Bill Sponsors
Burke, and Sosnowski
Committee
Senate Health & Human Services
Summary
Select
This bill creates the "Public Health Data Privacy and Protection Act" to protect the confidentiality of disease data collected by the Rhode Island Department of Health. It makes this data, including individual-level disease records, confidential and exempt from public records requests. The Department of Health is made the sole authority over releasing this data. The bill allows the release of de-identified data for specific public health purposes, like disease surveillance and outbreak control, to health authorities, labs, and researchers. It specifically prohibits releasing individual-level data for lawsuits, commercial use, or general public requests.
Sponsor
Analysis
Pros for Progressives
- Ensures strong privacy protections for individuals' sensitive medical and disease data, preventing discrimination or stigmatization of vulnerable populations.
- Supports robust public health responses by allowing data sharing with researchers and health agencies to track and stop disease outbreaks effectively.
- Prevents the commercialization and exploitation of personal health data by explicitly banning its release for corporate or commercial purposes.
Cons for Progressives
- Exempts disease data from public records requests, which could reduce government transparency and limit the public's ability to hold the health department accountable.
- Concentrates sole authority over data release within a single state department, potentially allowing political appointees to suppress important health information from the public.
- Permits data sharing with federal health authorities and other states, which might raise concerns about federal overreach or the sharing of sensitive data of marginalized groups (like undocumented immigrants) across state lines.
Pros for Conservatives
- Strongly protects individual privacy by shielding personal health and disease records from public disclosure and unauthorized access.
- Prevents personal medical data from being subpoenaed for unrelated litigation, protecting citizens from legal fishing expeditions and protecting their personal liberties.
- Establishes strict guidelines and limits on how government agencies can use citizen data, ensuring it is only used for specific, authorized public health purposes.
Cons for Conservatives
- Grants the state health department unchecked, sole authority over health data, removing oversight and potentially allowing the government to hide information from the public.
- Allows the state to share immunization and disease records with various government agencies, schools, and health plans without requiring explicit opt-in consent from the individual.
- Permits the state to enter into collaborative agreements to share citizen health data with registries in other states and the federal government, raising concerns about a national health tracking database.
Constitutional Concerns
There is a slight constitutional risk regarding due process and the separation of powers. By explicitly prohibiting the data from being subpoenaed (except as authorized by the department or federal law), the bill could potentially interfere with a defendant's right to access exculpatory evidence in a legal proceeding or limit the judicial branch's subpoena power.
Impact Overview
Groups Affected
- Patients with reportable diseases
- Healthcare providers
- Public health researchers
- School nurses
- State health department employees
Towns Affected
All
Cost to Taxpayers
None
Revenue Generated
None
BillBuddy Impact Ratings
Importance
Measures population affected and overall level of impact.
Freedom Impact
Level of individual freedom impacted by the bill.
Public Services
How much the bill is likely to impact one or more public services.
Regulatory
Estimated regulatory burden imposed on the subject(s) of the bill.
Clarity of Bill Language
How clear the language of the bill is. Higher ambiguity equals a lower score.
Enforcement Provisions
Measures enforcement provisions and penalties for non-compliance (if applicable).
Environmental Impact
Impact the bill will have on the environment, positive or negative.
Privacy Impact
Impact the bill is likely to have on the privacy of individuals.
Bill Status
Current Status
Held
Comm Passed
Floor Passed
Law
History
• 05/05/2026 Introduced, referred to Senate Health and Human Services
Bill Text
SECTION 1. Title 23 of the General Laws entitled "HEALTH AND SAFETY" is hereby amended by adding thereto the following chapter: CHAPTER 106 PUBLIC HEALTH DATA PRIVACY AND PROTECTION ACT
23-106-1. Definitions.
For purposes of this chapter:
(1) “De-identified data” means data from which identifiers have been removed in accordance with applicable state and federal standards such that the data cannot reasonably be used to identify an individual.
(2) “Line-level data” means reportable disease data that includes direct or indirect identifiers, or that can reasonably be used to identify an individual case, contact, or reporting entity. Individual-level or line-level data can also be known as record-level data.
