or is submitting or accessing health information through the HIE and has executed an electronic and/or written agreement regarding disclosure, access, receipt, retention or release of confidential health information to the HIE.

25. "Regional health information organization" or "RHIO" means the organization designated as the RHIO by the State of Rhode Island to provide administrative and operational support to the HIE.

26. “Unanticipated events” means instances in which the provider participant is unavailable and another health care provider is providing coverage to treat the patient participant.

27. “Unsecured protected health information” means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the United States Secretary of Health and Human Services in guidance issued under section 13402(h)(2) of Public Law 111-5.

6.3.1 Participation in the Health Information Exchange (HIE)

A. A statewide Health Information Exchange (HIE) has been established pursuant to R.I. Gen. Laws Chapter 5-37.7. Confidential health information shall only be accessed, released or transferred from the HIE pursuant to R.I. Gen. Laws Chapter 5-37.7. In addition to the requirements set forth in R.I. Gen. Laws 5-37.7:

1. Participation in the HIE is voluntary; and may be terminated at any time. Patients and health care providers shall have the choice to participate in the HIE, as defined by the Act and this Part. Patient participants shall agree to participate by signing an authorization form provided by the HIE. Patient participants may terminate their participation in the RI HIE pursuant to § 6.5.1(A)(6) of this Part.

2. Individuals shall be informed about the opportunity to enroll in the HIE through provider participants and other publicly available means. Individuals will be informed about the HIE through materials that explain the context and process of HIE enrollment, including any and all choices available to the individual such as identifying which provider participants will be able to view their health care information through the HIE.

3. Individuals will be informed that by enrolling in the HIE, at a minimum, they are authorizing health care providers that care for them in emergencies or other unscheduled events, to access their health information through the RI HIE on a temporary basis. Individuals will also be informed that in addition to the ability to terminate enrollment in the HIE, they have the ability to revoke authorization of a provider participant to further access their health information through the HIE consistent with § 6.5.1 of this Part.

4. The RHIO shall maintain a dedicated telephone number staffed with qualified personnel who can respond to individuals’ questions related to enrollment choices and processes. If there are remaining concerns or complaints after contacting the RHIO, individuals can contact the Department of Health “Health Information Line.”

5. The RHIO shall maintain a process for reviewing and resolving complaints related to it, and to assist patient participants in resolving complaints.

a. The RHIO and all provider participants will accept complaints pertaining to the RI HIE. Provider participants will forward complaints to the RHIO.

b. The RHIO will appoint a Privacy Officer who will review all complaints. Complaints will not be public and will be kept confidential as permitted by law. Any confidential health information contained in the complaint will be protected in accordance with applicable state and federal law.

c. Neither the RHIO nor provider participants will retaliate, discriminate against, intimidate, coerce or otherwise reprise patient participants or patient advocates relating to the filing of a complaint or for filing a complaint.

d. The RHIO will contractually require provider participants to comply with HIPAA, including establishing and implementing HIPAA compliant policies and procedures.

e. Patient participants may lodge a complaint with the provider participant directly, with the RHIO or with the Department of Health. If a complaint is lodged directly with the RHIO and the RHIO refers the patient participant to the provider participant and the provider participant cannot directly resolve the complaint or believes the complaint is in error, the patient participant may then submit it to the RHIO Privacy Officer for review and assistance as requested by the patient participant.

f. All patient participants lodging complaints directly with the RHIO will be directed to fill out a patient complaint form and will be given assistance if requested. If the complaint involves a provider participant, the RHIO will notify the provider participant if it addresses actions by the provider participant.

g. Any complaint regarding breach of security, if appropriate, may invoke the response to breach procedures by the RHIO.

h. The RHIO shall maintain copies of all written patient complaint forms.

i. The disposition of the complaint shall be documented by the RHIO Privacy Officer as part of the complaint process.

j. For complaints lodged directly to the Department, the Department will follow its usual process for investigating complaints and the complaint shall remain confidential to the public until it has been resolved. If applicable, once it is resolved, the Department will notify the RHIO Privacy Officer and/or provider participant. Any patient participant wishing to lodge a verbal complaint may do so by calling the Department of Health “Health Information Line.”

k. Any complaint lodged by a patient participant with the provider participant, the RHIO or the Department shall be resolved within thirty (30) days of submission.

l. The Department reserves the right to access the records of complaints received by the RHIO and the resolution of such complaints.

