CurrentCare Consent Policy
CurrentCare Opt-Out Consent Model Frequently Asked Questions
In July 2021, the consent model for Rhode Island’s Health Information Exchange (HIE) known as “CurrentCare” was approved by the Rhode Island state general assembly and the Governor’s office to transition to an “Opt-Out” model. This legislative change updates the consent language in the Rhode Island Health Information Exchange Act of 2008 from “opt-in” to “opt-out.” This frequently asked questions (FAQ) document has been prepared based on questions that RIQI has received or anticipates receiving about this legislative change. The document will be continually updated throughout the process of the transition.
-
What is CurrentCare?
- CurrentCare is a centralized “health information exchange” that helps to improve the quality, safety, equity, and value of health care by promoting interoperability, enhancing electronic communication between providers, and supporting public health goals, while keeping confidential healthcare information secure.
- CurrentCare provides a comprehensive record that is used to:
- Gain a better understanding of patients’ healthcare needs.
- Ensure that patients receive equity in healthcare services no matter where they seek care.
- Reduce redundant, costly, and unnecessary testing, which reduces healthcare costs.
- Reduce medical and medication errors.
- CurrentCare increases efficiency by reducing or eliminating unnecessary paperwork.
- CurrentCare improves public health reporting.
-
What is CurrentCare for Me?
- CurrentCare for Me collects medical information from primary care providers, specialists, hospitals, and lab/imaging facilities, and puts it in one secure place that is accessible by the patient. It is different from your doctor’s portal where you may be able to send emails to staff or request appointments.
- CurrentCare for Me gives you the ability to:
- Look up lab test results such as blood work, x-rays, and MRIs
- Track and double-check your medications
- Download and send your records to caregivers
- Assign Designees to help coordinate your care and receive alerts if you have an emergency
- CurrentCare for Me gives you the ability to:
- CurrentCare for Me collects medical information from primary care providers, specialists, hospitals, and lab/imaging facilities, and puts it in one secure place that is accessible by the patient. It is different from your doctor’s portal where you may be able to send emails to staff or request appointments.
-
What is the current CurrentCare consent model (“Opt-In”)?
- Since its inception, CurrentCare has operated under an opt-in consent model. This means that individuals need to sign up for CurrentCare to benefit from the system.
- RI has one of the most restrictive consent models in the nation and is the only state that has required enrollment prior to collecting data. In practice, this means that CurrentCare can be of limited utility for new enrollees and their healthcare team because historic data are not available.
-
What does changing the CurrentCare consent to Opt-Out mean?
- Opt-out will enable access to a complete medical record for all individuals receiving health care in RI. This is beneficial to both the patient and the medical community.
-
What is the value of Opt-Out for those who receive care in Rhode Island?
- Having medical data for all patients regardless of where they receive care is an essential tool for clinicians at the point of care. Having access to a patient’s complete medical record enables clinicians and their organizations to create workflows that improve patient care and better coordinate with other members of the healthcare team. It saves medical teams time from searching for information that may be scattered across multiple care sites.
-
How will patient privacy be protected?
- The privacy and security of the information of those enrolled in CurrentCare is of the utmost concern and importance to RIQI. RIQI has comprehensive privacy and information security policies, procedures, and safeguards to protect health information in accordance with applicable federal and state laws.
- RIQI is bound by all federal and other state privacy laws including the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and state healthcare confidentiality law. These laws allow data to be shared with treating providers, for treatment, payment, and operations (such as coordination of care).
- RIQI has privacy requirements, data sharing agreements, user agreements, role-based access requirements, and audit processes that are in line with industry standards and compliant with applicable laws.
-
What are CurrentCare’s security processes?
- RIQI maintains a robust information security program that is completely compliant with applicable law and commercially reasonable practices to protect the information of CurrentCare participants.
- There will be no difference in protections and security when moving to an opt-out consent model.
- Information security elements and controls are in place to protect CurrentCare information.
- Risk Assessments following National Institute of Standards and Technology (NIST) guidelines are regularly performed.
-
What security processes are in place to ensure patient data is safe?
- In 2021, Compass IT Compliance, LLC (Compass) was engaged by RIQI to perform a Centers for Medicare & Medicaid Services (CMS) Security and Privacy Assessment. The objective of the assessment was to examine and report on the controls put in place by RIQI to protect individually identifiable health information and comply with the requirements of the CMS. Controls were evaluated according to the NIST Special Publication 800‐53 Rev. 4 to include privacy controls for moderate and high systems processing, storing, or transmitting PII and PHI. Compass determined that the overall design and operating effectiveness of the controls in place at RIQI were appropriate to adequately protect individually identifiable health information and comply with the requirements of the CMS. No material findings were identified. Compass IT Compliance, LLC is a leading IT Compliance, Audit, and Security professional services organization in New England.
-
Has there ever been a violation or breach of CurrentCare data?
- No known or identified HIPAA violation or data breach of CurrentCare has occurred in its greater than 10-year history.
-
Do state agencies have access to the information in CurrentCare?