(3) “Public health purpose” means activities necessary to prevent or control disease, injury, or disability including, but not limited to public health surveillance, investigation, outbreak response, intervention, and evaluation.
(4) “Reportable disease data” means any information, record, laboratory result, medical record, or other data collected or maintained by Rhode Island department of health (“department”) pursuant to state law or regulation for the purpose of disease reporting, surveillance, investigation, control, or prevention.
23-106-2. Confidentiality of reportable disease data.
(a) All reportable disease data, including line-level data, in the possession or control of the department shall be confidential and shall not be considered a public record.
(b) Such data shall not be disclosed, subpoenaed, or otherwise released except as expressly authorized in § 23-106-3 or as required by federal law.
(c) The confidentiality protections in this section apply regardless of the format of the data, including paper records, electronic records, and databases.
23-106-3. Authority and permitted releases.
(a) The Rhode Island department of health is the sole authority responsible for determining access to, confidentiality of, and release of reportable disease data. No other state agency, political subdivision, or entity shall release reportable disease line-level data without written authorization by the department.
(b) The department may release de-identified reportable disease line-level data only when necessary for a public health purpose, including:
(1) Sharing with other local, state, tribal, territorial, or federal public health authorities (including the Centers for Disease Control and Prevention) for surveillance, investigation, or control activities;
(2) Sharing with healthcare facilities, laboratories, or providers as needed for case management, outbreak control, or prevention;
(3) Sharing with researchers or partners pursuant to a department-approved data use agreement that limits use to a public health purpose and prohibits re-identification or re-disclosure; or
(4) As otherwise required by federal law.
(c) The department may release de-identified data or aggregate statistical reports when the department determines such release is in the public interest and does not create a reasonable risk of re-identification.
23-106-4. Limitations on disclosure.
(a) Line-level reportable disease data shall not be released for purposes unrelated to public health, including litigation, commercial purposes, or general public records requests.
(b) Any recipient of line-level data must comply with department conditions for use, security, retention, and destruction, as set forth in a department data use agreement or equivalent written instrument.
(c) Persons authorized by the director may conduct research studies pursuant to 216 RICR LC005968 - Page 2 of 4 30-05-1; provided, however, that the researcher shall submit a written request for information, shall execute a research agreement that protects the confidentiality of the information provided and obtain any relative human subjects approval.
(d) The department may enter into collaborative agreements with registries of states and exchange individual or group information provided that maximum protections are afforded the confidentiality of citizens of Rhode Island in accordance with state law.
(e) Immunization information, obtained pursuant to § 23-1-44, shall only be released from the immunization registry to the following individuals and agencies, unless the registrant, or the parent or guardian if the registrant is a minor, objects to such disclosure. All such disclosures shall comply with the privacy protections of chapter 37.3 of title 5 and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (HIPAA), as amended and all other applicable state and federal laws:
(1) Licensed health care providers providing direct care to the registrant-patient;
(2) Elementary and secondary school nurses and institutions of higher education, and registration officials who require proof of immunization for school enrollment and disease control;
(3) State Women Infants and Children, or WIC, nutrition program staff who administer WIC benefits to eligible infants and children;
(4) Staff of state agencies or state programs whose duties include education and outreach related to the improvement of immunization coverage rates;
(5) Health plans for immunization rate improvement and quality improvement efforts; and
(6) Any other entity with the express written consent of the registrant or the registrant’s parent or guardian if the registrant is a minor.
(f) Notwithstanding the provisions of subsection (e) of this section;
(1) Persons authorized by the director may conduct research studies pursuant to § 23-1- 18(10); provided, however, the researcher shall submit a written request for information, shall execute a research agreement that protects the confidentiality of the information provided, and obtain any relative human subject’s approval.
(2) The department may enter into collaborative agreements with registries of other states and exchange individual or group information provided that maximum protections are afforded the confidentiality of registrant information in accordance with state and federal law.
SECTION 2. This act shall take effect upon passage.
23-106-1. Definitions.
For purposes of this chapter:
(1) “De-identified data” means data from which identifiers have been removed in accordance with applicable state and federal standards such that the data cannot reasonably be used to identify an individual.
