Section 216-RICR-10-10-6.3 - General Provisions6.3.1Participation in the Health Information Exchange (HIE)A. A statewide Health Information Exchange (HIE) has been established pursuant to R.I. Gen. Laws Chapter 5-37.7. Confidential health information shall only be accessed, released or transferred from the HIE pursuant to R.I. Gen. Laws Chapter 5-37.7. In addition to the requirements set forth in R.I. Gen. Laws 5-37.7: 1. Patients and health care providers shall have the choice to participate in records-sharing via the HIE, as defined by the Act and this Part. Patient participants shall be able to rescind permission for disclosure to health care providers via the HIE ("opt out") by signing an opt-out form provided by the HIE. Patient participants may indicate his or her desire to opt out pursuant to §6.5.1(A) of this Part and may subsequently reverse an opt out decision pursuant to §6.5.1(A)(5) of this Part.2. Individuals shall be informed about the opportunity to opt out through provider participants and other publicly available means, and provider participants shall offer the opportunity to discuss HIE participation and consent options at the request of an individual patient. Individuals will be informed about the HIE through materials that explain the context and process of disclosure of health information through the HIE, including any and all choices available to the individual. The RHIO shall provide examples or templates of educational materials and any needed technical assistance to provider participants on patient education about the HIE.3. When entering into a treating relationship with a provider participant or no later than six (6) months after a provider begins submitting records to the HIE, individuals will be clearly informed of their opportunity to opt-out in a distinct written document, whether paper, electronic, or web-based. The notification may be contained within a document detailing other privacy practices, but the HIE shall be specifically discussed. The notification shall include an explanation that due to his or her provider's participation in the HIE, at a minimum, their protected health information may be disclosed to: a. Health care providers that care for them in emergencies, on a temporary basis;b. Public health authorities in the process of carrying out their functions, pursuant to R.I. Gen. Laws § 5-37.7-7(b)(2); andc. Health plans where information is necessary for care management, quality, and performance measure reporting.4. Individuals shall be notified by provider participants of their opportunity to opt-out of participation in the HIE a minimum of sixty (60) days prior to opt out policies going into effect ("go live"). This notification shall include all components specified in §6.3.1(A)(3) of this Part, as well as clearly outline the methods available to complete an opt-out form as specified in §6.5.1(A)(4) of this Part.5. Mental health treatment information received from data submitting partners shall be included in the RHIO's repository of protected health information, and shall be subject to any opt-out form completed by a patient participant. Mental health treatment information shall not be stored or disclosed separately except as otherwise required by law or Regulation.6. The RHIO shall maintain a dedicated telephone number staffed with qualified personnel who can respond to individuals' questions related to any and all choices and processes available to the individual. If there are remaining concerns or complaints after contacting the RHIO, individuals can contact the Department of Health "Health Information Line."7. The RHIO shall maintain a process for reviewing and resolving complaints related to it, and to assist patient participants in resolving complaints.a. The RHIO and all provider participants will accept complaints pertaining to the RI HIE. Provider participants will forward complaints to the RHIO.b. The RHIO will appoint a Privacy Officer who will review all complaints. Complaints will not be public and will be kept confidential as required by law. Any confidential health information contained in the complaint will be protected in accordance with applicable State and Federal law.c. Neither the RHIO nor provider participants will retaliate, discriminate against, intimidate, coerce or otherwise reprise patient participants or patient advocates relating to the filing of a complaint or for filing a complaint.d. The RHIO will contractually require provider participants to comply with HIPAA, including establishing and implementing HIPAA compliant policies and procedures.e. Patient participants may lodge a complaint with the provider participant directly, with the RHIO or with the Department of Health. If a complaint is lodged directly with the RHIO and the RHIO refers the patient participant to the provider participant and the provider participant cannot directly resolve the complaint or believes the complaint is in error, the patient participant may then submit it to the RHIO Privacy Officer for review and assistance as requested by the patient participant.f. All patient participants lodging complaints directly with the RHIO will be directed to fill out a patient complaint form and will be given assistance if requested. If the complaint involves a provider