Rhode Island

From Privacy Wiki
Revision as of 10:23, 13 March 2020 by Eg (Creating Rhode Island)
Name of Article | Specific Clauses or the Law | Scope | Mapping
Rhode Island 2019 S234 6-48.1-5. Information disclosed upon request. (a) A consumer shall have the right to request that a business that collects, maintains or sells personal information about the consumer disclose to the consumer the following: (1) The categories of personal information it has collected about that consumer; (2) The categories of sources from which the personal information is collected; (3) The business or commercial purpose for collecting or selling personal information; (4) The categories of third parties with whom the business shares personal information; (5) The specific pieces of personal information it has collected about that consumer. (b) A business that collects personal information about a consumer shall disclose to the consumer the information specified in subsection (a) of this section upon receipt of a verifiable request from the consumer. (c) This section does not require a business to do the following: (1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained; (2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

6-48.1-6. Businesses that sell information. (a) A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer: (1) The categories of personal information that the business collected about the consumer; (2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; (3) The categories of personal information that the business disclosed about the consumer for a business purpose. (b) A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, the information specified in subsection (a) of this section to the consumer upon receipt of a verifiable request from the consumer. (c) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to this chapter. 6-48.1-7. Opt-out. (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt out. (b) A business that sells consumers' personal information to third parties shall provide notice to consumers, that this information may be sold and that consumers have the right to opt out of the sale of their personal information.
(c) A business that has received direction from a consumer not to sell the consumer's personal information or, in the case of a minor consumer's personal information has not received consent to sell the minor consumer's personal information shall be prohibited from selling the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization for the sale of the consumer's personal information. (d) Notwithstanding subsection (a) of this section, a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than sixteen (16) years of age, unless the consumer, in the case of consumers between thirteen (13) and sixteen (16) years of age, or the consumer's parent or guardian, in the case of consumers who are less than thirteen (13) years of age, has affirmatively authorized the sale of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age. This right may be referred to as the "right to opt in."

Business 6-48.1-5-(a)-exclusion, surveillance, (b)-surveillance, exclusion, (c)-(1)-surveillance, (2)-secondary use, 6-48.1-6-(a)-exclusion, (1)-surveillance, (2)-secondary use, (b)-secondary use, aggregation, disclosure, (c)-decisional interference, secondary use, 6-48.1-7-(a)-decisional interference, (b)-exclusion, (c)-insecurity, (d)-?
RIGL §§27-18-52 (a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.

(b) No individual or group health insurance contract, plan, or policy delivered, issued for delivery, or renewed in this state which provides health insurance medical coverage that includes coverage for physician services in a physician's office, and every policy which provides major medical or similar comprehensive-type coverage excluding disability income, long term care and insurance supplemental policies which only provide coverage for specified diseases or other supplemental policies, shall: (1) Use a genetic test or request for genetic tests or the results of a genetic test to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or an individual health insurance policy, contract, or plan; (2) Request or require a genetic test for the purpose of determining whether or not to issue or renew an individual's health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services; (3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format whereby individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose this information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure; an exception shall exist for participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule"). (4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes. 
(c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, proteins and certain metabolites in order to detect heritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. Those purposes include predicting risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, as well as testing in high risk families may be included provided there is an approved release by a parent or guardian. Tests for metabolites are covered only when they are undertaken with high probability that an excess of deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis or a test for drugs or for HIV infections.

Genetic (b)(1)-interrogation, (b)(2)-interrogation, (b)(3)-disclosure, exclusion, (b)(4)-interrogation, secondary use, (c)-?(definitions)
RIGL §§27-18-52.1 (a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.

(b) No individual or group health insurance contract, plan, or policy delivered, issued for delivery, or renewed in this state, which provides medical coverage that includes coverage for physician services in a physician's office, and every policy which provides major medical or similar comprehensive-type coverage excluding disability income, long term care and insurance supplemental policies which only provide coverage for specified diseases or other supplemental policies, shall: (1) Use genetic information or request for genetic information or the results of genetic information or other genetic information to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or otherwise affect a group or an individual's health insurance policy, contract, or plan; (2) Request or require genetic information for the purpose of determining whether or not to issue or renew an individual's health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services; (3) Release the results of genetic information without the prior written authorization of an individual from whom the information was obtained, except in a format where individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose the information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure. An exception shall exist for participation in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule"); (4) Request or require information as to whether an individual has genetic information, or participated in genetic information of any kind, whether for clinical or research purposes. 
(c) For the purposes of this section, "genetic information" is information about genes, gene product, or inherited characteristics that may derive from the individual or a family member.