6.3.2 Rhode Island Regional Health Information Organization (RHIO)

A. The RHIO shall function pursuant to R.I. Gen. Laws Chapter 5-37.7. Additionally, the RHIO shall develop and implement current policies and procedures including, but not limited to, the following topics:

1. Participant enrollment (health care provider, health plan, and individual) that is consistent with § 6.3.1(A)(1) of this Part;

2. Patient participant’s termination of enrollment that is consistent with §§ 6.3.1(A)(1) and 6.5 of this Part;

3. Termination of patient participant authorization for provider participant access that is consistent with § 6.5.1(A)(5) of this Part;

4. Handling patient participant complaints and inquiries that is consistent with § 6.3.1(A)(2) of this Part;

5. The process through which a patient participant can obtain a copy of his or her confidential health information from the HIE that is consistent with § 6.5.1(A)(1) of this Part;

6. The process through which a patient participant can obtain a copy of the disclosure report pertaining to his or her confidential health information consistent with § 6.5.1(A)(4) of this Part;

7. Patient participant requests to amend his or her own information through the provider participant consistent with § 6.3.3(A)(2) of this Part;

8. Tiered access to confidential health information (i.e., criteria and controls to obtain varying degrees of access to data maintained by the HIE) consistent with § 6.3.3 of this Part;

9. Privacy, confidentiality and security pertaining to access and maintenance of patient participant confidential health information consistent with §§ 6.5 and 6.6 of this Part;

10. Temporary access to HIE data by provider participants that need to treat a person in emergencies or other unanticipated events consistent with § 6.3.1(A)(1) of this Part; and

11. Patient participant notification, if required by either R.I. Gen. Laws Chapter 11-49.3 [Rhode Island Identity Theft Protection Act of 2015] or the HIPAA Final Omnibus Rule, regarding a detected breach of the security of the system of the HIE that may have resulted in the unauthorized access, use or disclosure of protected health information, personal information or Unsecured Protected Health Information consistent with § 6.5.1(A)(5) of this Part.

B. The RHIO shall utilize a committee structure that encourages community involvement and transparency in the process of the development and implementation of its policies.

C. Patient participants have the right to access the RHIO’s notice of privacy practices which will be posted on the RHIO’s websites, www.riqi.org and www.currentcareri.org. The Notice of Privacy Practices will be written in plain language and will contain applicable information such as: the uses and disclosures of PHI through the HIE, patient participants’ individual rights, the RHIO’s responsibilities regarding the privacy of patient participants’ information and the complaint process.

D. In the event that the RHIO fails to comply with this Part or has policies that do not comply with federal and state laws, rules and regulations, the Director may notify the RHIO by certified or registered mail or by personal service setting forth the failure(s) and the RHIO shall be given the opportunity to cure such failure within the time designated by the Director. If the RHIO does not cure the failure, the Department may invoke contractual remedies, require specific monitoring or supervision to occur, or limit or suspend actions of the RHIO until such time as the corrective action has cured the failure. The Department may also notify the Secretary of the United State Department of Health and Human Services and the Rhode Island Department of Attorney General if the Department of Health believes the failure to comply with this Part amounts to a HIPAA violation. The RHIO, or the Department may request a prompt and fair hearing in accordance with R.I. Gen. Laws § 42-35-9. Nothing in this Part shall limit the authority of the jurisdiction conferred upon the Department of Attorney General to bring an action against the RHIO pursuant to § 6.8 of this Part for a violation of this Part and/or HITECH.

E. In the event of the insolvency or involuntary dissolution of the RHIO, the assets and operations comprising the HIE, including the protection of the protected health information of the enrollees of the HIE, shall be transitioned or transferred in accordance with an Order of a court of proper jurisdiction.

F. In the event of a voluntary dissolution of the RHIO, the RHIO will give the Department thirty (30) days’ notice. The Department has a contractual right of first refusal to purchase only the assets comprising the HIE at the appraised value.

G. In the event of either of the above, the RHIO shall be responsible to safeguard the protected health information in its care, custody and control until the PHI has been transferred to another entity.

