Difference between revisions of "Rhode Island"

From Privacy Wiki
(Creating Rhode Island)
 
(Replaced content with "{|class="wikitable sortable collapsible" !Name of Article !Specific Clauses or the Law !Scope !Mapping |- |Rhode Island 2019 S234 | |Business |6-48.1-5- (a)-exclusion,...")
Tag: Replaced
Line 5: Line 5:
 
!Mapping
 
!Mapping
 
|-
 
|-
|Rhode Island 2019 S234
+
|[[Rhode Island 2019 S234]]
|6-48.1-5. Information disclosed upon request. (a) A consumer shall have the right to request that a business that collects, maintains or sells personal information about the consumer disclose to the consumer the following: (1) The categories of personal information it has collected about that consumer; (2) The categories of sources from which the personal information is collected; (3) The business or commercial purpose for collecting or selling personal information; (4) The categories of third parties with whom the business shares personal information; (5) The specific pieces of personal information it has collected about that consumer. (b) A business that collects personal information about a consumer shall disclose to the consumer the information specified in subsection (a) of this section upon receipt of a verifiable request from the consumer. (c) This section does not require a business to do the following: (1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained;  (2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
+
|
6-48.1-6. Businesses that sell information. (a) A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer: (1) The categories of personal information that the business collected about the consumer; (2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; 3) The categories of personal information that the business disclosed about the consumer for a business purpose. (b) A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, the information specified in subsection (a) of this section to the consumer upon receipt of a verifiable request from the consumer. (c) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to this chapter.
 
6-48.1-7. Opt-out. (a) A consumer shall have the right, at any time, to direct a business that sells personal  information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt out. (b) A business that sells consumers' personal information to third parties shall provide notice to consumers, that this information may be sold and that consumers have the right to opt out of the sale of their personal information. (c) A business that has received direction from a consumer not to sell the consumer's personal information or, in the case of a minor consumer's personal information has not received  consent to sell the minor consumer's personal information shall be prohibited from selling the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization for the sale of the consumer's personal information. (d) Notwithstanding subsection (a) of this section, a business shall not sell the personal  information of consumers if the business has actual knowledge that the consumer is less than  sixteen (16) years of age, unless the consumer, in the case of consumers between thirteen (13) and sixteen (16) years of age, or the consumer's parent or guardian, in the case of consumers who are less than thirteen (13) years of age, has affirmatively authorized the sale of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to  have had actual knowledge of the consumer's age. This right may be referred to as the "right to opt in."
 
 
|Business
 
|Business
 
|6-48.1-5- (a)-exclusion, surveillance, (b)-surveillance, exclusion, (c)-(1)-surveillance,(2)-secondary use, 6-48.1-6-(a)-exclusion, (1)-surveillance, (2)-secondary use, (b)-secondary use, aggregation, disclosure, (c)-decisional interference, secondary use, 6.-48.1-7-(a)-decisional interference, (b)-exclusion, (c)-insecurity, (d)-?
 
|6-48.1-5- (a)-exclusion, surveillance, (b)-surveillance, exclusion, (c)-(1)-surveillance,(2)-secondary use, 6-48.1-6-(a)-exclusion, (1)-surveillance, (2)-secondary use, (b)-secondary use, aggregation, disclosure, (c)-decisional interference, secondary use, 6.-48.1-7-(a)-decisional interference, (b)-exclusion, (c)-insecurity, (d)-?
 
|-
 
|-
|RIGL §§27-18-52
+
|[[RIGL §§27-18-52]]
|(a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.
+
|
(b) No individual or group health insurance contract, plan, or policy delivered, issued for delivery, or renewed in this state which provides health insurance medical coverage that includes coverage for physician services in a physician's office, and every policy which provides major medical or similar comprehensive-type coverage excluding disability income, long term care and insurance supplemental policies which only provide coverage for specified diseases or other supplemental policies, shall:
 
(1) Use a genetic test or request for genetic tests or the results of a genetic test to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or an individual health insurance policy, contract, or plan;
 
(2) Request or require a genetic test for the purpose of determining whether or not to issue or renew an individual's health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services;
 
(3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format whereby individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose this information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure; an exception shall exist for participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule").
 
(4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes.
 
(c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, proteins and certain metabolites in order to detect heritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. Those purposes include predicting risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, as well as testing in high risk families may be included provided there is an approved release by a parent or guardian. Tests for metabolites are covered only when they are undertaken with high probability that an excess of deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis or a test for drugs or for HIV infections.
 
 
|Genetic
 
|Genetic
 
|(b)(1)-interrogation, (b)(2)-interrogation, (b)(3)-disclosure, exclusion, (b)(4)-interrogation, secondary use, (c)-?(definitions)
 
|(b)(1)-interrogation, (b)(2)-interrogation, (b)(3)-disclosure, exclusion, (b)(4)-interrogation, secondary use, (c)-?(definitions)
 
|-
 
|-
|RIGL §§27-18-52.1
+
|[[RIGL §§27-18-52.1]]
|(a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.
+
|
(b) No individual or group health insurance contract, plan, or policy delivered, issued for delivery, or renewed in this state, which provides medical coverage that includes coverage for physician services in a physician's office, and every policy which provides major medical or similar comprehensive-type coverage excluding disability income, long term care and insurance supplemental policies which only provide coverage for specified diseases or other supplemental policies, shall:
 
(1) Use genetic information or request for genetic information or the results of genetic information or other genetic information to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or otherwise affect a group or an individual's health insurance policy, contract, or plan;
 
(2) Request or require genetic information for the purpose of determining whether or not to issue or renew an individual's health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services;
 
(3) Release the results of genetic information without the prior written authorization of an individual from whom the information was obtained, except in a format where individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose the information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure. An exception shall exist for participation in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule");
 
(4) Request or require information as to whether an individual has genetic information, or participated in genetic information of any kind, whether for clinical or research purposes.
 
(c) For the purposes of this section, "genetic information" is information about genes, gene product, or inherited characteristics that may derive from the individual or a family member.
 
 
|Genetic
 
|Genetic
 
|(a)-exclusion, (b)(1)-interrogation, (b)(2)-interrogation, (b)(3)-decisional interference, (b)(4)- interrogation, (c)-?
 
|(a)-exclusion, (b)(1)-interrogation, (b)(2)-interrogation, (b)(3)-decisional interference, (b)(4)- interrogation, (c)-?
 
|-
 
|-
|RIGL §§27-19-44
+
|[[RIGL §§27-19-44]]
|(a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.
+
|
(b) No nonprofit health service corporation subject to the provisions of this chapter shall:
 
(1) Use a genetic test or request for a genetic test or the results of a genetic test or other genetic information to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or an individual's health insurance policy, contract, or plan;
 
(2) Request or require a genetic test for the purpose of determining whether or not to issue or renew a group, individual health benefits coverage to set reimbursement/co-pay levels or determine covered benefits and services;
 
(3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format by which individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose the information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure. An exception shall exist for participation in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule");
 
(4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes.
 
(c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, proteins and certain metabolites in order to detect heritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. These purposes include predicating risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, as well as testing in high risk families may be included provided there is an approved release by a parent or guardian. Tests for metabolites are covered only when they are undertaken with high probability that an excess of deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis, or a test for drugs or for HIV infection.
 
 
|Genetic
 
|Genetic
 
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use  
 
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use  
 
|-
 
|-
|RIGL §§27-20-39
+
|[[RIGL §§27-20-39]]
|(a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.
+
|
(b) No nonprofit health insurer subject to the provisions of this chapter shall:
 
(1) Use a genetic test or request for a genetic test or the results of a genetic test to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or individual's health insurance policy, contract, or plan;
 
(2) Request or require a genetic test for the purpose of determining whether or not to issue or renew health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services;
 
(3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format by which individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose the information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure. An exception shall exist for participation in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"); or
 
(4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes.
 
(c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, proteins and certain metabolites in order to detect heritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. Those purposes include predicting risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, as well as testing in high risk families may be included provided there is an approved release by a parent or guardian. Tests for metabolites are covered only when they are undertaken with high probability that an excess of deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis or a test for drugs or for HIV infections.
 
 
|Genetic
 
|Genetic
 
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use  
 
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use  
 
|-
 
|-
|RIGL §§27-41-53
+
|[[RIGL §§27-41-53]]
|(a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.
+
|
(b) No health maintenance organization subject to the provisions of this chapter shall:
 
(1) Use a genetic test or request for genetic test the results of a genetic test to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or an individual's health insurance policy contract, or plan;
 
(2) Request or require a genetic test for the purpose of determining whether or not to issue or renew an individual's health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services;
 
(3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format where individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose the information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each re-disclosure. An exception shall exist for participation in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"); or
 
(4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes.
 
(c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, protein and certain metabolites in order to detect heritable inheritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. Those purposes include predicting risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, and testing in high risk families may be included provided there is an approved release by a parent or guardian. Tests for metabolites are covered only when they are undertaken with high probability that an excess or deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis or a test for drugs or for HIV infections.
 
 
|Genetic
 
|Genetic
 
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use  
 
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use  
 
|-
 
|-
|Rhode Island Gen. Laws Ann. §11-49.3-2(a)
+
|[[Rhode Island Gen. Laws Ann. §11-49.3-2(a)]]
|(a) A municipal agency, state agency, or person who or that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information. A municipal agency, state agency, or person shall not retain personal information for a period longer than is reasonably required to provide the services requested; to meet the purpose for which it was collected; or in accordance with a written retention policy or as may be required by law. A municipal agency, state agency, or person shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure.
+
|
 
|Agency
 
|Agency
 
|§11-49.3-2-(a)-insecurity
 
|§11-49.3-2-(a)-insecurity
 
|-
 
|-
|R.I. Gen. Laws §28-56-1 to -6
+
|[[R.I. Gen. Laws §28-56-1 to -6]]
|§ 28-56-2. Social media password requests prohibited.
+
|
 
 
No employer shall:
 
(1) Require, coerce, or request an employee or applicant to disclose the password or any other means for accessing a personal social media account;
 
(2) Require, coerce, or request an employee or applicant to access a personal social media account in the presence of the employer or representative;
 
(3) Require or coerce an employee or applicant to divulge any personal social media account information, except when reasonably believed to be relevant to an investigation of allegations of employee misconduct or workplace-related violation of applicable laws and regulations and when not otherwise prohibited by law or constitution; provided that the information is accessed and used solely to the extent necessary for purposes of that investigation or a related proceeding.
 
§ 28-56-3. Social media access requests prohibited.
 
 
 
No employer shall compel an employee or applicant to add anyone, including the employer or their agent, to their list of contacts associated with a personal social media account or require, request, or cause an employee or applicant to alter settings that affect a third party's ability to view the contents of a personal social media account.
 
§ 28-56-4. Disciplinary actions prohibited.
 
 
 
No employer shall:
 
(1) Discharge, discipline, or otherwise penalize or threaten to discharge, discipline, or otherwise penalize any employee for an employee's refusal to disclose or provide access to any information specified in § 28-56-2, or for refusal to add the employer to his or her list of contacts associated with a personal social media account, or to alter the settings associated with a personal social media account, as specified in § 28-56-3; or
 
(2) Fail or refuse to hire any applicant as a result of the applicant's refusal to disclose or provide access to any information specified in § 28-56-2, or for refusal to add the employer or their agent to their list of contacts associated with a personal social media account, or to alter the settings associated with a personal social media account, as specified in § 28-56-3.
 
§ 28-56-5. Exceptions.
 
 
 
(a) This chapter shall not apply to information about an applicant or employee that is publicly available.
 
(b) This chapter shall not prohibit or restrict an employer from complying with a duty to screen employees or applicants before hiring or to monitor or retain employee communications that is established by a self-regulatory organization as defined by the Securities and Exchange Act of 1934, 15 U.S.C. § 78c(a)(26) or under state or federal law or regulation to the extent necessary to supervise communications of regulated financial institutions insurance or securities licensees for banking insurance or securities related business purposes.
 
 
|Employment
 
|Employment
 
|28-56-2-(1)-interrogation, (2)-interrogation, (3)-interrogation, 28-56-3-interrogation, appropriation, 28-56-4-(1)-blackmail, interrogation, (2)-interrogation, blackmail, 28-56-5-(2)-surveillance, 28-56-6-?
 
|28-56-2-(1)-interrogation, (2)-interrogation, (3)-interrogation, 28-56-3-interrogation, appropriation, 28-56-4-(1)-blackmail, interrogation, (2)-interrogation, blackmail, 28-56-5-(2)-surveillance, 28-56-6-?
 
|-
 
|-
|R.I. Gen. Laws §16-103-1 to -6
+
|[[R.I. Gen. Laws §16-103-1 to -6]]
|§ 16-103-2 Social media password requests prohibited. – No educational institution shall:
+
|
(1) Require, coerce, or request a student or prospective student to disclose the password or any other means for accessing a personal social media account;
 
(2) Require, coerce, or request a student or prospective student to access a personal social media account in the presence of the educational institution's employee or representative; or
 
(3) Require or coerce a student or prospective student to divulge any personal social media account information.
 
§ 16-103-3. Social media access requests prohibited.
 
 
 
No educational institution shall compel a student or applicant, as a condition of acceptance or participation in curricular or extracurricular activities, to add anyone, including a coach, teacher, school administrator, or other school employee or school volunteer, to his or her list of contacts associated with a personal social media account or require, request, or cause a student or applicant to alter settings that affect a third party's ability to view the contents of a personal social media account.
 
§ 16-103-4. Disciplinary action prohibited.
 
 
 
No educational institution shall:
 
(1) Discharge, discipline, or otherwise penalize or threaten to discharge, discipline, or otherwise penalize any student for a student's refusal to disclose or provide access to any information specified in § 16-103-2, or for refusal to add a coach, teacher, administrator, or other school employee or school volunteer to his or her list of contacts associated with a personal social media account, or to alter settings associated with a personal social media account, as specified in § 16-103-3; or
 
(2) Fail or refuse to admit any applicant as a result of the applicant's refusal to disclose or provide access to any information specified in § 16-103-2 or for refusal to add a coach, teacher, school administrator, or other school employee or school volunteer to his or her list of contacts associated with a personal social media account or to alter settings associated with a personal social media account, as specified in § 16-103-3.
 
 
|Education
 
|Education
 
|16-103-2-(1)-interrogation, (2)-interrogation, (3)-interrogation, 106-103-3-interrogation, blackmail, 16-103-4-(1)-blackmail, interrogation, (2)-blackmail, interrogation
 
|16-103-2-(1)-interrogation, (2)-interrogation, (3)-interrogation, 106-103-3-interrogation, blackmail, 16-103-4-(1)-blackmail, interrogation, (2)-blackmail, interrogation
 
|-
 
|-
|Genetic Testing (2017)
+
|[[Genetic Testing (2017)]]
|2017 Rhode Island General Laws
+
|
Title 27 - Insurance
 
Chapter 27-18 - Accident and Sickness Insurance Policies
 
Section 27-18-52 - Genetic testing.:§ 27-18-52. Genetic testing.
 
 
 
(a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.
 
 
 
(b) No individual or group health insurance contract, plan, or policy delivered, issued for delivery, or renewed in this state which provides health insurance medical coverage that includes coverage for physician services in a physician's office, and every policy which provides major medical or similar comprehensive-type coverage excluding disability income, long term care and insurance supplemental policies which only provide coverage for specified diseases or other supplemental policies, shall:
 
 
 
(1) Use a genetic test or request for genetic tests or the results of a genetic test to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or an individual health insurance policy, contract, or plan;
 
 
 
(2) Request or require a genetic test for the purpose of determining whether or not to issue or renew an individual's health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services;
 
 
 
(3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format whereby individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose this information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure; an exception shall exist for participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule").
 
 
 
(4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes.
 
 
 
(c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, proteins and certain metabolites in order to detect heritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. Those purposes include predicting risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, as well as testing in high risk families may be included provided there is an approved release by a parent or guardian. Tests for metabolites are covered only when they are undertaken with high probability that an excess of deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis or a test for drugs or for HIV infections.
 
 
|Genetic
 
|Genetic
 
|27-18-52-a-decisional interference, disclosure, 1-interrogation, secondary use, 2-interrogation, 3-decisional interference, disclosure, 4-interrogation
 
|27-18-52-a-decisional interference, disclosure, 1-interrogation, secondary use, 2-interrogation, 3-decisional interference, disclosure, 4-interrogation
 
|-
 
|-
|[http://webserver.rilin.state.ri.us/BillText15/SenateText15/S0134B.pdf Identity Theft Protection Act of 2015]
+
|[http://webserver.rilin.state.ri.us/BillText15/SenateText15/S0134B.pdf Identity Theft Protection Act of 2015] [[Identity Theft Protection Act of 2015]]
|11-49.3-1. Short title. -- This chapter shall be known and may be cited as the "Rhode
+
|
28 Island Identity Theft Protection Act of 2015."
 
29 11-49.3-2. Risk-based information security program. -- (a) A municipal agency, state
 
30 agency or person that stores, collects, processes, maintains, acquires, uses, owns or licenses
 
31 personal information about a Rhode Island resident shall implement and maintain a risk-based
 
32 information security program which contains reasonable security procedures and practices
 
33 appropriate to the size and scope of the organization, the nature of the information and the
 
34 purpose for which the information was collected in order to protect the personal information from
 
LC000486/SUB B/2 - Page 5 of 10
 
1 unauthorized access, use, modification, destruction or disclosure and to preserve the
 
2 confidentiality, integrity, and availability of such information. A municipal agency, state agency
 
3 or person shall not retain personal information for a period longer than is reasonably required to
 
4 provide the services requested, to meet the purpose for which it was collected, or in accordance
 
5 with a written retention policy or as may be required by law. A municipal agency, state agency or
 
6 person shall destroy all personal information, regardless of the medium that such information is
 
7 in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or
 
8 erasure.
 
9 (b) A municipal agency, state agency or person that discloses personal information about
 
10 a Rhode Island resident to a nonaffiliated third party shall require by written contract that the
 
11 third party implement and maintain reasonable security procedures and practices appropriate to
 
12 the size and scope of the organization, the nature of the information and the purpose for which the
 
13 information was collected in order to protect the personal information from unauthorized access,
 
14 use, modification, destruction, or disclosure. The provisions of this section shall apply to
 
15 contracts entered into after the effective date of this act.
 
16 11-49.3-3. Definitions. -- (a) The following definitions apply to this section:
 
17 (1) "Breach of the security of the system" means unauthorized access or acquisition of
 
18 unencrypted computerized data information that compromises the security, confidentiality, or
 
19 integrity of personal information maintained by the municipal agency, state agency or person.
 
20 Good faith acquisition of personal information by an employee or agent of the agency for the
 
21 purposes of the agency is not a breach of the security of the system; provided, that the personal
 
22 information is not used or subject to further unauthorized disclosure.
 
23 (2) "Encrypted" means the transformation of data through the use of a one hundred
 
24 twenty-eight (128) bit or higher algorithmic process into a form in which there is a low
 
25 probability of assigning meaning without use of a confidential process or key. Data shall not be
 
26 considered to be encrypted if it is acquired in combination with any key, security code, or
 
27 password that would permit access to the encrypted data.
 
28 (3) "Health Insurance Information" means an individual's health insurance policy number
 
29 or subscriber identification number, any unique identifier used by a health insurer to identify the
 
30 individual.
 
31 (4) "Medical Information" means any information regarding an individual's medical
 
32 history, mental or physical condition, or medical treatment or diagnosis by a health care
 
33 professional or provider.
 
34 (5) "Municipal agency" means any department, division, agency, commission, board,
 
LC000486/SUB B/2 - Page 6 of 10
 
1 office, bureau, authority, quasi-public authority, or school, fire or water district within Rhode
 
2 Island other than a state agency and any other agency that is in any branch of municipal
 
3 government and exercises governmental functions other than in an advisory nature.
 
4 (6) "Owner" means the original collector of the information.
 
5 (7) "Person" shall include any individual, sole proprietorship, partnership, association,
 
6 corporation, or joint venture, business or legal entity, trust, estate, cooperative or other
 
7 commercial entity.
 
8 (8) "Personal information" means an individual's first name or first initial and last name
 
9 in combination with any one or more of the following data elements, when the name and the data
 
10 elements are not encrypted or are in hard copy paper format:
 
11 (i) Social security number;
 
12 (ii) Driver's license number, or Rhode Island identification card number or tribal
 
13 identification number;
 
14 (iii) Account number, credit or debit card number, in combination with any required
 
15 security code, access code, password or personal identification number that would permit access
 
16 to an individual's financial account;
 
17 (iv) Medical or health insurance information; or
 
18 (v) E-mail address with any required security code, access code, or password that would
 
19 permit access to an individual's personal, medical, insurance or financial account.
 
20 (9) "Remediation service provider" means any person which in its usual course of
 
21 business provides services pertaining to a consumer credit report including, but not limited to,
 
22 credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.
 
23 (10) "State agency" means any department, division, agency, commission, board, office,
 
24 bureau, authority, or quasi-public authority within Rhode Island, either branch of the Rhode
 
25 Island general assembly, or an agency or committee thereof, the judiciary, or any other agency
 
26 that is in any branch of Rhode Island state government and which exercises governmental
 
27 functions other than in an advisory nature.
 
28 (b) For purposes of this section, personal information does not include publicly available
 
29 information that is lawfully made available to the general public from federal, state or local
 
30 government records.
 
31 (c) For purposes of this section, "notice" may be provided by one of the following
 
32 methods:
 
33 (i) Written notice;
 
34 (ii) Electronic notice, if the notice provided is consistent with the provisions regarding
 
LC000486/SUB B/2 - Page 7 of 10
 
1 electronic records and signatures set forth in 15 U.S.C. § 7001;
 
2 (iii) Substitute notice, if the municipal agency, state agency or person demonstrates that
 
3 the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the
 
4 affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal
 
5 agency, state agency or person does not have sufficient contact information. Substitute notice
 
6 shall consist of all of the following:
 
7 (A) E-mail notice when the municipal agency, state agency or person has an e-mail
 
8 address for the subject persons;
 
9 (B) Conspicuous posting of the notice on the municipal agency's, state agency's or
 
10 person's website page, if the municipal agency, state agency or person maintains one; and
 
11 (C) Notification to major statewide media.
 
12 11-49.3-4. Notification of breach. -- (a)(1) Any municipal agency, state agency or
 
13 person that stores, owns, collects, processes, maintains, acquires, uses or licenses data that
 
14 includes personal information, shall provide notification as set forth in this section of any
 
15 disclosure of personal information, or any breach of the security of the system, which poses a
 
16 significant risk of identity theft to any resident of Rhode Island whose personal information was,
 
17 or is reasonably believed to have been, acquired by an unauthorized person or entity.
 
18 (2) The notification shall be made in the most expedient time possible but no later than
 
19 forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the
 
20 information required to fulfill the notice requirements contained in subsection (d) of this section
 
21 and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c)
 
22 of this section. In the event that more than five hundred (500) Rhode Island residents are to be
 
23 notified, the municipal agency, state agency or person shall notify the attorney general and the
 
24 major credit reporting agencies as to the timing, content and distribution of the notices and the
 
25 approximate number of affected individuals. Notification to the attorney general and the major
 
26 credit reporting agencies shall be made without delaying notice to affected Rhode Island
 
27 residents.
 
28 (b) The notification required by this section may be delayed if a federal, state or local law
 
29 enforcement agency determines that the notification will impede a criminal investigation. The
 
30 federal, state or local law enforcement agency must notify the municipal agency, state agency or
 
31 person of the request to delay notification without unreasonable delay. If notice is delayed due to
 
32 such determination then as soon as the federal, state or municipal law enforcement agency
 
33 determines and informs the municipal agency, state agency or person that notification no longer
 
34 poses a risk of impeding an investigation, notice shall be provided, as soon as practicable
 
LC000486/SUB B/2 - Page 8 of 10
 
1 pursuant to § 11-49.3-4(a)(2). The municipal agency, state agency or person shall cooperate with
 
2 federal, state or municipal law enforcement in its investigation of any breach of security or
 
3 unauthorized acquisition or use, which shall include the sharing of information relevant to the
 
4 incident; provided however, that such disclosure shall not require the disclosure of confidential
 
5 business information or trade secrets.
 
6 (c) Any municipal agency, state agency or person required to make notification under this
 
7 section and who fails to do so is liable for a violation as set forth in § 11-49.3-5.
 
8 (d) The notification to individuals must include the following information to the extent
 
9 known:
 
10 (1) A general and brief description of the incident, including how the security breach
 
11 occurred and the number of affected individuals;
 
12 (2) The type of information that was subject to the breach;
 
13 (3) Date of breach, estimated date of breach or the date range within which the breach
 
14 occurred;
 
15 (4) Date that the breach was discovered;
 
16 (5) A clear and concise description of any remediation services offered to affected
 
17 individuals including toll free numbers and websites to contact: (i) The credit reporting agencies;
 
18 (ii) Remediation service providers; (iii) The attorney general; and
 
19 (6) A clear and concise description of: the consumer's ability to file or obtain a police
 
20 report; how a consumer requests a security freeze and the necessary information to be provided
 
21 when requesting the security freeze; and that fees may be required to be paid to the consumer
 
22 reporting agencies.
 
23 11-49.3-5. Penalties for violation. -- (a) Each reckless violation of this chapter is a civil
 
24 violation for which a penalty of not more than one hundred dollars ($100) per record may be
 
25 adjudged against a defendant.
 
26 (b) Each knowing and willful violation of this chapter is a civil violation for which a
 
27 penalty of not more than two hundred dollars ($200) per record may be adjudged against a
 
28 defendant.
 
29 (c) Whenever the attorney general has reason to believe that a violation of this chapter
 
30 has occurred and that proceedings would be in the public interest, the attorney general may bring
 
31 an action in the name of the state against the business or person in violation.
 
32 11-49.3-6. Agencies or persons with security breach procedures. -- (a) Any municipal
 
33 agency, state agency or person shall be deemed to be in compliance with the security breach
 
34 notification requirements of § 11-49.3-4, if:
 
LC000486/SUB B/2 - Page 9 of 10
 
1 (1) The municipal agency, state agency or person maintains its own security breach
 
2 procedures as part of an information security policy for the treatment of personal information and
 
3 otherwise complies with the timing requirements of § 11-49.3-4, and notifies subject persons in
 
4 accordance with such municipal agency's, state agency's, or person's notification policies in the
 
5 event of a breach of security; or
 
6 (2) The person maintains a security breach procedure pursuant to the rules, regulations,
 
7 procedures or guidelines established by the primary or functional regulator, as defined in 15
 
8 U.S.C. § 6809(2), and notifies subject persons in accordance with the policies or the rules,
 
9 regulations, procedures or guidelines established by the primary or functional regulator in the
 
10 event of a breach of security of the system.
 
11 (b) A financial institution, trust company, credit union or its affiliates that is subject to
 
12 and examined for, and found in compliance with the Federal Interagency Guidelines on Response
 
13 Programs for Unauthorized Access to Customer Information and Customer Notice shall be
 
14 deemed in compliance with this chapter.
 
15 (c) A provider of health care, health care service plan, health insurer, or a covered entity
 
16 governed by the medical privacy and security rules issued by the Federal Department of Health
 
17 and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations,
 
18 established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
 
19 shall be deemed in compliance with this chapter.
 
 
|Privacy
 
|Privacy
 
|11-49.3-2.-insecurity, 11-49.3-4. -disclosure, insecurity
 
|11-49.3-2.-insecurity, 11-49.3-4. -disclosure, insecurity
 
|-
 
|-
|[http://webserver.rilin.state.ri.us/Statutes/TITLE23/23-17/INDEX.HTM Rules and Regulations For Licensing of Hospitals - Section 27 (1973)]
+
|[http://webserver.rilin.state.ri.us/Statutes/TITLE23/23-17/INDEX.HTM Rules and Regulations for Licensing of Hospitals (1973)] [[Rules and Regulations for Licensing of Hospitals (1973)]]
|§ 23-17-27. Disclosure of nonparticipation in hospital service plan.
+
|
 
 
(a) Any health care facility licensed under this chapter which is not a participant in a hospital service plan shall post a notice, in a conspicuous place where it can be read by its patients which shall read, in substance, as follows:
 
 
 
To our patients:
 
 
 
This facility does not participate in a hospital service plan. You should know that you will be responsible for the payment of the hospital fees which you incur here.
 
 
 
(b) Any licensed health care facility which fails to post a disclosure notice shall not be entitled to charge any of its patients any amount, for hospital fees, in excess of that allowed had the facility participated in a hospital service plan.
 
 
|Health
 
|Health
 
|23-17-5.2-a-interrogation, 23-17-10.2-disclosure, 23-17-10.3.-disclosure, 23-17-10.4.-disclosure, 23-17-15-disclosure,  23-17-15.1.-disclosure, 23-17-19.1.-6- decisional interference, 23-17-27-disclosure,  23-17-46.-disclosure, 23-17-47-identification
 
|23-17-5.2-a-interrogation, 23-17-10.2-disclosure, 23-17-10.3.-disclosure, 23-17-10.4.-disclosure, 23-17-15-disclosure,  23-17-15.1.-disclosure, 23-17-19.1.-6- decisional interference, 23-17-27-disclosure,  23-17-46.-disclosure, 23-17-47-identification
 
|-
 
|-
 
|}
 
|}
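Review bot: the rewritten name cells for the Identity Theft Protection Act of 2015 row and the hospital licensing row now hold an external link and a wikilink with the same label side by side, so the rendered table prints each title twice. Keep only the wikilink in the table and move the webserver.rilin.state.ri.us link to the linked article page, which is presumably also where the statute text removed from the "Specific Clauses or the Law" column is meant to go, since that column is left as a bare "|" in each changed row. Separately, the unchanged Education mapping line reads "106-103-3-interrogation, blackmail" between 16-103-2 and 16-103-4; that looks like a typo for 16-103-3 and could be corrected in the same edit.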

Revision as of 08:11, 22 March 2020

{|class="wikitable sortable collapsible"
!Name of Article
!Specific Clauses or the Law
!Scope
!Mapping
|-
|Rhode Island 2019 S234
|
|Business
|6-48.1-5- (a)-exclusion, surveillance, (b)-surveillance, exclusion, (c)-(1)-surveillance,(2)-secondary use, 6-48.1-6-(a)-exclusion, (1)-surveillance, (2)-secondary use, (b)-secondary use, aggregation, disclosure, (c)-decisional interference, secondary use, 6.-48.1-7-(a)-decisional interference, (b)-exclusion, (c)-insecurity, (d)-?
|-
|RIGL §§27-18-52
|
|Genetic
|(b)(1)-interrogation, (b)(2)-interrogation, (b)(3)-disclosure, exclusion, (b)(4)-interrogation, secondary use, (c)-?(definitions)
|-
|RIGL §§27-18-52.1
|
|Genetic
|(a)-exclusion, (b)(1)-interrogation, (b)(2)-interrogation, (b)(3)-decisional interference, (b)(4)- interrogation, (c)-?
|-
|RIGL §§27-19-44
|
|Genetic
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use
|-
|RIGL §§27-20-39
|
|Genetic
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use
|-
|RIGL §§27-41-53
|
|Genetic
|(a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use
|-
|Rhode Island Gen. Laws Ann. §11-49.3-2(a)
|
|Agency
|§11-49.3-2-(a)-insecurity
|-
|R.I. Gen. Laws §28-56-1 to -6
|
|Employment
|28-56-2-(1)-interrogation, (2)-interrogation, (3)-interrogation, 28-56-3-interrogation, appropriation, 28-56-4-(1)-blackmail, interrogation, (2)-interrogation, blackmail, 28-56-5-(2)-surveillance, 28-56-6-?
|-
|R.I. Gen. Laws §16-103-1 to -6
|
|Education
|16-103-2-(1)-interrogation, (2)-interrogation, (3)-interrogation, 106-103-3-interrogation, blackmail, 16-103-4-(1)-blackmail, interrogation, (2)-blackmail, interrogation
|-
|Genetic Testing (2017)
|
|Genetic
|27-18-52-a-decisional interference, disclosure, 1-interrogation, secondary use, 2-interrogation, 3-decisional interference, disclosure, 4-interrogation
|-
|Identity Theft Protection Act of 2015 Identity Theft Protection Act of 2015
|
|Privacy
|11-49.3-2.-insecurity, 11-49.3-4. -disclosure, insecurity
|-
|Rules and Regulations for Licensing of Hospitals (1973) Rules and Regulations for Licensing of Hospitals (1973)
|
|Health
|23-17-5.2-a-interrogation, 23-17-10.2-disclosure, 23-17-10.3.-disclosure, 23-17-10.4.-disclosure, 23-17-15-disclosure, 23-17-15.1.-disclosure, 23-17-19.1.-6- decisional interference, 23-17-27-disclosure, 23-17-46.-disclosure, 23-17-47-identification
|}