Genetic (a)-exclusion, (b)(1)-interrogation, (b)(2)-interrogation, (b)(3)-decisional interference, (b)(4)- interrogation, (c)-?
RIGL §§27-19-44 (a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.

(b) No nonprofit health service corporation subject to the provisions of this chapter shall: (1) Use a genetic test or request for a genetic test or the results of a genetic test or other genetic information to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or an individual's health insurance policy, contract, or plan; (2) Request or require a genetic test for the purpose of determining whether or not to issue or renew a group, individual health benefits coverage to set reimbursement/co-pay levels or determine covered benefits and services; (3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format by which individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose the information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure. An exception shall exist for participation in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"); (4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes. (c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, proteins and certain metabolites in order to detect heritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. These purposes include predicating risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. 
Prenatal, newborn and carrier screening, as well as testing in high risk families may be included provided there is an approved release by a parent or guardian. Tests for metabolites are covered only when they are undertaken with high probability that an excess of deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis, or a test for drugs or for HIV infection.

Genetic (a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use
RIGL §§27-20-39 (a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.

(b) No nonprofit health insurer subject to the provisions of this chapter shall: (1) Use a genetic test or request for a genetic test or the results of a genetic test to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or individual's health insurance policy, contract, or plan; (2) Request or require a genetic test for the purpose of determining whether or not to issue or renew health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services; (3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format by which individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose the information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure. An exception shall exist for participation in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"); or (4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes. (c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, proteins and certain metabolites in order to detect heritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. Those purposes include predicting risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, as well as testing in high risk families may be included provided there is an approved release by a parent or guardian. 
Tests for metabolites are covered only when they are undertaken with high probability that an excess of deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis or a test for drugs or for HIV infections.

Genetic (a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use
RIGL §§27-41-53 (a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.

(b) No health maintenance organization subject to the provisions of this chapter shall: (1) Use a genetic test or request for genetic test the results of a genetic test to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or an individual's health insurance policy contract, or plan; (2) Request or require a genetic test for the purpose of determining whether or not to issue or renew an individual's health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services; (3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format where individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose the information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each re-disclosure. An exception shall exist for participation in research settings governed by the federal policy for the protection of human research subjects (also known as "The Common Rule"); or (4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes. (c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, protein and certain metabolites in order to detect heritable inheritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. Those purposes include predicting risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, and testing in high risk families may be included provided there is an approved release by a parent or guardian. 
Tests for metabolites are covered only when they are undertaken with high probability that an excess or deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis or a test for drugs or for HIV infections.

Genetic (a)-decisional interference, (b)-(1)surveillance, interrogation, (2)-interrogation, identification?, decisional interference, (3)-decisional interference, disclosure, secondary use, (4)-interrogation, (c)-secondary use
Rhode Island Gen. Laws Ann. §11-49.3-2(a) (a) A municipal agency, state agency, or person who or that stores, collects, processes, maintains, acquires, uses, owns, or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure and to preserve the confidentiality, integrity, and availability of such information. A municipal agency, state agency, or person shall not retain personal information for a period longer than is reasonably required to provide the services requested; to meet the purpose for which it was collected; or in accordance with a written retention policy or as may be required by law. A municipal agency, state agency, or person shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure. Agency §11-49.3-2-(a)-insecurity
R.I. Gen. Laws §28-56-1 to -6 § 28-56-2. Social media password requests prohibited.

No employer shall: (1) Require, coerce, or request an employee or applicant to disclose the password or any other means for accessing a personal social media account; (2) Require, coerce, or request an employee or applicant to access a personal social media account in the presence of the employer or representative; (3) Require or coerce an employee or applicant to divulge any personal social media account information, except when reasonably believed to be relevant to an investigation of allegations of employee misconduct or workplace-related violation of applicable laws and regulations and when not otherwise prohibited by law or constitution; provided that the information is accessed and used solely to the extent necessary for purposes of that investigation or a related proceeding. § 28-56-3. Social media access requests prohibited.