- State agencies do not have access to protected healthcare information unless it is for public health purposes. The change of CurrentCare to opt-out would enable RIQI to confidentially share health information that would in most cases already be shared with the RI Department of health (RIDOH).
- Information can be shared with public health authorities for the following reasons to carry out their functions as described in the HIE Act of 2008 and related rules.
- “CurrentCare data can only be shared for treatment purposes, operation, and oversight of system by RIQI, for approved/allowed public health purposes and, care coordination by health plans.”
- Opt-out assures that data RIDOH already has legal access to, is available in a cost efficient, secure, and streamlined manner.
- The same user access controls that are in place for healthcare providers who access protected health information (PHI) apply to any users within EOHHS agencies. A report of data requests is shared with the HIE Advisory Commission, which provides general oversight for CurrentCare.
- The HIE Advisory Commission approves the process for releasing PHI and may review requests for CurrentCare data that include PHI, requiring in all cases that the data disclosures are done in accordance with current laws with the required security protocols in place.
-
Will 42 CFR Part 2 laws change?
- 42 CFR Part 2 restrictions implemented in CurrentCare for access to substance use data will be unchanged as a result of the transition to Opt-Out.
- Furthermore, Rhode Island state law does not permit access to CurrentCare for groups such as law enforcement.
- In accordance with the HIE Act of 2008, the information in CurrentCare is not subject to subpoena unless the requested data cannot be obtained from the original source and a determination to release the information is made by the Superior Court.
-
How will sensitive records be handled?
- Substance use treatment information will remain under an opt-in consent model and will not be disclosed without the patient’s consent. Children’s records are only accessed by their treatment providers; no additional access is provided to parents, guardians, or others.
-
Can researchers access information in CurrentCare?
- Researchers can receive de-identified data. They must submit requests for CurrentCare data through a formal process that has been reviewed and approved by the HIE Advisory Commission and according to the applicable laws. If approved, data are de-identified by RIQI either through the removal of all protected health information (“safe harbor”; § 164.514(b)(2)) or through an expert determined process (§ 14.514(b)(1)) before sharing with the researcher.
-
How will patients’ rights be protected under an opt-out consent model?
- The change to opt-out would ensure equitable healthcare services for all patients who seek medical care, regardless of where care is sought.
- Patients will be able to opt-out of having their data shared, except for the situations where their data is already shared by law, such as for public health purposes and emergencies like COVID-19.
- The use of health data from CurrentCare is restricted to those deemed allowable by applicable laws, such as HIPAA.
- Requirements for consent to share 42 CFR Part 2 (substance use) will remain intact. There are mechanisms in place whereby health data for individuals who choose to opt-out of CurrentCare will not be shared.
-
How does RIQI plan to communicate the change to opt-out to Rhode Islanders?
- We will engage with the community including patients to communicate the changes. RIQI, RIDOH, other state agencies, and consumers will contribute to the development of a carefully constructed opt-out implementation plan.
- The implementation plan will include a major communications component, and the transition to opt-out will not begin until the initial communications have occurred.
-
When will the new consent model be implemented?
- We do not have a definitive timeline or target date at this time. Because this process is going to be so participatory, we are developing the anticipated timeline after consultation with the community and the resulting regulatory changes. There will be a sequence of events that define the regulations that would enact the opt-out consent model. RIQI is also developing a timeline for technical implementation and working with our partners to align our technical changeover with the regulatory process. We will post timelines, target dates, and additional information as they are determined.
-
What are the House Bill details and timeline of events?
House Bill No. 6210 SUB A
By: Donovan, Kazarian, Casimiro, Speakman, Carson, Tanzi, Fogarty, Ajello
Entitled: AN ACT RELATING TO BUSINESSES AND PROFESSIONS — RHODE ISLAND HEALTH INFORMATION EXCHANGE ACT OF 2008
TIMELINE OF EVENTS:
04/07/2021 Introduced, referred to House Health & Human Services
06/16/2021 House passed Sub A
06/17/2021 Referred to Senate Health and Human Services
06/30/2021 Senate passed Sub A in concurrence
07/12/2021 Signed by Governor
-
What are the Senate Bill details and timeline of events?
Senate Bill No. 495 SUB A
By: Miller, Valverde, Goldin, DiMario
Entitled: AN ACT RELATING TO BUSINESSES AND PROFESSIONS – RHODE ISLAND HEALTH INFORMATION EXCHANGE ACT OF 2008
TIMELINE OF EVENTS:
03/04/2021 Introduced, referred to Senate Health and Human Services
06/24/2021 Senate passed Sub A
06/25/2021 Referred to House Health & Human Services
06/30/2021 House passed Sub A in concurrence
07/12/2021 Signed by Governor
-
What is the passed language of the House and Senate Bill?
Senate: 2021-S0495: https://webserver.rilin.state.ri.us/BillText/BillText21/SenateText21/S0495A.pdf
House: 2021-H6210: https://webserver.rilin.state.ri.us/BillText/BillText21/HouseText21/H6210A.pdf