Limitations on and permitted disclosures - R.I. Gen. Laws Ann. § 5-37.3-4

Patients must consent, in writing, to the release of their health information unless otherwise provided in this section. Forms that authorize disclosure of confidential health information must (1) identify the need for the information; (2) identify proposed uses for the information; (3) state that all information will be released or identify the “extent of the information to be released;” and (3) state that the individual may withdraw the authorization at any time unless the authorization pertains to a life or health insurance application or claim for benefits. Authorizations in such contexts will remain valid, respectively, for 2 years following the issuance of a policy or while a benefits claim is pending. Patients must receive a copy of the consent form upon request.

Disclosure of confidential health care information is permitted without consent in the following circumstances:

• To physicians and other medical professionals that need the information to treat an individual during a medical or dental emergency.
• “To medical and dental peer review boards, or the board of medical licensure and discipline, or board of examiners in dentistry.”
• To “qualified personnel” for research, auditing, or underwriting purposes. Reports issued using the information may not identify individuals and recipient personnel may not “otherwise disclose patient identities in any manner.”
• Health care providers may disclose information to law enforcement if they believe that a patient is endangering a person, attempting to illegally obtain narcotics, is the victim of child abuse, or has suffered a gunshot wound. Providers must limit disclosure to the minimum amount necessary to achieve their purpose.
• Health care providers and other qualified personnel may disclose information while coordinating a patient’s care or conducting training or education.
• To third party health insurers, utilization review agents, third party administrators, and “other entities that provide operational support to adjudicate health insurance claims or administer health benefits.”
• To malpractice insurance carriers or lawyers in anticipation of a medical malpractice action.
• A health care provider may disclose patient information to their own medical liability insurance carrier or lawyer if they are named in a medical malpractice action.
• To public health officials that need the information to carry out their statutory and regulatory duties (e.g. disease investigation, sanitary law enforcement).
• To state medical examiners that have jurisdiction over a fatality.
• During a worker’s compensation proceeding.
• When a health care provider believes that disclosure to their attorney is “necessary in order to receive adequate legal representation.”
• Health care providers may disclose immunization information to appropriate school officials.
• To law enforcement officials as necessary to protect against insurance fraud.
• When a health care provider is being investigated or prosecuted for criminal wrongdoing, information may be disclosed, subject to certain procedural and evidentiary limitations, to a grand jury or court pursuant.
• The state board of elections may subpoena health information to determine an individual’s eligibility to vote.
• To certify that an individual’s illness or disability necessitates the use of a mail ballot for voting.
• “To the central cancer registry.”
• To the attorney general in relation to the investigation and/or prosecution of Medicaid fraud.
• Health information may be disclosed to the department of children, youth, and families regarding any child in the department’s custody.
• Foster parents may receive health information regarding the children in their custody.
• Hospitals “may release the fact of a patient’s admission and a general description of a patients condition to….relatives or friends of the patient or [representatives] of the news media.”
• “To the workers’ compensation fraud prevention unit for purposes of investigation…”
• “To a probate court of competent jurisdiction, petitioner, respondent, and/or their attorneys, when the information is contained within a decision-making assessment tool which conforms to the provisions of § 33-15-47” (regarding guardianship proceedings).

Persons and entities that maintain confidential patient health information must comply, at minimum, with the following security procedures:

• Limit access to personally identifiable health information to persons that “need” to access the information.
• Assign responsibility for maintaining security procedures to an individual or individuals.
• Provide all employees or agents with a statement regarding the need to safeguard confidential personal health information and the penalties for improperly disclosing such information. Employees and agents must sign and retain a copy of the statement.
• Prohibit the discipline of employees or agents in response to their reporting of violations of the Confidentiality of Health Care Communications and Information Act.

Rhode Island establishes the following prohibitions:

• Managed care entities and contractors may not provide identifying information about enrollees “to any international, national, regional, or local medical information database.”

• Unless otherwise provided by law, confidential health information may not be gifted, sold, or transferred without consent.
• Individuals may not waive the provisions of this section

Persons that violate this section may be subject to actual and punitive damages. A judge presiding over litigation under this section may award attorney’s fees to the prevailing party. Persons that knowingly or intentionally violate this section may receive a maximum $5,000 fine and/or 6 months imprisonment per violation.