No employer shall compel an employee or applicant to add anyone, including the employer or their agent, to their list of contacts associated with a personal social media account or require, request, or cause an employee or applicant to alter settings that affect a third party's ability to view the contents of a personal social media account. § 28-56-4. Disciplinary actions prohibited.

No employer shall: (1) Discharge, discipline, or otherwise penalize or threaten to discharge, discipline, or otherwise penalize any employee for an employee's refusal to disclose or provide access to any information specified in § 28-56-2, or for refusal to add the employer to his or her list of contacts associated with a personal social media account, or to alter the settings associated with a personal social media account, as specified in § 28-56-3; or (2) Fail or refuse to hire any applicant as a result of the applicant's refusal to disclose or provide access to any information specified in § 28-56-2, or for refusal to add the employer or their agent to their list of contacts associated with a personal social media account, or to alter the settings associated with a personal social media account, as specified in § 28-56-3. § 28-56-5. Exceptions.

(a) This chapter shall not apply to information about an applicant or employee that is publicly available. (b) This chapter shall not prohibit or restrict an employer from complying with a duty to screen employees or applicants before hiring or to monitor or retain employee communications that is established by a self-regulatory organization as defined by the Securities and Exchange Act of 1934, 15 U.S.C. § 78c(a)(26) or under state or federal law or regulation to the extent necessary to supervise communications of regulated financial institutions insurance or securities licensees for banking insurance or securities related business purposes.

Employment 28-56-2-(1)-interrogation, (2)-interrogation, (3)-interrogation, 28-56-3-interrogation, appropriation, 28-56-4-(1)-blackmail, interrogation, (2)-interrogation, blackmail, 28-56-5-(2)-surveillance, 28-56-6-?
R.I. Gen. Laws §16-103-1 to -6 § 16-103-2 Social media password requests prohibited. – No educational institution shall:

(1) Require, coerce, or request a student or prospective student to disclose the password or any other means for accessing a personal social media account; (2) Require, coerce, or request a student or prospective student to access a personal social media account in the presence of the educational institution's employee or representative; or (3) Require or coerce a student or prospective student to divulge any personal social media account information. § 16-103-3. Social media access requests prohibited.

No educational institution shall compel a student or applicant, as a condition of acceptance or participation in curricular or extracurricular activities, to add anyone, including a coach, teacher, school administrator, or other school employee or school volunteer, to his or her list of contacts associated with a personal social media account or require, request, or cause a student or applicant to alter settings that affect a third party's ability to view the contents of a personal social media account. § 16-103-4. Disciplinary action prohibited.

No educational institution shall: (1) Discharge, discipline, or otherwise penalize or threaten to discharge, discipline, or otherwise penalize any student for a student's refusal to disclose or provide access to any information specified in § 16-103-2, or for refusal to add a coach, teacher, administrator, or other school employee or school volunteer to his or her list of contacts associated with a personal social media account, or to alter settings associated with a personal social media account, as specified in § 16-103-3; or (2) Fail or refuse to admit any applicant as a result of the applicant's refusal to disclose or provide access to any information specified in § 16-103-2 or for refusal to add a coach, teacher, school administrator, or other school employee or school volunteer to his or her list of contacts associated with a personal social media account or to alter settings associated with a personal social media account, as specified in § 16-103-3.

Education 16-103-2-(1)-interrogation, (2)-interrogation, (3)-interrogation, 16-103-3-interrogation, blackmail, 16-103-4-(1)-blackmail, interrogation, (2)-blackmail, interrogation
Genetic Testing (2017) 2017 Rhode Island General Laws

Title 27 - Insurance, Chapter 27-18 - Accident and Sickness Insurance Policies, Section 27-18-52 - Genetic testing.

§ 27-18-52. Genetic testing.

(a) Except as provided in chapter 37.3 of title 5, insurance administrators, health plans and providers shall be prohibited from releasing genetic information without prior written authorization of the individual. Written authorization shall be required for each disclosure and include to whom the disclosure is being made. An exception shall exist for those participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule"). Tests conducted purely for research are excluded from the definition, as are tests for somatic (as opposed to heritable) mutations, and testing for forensic purposes.

