Rhode Island 2025 Regular Session

Rhode Island Senate Bill S0824 Compare Versions

Only one version of the bill is available at this time.
2025 -- S 0824
========
LC002361
========
STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2025
____________

AN ACT
RELATING TO HEALTH AND SAFETY -- REPRODUCTIVE FREEDOM AND GENDER AFFIRMING CARE HEALTH DATA PRIVACY ACT
Introduced By: Senators LaMountain, Lawson, Murray, DiPalma, Gu, Sosnowski, Urso, Bissaillon, McKenney, and Vargas
Date Introduced: March 14, 2025
Referred To: Senate Judiciary

It is enacted by the General Assembly as follows:
SECTION 1. Title 23 of the General Laws entitled "HEALTH AND SAFETY" is hereby amended by adding thereto the following chapter:
CHAPTER 101.1
REPRODUCTIVE FREEDOM AND GENDER-AFFIRMING CARE HEALTH DATA PRIVACY ACT
23-101.1-1. Title.
This act shall be known and may be cited as the “Reproductive Freedom and Gender-Affirming Care Data Privacy Act.”
23-101.1-2. Definitions.
As used in this chapter:
(1) "Abortion" means the termination of a pregnancy for purposes other than producing a live birth.
(2) "Affiliate" means a legal entity that shares common branding with another legal entity and controls, is controlled by, or is under common control with another legal entity. For the purposes of this definition, "control" or "controlled" means:
(i) Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a company;
(ii) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(iii) The power to exercise controlling influence over the management of a company.
(3) "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights afforded in this chapter is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the consumer health data at issue.
(4) "Biometric data" means data that is generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics and that identifies a consumer, whether individually or in combination with other data. Biometric data includes, but is not limited to:
(i) Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or
(ii) Keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.
(5) "Collect" means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner, including receiving the data from the individual, either actively or passively, or by observing or tracking the individual’s online activity or precise location.
(6)(i) "Consent" means a clear affirmative act that signifies a consumer's freely given, specific, informed, opt-in, voluntary, and unambiguous agreement, which may include written consent provided by electronic means, provided:
(A) The request is provided to the consumer in a clear and conspicuous stand-alone disclosure;
(B) The request includes a description of the processing purpose for which the consumer’s consent is sought and clearly states the specific categories of personal data that the regulated entity intends to collect, process, or transfer;
(C) The request is made available to the consumer in each language in which the regulated entity provides a product or service for which authorization is sought and, in a manner, reasonably accessible to consumers with disabilities.
(ii) "Consent" may not be obtained by:
(A) A consumer's acceptance of a general or broad terms of use agreement or a similar document that contains descriptions of personal data processing along with other unrelated information;
(B) A consumer hovering over, muting, pausing, or closing a given piece of content;
(C) A consumer's agreement obtained through the use of deceptive designs; or,
(D) Inference from the inaction of a consumer or the consumer’s continued use of a service or product provided by the regulated entity.
(7) "Consumer" means a natural person who is:
(i) A Rhode Island resident, or a natural person whose consumer health data is collected while present in Rhode Island; and
(ii) Is acting only in an individual or household context, however identified, including by any unique identifier. "Consumer" does not include an individual acting in an employment context.
(8) "Consumer health data" means:
(i)(A) A consumer’s gender-affirming care information;
(B) A consumer’s reproductive or sexual health information; or
(ii) Any information that a regulated entity or a small business, or their respective processor, processes to associate or identify a consumer with the data described in subsection (8)(i) of this section that is derived or extrapolated from information that is not consumer health data to include, but not limited to, as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning.
(iii) "Consumer health data" does not include personal information that is used to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that determines that the regulated entity or the small business has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.
(9) "Deceptive design" means a user interface designed or manipulated with the effect of subverting or impairing user autonomy, decision making, or choice.
(10) "Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such consumer, if the regulated entity or the small business that possesses such data:
(i) Takes reasonable measures to ensure that such data cannot be associated with a consumer;
(ii) Publicly commits to process such data only in a deidentified fashion and not attempt to reidentify such data; and
(iii) Contractually obligates any recipients of such data to satisfy the criteria set forth in this chapter.
