Rhode Island Healthcare Data Privacy Laws: What Providers Need to Know

Kevin Henry

Data Privacy

February 24, 2026

Overview of Rhode Island Healthcare Data Privacy Laws

Rhode Island’s privacy framework for providers sits on four pillars: the Confidentiality of Health Care Communications and Information Act, the Health Information Exchange Act of 2008, the 2024 Healthcare Provider Shield Act, and the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) taking effect January 1, 2026. Together, these laws interact with HIPAA to protect patient information, define disclosure limits, and establish consumer data safeguards beyond traditional medical records. ([law.justia.com](https://law.justia.com/codes/rhode-island/title-5/chapter-5-37-7/section-5-37-7-7/))

Practically, you should treat HIPAA as your floor and Rhode Island law as additional guardrails: HIE participation is opt-out with mandated patient notice; shield protections limit cooperation with out-of-state actions targeting lawful reproductive and gender-affirming care; and RIDTPPA adds consumer-facing duties for non-PHI data you collect online. ([law.justia.com](https://law.justia.com/codes/rhode-island/title-5/chapter-5-37-7/section-5-37-7-7/))

Reproductive Freedom and Gender Affirming Care Data Requirements

Rhode Island’s Healthcare Provider Shield Act (effective June 25, 2024) protects providers who lawfully deliver reproductive and gender-affirming care in-state. It restricts cooperation with out-of-state investigations, bars adverse credentialing or malpractice actions based solely on such lawful care, and affirms that Rhode Island licensure or discipline cannot hinge on out-of-state hostility to these services. Ensure your intake, records, and legal-response procedures reflect these protections. ([dbr.ri.gov](https://dbr.ri.gov/sites/g/files/xkgbur696/files/2024-09/INS_Insurance%20Bulletin%202024-9%20-%202024%20Legislative%20Changes.pdf))

On geolocation and marketing, understand the difference between “geofencing prohibitions” and consent duties. A 2025 bill to ban geofencing around facilities providing reproductive or gender-affirming care did not pass, so no statewide geofencing ban is in force. However, RIDTPPA classifies precise geolocation as sensitive data—processing it requires explicit consent. Disable location-based tracking around care sites unless you have clear, affirmative opt-in. ([riaclu.org](https://www.riaclu.org/legislation/reproductive-freedom-and-gender-affirming-care-health-data-privacy-act-h-5857-s-824/))

Healthcare Workforce Data Confidentiality

Under the Rhode Island Healthcare Workforce Data Collection Act, individual workforce data you submit to the state must remain confidential. Public releases are limited to de-identified, aggregate reporting to support planning and policy. Align any workforce surveys or license-renewal data workflows with this rule and document your de-identification methods. ([webserver.rilegislature.gov](https://webserver.rilegislature.gov/Statutes/TITLE23/23-100/23-100-4.htm))

Health Insurer Confidential Communications

Insurers must honor “Confidential Communications Requests” so insured individuals can direct explanations of benefits and other communications containing confidential healthcare information to an alternate address, email, or phone. Carriers must implement requests within 10 calendar days, offer an easily readable request form on their website, and cannot condition coverage on waiving these rights. Train front-desk and care teams to explain and, when asked, submit requests on a patient’s behalf. ([law.justia.com](https://law.justia.com/codes/rhode-island/title-5/chapter-5-37-3/section-5-37-3-12/))

Health Information Exchange Opt-Out Provisions

Rhode Island’s HIE is “opt-out.” You must notify patients that their information may be shared through the HIE to support care and inform them of their right to opt out. Even if a patient opts out, disclosures may still occur for emergencies, specified public health purposes, HIE operations, and certain health plan functions. Subpoenas to the HIE face additional procedural hurdles. Keep your acknowledgments, brochures, and portal content aligned with these mandates. ([law.justia.com](https://law.justia.com/codes/rhode-island/title-5/chapter-5-37-7/section-5-37-7-7/))

Data Transparency and Privacy Protection Act Compliance

RIDTPPA (effective January 1, 2026) applies to for-profit entities doing business in Rhode Island that meet thresholds (e.g., 35,000 consumers; or 10,000 consumers plus ≥20% revenue from data sales). It exempts PHI processed under HIPAA, but it likely covers consumer data on your websites, apps, and marketing tools. The Attorney General has sole enforcement; there is no private right of action and no cure period. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/07/26/rhode-island-enacts-data-privacy-law))

