The Rhode Island Department of Health’s (DOH) statewide health information exchange (HIE) must be more transparent and offer patients more privacy protections, according to a settlement between the DOH and the Rhode Island chapter of the American Civil Liberties Union (ACLU).
In 2010, the ACLU filed a lawsuit against the Rhode Island DOH, challenging the adequacy of rules the agency had adopted to implement a centralized database of patient healthcare records. The HIE, called CurrentCare, authorized by the General Assembly in 2008, allows medical personnel to routinely access a patient’s entire medical file, including mental health records and other sensitive medical information.
When the DOH first adopted regulations to implement the HIE, the ACLU objected that they provided virtually no details as to how the system would actually work, or how it would protect the privacy, confidentiality, and informed consent interests of patients. At the time, the DOH responded that those issues would be dealt with through internal “policies” that would not be subject to the public notice and comment requirement that agency regulations must normally undergo, according to an ACLU announcement.
The ACLU’s lawsuit, filed in R.I. Superior Court, argued that the Department’s position violated the Administrative Procedures Act (APA), “since all department policies that have general application and which implement, interpret or prescribe law” are subject to the APA’s public vetting process. Noting the significant privacy issues raised by the HIE, the ACLU had called it crucial that regulations setting up the system be as detailed as possible, explaining, for example, the rights patients have to opt out of the system, to correct information contained in it, and to ensure appropriate confidentiality of the data.
Under the settlement agreement, the DOH agreed it would halt its practice of “adopting unofficially promulgated policies to implement” its obligations under the HIE law. In their place, the DOH has unveiled significantly revised regulations that specify how patients can, among other things, revoke their participation in the HIE, limit healthcare providers’ access to their HIE information, and correct errors in their medical records. The proposed revisions to the regulations were the subject of a public hearing, and patients remain free not to have their medical information submitted to the HIE.
Michael Fine, the director of the Rhode Island Department of Health, told Rhode Island Public Radio that he welcomed the ACLU's help in protecting patient privacy.