(11) "Gender-affirming care information" means personal information relating to seeking or obtaining past, present, or future gender-affirming care services. "Gender-affirming care information" includes, but is not limited to:
(i) Precise location information that could reasonably indicate a consumer's attempt to acquire or receive gender-affirming care services;
(ii) Efforts to research or obtain gender-affirming care services; or
(iii) Any gender-affirming care information that is derived, extrapolated, or inferred, including from information that is not consumer health data, such as proxy, derivative, inferred, emergent, or algorithmic data.
(12) "Gender-affirming care services" means health services or products that support and affirm an individual's gender identity including, but not limited to, psychological, behavioral, cosmetic, medical, or surgical interventions. "Gender-affirming care services" includes, but is not limited to, treatments for gender dysphoria, gender-affirming hormone therapy, and gender-affirming surgical procedures.
(13) "Genetic data" means any data, regardless of its format, that concerns a consumer's genetic characteristics. "Genetic data" includes, but is not limited to:
(i) Raw sequence data that result from the sequencing of a consumer's complete extracted deoxyribonucleic acid (DNA) or a portion of the extracted DNA;
(ii) Genotypic and phenotypic information that results from analyzing the raw sequence data; and
(iii) Self-reported health data that a consumer submits to a regulated entity or a small business and that is analyzed in connection with consumer's raw sequence data.
(14) "Geofence" means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wifi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For purposes of this definition, "geofence" means a virtual boundary that is two thousand feet (2,000 ft.) or less from the perimeter of the physical location.
(15) "Health care services" means any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health including, but not limited to:
(1) Individual health conditions, status, diseases, or diagnoses;
(ii) Psychological, behavioral, and medical interventions;
(iii) Health-related surgeries or procedures;
(iv) Use or purchase of medication;
(v) Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection;
(vi) Diagnoses or diagnostic testing, treatment, or medication;
(vii) Reproductive health care services; or
(viii) Gender-affirming care services.
(16) "Homepage" means the introductory page of an Internet website and any Internet webpage where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page or download page, and a link within the application, such as from the application configuration, "about," "information," or settings page.
(17) "Person" means, where applicable, natural persons, corporations, trusts, unincorporated associations, and partnerships. "Person" does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency.
(18) "Personal information" means information that identifies or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer. "Personal information" includes, but is not limited to, data associated with a persistent unique identifier, such as a cookie ID, an IP address, a device identifier, or any other form of persistent unique identifier. "Personal information" does not include publicly available information or deidentified data.
(19) "Precise location information" means information derived from technology including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred and fifty feet (1,750 ft.). "Precise location information" does not include the content of communications, or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(20) "Process" or "processing" means any operation or set of operations performed on consumer health data.
(21) "Processor" means a person that processes consumer health data on behalf of a regulated entity or a small business.
(22) "Publicly available information" means information that:
(i)(A) Is made available through federal, state, or municipal government records or widely distributed media;
(B) Is released in a disclosure to the general public as required by federal, state, or local law; or
(C) A regulated entity or a small business has a reasonable basis to believe a consumer has made available in such a way that the consumer no longer maintains a reasonable expectation of privacy in the information.
(ii) "Publicly available information" does not include any biometric data collected about a consumer by a business without the consumer's consent or publicly available information combined or intermixed with personal information.
(23) "Regulated entity" means any legal entity that:
(i) Provides health care services in Rhode Island, or produces or provides health care services that are targeted to consumers in Rhode Island;
(ii) Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data;
(iii) Collects consumer health data directly from consumers. "Regulated entity" does not mean government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of the government agency.
(24) "Reproductive or sexual health information" means personal information relating to seeking or obtaining past, present, or future reproductive or sexual health services. "Reproductive or sexual health information" includes, but is not limited to:
(i) Precise location information that could reasonably indicate a consumer's attempt to acquire or receive reproductive or sexual health services;
(ii) Efforts to research or obtain reproductive or sexual health services; or
(iii) Any reproductive or sexual health information that is derived, extrapolated, or inferred, including from nonhealth information (such as proxy, derivative, inferred, emergent, or algorithmic data).