participant, the RHIO will notify the provider participant if it addresses actions by the provider participant.g. Any complaint regarding breach of security, if appropriate, may invoke the response to breach procedures by the RHIO.h. The RHIO shall maintain copies of all written patient complaint forms.i. The disposition of the complaint shall be documented by the RHIO Privacy Officer as part of the complaint process.j. For complaints lodged directly to the Department, the Department will follow its usual process for investigating complaints and the complaint shall remain confidential to the public until it has been resolved. If applicable, once it is resolved, the Department will notify the RHIO Privacy Officer and/or provider participant. Any patient participant wishing to lodge a verbal complaint may do so by calling the Department of Health "Health Information Line."k. Any complaint lodged by a patient participant with the provider participant, the RHIO or the Department shall be resolved within thirty (30) days of submission.l. The Department reserves the right to access the records of complaints received by the RHIO and the resolution of such complaints.6.3.2Rhode Island Regional Health Information Organization (RHIO)A. The RHIO shall function pursuant to R.I. Gen. Laws Chapter 5-37.7. Additionally, the RHIO shall develop, implement, and maintain current policies and procedures including, but not limited to, the following topics: 1. Participant process to opt out (health care provider, health plan, and individual) that is consistent with §6.3.1(A)(1) of this Part;2. Termination of a patient participant's opt out status that is consistent with §6.5.1(A)(5) of this Part;3. Handling patient participant complaints and inquiries that is consistent with §6.3.1(A)(2) of this Part;4. The process through which a patient participant can obtain a copy of his or her confidential health information from the HIE that is consistent with §6.5.1(A)(1) of this Part;5. The process through which a patient participant can obtain a copy of the disclosure report pertaining to his or her confidential health information consistent with §6.5.1(A)(4) of this Part;6. Patient participant requests to amend his or her own information through the provider participant consistent with §6.3.3(A)(2) of this Part;7. Tiered access to confidential health information (i.e., criteria and controls to obtain varying degrees of access to data maintained by the HIE) consistent with §6.3.3 of this Part;8. Privacy, confidentiality and security pertaining to access and maintenance of patient participant confidential health information consistent with §§ 6.5 and 6.6 of this Part;9. Temporary access to HIE data by provider participants that need to treat a person in emergencies consistent with §6.3.1(A)(3) of this Part. Temporary access procedures should be easily accessible to a variety of health care team members and not present an undue burden during a medical emergency;10. Patient participant notification, if required by either R.I. Gen. Laws Chapter 11-49.3 [Rhode Island Identity Theft Protection Act of 2015] or the HIPAA Final Omnibus Rule, regarding a detected breach of the security of the system of the HIE that may have resulted in the unauthorized access, use or disclosure of protected health information, personal information or Unsecured Protected Health Information consistent with §6.5.1(A)(5) of this Part; and11. Patient matching, including patient participants who have opted out of disclosure to health care providers. a. RHIO staff shall review each completed opt-out form for completeness, accuracy, and effective matching to previously submitted medical records by provider participants.b. Additional attention shall be paid to gender markers in patient matching and, wherever practical, effort shall be expended to ensure identity resolution takes into account gender diverse experiences.12. Ongoing identity management, including a simplified process by which patient or provider participants may notify the RHIO that specific patient records should undergo review.13. Data integrity, quality, and standardization.14. Handling of sensitive types of protected health information, including but not limited to behavioral health, Human Immunodeficiency Virus/Acquired Immunodeficiency Syndrome (HIV/AIDS), treatment for domestic violence or sexual assault, and genetic information.B. The RHIO shall utilize a committee structure that encourages community involvement and transparency in the process of the development and implementation of its policies.C. Patient participants have the right to access the RHIO's notice of privacy practices which will be posted on the RHIO's websites. The Notice of Privacy Practices will be written in plain language and will contain applicable information such as: the uses and disclosures of PHI through the HIE, patient participants' individual rights, the RHIO's responsibilities regarding the privacy of patient participants' information and the complaint process.D. In the event that the RHIO fails to comply with this Part or has policies that do not comply with Federal and State laws, Rules and Regulations, the Director may notify the RHIO by certified or registered mail or by personal service setting forth the failure(s) and