6.3.3 Special Requirements Pertaining to the Health Information Exchange (HIE) and the Rhode Island Regional Health Information Organization (RHIO)

A. Pursuant to R.I. Gen. Laws § 5-37.7-4(e), the HIE and the RHIO have an obligation to maintain, and abide by the terms of, HIPAA-compliant business associate agreements, as well as:

1. The RHIO will maintain user access permission profiles to determine which PHI may be accessed by authorized users according to specific role classification and shall implement policies and procedures regarding user authentication;

2. In response to a request by a patient participant to make an amendment to his/her PHI contained in the HIE, the RHIO will provide the patient participant with a “Request to Amend Health Information” form to submit to the originating provider participant and if so directed by the provider participant, will amend the record in accordance with HIPAA, the Act and this Part. The “Request to Amend Health Information” form shall be available from the CurrentCare website (www.currentcareri.org), by calling the RHIO, or by requesting the form in writing.

a. As soon as possible, but no later than sixty (60) days after receipt of a request from a patient participant to amend health information, the provider participant shall either forward the corrected information to the RHIO for processing or notify the patient participant, in writing, why the request to amend health information has been denied.

b. As soon as possible, but no later than thirty (30) days after receipt of a request from a provider participant to amend a confidential health care record, the RHIO/HIE shall process the request and notify the provider participant, in writing, that the requested amendment to health information has been completed.

3. If the patient participant requests a change to his or her CurrentCare record, and the RHIO determines that the change is due to an operational issue, the RHIO will address the error pursuant to its internal error resolution procedures by making the correction and notifying the patient participant within thirty (30) days of the correction that the correction has been made.

4. The RHIO shall have written data sharing agreements in place with provider participants who submit data to the HIE. Such agreements shall, at a minimum, contain all required business associate agreement components.

5. The RHIO shall have written end user agreements in place with provider participants who access data in the HIE. Such agreements shall, at a minimum, describe roles and responsibilities of both the end user and the RHIO regarding appropriate use of the HIE and assuring patient rights in accordance with applicable federal and state law.

6.3.4 Reconciliation with Other Authorities

Reconciliation with other authorities shall be pursuant to R.I. Gen. Laws § 5-37.7-12.

6.3.5 Professional Responsibilities

In accordance with applicable state laws and regulations promulgated thereunder, a provider participant that abandons a patient or denies treatment to a new or existing patient solely on the basis of the patient’s refusal to participate in the HIE, when the patient’s health information can be obtained from other sources, may be subject to administrative review by the Department, including, but not limited to the Department’s Professional Boards, and the Director. The processes contained in rules and regulations pertaining to Practices and Procedures Before the Rhode Island Department of Health (Subchapter 05 Part 4 of this Chapter), and as otherwise permitted by the Administrative Procedures Act, shall apply.

A. Pursuant to R.I. Gen. Laws § 5-37.7-5(c), the Director shall establish an HIE Advisory Commission of no more than nine (9) members that shall be responsible for recommendations relating to the type of and use of, and appropriate confidentiality protection for, the confidential health information of the HIE, subject to regulatory oversight by the Department. The responsibilities of the HIE Advisory Commission shall be pursuant to R.I. Gen. Laws § 5-37.7-5.

B. Pursuant to R.I. Gen. Laws § 5-37.7-5(c), the Director shall recommend prospective HIE Advisory Commission members to the Governor, subject to the advice and consent of the Senate. The membership of the HIE Advisory Commission shall include one (1) person with experience in HIPAA and privacy and security of health care information requirements, one (1) person with experience in operations, maintenance and security of complex electronic databases, one (1) person who is a health care consumer or consumer advocate, one (1) person who represents a minority or underserved population, one (1) person who has experience in epidemiology and the use of data for public health purposes, and no more than three (3) persons employed by a health care delivery organization, at least two (2) of whom shall be a physician licensed pursuant to R.I. Gen. Laws Chapter 5-37. The remaining member(s) shall be selected from business professionals and health care consumers whose experience and expertise will facilitate the work of the Commission.

C. The Director shall appoint a chairperson for the HIE Advisory Commission.

D. HIE Advisory Commission members shall be appointed for a term of two (2) years. A Commission member may be reappointed for an additional term, but shall not be eligible to serve more than three (3) consecutive terms. RHIO staff and board members shall not be eligible for appointment to the Commission.

E. The HIE Advisory Commission shall meet at least annually and shall not vote on any recommendations regarding the use of confidential health information unless a quorum is present.

F. The HIE Advisory Commission shall report annually to the Department and the RHIO, and such report shall be made public.

G. The HIE Advisory Commission shall actively obtain and consider public input on all recommendations prior to submitting them to the Director. All meetings of the HIE Advisory Commission shall be subject to R.I. Gen. Laws Chapter 42-46 (Open Meetings).