(25) "Reproductive or sexual health services" means health services or products that support or relate to a consumer's reproductive system or sexual well-being including, but not limited to:
(i) Individual health conditions, status, diseases, or diagnoses;
(ii) Psychological, behavioral, and medical interventions;
(iii) Health-related surgeries or procedures including, but not limited to, abortions;
(iv) Use or purchase of medication including, but not limited to, medications for the purposes of abortion;
(v) Bodily functions, vital signs, symptoms, or measurements of the information described in this subsection;
(vi) Diagnoses or diagnostic testing, treatment, or medication; and
(vii) Medical or nonmedical services related to and provided in conjunction with an abortion including, but not limited to, associated diagnostics, counseling, supplies, and follow-up services.
(26)(i) "Sell" or "sale" means the exchange of consumer health data for monetary or other valuable consideration.
(ii) "Sell" or "sale" does not include the exchange of consumer health data for monetary or other valuable consideration:
(A) To a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's or the small business's assets that complies with the requirements and obligations in this chapter, but only if the regulated entity, in a reasonable time before the exchange, provides the affected consumer with both of the following:
(I) A notice describing the transfer, including the name of the entity receiving the individual's consumer health data and the applicable privacy policies of the entity; and
(II) A reasonable opportunity to withdraw previously provided consent related to the individual's consumer health data and request the deletion of the individual's consumer health data; or
(B) By a regulated entity or a small business to a processor when such exchange is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer.
(C) If the exchange is of publicly available information.
(27)(i) "Share" or "sharing" means to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, consumer health data by a regulated entity or a small business to a third party or affiliate. “Share” includes “sell.”
(ii) The term "share" or "sharing" does not include:
(A) The disclosure of consumer health data by a regulated entity or a small business to a processor when such sharing is to provide goods or services in a manner consistent with the purpose for which the consumer health data was collected and disclosed to the consumer;
(B) The disclosure of consumer health data to a third party with whom the consumer has a direct relationship when:
(I) The disclosure is for purposes of providing a product or service requested by the consumer;
(II) The regulated entity or the small business maintains control and ownership of the data; and
(III) The third party uses the consumer health data only at direction from the regulated entity or the small business and consistent with the purpose for which it was collected and consented to by the consumer; or
(C) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the regulated entity's or the small business's assets and complies with the requirements and obligations in this chapter.
(28) "Small business" means a regulated entity that satisfies one or both of the following thresholds:
(i) Collects, processes, sells, or shares consumer health data of fewer than one hundred thousand (100,000) consumers during a calendar year; or
(b) Derives less than fifty percent (50%) of gross revenue from the collection, processing, selling, or sharing of consumer health data, and controls, processes, sells, or shares consumer health data of fewer than twenty-five thousand (25,000) consumers.
(29) "Third party" means an entity other than a consumer, regulated entity, processor, small business, or affiliate of the regulated entity or the small business.
23-101.1-3. Consumer health data privacy policy.
(a)(1) A regulated entity, by January 1, 2026, and a small business, by April 1, 2026, shall maintain a consumer health data privacy policy that clearly and conspicuously discloses:
(i) The categories of consumer health data collected and the purpose for which the data is collected, including how the data will be used;
(ii) The categories of sources from which the consumer health data is collected;
(iii) The categories of consumer health data that is shared;
(iv) A list of the categories of third parties and specific affiliates with whom the regulated entity or the small business shares the consumer health data; and
(v) How a consumer can exercise the rights provided in § 23-101.1-5.
(2) A regulated entity and a small business shall prominently publish a link to its consumer health data privacy policy on its homepage.
(3) A regulated entity or a small business may not collect, use, or share additional categories of consumer health data not disclosed in the consumer health data privacy policy without first disclosing the additional categories and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data.
(4) A regulated entity or a small business may not collect, use, or share consumer health data for additional purposes not disclosed in the consumer health data privacy policy without first disclosing the additional purposes and obtaining the consumer's affirmative consent prior to the collection, use, or sharing of such consumer health data.
(5) It is a violation of this chapter for a regulated entity or a small business to contract with a processor to process consumer health data in a manner that is inconsistent with the regulated entity's or the small business's consumer health data privacy policy.
23-101.1-4. Collection or sharing of consumer health data.
(a)(1) A regulated entity, by January 1, 2026, and a small business, by April 1, 2026, shall not collect or share any consumer health data, including the sale of consumer health data, except:
(i) With consent from the consumer for such collection for a specified purpose; and
(ii) If the consumer health data is collected or shared only for one or more of the following permissible purposes:
(A) As necessary to provide a product, service, or service feature to the individual to whom the consumer health data pertains when requested by that individual.
