216 R.I. Code R. 216-RICR-10-10-6.6

Current through December 26, 2024
Section 216-RICR-10-10-6.6 - Security Requirements
6.6.1 Minimum Security Requirements

The RHIO and HIE shall implement security procedures pursuant to R.I. Gen. Laws § 5-37.7-8.

6.6.2 Safeguards and Security Measures

The RHIO shall have in place appropriate physical, technical and procedural safeguards and security measures to ensure the technical integrity, physical safety, and confidentiality of any confidential health information in the HIE. These safeguards and security measures shall be in place at all times and at any location at which the RHIO, its workforce members, or its contractors hold or access confidential health information. Such safeguards and security measures shall comply with State and Federal confidentiality laws and Regulations including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing Regulations (45 C.F.R. Parts 160 through 164), HITECH and the HIPAA Final Omnibus Rule.

6.6.3 Security Framework

The RHIO shall develop appropriate and scalable security standards, policies, and procedures in compliance with the Rhode Island Division of Information Technology Enterprise Strategy and Services policies which are developed and align with the National Institute of Standards and Technology (NIST) security policies and controls.

6.6.4 Security Management

A. The RHIO shall:
1. Maintain and effectively implement written policies and procedures that conform to the requirements of this Section to protect the confidentiality, integrity, and availability of the confidential health information that is processed, stored, and transmitted; to protect against any reasonably anticipated threats or hazards to the security or integrity of the confidential health information and to monitor, modify and improve the effectiveness of such policies and procedures, and
2. Train the RHIO workforce who access or hold confidential health information regarding the requirements of the Act, this Part and the RHIO's policies and procedures regarding the confidentiality and security of confidential health information. The RHIO will secure written acknowledgement of training of its employees.
6.6.5 Separation of Systems

A. The RHIO shall:
1. Maintain confidential health information, whether in electronic or other media, physically and functionally separate from any other system of records;
2. Protect the media, whether in electronic, paper, or other format, that contain confidential health information, limiting access to authorized users and sanitizing and destroying such media before disposal or release for reuse; and
3. Establish physical and environmental protections, to control and limit physical and virtual access to places and equipment where confidential health information is stored or used.
6.6.6 Security Control and Monitoring

A. The RHIO shall:
1. Identify those authorized to have access to confidential health information and an audit capacity to detect unlawful, unauthorized or inappropriate access to confidential health information, and
2. Establish measures to prevent unauthorized removal, transmission or disclosure of confidential health information in the HIE.
6.6.7 Security Assessment

A. The RHIO shall:
1. Perform periodic assessments of security risks and controls, as determined appropriate by the RHIO, to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.
2. Address system and communications protection, to monitor, control, and protect RHIO uses, communications, and transmissions involving confidential health information to and from entities authorized to access the HIE.
3. Inform the Department of any security incidents or potential security incidents, including credible complaints of potential security incidents, as soon as possible but no later than twenty-four (24) hours after the occurrence.

Amended effective 12/8/2022