H. The Director may recommend to the Governor that any HIE Advisory Commission member be removed for cause, including but not limited to, failure to attend Commission meetings on a regular basis.

6.5.1 Patients’ Rights

A. In addition to the requirements of R.I. Gen. Laws Chapter 5-37.7 and this Part, a patient participant who has his or her confidential health information in the HIE shall have the following rights:

1. To obtain a copy of his/her confidential health information from the HIE by:

a. Submitting a valid and authenticated request to access the HIE record via the methods made available by the RHIO.

b. The form and methods shall be publicly available through posting on the HIE website (www.currentcareri.org) including enrolling in CurrentCare for Me.

c. Requestors may also call the CurrentCare information line to complete and submit the information on the form over the phone. To do so, the requestor must successfully complete the requirements of the identity verification process by supplying identifying information through a series of questions initiated by a RHIO representative over the phone and for the sole purpose of a single occurrence of a telephone request to submit the form.

d. If the requestor prefers, he or she may fill out a form in person at the RHIO offices after identity verification has occurred. The requestor may either obtain an enrollee request to access record form via the website or request a form be mailed to them.

e. If neither is possible, then the requestor may send a letter containing the same information as is required by the form and have it authenticated in the same manner as the written form.

2. To designate which provider participant(s) are authorized to access his/her confidential health information through the HIE by completing a valid and authenticated enrollment and authorization form setting forth the provider participants who are authorized to have access to his/her confidential health information through the HIE. The form shall be publicly available through posting on the HIE website (www.currentcareri.org); or the patient participant or their authorized representative may request in writing or over the telephone that a form be sent to them.

3. A patient participant at any time after enrollment may change his or her authorization for a provider participant to access his/her information through the RI HIE by completing a valid and authenticated form requesting an amendment or termination of authorization. The form, along with information about where to submit the form, shall be publicly available through posting on the HIE website (www.currentcareri.org).

4. To obtain a copy of the disclosure report pertaining to his or her confidential health information by submitting a request for a disclosure report. The forms along with information about where to submit the form shall be publicly available through posting on the HIE website (www.currentcareri.org); The RHIO will make every effort to provide disclosure reports in a prompt manner while recognizing that state and federal law allow up to sixty (60) days to respond. If extenuating circumstances arise, the RHIO may have an additional thirty (30) days to provide the disclosure report to the enrollee. Each request for disclosure history will be addressed in accordance with 45 C.F.R. § 164.528(a). A charge for a copy of the disclosure report may be imposed if consistent with state law.

5. To be notified, if required by either R.I. Gen. Laws Chapter 11-49.2 [Rhode Island Identity Theft Protection Act], or the HIPAA Final Omnibus Rule, of a breach of the security system of the HIE that resulted in the unauthorized access, use or disclosure of personal information or unsecured protected health information.

6. To terminate his or her participation in the HIE at any time in accordance with the Act and this Part by submitting a Revocation of Authorization form to the RHIO. The form and methods for termination shall be publicly available through posting on the HIE website (www.currentcareri.org) or the patient participant or authorized representative may call the RHIO to request a form be sent to them.

7. To revoke access of provider participants to the patient participant’s health information at any time in accordance with the Act and this Part by submitting a Revocation of Authorization Form. The form and methods for revocation of access of provider participant to the patient participant’s health information shall be publicly available through posting on the HIE website (www.currentcareri.org) or the patient participant or authorized representative may call the RHIO to request a form be sent to them.

8. Upon a patient participant’s completed termination of enrollment from the HIE, no additional confidential health information for that patient will be collected by the HIE and the patient’s confidential health information in the HIE will no longer be accessible to a provider participant. Nothing in this Part shall preclude a provider participant from accessing the provider participant’s own record of the patient. The revocation of a patient’s authorization will not affect the previous disclosures or access to the patient’s health information while the patient’s authorization and enrollment was in effect.

9. Since the HIE does not create patient confidential health information, but receives confidential health information from provider participants, the patient participant may request to amend his or her own information through provider participants by submitting a request to amend confidential health information form consistent with this Part. The form and methods shall be publicly available through posting on the HIE website (www.currentcareri.org) or the patient participant or authorized representative may call the RHIO to request a form be sent to them. The RHIO will respond directly to a patient participant request and follow its policies and procedures if there is an administrative error that does not require an amendment to the record received from the provider participant.

6.5.2 Confidentiality Protections

Confidentiality protections for patient participants in the HIE are pursuant to R.I. Gen. Laws Chapter 5-37.7 and this Part; additionally the Department reserves the right to review the policies and procedures applicable to the HIE bi-annually to help assess successes and areas for improvement.