(2) “Line-level data” means reportable disease data that includes direct or indirect identifiers, or that can reasonably be used to identify an individual case, contact, or reporting entity. Individual-level or line-level data can also be known as record-level data.
(3) “Public health purpose” means activities necessary to prevent or control disease, injury, or disability including, but not limited to public health surveillance, investigation, outbreak response, intervention, and evaluation.
(4) “Reportable disease data” means any information, record, laboratory result, medical record, or other data collected or maintained by Rhode Island department of health (“department”) pursuant to state law or regulation for the purpose of disease reporting, surveillance, investigation, control, or prevention.
23-106-2. Confidentiality of reportable disease data.
(a) All reportable disease data, including line-level data, in the possession or control of the department shall be confidential and shall not be considered a public record.
(b) Such data shall not be disclosed, subpoenaed, or otherwise released except as expressly authorized in § 23-106-3 or as required by federal law.
(c) The confidentiality protections in this section apply regardless of the format of the data, including paper records, electronic records, and databases.
23-106-3. Authority and permitted releases.
(a) The Rhode Island department of health is the sole authority responsible for determining access to, confidentiality of, and release of reportable disease data. No other state agency, political subdivision, or entity shall release reportable disease line-level data without written authorization by the department.
(b) The department may release de-identified reportable disease line-level data only when necessary for a public health purpose, including:
(1) Sharing with other local, state, tribal, territorial, or federal public health authorities (including the Centers for Disease Control and Prevention) for surveillance, investigation, or control activities;
(2) Sharing with healthcare facilities, laboratories, or providers as needed for case management, outbreak control, or prevention;
(3) Sharing with researchers or partners pursuant to a department-approved data use agreement that limits use to a public health purpose and prohibits re-identification or re-disclosure; or
(4) As otherwise required by federal law.
(c) The department may release de-identified data or aggregate statistical reports when the department determines such release is in the public interest and does not create a reasonable risk of re-identification.
23-106-4. Limitations on disclosure.
(a) Line-level reportable disease data shall not be released for purposes unrelated to public health, including litigation, commercial purposes, or general public records requests.
(b) Any recipient of line-level data must comply with department conditions for use, security, retention, and destruction, as set forth in a department data use agreement or equivalent written instrument.
(c) Persons authorized by the director may conduct research studies pursuant to 216 RICR LC005968 - Page 2 of 4 30-05-1; provided, however, that the researcher shall submit a written request for information, shall execute a research agreement that protects the confidentiality of the information provided and obtain any relative human subjects approval.
(d) The department may enter into collaborative agreements with registries of states and exchange individual or group information provided that maximum protections are afforded the confidentiality of citizens of Rhode Island in accordance with state law.
(e) Immunization information, obtained pursuant to § 23-1-44, shall only be released from the immunization registry to the following individuals and agencies, unless the registrant, or the parent or guardian if the registrant is a minor, objects to such disclosure. All such disclosures shall comply with the privacy protections of chapter 37.3 of title 5 and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (HIPAA), as amended and all other applicable state and federal laws:
(1) Licensed health care providers providing direct care to the registrant-patient;
(2) Elementary and secondary school nurses and institutions of higher education, and registration officials who require proof of immunization for school enrollment and disease control;
(3) State Women Infants and Children, or WIC, nutrition program staff who administer WIC benefits to eligible infants and children;
(4) Staff of state agencies or state programs whose duties include education and outreach related to the improvement of immunization coverage rates;
(5) Health plans for immunization rate improvement and quality improvement efforts; and
(6) Any other entity with the express written consent of the registrant or the registrant’s parent or guardian if the registrant is a minor.
(f) Notwithstanding the provisions of subsection (e) of this section;
(1) Persons authorized by the director may conduct research studies pursuant to § 23-1- 18(10); provided, however, the researcher shall submit a written request for information, shall execute a research agreement that protects the confidentiality of the information provided, and obtain any relative human subject’s approval.
(2) The department may enter into collaborative agreements with registries of other states and exchange individual or group information provided that maximum protections are afforded the confidentiality of registrant information in accordance with state and federal law.
SECTION 2. This act shall take effect upon passage.