Can I ensure that my company is compliant with expanding privacy protections in Rhode Island? What are the requirements?
To ensure that your company is compliant with expanding privacy protections in Rhode Island, you must follow the requirements outlined in the following documents:
- 230 RICR 20-60-7.10: Privacy Notices to Group Policyholders
- 230 RICR 20-60-7.7: Information To Be Included In Privacy Notices
- 216 RICR 10-10-6.6: Security Requirements
- 230 RICR 20-60-7.9: Revised Privacy Notices
- 230 RICR 20-60-7.5: Initial Privacy Notice to Consumers Required
- 230 RICR 20-60-7.6: Annual Privacy Notice to Customers Required
Privacy Notices
According to 230 RICR 20-60-7.10, if your company is providing privacy notices to group policyholders, you must provide initial, annual, and revised notices to the plan sponsor, group or blanket insurance policyholder or group annuity contractholder, or workers’ compensation policyholder. These notices must describe your company’s privacy practices with respect to nonpublic personal information about individuals covered under the policies, contracts, or plans.
The information that must be included in these notices is outlined in 230 RICR 20-60-7.7. This includes the categories of nonpublic personal financial information that your company collects and discloses, the categories of affiliates and nonaffiliated third parties to whom your company discloses nonpublic personal financial information, and an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties.
Revised Privacy Notices
Revised privacy notices must be provided to consumers in accordance with 230 RICR 20-60-7.9. A licensee shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under § 7.5 of this Part, unless the licensee has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices. The licensee must also provide a new opt-out notice and give the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure.
Initial and Annual Privacy Notices
Initial and annual privacy notices must be provided to consumers in accordance with 230 RICR 20-60-7.5 and 230 RICR 20-60-7.6, respectively. A licensee shall provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to the customer and consumer. The initial notice must be provided not later than when the licensee establishes a customer relationship, and the annual notice must be provided not less than annually during the continuation of the customer relationship. The notices must describe the licensee’s privacy policies and practices with respect to nonpublic personal financial information about the consumer and the customer, respectively.
Security Requirements
To ensure the confidentiality, integrity, and availability of confidential health information, your company must implement security procedures pursuant to R.I. Gen. Laws § 5-37.7-8, as outlined in 216 RICR 10-10-6.6. Your company must have in place appropriate physical, technical, and procedural safeguards and security measures to ensure the technical integrity, physical safety, and confidentiality of any confidential health information in the HIE. These safeguards and security measures must comply with State and Federal confidentiality laws and Regulations including, without limitation, the Health Insurance Portability and Accountability Act of 1996 and its implementing Regulations (45 C.F.R. Parts 160 through 164), HITECH and the HIPAA Final Omnibus Rule.
Your company must also develop appropriate and scalable security standards, policies, and procedures in compliance with the Rhode Island Division of Information Technology Enterprise Strategy and Services policies, which are developed in alignment with the National Institute of Standards and Technology (NIST) security policies and controls. Additionally, your company must perform periodic assessments of security risks and controls to establish whether its controls are effective, to correct any deficiency identified, and to reduce or eliminate any vulnerabilities.
In summary, to ensure compliance with expanding privacy protections in Rhode Island, your company must provide initial, annual, and revised privacy notices to consumers, customers, and group policyholders; implement appropriate physical, technical, and procedural safeguards and security measures to ensure the confidentiality, integrity, and availability of confidential health information; and comply with the requirements outlined in the relevant documents.
Jurisdiction
Rhode Island