(b) No individual or group health insurance contract, plan, or policy delivered, issued for delivery, or renewed in this state which provides health insurance medical coverage that includes coverage for physician services in a physician's office, and every policy which provides major medical or similar comprehensive-type coverage excluding disability income, long term care and insurance supplemental policies which only provide coverage for specified diseases or other supplemental policies, shall:

(1) Use a genetic test or request for genetic tests or the results of a genetic test to reject, deny, limit, cancel, refuse to renew, increase the rates of, affect the terms or conditions of, or affect a group or an individual health insurance policy, contract, or plan;

(2) Request or require a genetic test for the purpose of determining whether or not to issue or renew an individual's health benefits coverage, to set reimbursement/co-pay levels or determine covered benefits and services;

(3) Release the results of a genetic test without the prior written authorization of the individual from whom the test was obtained, except in a format whereby individual identifiers are removed, encrypted, or encoded so that the identity of the individual is not disclosed. A recipient of information pursuant to this section may use or disclose this information solely to carry out the purpose for which the information was disclosed. Authorization shall be required for each redisclosure; an exception shall exist for participating in research settings governed by the Federal Policy for the Protection of Human Research Subjects (also known as "The Common Rule").

(4) Request or require information as to whether an individual has ever had a genetic test, or participated in genetic testing of any kind, whether for clinical or research purposes.

(c) For the purposes of this section, "genetic testing" is the analysis of an individual's DNA, RNA, chromosomes, proteins and certain metabolites in order to detect heritable disease-related genotypes, mutations, phenotypes or karyotypes for clinical purposes. Those purposes include predicting risk of disease, identifying carriers, establishing prenatal and clinical diagnosis or prognosis. Prenatal, newborn and carrier screening, as well as testing in high risk families may be included provided there is an approved release by a parent or guardian. Tests for metabolites are covered only when they are undertaken with high probability that an excess of deficiency of the metabolite indicates the presence of heritable mutations in single genes. "Genetic testing" does not mean routine physical measurement, a routine chemical, blood, or urine analysis or a test for drugs or for HIV infections.

Genetic 27-18-52-a-decisional interference, disclosure, 1-interrogation, secondary use, 2-interrogation, 3-decisional interference, disclosure, 4-interrogation
Identity Theft Protection Act of 2015 11-49.3-1. Short title. -- This chapter shall be known and may be cited as the "Rhode Island Identity Theft Protection Act of 2015."

11-49.3-2. Risk-based information security program. -- (a) A municipal agency, state agency or person that stores, collects, processes, maintains, acquires, uses, owns or licenses personal information about a Rhode Island resident shall implement and maintain a risk-based information security program which contains reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction or disclosure and to preserve the confidentiality, integrity, and availability of such information. A municipal agency, state agency or person shall not retain personal information for a period longer than is reasonably required to provide the services requested, to meet the purpose for which it was collected, or in accordance with a written retention policy or as may be required by law. A municipal agency, state agency or person shall destroy all personal information, regardless of the medium that such information is in, in a secure manner, including, but not limited to, shredding, pulverization, incineration, or erasure.

(b) A municipal agency, state agency or person that discloses personal information about a Rhode Island resident to a nonaffiliated third party shall require by written contract that the third party implement and maintain reasonable security procedures and practices appropriate to the size and scope of the organization, the nature of the information and the purpose for which the information was collected in order to protect the personal information from unauthorized access, use, modification, destruction, or disclosure. The provisions of this section shall apply to contracts entered into after the effective date of this act.

11-49.3-3. Definitions. -- (a) The following definitions apply to this section:

(1) "Breach of the security of the system" means unauthorized access or acquisition of unencrypted computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency or person. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system; provided, that the personal information is not used or subject to further unauthorized disclosure.

(2) "Encrypted" means the transformation of data through the use of a one hundred twenty-eight (128) bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Data shall not be considered to be encrypted if it is acquired in combination with any key, security code, or password that would permit access to the encrypted data.

(3) "Health Insurance Information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual.

(4) "Medical Information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional or provider.