(B) To initiate, manage, execute, or complete a financial or commercial transaction or to fulfill an order for a specific product or service requested by an individual to whom the consumer health data pertains including, but not limited to, associated routine administrative, operational, and account servicing activity such as billing, shipping, storage, and accounting.
(C) To comply with an obligation under a law of this state or federal law.
(D) To protect public safety or public health.
(E) To prevent, detect, protect against, or respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activities, or activities that are illegal under the laws of this state.
(F) To preserve the integrity or security of systems.
(G) To investigate, report, or prosecute persons responsible for activities that are illegal under the laws of this state.
(2) Consent required under this section shall be obtained prior to the collection or sharing, as applicable, of any consumer health data, and the request for consent shall clearly and conspicuously disclose:
(i) The categories of consumer health data collected or shared;
(ii) The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used;
(iii) The categories of entities with whom the consumer health data is shared; and
(iv) How the consumer can withdraw consent from future collection or sharing of the consumer's health data.
(3) A regulated entity or a small business shall not unlawfully discriminate against a consumer for exercising any rights included in this chapter.
23-101.1-5. Consumer rights and requests -- Refusal -- Appeal.
(a)(1) A consumer has the right to confirm whether a regulated entity or a small business is collecting, sharing, or selling consumer health data concerning the consumer and to access such data, including a list of all third parties and affiliates with whom the regulated entity or the small business has shared or sold the consumer health data and an active email address or other online mechanism that the consumer may use to contact these third parties.
(2) A consumer has the right to withdraw consent from the regulated entity's or the small business's collection and sharing of consumer health data concerning the consumer.
(3) A consumer has the right to have consumer health data concerning the consumer deleted and may exercise that right by informing the regulated entity or the small business of the consumer's request for deletion.
(i) A regulated entity or a small business that receives a consumer's request to delete any consumer health data concerning the consumer shall:
(A) Delete the consumer health data from its records, including from all parts of the regulated entity's or the small business's network, including archived or backup systems pursuant subsection (a)(3)(B)(iii) of this section; and
(B) Notify all affiliates, processors, contractors, and other third parties with whom the regulated entity or the small business has shared consumer health data of the deletion request.
(ii) All affiliates, processors, contractors, and other third parties that receive notice of a consumer's deletion request shall honor the consumer's deletion request and delete the consumer health data from its records, subject to the requirements of this chapter.
(iii) If consumer health data that a consumer requests to be deleted is stored on archived or backup systems, then the request for deletion may be delayed to enable restoration of the archived or backup systems; provided that, such delay may not exceed six (6) months from authenticating the deletion request.
(4) A consumer may exercise the rights set forth in this chapter by submitting a request, at any time, to a regulated entity or a small business. Such a request may be made by a secure and reliable means established by the regulated entity or the small business and described in its consumer health data privacy policy. The method shall take into account the ways in which consumers normally interact with the regulated entity or the small business, the need for secure and reliable communication of such requests, and the ability of the regulated entity or the small business to authenticate the identity of the consumer making the request. A regulated entity or a small business shall not require a consumer to create a new account in order to exercise consumer rights pursuant to this chapter but may require a consumer to use an existing account.
(5) If a regulated entity or a small business is unable to authenticate the request using commercially reasonable efforts, the regulated entity or the small business shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.
(6) Information provided in response to a consumer request shall be provided by a regulated entity and a small business free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the regulated entity or the small business may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The regulated entity and the small business bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.
(7) A regulated entity and a small business shall comply with the consumer's requests under subsection (a)(1) through (a)(3) of this section within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. A regulated entity and a small business shall promptly take steps to authenticate a consumer request, but this does not extend the regulated entity's and the small business's duty to comply with the consumer's request within forty-five (45) days of receipt of the consumer's request. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the regulated entity or the small business informs the consumer of any such extension within the initial forty-five (45)-day response period, together with the reason for the extension.
(b) A regulated entity shall comply with this section by January 1, 2026, and a small business shall comply with this section beginning April 1, 2026.
23-101.1-6. Data security practices.