6.5.3 Secondary Disclosure

Secondary disclosure rules shall be pursuant to those stated in R.I. Gen. Laws § 5-37.7-9.

6.5.4 Authorization Form

A. The authorization form for enrollment into the HIE, access to, or the disclosure, release or transfer of, confidential health information from the HIE shall conform with the requirements of R.I. Gen. Laws Chapter 5-37.7; and additionally contain other information required by the RHIO, in consultation with the Director.

B. Except as specifically set forth in R.I. Gen. Laws § 5-37.7-7(b), the RHIO shall not allow access to or disclosure of a patient participant’s confidential health information unless it is in accordance with the patient participant’s authorization on the enrollment form.

C. Except as set forth in R.I. Gen. Laws § 5-37.7-7(b), the RHIO will not allow access to or disclosure of a patient participant’s confidential health information to a provider participant unless the recipient has entered into a Data Use Agreement with the RHIO.

D. The RHIO shall not accept or respond to any authorization for requesting disclosure of the patient participant’s health information for any purpose other than as set forth by the Act and this Part.

E. Any request to enroll in the HIE or to withdraw or terminate enrollment from the HIE pursuant to § 6.5.1 of this Part shall be on forms which are provided by the RHIO in accordance with § 6.5.1 of this Part. Requests to withdraw or terminate enrollment from the HIE shall be made in accordance with § 6.5.1(A)(6) of this Part.

6.5.5 Release of Confidential Health Information in Conjunction with Legal Proceedings

Release of confidential health information in conjunction with legal proceedings shall occur pursuant to R.I. Gen. Laws Chapter 5-37.7.

6.6.1 Minimum Security Requirements

The RHIO and HIE shall implement security procedures pursuant to R.I. Gen. Laws § 5-37.7-8.

6.6.2 Safeguards and Security Measures

The RHIO shall have in place appropriate physical, technical and procedural safeguards and security measures to ensure the technical integrity, physical safety, and confidentiality of any confidential health information in the HIE. These safeguards and security measures shall be in place at all times and at any location at which the RHIO, its workforce members, or its contractors hold or access confidential health information. Such safeguards and security measures shall comply with state and federal confidentiality laws and regulations including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. §§ 160 through 164), HITECH and the HIPAA Final Omnibus Rule.

6.6.3 Security Framework

The RHIO shall develop appropriate and scalable security standards, policies, and procedures that are suitable for the size and complexity of its organization.

6.6.4 Security Management

A. The RHIO shall:

1. Maintain and effectively implement written policies and procedures that conform to the requirements of this Section to protect the confidentiality, integrity, and availability of the confidential health information that is processed, stored, and transmitted; to protect against any reasonably anticipated threats or hazards to the security or integrity of the confidential health information and to monitor, modify and improve the effectiveness of such policies and procedures, and

2. Train the RHIO workforce who access or hold confidential health information regarding the requirements of the Act, this Part and the RHIO's policies and procedures regarding the confidentiality and security of confidential health information. The RHIO will secure written acknowledgement of training of its employees.

6.6.5 Separation of Systems

A. The RHIO shall:

1. Maintain confidential health information, whether in electronic or other media, physically and functionally separate from any other system of records;

2. Protect the media, whether in electronic, paper, or other format, that contain confidential health information, limiting access to authorized users and sanitizing and destroying such media before disposal or release for reuse; and

3. Establish physical and environmental protections, to control and limit physical and virtual access to places and equipment where confidential health information is stored or used.

6.6.6 Security Control and Monitoring

A. The RHIO shall:

1. Identify those authorized to have access to confidential health information and an audit capacity to detect unlawful, unauthorized or inappropriate access to confidential health information, and

2. Establish measures to prevent unauthorized removal, transmission or disclosure of confidential health information in the HIE.

6.6.7 Security Assessment

A. The RHIO shall address:

1. Periodic assessments of security risks and controls, as determined appropriate by the RHIO, to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.

2. System and communications protection, to monitor, control, and protect RHIO uses, communications, and transmissions involving confidential health information to and from entities authorized to access the HIE.

Immunity and waiver rules shall be pursuant to those stated in R.I. Gen. Laws §§ 5-37.7-11 and 5-37.7-14.

Penalties shall be pursuant to those stated in R.I. Gen. Laws § 5-37.7-13.