Core duties affecting providers’ non-PHI data

  • Explicit Consent Requirements: Obtain consent before processing sensitive data (including precise geolocation, health status outside PHI, biometrics, and children’s data). Provide an easy way to revoke consent and honor revocations promptly. ([webserver.rilegislature.gov](https://webserver.rilegislature.gov/BillText/BillText24/HouseText24/H7787.pdf))
  • Consumer rights and notices: Publish a clear privacy notice describing categories of personal data collected, purposes, sharing, targeted advertising/sale practices, and contact methods; support access, correction, deletion, and opt-outs where required. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/07/26/rhode-island-enacts-data-privacy-law))
  • Data De-Identification Standards: Follow statutory requirements for de-identified data (reasonable measures to prevent re-identification, public commitment not to re-identify, and contractual obligations for recipients). ([webserver.rilegislature.gov](https://webserver.rilegislature.gov/BillText/BillText24/HouseText24/H7787.pdf))
  • Risk assessments: Document Data Protection Assessments for targeted advertising, sale, profiling with significant risk, and sensitive data processing. Maintain them for AG review. ([nixonpeabody.com](https://www.nixonpeabody.com/insights/alerts/2024/07/26/rhode-island-enacts-data-privacy-law))

Practical Steps for Provider Compliance

Build a unified privacy operations playbook

  • Map data flows: Separate HIPAA PHI from consumer data (websites, apps, analytics). Flag sensitive data (e.g., precise geolocation) to enforce opt-in and easy revocation.
  • Tighten tracking: Audit pixels, SDKs, cookies, and CRM integrations. Disable location tracking around facilities unless you have explicit consent; avoid “shadow” data uses.
  • HIE readiness: Update patient notices, scripts, and portal copy explaining Health Information Exchange Opt-Out. Ensure staff can process opt-out requests efficiently.
  • Confidential communications: Stock request forms, capture patient preferences in the EHR, and confirm insurers’ 10-day implementation timeline when assisting patients.
  • Shield-law response plan: Route out-of-state subpoenas/warrants through counsel; use standardized responses reflecting Rhode Island’s Healthcare Provider Shield Act.
  • Vendor management: Amend BAAs and service agreements to reflect de-identification commitments, consent revocation handling, and RIDTPPA-aligned processing terms.
  • Governance: Assign an owner for state data privacy regulation compliance, schedule DPIAs, and train staff on disclosures, subpoenas, and communications workflows.

Conclusion

Rhode Island law layers strong confidentiality norms with HIE opt-out rights, insurer communications safeguards, shield protections for lawful care, and broad consumer-data duties under RIDTPPA. By mapping data, tightening consent and de-identification practices, and preparing for subpoenas and consumer requests, you can meet today’s obligations and be ready for January 1, 2026.

FAQs

What entities are subject to Rhode Island healthcare data privacy laws?

All Rhode Island-licensed providers must follow the Confidentiality of Health Care Communications and Information Act. HIE participants must meet the Health Information Exchange Act’s notice and opt-out rules. Health insurers must honor confidential communications requests. The Healthcare Provider Shield Act protects in-state provision of lawful reproductive and gender-affirming care. Separately, RIDTPPA applies to for-profit entities meeting thresholds for consumer data; HIPAA-governed PHI is exempt, but your websites, apps, and marketing tools may still be covered. ([law.justia.com](https://law.justia.com/codes/rhode-island/title-5/chapter-5-37-7/section-5-37-7-7/))

How does Rhode Island law regulate geofencing around healthcare facilities?

There is no statewide geofencing prohibition as of March 18, 2026. A 2025 proposal to ban geofencing around reproductive and gender-affirming care facilities died in committee. Still, under RIDTPPA, precise geolocation is sensitive data, so you need explicit consent before processing it—best practice is to avoid geofencing near care sites unless you have opt-in. ([riaclu.org](https://www.riaclu.org/legislation/reproductive-freedom-and-gender-affirming-care-health-data-privacy-act-h-5857-s-824/))

What are the requirements for confidential communications under Rhode Island law?

Insurers must allow “Confidential Communications Requests,” implement them within 10 calendar days, and provide a prominently displayed form on their website. Providers should keep forms on hand and help patients submit them. Coverage cannot be conditioned on waiving these rights. ([law.justia.com](https://law.justia.com/codes/rhode-island/title-5/chapter-5-37-3/section-5-37-3-12/))

How can patients opt out of Health Information Exchange disclosures?

Patients may opt out of having their confidential healthcare information disclosed from the HIE, and you must notify them of this right. Opt-outs do not block emergency treatment disclosures, certain public health uses, HIE operations, or specified health plan functions. Provide clear instructions in your intake materials and portals. ([law.justia.com](https://law.justia.com/codes/rhode-island/title-5/chapter-5-37-7/section-5-37-7-7/))
