Can I use third-party collaboration tools that collect personal information in Rhode Island? What are the requirements?
Use of Third-Party Collaboration Tools in Rhode Island
Rhode Island has regulations in place to protect nonpublic personal financial information (NPI) and nonpublic personal health information (NPHI) of consumers. The regulations are outlined in the Rhode Island Code of Regulations, Title 230, Chapter 20-60-7.
Nonpublic Personal Financial Information (NPI)
If a licensee receives NPI from a nonaffiliated financial institution under an exception in §§ 7.16 or 7.17 of this Part, the licensee’s disclosure and use of that information is limited. The licensee may disclose the information to its affiliates, but the licensee’s affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information. The licensee may disclose and use the information pursuant to an exception in §§ 7.16 or 7.17 of this Part, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information. If a licensee receives NPI from a nonaffiliated financial institution other than under an exception in §§ 7.16 or 7.17 of this Part, the licensee may disclose the information only to its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information. The licensee may also disclose the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
Nonpublic Personal Health Information (NPHI)
A licensee shall not disclose NPHI about a consumer or customer unless an authorization is obtained from the consumer or customer whose NPHI is sought to be disclosed. However, nothing in this Part shall prohibit, restrict or require an authorization for the disclosure of NPHI by a licensee for the performance of certain insurance functions. These functions include claims administration, claims adjustment and management, detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity, underwriting, policy placement or issuance, loss control, ratemaking and guaranty fund functions, reinsurance and excess loss insurance, risk management, case management, disease management, quality assurance, quality improvement, performance evaluation, provider credentialing verification, utilization review, peer review activities, actuarial, scientific, medical or public policy research, grievance procedures, internal administration of compliance, managerial, and information systems, policyholder service functions, auditing, reporting, database security, administration of consumer disputes and inquiries, external accreditation standards, the replacement of a group benefit plan or workers compensation policy or program, activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit, any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services, 45 C.F.R. Part 160 and Subparts A and E of Part 164, disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes, and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process.
Conclusion
Rhode Island has strict regulations in place to protect NPI and NPHI of consumers. If a third-party collaboration tool collects NPI or NPHI, the licensee must ensure that the disclosure and use of that information is limited and complies with the regulations outlined in the Rhode Island Code of Regulations, Title 230, Chapter 20-60-7. If the third-party collaboration tool is used for insurance functions, the licensee may disclose NPHI without obtaining authorization from the consumer or customer.
Based on the information provided, it is unclear what type of personal information the third-party collaboration tool collects. Therefore, it is recommended that the licensee review the regulations outlined in the Rhode Island Code of Regulations, Title 230, Chapter 20-60-7 and ensure that the use of the third-party collaboration tool complies with the regulations.
Source(s):
- [1.1] Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
- [1.2] Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information
- [1.3] When Authorization Required for Disclosure of Nonpublic Personal Health Information
- [3.1] Magnetic and Electronic Record Requirements
Jurisdiction
Rhode Island