Rhode Island Code of Regulations
Title 216 - Department of health
Chapter 10 - Public Health Administration
Subchapter 10 - Registries
Part 6 - Regional Health Information Organization and Health Information Exchange
Section 216-RICR-10-10-6.6 - Security Requirements

Universal Citation: 216 RI Code of Rules 10 10 6.6

Current through September 18, 2024

6.6.1 Minimum Security Requirements

The RHIO and HIE shall implement security procedures pursuant to R.I. Gen. Laws § 5-37.7-8.

6.6.2 Safeguards and Security Measures

The RHIO shall have in place appropriate physical, technical and procedural safeguards and security measures to ensure the technical integrity, physical safety, and confidentiality of any confidential health information in the HIE. These safeguards and security measures shall be in place at all times and at any location at which the RHIO, its workforce members, or its contractors hold or access confidential health information. Such safeguards and security measures shall comply with State and Federal confidentiality laws and Regulations including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing Regulations (45 C.F.R. Parts 160 through 164), HITECH and the HIPAA Final Omnibus Rule.

6.6.3 Security Framework

The RHIO shall develop appropriate and scalable security standards, policies, and procedures in compliance with the Rhode Island Division of Information Technology Enterprise Strategy and Services policies which are developed and align with the National Institute of Standards and Technology (NIST) security policies and controls.

6.6.4 Security Management

A. The RHIO shall:
1. Maintain and effectively implement written policies and procedures that conform to the requirements of this Section to protect the confidentiality, integrity, and availability of the confidential health information that is processed, stored, and transmitted; to protect against any reasonably anticipated threats or hazards to the security or integrity of the confidential health information and to monitor, modify and improve the effectiveness of such policies and procedures, and

2. Train the RHIO workforce who access or hold confidential health information regarding the requirements of the Act, this Part and the RHIO's policies and procedures regarding the confidentiality and security of confidential health information. The RHIO will secure written acknowledgement of training of its employees.

6.6.5 Separation of Systems

A. The RHIO shall:
1. Maintain confidential health information, whether in electronic or other media, physically and functionally separate from any other system of records;

2. Protect the media, whether in electronic, paper, or other format, that contain confidential health information, limiting access to authorized users and sanitizing and destroying such media before disposal or release for reuse; and

3. Establish physical and environmental protections, to control and limit physical and virtual access to places and equipment where confidential health information is stored or used.

6.6.6 Security Control and Monitoring

A. The RHIO shall:
1. Identify those authorized to have access to confidential health information and an audit capacity to detect unlawful, unauthorized or inappropriate access to confidential health information, and

2. Establish measures to prevent unauthorized removal, transmission or disclosure of confidential health information in the HIE.

6.6.7 Security Assessment

A. The RHIO shall:
1. Perform periodic assessments of security risks and controls, as determined appropriate by the RHIO, to establish if its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.

2. Address system and communications protection, to monitor, control, and protect RHIO uses, communications, and transmissions involving confidential health information to and from entities authorized to access the HIE.

3. Inform the Department of any security incidents or potential security incidents including credible complaints of potential security incidents, as soon possible but no later than twenty-four (24) hours after the occurrence.

Disclaimer: These regulations may not be the most recent version. Rhode Island may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.