the RHIO shall be given the opportunity to cure such failure within the time designated by the Director. If the RHIO does not cure the failure, the Department may invoke contractual remedies, require specific monitoring or supervision to occur, or limit or suspend actions of the RHIO until such time as the corrective action has cured the failure. The Department may also notify the Secretary of the United State Department of Health and Human Services and the Rhode Island Department of Attorney General if the Department of Health believes the failure to comply with this Part amounts to a HIPAA violation. The RHIO, or the Department may request a prompt and fair hearing in accordance with R.I. Gen. Laws § 42-35-9. Nothing in this Part shall limit the authority of the jurisdiction conferred upon the Department of Attorney General to bring an action against the RHIO pursuant to § 6.8 of this Part for a violation of this Part and/or HITECH.E. In the event of the insolvency or involuntary dissolution of the RHIO, the assets and operations comprising the HIE, including the protection of the protected health information of the enrollees of the HIE, shall be transitioned or transferred in accordance with an Order of a court of proper jurisdiction.F. In the event of a voluntary dissolution of the RHIO, the RHIO will give the Department thirty (30) days' notice. The Department has a contractual right of first refusal to purchase only the assets comprising the HIE at the appraised value.G. In the event of either of the above, the RHIO shall be responsible to safeguard the protected health information in its care, custody and control until the PHI has been transferred to another entity.6.3.3Special Requirements Pertaining to the Health Information Exchange (HIE) and the Rhode Island Regional Health Information Organization (RHIO)A. Pursuant to R.I. Gen. Laws § 5-37.7-4(e), the HIE and the RHIO have an obligation to maintain, and abide by the terms of, HIPAA-compliant business associate agreements, as well as: 1. The RHIO will maintain user access permission profiles to determine which PHI may be accessed by authorized users according to specific role classification and shall implement policies and procedures regarding user authentication;2. In response to a request by a patient participant to make an amendment to his or her PHI contained in the HIE, the RHIO will provide the patient participant with a "Request to Amend Health Information" form to submit to the originating provider participant and if so, directed by the provider participant, will amend the record in accordance with HIPAA, the Act and this Part. The "Request to Amend Health Information" form shall be available from the RHIO website, by calling the RHIO, or by requesting the form in writing.a. As soon as possible, but no later than sixty (60) days after receipt of a request from a patient participant to amend health information, the provider participant shall either forward the corrected information to the RHIO for processing or notify the patient participant, in writing, why the request to amend health information has been denied.b. As soon as possible, but no later than thirty (30) days after receipt of a request from a provider participant to amend a confidential health care record, the RHIO/HIE shall process the request and notify the provider participant, in writing, that the requested amendment to health information has been completed.3. If the patient participant requests a change to his or her CurrentCare record, and the RHIO determines that the change is due to an operational issue, the RHIO will address the error pursuant to its internal error resolution procedures by making the correction and notifying the patient participant within thirty (30) days of the correction that the correction has been made.4. The RHIO shall have written data sharing agreements in place with provider participants who submit data to the HIE. Such agreements shall, at a minimum, contain all required business associate agreement components.5. The RHIO shall have written end user agreements in place with provider participants who access data in the HIE. Such agreements shall, at a minimum, describe roles and responsibilities of both the end user and the RHIO regarding appropriate use of the HIE and assuring patient rights in accordance with applicable Federal and State law.6.3.4Reconciliation with Other AuthoritiesReconciliation with other authorities shall be pursuant to R.I. Gen. Laws §5-37.712.
6.3.5Professional ResponsibilitiesIn accordance with applicable State laws and Regulations promulgated thereunder, a provider participant that abandons a patient or denies treatment to a new or existing patient solely on the basis of the patient's decision to opt out of disclosures from the HIE, when the patient's health information can be obtained from other sources, may be subject to administrative review by the Department, including, but not limited to the Department's Professional Boards, and the Director. The processes contained in Practices and Procedures Before the Rhode Island Department of Health (Subchapter 05 Part 4 of this Chapter), and as otherwise permitted by the Administrative Procedures Act, shall apply.
216 R.I. Code R. 216-RICR-10-10-6.3
Amended effective 12/8/2022