A regulated entity, by January 1, 2026, and a small business, by April 1, 2026, shall:
(1) Restrict access to consumer health data by the employees, processors, and contractors of such regulated entity or small business to only those employees, processors, and contractors for which access is necessary to further the purposes for which the consumer provided consent or where necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business; and
(2) Establish, implement, and maintain administrative, technical, and physical data security practices that, at a minimum, satisfy reasonable standard of care within the regulated entity's or the small business's industry to protect the confidentiality, integrity, and accessibility of consumer health data appropriate to the volume and nature of the consumer health data at issue.
23-101.1-7. Processors.
(a)(1) Effective January 1, 2026 for a regulated entity, and April 1, 2026 for a small business, a processor may process consumer health data only pursuant to a binding contract between the processor and the regulated entity or the small business that sets forth the processing instructions and limit the actions the processor may take with respect to the consumer health data it processes on behalf of the regulated entity or the small business.
(2) A processor may process consumer health data only in a manner that is consistent with the binding instructions set forth in the contract with the regulated entity or the small business.
(b) A processor shall assist the regulated entity or the small business by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the regulated entity's and the small business's obligations under this chapter.
(c) If a processor fails to adhere to the regulated entity's or the small business's instructions or processes consumer health data in a manner that is outside the scope of the processor's contract with the regulated entity or the small business, the processor is considered a regulated entity or a small business with regard to such data and is subject to all the requirements of this chapter with regard to such data.
23-101.1-8. Valid authorization to sell -- Defects -- Provision to consumer.
(a) Subject to the requirements of § 23-101.1-4, by January 1, 2026 for a regulated entity
and April 1, 2026 for a small business, it is unlawful for any person to sell or offer to sell consumer
health data concerning a consumer without first obtaining valid authorization from the consumer.
The sale of consumer health data shall be consistent with the valid authorization signed by the
consumer. This authorization shall be separate and distinct from the consent obtained to collect or
share consumer health data, as required under § 23-101.1-4.
(b) A valid authorization to sell consumer health data is a document consistent with this
section and shall be written in plain language. The valid authorization to sell consumer health data
shall contain the following:
(1) The specific consumer health data concerning the consumer that the person intends to
sell;
(2) The name and contact information of the person collecting and selling the consumer
health data;
(3) The name and contact information of the person purchasing the consumer health data
from the seller identified in subsection (b)(2) of this section;
(4) A description of the purpose for the sale, including how the consumer health data shall
be gathered and how it will be used by the purchaser identified in subsection (b)(3) of this section
when sold;
(5) A statement that the provision of goods or services may not be conditioned on the
consumer signing the valid authorization;
(6) A statement that the consumer has a right to revoke the valid authorization at any time
and a description on how to submit a revocation of the valid authorization;
(7) A statement that the consumer health data sold pursuant to the valid authorization may
be subject to redisclosure by the purchaser and may no longer be protected by this section;
(8) An expiration date for the valid authorization that expires one year from when the
consumer signs the valid authorization; and
(9) The signature of the consumer and date.
(c) An authorization is not valid if the document has any of the following defects:
(i) The expiration date has passed;
(ii) The authorization does not contain all the information required under this section;
(iii) The authorization has been revoked by the consumer;
(iv) The authorization has been combined with other documents to create a compound
authorization; or
(v) The provision of goods or services is conditioned on the consumer signing the
authorization.
(d) A copy of the signed valid authorization shall be provided to the consumer.
(e) The seller and purchaser of consumer health data shall retain a copy of all valid
authorizations for sale of consumer health data for six (6) years from the date of its signature or the
date when it was last in effect, whichever is later.
23-101.1-10. Geofence restrictions.
It is unlawful for any person to implement a geofence around an entity that provides
in-person health care services where such geofence is used to:
(1) Identify or track consumers seeking health care services; or,
(2) Collect consumer health data from consumers.
23-101.1-11. Application of consumer protection act.
The legislature finds that the practices covered by this chapter are matters vitally affecting
the public interest for the purpose of applying chapter 13.1 of title 6. A violation of this chapter is
not reasonable in relation to the development and preservation of business, and is an unfair or
deceptive act in trade or commerce and an unfair method of competition for the purpose of applying
chapter 13.1 of title 6.
23-101.1-12. Exemptions.