(5) "Municipal agency" means any department, division, agency, commission, board, office, bureau, authority, quasi-public authority, or school, fire or water district within Rhode Island other than a state agency and any other agency that is in any branch of municipal government and exercises governmental functions other than in an advisory nature.

(6) "Owner" means the original collector of the information.

(7) "Person" shall include any individual, sole proprietorship, partnership, association, corporation, or joint venture, business or legal entity, trust, estate, cooperative or other commercial entity.

(8) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted or are in hard copy paper format:

(i) Social security number;

(ii) Driver's license number, or Rhode Island identification card number or tribal identification number;

(iii) Account number, credit or debit card number, in combination with any required security code, access code, password or personal identification number that would permit access to an individual's financial account;

(iv) Medical or health insurance information; or

(v) E-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance or financial account.

(9) "Remediation service provider" means any person which in its usual course of business provides services pertaining to a consumer credit report including, but not limited to, credit report monitoring and alerts, that are intended to mitigate the potential for identity theft.

(10) "State agency" means any department, division, agency, commission, board, office, bureau, authority, or quasi-public authority within Rhode Island, either branch of the Rhode Island general assembly, or an agency or committee thereof, the judiciary, or any other agency that is in any branch of Rhode Island state government and which exercises governmental functions other than in an advisory nature.
28 (b) For purposes of this section, personal information does not include publicly available 29 information that is lawfully made available to the general public from federal, state or local 30 government records. 31 (c) For purposes of this section, "notice" may be provided by one of the following 32 methods: 33 (i) Written notice; 34 (ii) Electronic notice, if the notice provided is consistent with the provisions regarding LC000486/SUB B/2 - Page 7 of 10 1 electronic records and signatures set forth in 15 U.S.C. § 7001; 2 (iii) Substitute notice, if the municipal agency, state agency or person demonstrates that 3 the cost of providing notice would exceed twenty-five thousand dollars ($25,000), or that the 4 affected class of subject persons to be notified exceeds fifty thousand (50,000), or the municipal 5 agency, state agency or person does not have sufficient contact information. Substitute notice 6 shall consist of all of the following: 7 (A) E-mail notice when the municipal agency, state agency or person has an e-mail 8 address for the subject persons; 9 (B) Conspicuous posting of the notice on the municipal agency's, state agency's or 10 person's website page, if the municipal agency, state agency or person maintains one; and 11 (C) Notification to major statewide media. 12 11-49.3-4. Notification of breach. -- (a)(1) Any municipal agency, state agency or 13 person that stores, owns, collects, processes, maintains, acquires, uses or licenses data that 14 includes personal information, shall provide notification as set forth in this section of any 15 disclosure of personal information, or any breach of the security of the system, which poses a 16 significant risk of identity theft to any resident of Rhode Island whose personal information was, 17 or is reasonably believed to have been, acquired by an unauthorized person or entity. 
18 (2) The notification shall be made in the most expedient time possible but no later than 19 forty-five (45) calendar days after confirmation of the breach and the ability to ascertain the 20 information required to fulfill the notice requirements contained in subsection (d) of this section 21 and shall be consistent with the legitimate needs of law enforcement as provided in subsection (c) 22 of this section. In the event that more than five hundred (500) Rhode Island residents are to be 23 notified, the municipal agency, state agency or person shall notify the attorney general and the 24 major credit reporting agencies as to the timing, content and distribution of the notices and the 25 approximate number of affected individuals. Notification to the attorney general and the major 26 credit reporting agencies shall be made without delaying notice to affected Rhode Island 27 residents. 28 (b) The notification required by this section may be delayed if a federal, state or local law 29 enforcement agency determines that the notification will impede a criminal investigation. The 30 federal, state or local law enforcement agency must notify the municipal agency, state agency or 31 person of the request to delay notification without unreasonable delay. If notice is delayed due to 32 such determination then as soon as the federal, state or municipal law enforcement agency 33 determines and informs the municipal agency, state agency or person that notification no longer 34 poses a risk of impeding an investigation, notice shall be provided, as soon as practicable LC000486/SUB B/2 - Page 8 of 10 1 pursuant to § 11-49.3-4(a)(2). 
