Overview
- Bill: SB 2867
- Session: 2026
- Jurisdiction: Rhode Island
- Title: AN ACT RELATING TO BUSINESSES AND PROFESSIONS -- CONFIDENTIALITY OF HEALTH CARE COMMUNICATIONS AND INFORMATION ACT
- Introduced by: Senator Melissa A. Murray
- Referred to: Senate Health & Human Services
- Effective date: Upon passage
Purpose and intent
- The act amends the Confidentiality of Health Care Communications and Information Act (CHCCIA) to clarify and expand protections for patient confidential health information.
- It adds detailed limitations, permitted disclosures, and security/consent requirements, and it strengthens accountability for violations.
- The measure also addresses information sharing with BHDDH (the Department of Behavioral Healthcare, Developmental Disabilities and Hospitals) upon written demand, aligning BHDDH with health oversight and investigative needs.
Key provisions and changes
(a) Limitations on and permitted disclosures
- Confidential health information generally cannot be released without the patient’s written consent or authorized representative’s consent, using a form meeting subsection (d) requirements.
- Managed care entities/contractors writing policies in RI are prohibited from sharing non-identifying personal information with external health information databases, unless essential for statistical data. Transfer to BHDDH or for statutory duties is permitted.
- Violations of CHCCIA can expose violators to actual and punitive damages; courts may award attorney’s fees to the prevailing party; violations carry penalties up to $5,000 per violation and up to six months imprisonment per violation; waivers attempting to waive CHCCIA rights are void.
(b) Exceptions where consent is not required
Consent is not needed in numerous situations, including:
- For diagnosis/treatment in emergencies to medical personnel.
- To medical/dental peer-review boards and licensing/examining boards.
- For qualified personnel conducting research, audits, program evaluations, actuarial work, or insurance underwriting (with patient identity protections in reports).
- For specified law enforcement disclosures in various scenarios (e.g., identifying suspects, reporting abuse or neglect, gunshot wound reports), with many subsections outlining scope, patient notice requirements, and limits.
- For coordination of care among healthcare providers within the system, and for third-party insurers/administrative entities to adjudicate claims.
- To malpractice carriers or legal representatives related to liability actions, and subject to discovery rules when relevant to civil actions.
- Public health authorities, medical examiners, workers’ compensation processes, school authorities for disease/immunization information, and several other specified state agencies.
- Specific disclosures to protect public safety, investigative, or legal processes, including to central cancer registry, Medicaid fraud control, state departments (children, youth and families; foster parents), and certain electoral/voting-related disclosures.
(c) Security requirements for third parties
- Recipients of confidential health information must implement minimum security controls, including:
- Limiting access to need-to-know individuals.
- Designating responsible personnel for security procedures.
- Providing written notices to employees about confidentiality and penalties.
- Not disciplining individuals who report violations.
(d) Consent forms
- Consent forms must clearly state the need and uses of information, the extent of release, and the ability to revoke consent (with specified exceptions for life/health insurance). Revocation must be in writing.
(e) Additional use provisions
- Generally, confidential health information cannot be given or transferred to others beyond those identified in the consent/notice without new written consent for the new use or transfer.
(f) No limitation on other disclosures
- The act does not limit disclosures already permitted under subsection (b).
Who/what is affected
- Patients and their confidential health information are protected under stricter consent and disclosure rules.
- Healthcare providers and facilities must obtain proper consent and adhere to the broader list of allowed disclosures.
- Managed care entities, insurers, third-party administrators, and other entities providing operational support for claims processing.
- BHDDH and related health oversight, social services, and protective services agencies receive streamlined access under written demand procedures.
- Law enforcement, public health authorities, and various state agencies may access information under defined circumstances.
- Healthcare providers and staff must implement security and reporting procedures to prevent unauthorized disclosures.
Procedural and timeline aspects
- This act takes effect immediately upon passage.
- It was introduced on March 4, 2026, and referred to the Senate Health & Human Services Committee.
- The bill’s action history shows scheduled consideration and potential committee action in June 2026.
Summary in plain language
SB 2867 tightens protections around confidential health care information in Rhode Island. It requires written patient consent (with clear notices and revocation rights) for most releases, while outlining a comprehensive list of permitted exceptions—ranging from emergency medical care to law enforcement, public health, research, and administrative purposes. It imposes penalties for violations, mandates security measures for third-party recipients, and clarifies processes for BHDDH requests for records. The measure aims to balance patient privacy with legitimate public and clinical needs, ensuring transparency, security, and accountability in handling confidential health information.