(a) This chapter does not apply to:
(1) Information that meets the definition of:
(i) Protected health information for purposes of the federal Health Insurance Portability
and Accountability Act of 1996, as amended, and related regulations;
(ii) Health care information collected, used, or disclosed in accordance with chapter 37.3
of title 5;
(iii) Patient identifying information collected, used, or disclosed in accordance with 42
C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
(iv) Identifiable private information for purposes of the federal policy for the protection of
human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information
collected as part of human subjects research pursuant to the good clinical practice guidelines issued
by the international council for harmonization; the protection of human subjects under 21 C.F.R.
Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or
more of the requirements set forth in this subsection;
(v) Information and documents created specifically for, and collected and maintained by:
(A) A quality improvement program for purposes of chapter 17.17 of title 23;
(B) A peer review committee for purposes of § 23-17-25;
(C) A quality assurance committee for purposes of chapter 17.17 of title 23; or
(D) A hospital, for reporting of health care-associated adverse events for purposes of
§ 23-17-40.
(vi) Information and documents created for purposes of the federal Health Care Quality
Improvement Act of 1986, and related regulations;
(vii) Patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to
42 U.S.C. Sec. 299b-21 through 299b-26;
(viii) Information that is:
(A) Deidentified in accordance with the requirements for deidentification set forth in 45
C.F.R. Part 164; and
(B) Derived from any of the health care-related information listed in subsection (a)(1)(viii)
of this section;
(2) Information originating from, and intermingled to be indistinguishable with,
information under subsection (a)(1) of this section that is maintained by:
(i) A covered entity or business associate as defined by the federal Health Insurance
Portability and Accountability Act of 1996, as amended, and related regulations;
(ii) A health care facility or health care provider; or
(iii) A program or a qualified service organization as defined by 42 C.F.R. Part 2,
established pursuant to 42 U.S.C. Sec. 290dd-2;
(3) Information used only for public health activities and purposes as described in 45 C.F.R.
Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained
in the manner required, by 45 C.F.R. Sec. 164.514 or corresponding state law.
(b) Personal information that is governed by and collected, used, or disclosed pursuant to
the following regulations, parts, titles, or acts, is exempt from this chapter:
(i) The Gramm-Leach-Bliley act (15 U.S.C. 6801 et seq.) and implementing regulations;
(ii) Part C of Title XI of the Social Security Act (42 U.S.C. 1320d et seq.);
(iii) The Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(iv) The Family Educational Rights and Privacy Act (20 U.S.C. 1232g; Part 99 of Title 34,
C.F.R.);
(v) The Rhode Island health benefit exchange and applicable statutes and regulations,
including 45 C.F.R. Sec. 155.260 and §§ 42-157-1 et seq.; or
(vi) Privacy rules adopted by the office of the insurance commissioner.
(c) The obligations imposed on regulated entities, small businesses, and processors under
this chapter does not restrict a regulated entity's, small businesses, or processor's ability for
collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond
to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any
activity that is illegal under Rhode Island law or federal law; preserve the integrity or security of
systems; or investigate, report, or prosecute those responsible for any such action that is illegal
under Rhode Island law or federal law.
(4) If a regulated entity, small business, or processor processes consumer health data
pursuant to subsection (a)(3) of this section, such entity bears the burden of demonstrating that such
processing qualifies for the exemption and complies with the requirements of this section.
23-101.1-13. Penalties and remedies.
(a) A person who alleges a violation of this chapter may bring a civil action for appropriate
injunctive relief and compensatory and punitive damages in the superior court for the county where
the alleged violation occurred, the county where the complainant resides, or the county where the
person against whom the civil complaint is filed resides or has their principal place of business. A
prevailing plaintiff shall be entitled to an award of reasonable attorneys’ fees and costs.
(b) A violation of this chapter shall also constitute a deceptive trade practice in violation
of chapter 13.1 of title 6, and the attorney general may bring an enforcement action over violations
of this chapter.
SECTION 2. This act shall take effect upon passage.
========
LC002361
========

EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO HEALTH AND SAFETY -- REPRODUCTIVE FREEDOM AND GENDER
AFFIRMING CARE HEALTH DATA PRIVACY ACT
***
This act would create the reproductive freedom and gender affirming care health data
privacy act.
This act would take effect upon passage.
========
LC002361
========