Rhode Island Code of Regulations
Title 216 - Department of health
Chapter 10 - Public Health Administration
Subchapter 10 - Registries
Part 5 - Rhode Island All-Payer Claims Database
Section 216-RICR-10-10-5.4 - Confidentiality

Universal Citation: 216 RI Code of Rules 10 10 5.4

Current through September 18, 2024

5.4.1 Access to RIAPCD Information

A. Health Care Claims Data Sets and any other information submitted pursuant to this Part, by and between Insurers, the RIAPCD, the Data Aggregator, and the Encrypted Unique Identifier Vendor:
1. Shall not be a public record as defined pursuant to R.I. Gen. Laws § 38-2-2. No Disclosure of any RIAPCD data set(s) or health information shall be made unless specifically authorized by the Director pursuant to this Part and as otherwise may be prescribed by law or Regulation.

2. Shall be transmitted in accordance with the Rules adopted in HIPAA (45 C.F.R. Parts 160 through 164), Confidentiality of Health Care Communications and Information Act (R.I. Gen. Laws Chapter 5-37.3) and other applicable law(s).

5.4.2 Removal of Direct Personal Identifiers

All Health Care Claims Data Sets submitted to the Department or Data Aggregator pursuant to § 5.5 of this Part shall be protected by the removal or Hashing of all Direct Personal Identifiers. The Department or Data Aggregator shall not collect any data containing Direct Personal Identifiers.

5.4.3 Encrypted Unique Identifier

A. As part of the Health Care Claims Data Set, Insurers shall submit a Member Eligibility File, as specified in the RIAPCD Technical Specification Manual, for each of its Members to the Encrypted Unique Identifier Vendor to effectuate this requirement in accordance with the timeline outlined in § 5.6.2 of this Part. Under no circumstances shall the Insurer submit any Personal Health Information to the Encrypted Unique Identifier Vendor at any time or for any reason. Only Member demographic information, devoid of all Personal Health Information of any kind, shall be submitted to the Encrypted Unique Identifier Vendor.
1. Demographic data elements include but are not limited to: Member name, date of birth, Social Security number if available and date of enrollment.

2. The Encrypted Unique Identifier Vendor shall assign each Member an Encrypted Unique Identifier and transmit that information to the Insurer.

3. The Encrypted Unique Identifier Vendor shall maintain records wholly separately from the Director, the Department, the Data Aggregator and the RIAPCD as defined by R.I. Gen. Laws Chapter 23-17.17 and referenced by R.I. Gen. Laws § 23-17.17-10(b).

4. Notwithstanding any contractual arrangements, any Member's Direct Personal Identifiers sent by an Insurer to the Encrypted Unique Identifier Vendor shall not be shared with any other party including the Department, the Director, the Data Aggregator or with the RIAPCD.

5. Data which is required to be sent to the Encrypted Unique Identifier Vendor by the Insurers shall not be considered data collected by the Department, the Director, the Data Aggregator or the RIAPCD.

5.4.4 Transmission of Encrypted Unique Identifier to Insurers

A. The Encrypted Unique Identifier vendor shall provide the Encrypted Unique Identifier assigned to a Member to the Insurer of record for that Member. Prior to sending data sets to the Data Aggregator, the Insurer shall attach the assigned Encrypted Unique Identifier to each record. Prior to transmitting the data sets and Encrypted Unique Identifier to the Data Aggregator, all Direct Personal Identifiers shall be removed and/or hashed.
1. The Insurer and/or payer shall maintain a record of the assignment of the Encrypted Unique Identifier assigned to each Member in such a way that would permit an audit or ongoing maintenance by the Director if necessary. Under no circumstance shall such audit or ongoing maintenance allow the Department, the Director, the Data Aggregator, or the RIAPCD to re-identify a Member.

2. The Insurer and/or payer being audited may request that such audit include a third (3rd) party review of the Unique Encrypted Identifier Vendor's process for assignment and transmission of the Encrypted Unique Identifier assigned to each Member of that submitter. However, approval of a third (3rd) party review shall be at the sole discretion of the Director.

Disclaimer: These regulations may not be the most recent version. Rhode Island may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.