The municipal agency, state agency or person shall cooperate with 2 federal, state or municipal law enforcement in its investigation of any breach of security or 3 unauthorized acquisition or use, which shall include the sharing of information relevant to the 4 incident; provided however, that such disclosure shall not require the disclosure of confidential 5 business information or trade secrets. 6 (c) Any municipal agency, state agency or person required to make notification under this 7 section and who fails to do so is liable for a violation as set forth in § 11-49.3-5. 8 (d) The notification to individuals must include the following information to the extent 9 known: 10 (1) A general and brief description of the incident, including how the security breach 11 occurred and the number of affected individuals; 12 (2) The type of information that was subject to the breach; 13 (3) Date of breach, estimated date of breach or the date range within which the breach 14 occurred; 15 (4) Date that the breach was discovered; 16 (5) A clear and concise description of any remediation services offered to affected 17 individuals including toll free numbers and websites to contact: (i) The credit reporting agencies; 18 (ii) Remediation service providers; (iii) The attorney general; and 19 (6) A clear and concise description of: the consumer's ability to file or obtain a police 20 report; how a consumer requests a security freeze and the necessary information to be provided 21 when requesting the security freeze; and that fees may be required to be paid to the consumer 22 reporting agencies. 23 11-49.3-5. Penalties for violation. -- (a) Each reckless violation of this chapter is a civil 24 violation for which a penalty of not more than one hundred dollars ($100) per record may be 25 adjudged against a defendant. 
26 (b) Each knowing and willful violation of this chapter is a civil violation for which a 27 penalty of not more than two hundred dollars ($200) per record may be adjudged against a 28 defendant. 29 (c) Whenever the attorney general has reason to believe that a violation of this chapter 30 has occurred and that proceedings would be in the public interest, the attorney general may bring 31 an action in the name of the state against the business or person in violation. 32 11-49.3-6. Agencies or persons with security breach procedures. -- (a) Any municipal 33 agency, state agency or person shall be deemed to be in compliance with the security breach 34 notification requirements of § 11-49.3-4, if: LC000486/SUB B/2 - Page 9 of 10 1 (1) The municipal agency, state agency or person maintains its own security breach 2 procedures as part of an information security policy for the treatment of personal information and 3 otherwise complies with the timing requirements of § 11-49.3-4, and notifies subject persons in 4 accordance with such municipal agency's, state agency's, or person's notification policies in the 5 event of a breach of security; or 6 (2) The person maintains a security breach procedure pursuant to the rules, regulations, 7 procedures or guidelines established by the primary or functional regulator, as defined in 15 8 U.S.C. § 6809(2), and notifies subject persons in accordance with the policies or the rules, 9 regulations, procedures or guidelines established by the primary or functional regulator in the 10 event of a breach of security of the system. 11 (b) A financial institution, trust company, credit union or its affiliates that is subject to 12 and examined for, and found in compliance with the Federal Interagency Guidelines on Response 13 Programs for Unauthorized Access to Customer Information and Customer Notice shall be 14 deemed in compliance with this chapter. 
15 (c) A provider of health care, health care service plan, health insurer, or a covered entity 16 governed by the medical privacy and security rules issued by the Federal Department of Health 17 and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, 18 established pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) 19 shall be deemed in compliance with this chapter.

Privacy 11-49.3-2.-insecurity, 11-49.3-4. -disclosure, insecurity
Rules and Regulations For Licensing of Hospitals - Section 27 (1973) § 23-17-27. Disclosure of nonparticipation in hospital service plan.

(a) Any health care facility licensed under this chapter which is not a participant in a hospital service plan shall post a notice, in a conspicuous place where it can be read by its patients which shall read, in substance, as follows:

To our patients:

This facility does not participate in a hospital service plan. You should know that you will be responsible for the payment of the hospital fees which you incur here.

(b) Any licensed health care facility which fails to post a disclosure notice shall not be entitled to charge any of its patients any amount, for hospital fees, in excess of that allowed had the facility participated in a hospital service plan.

Health 23-17-5.2-a-interrogation, 23-17-10.2-disclosure, 23-17-10.3.-disclosure, 23-17-10.4.-disclosure, 23-17-15-disclosure, 23-17-15.1.-disclosure, 23-17-19.1.-6- decisional interference, 23-17-27-disclosure, 23-17-46.-disclosure, 23-17-47-identification