State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

Jan 31, 2025 | HIE & HIN, Lawsuits, Research

On January 3, 2025, a significant lawsuit (Morris v. Rhode Island Quality Institute) was filed against a state health information exchange (HIE). The case was brought by a former employee and whistleblower who alleges that Rhode Island’s HIE, the Rhode Island Quality Institute (RIQI), permitted the unauthorized use of protected health information (PHI) for research purposes in violation of federal and state laws, as well as established HIE policies.

The whistleblower, who served as RIQI’s HIPAA Privacy Officer, contends that she repeatedly raised concerns about these unauthorized data practices but was met with internal resistance and eventual termination in what she claims was an act of retaliation. Among other things, this lawsuit raises questions about the possibility of HIPAA violations and the broader implications it could have for HIEs and their participants across the country.

Did RIQI Violate HIPAA?

Whether the access, use, and disclosure of PHI in this case complied with HIPAA depends on the specific facts, which are not yet fully known. HIPAA provides clear guidelines for the permissible use and disclosure of PHI for research purposes. Under 45 CFR 164.512(i), PHI generally may be used for research in compliance with HIPAA if:

  1. The research is approved by an Institutional Review Board (IRB) or Privacy Board (i.e., the IRB or Privacy Board grants a waiver of the individual authorization/consent requirement);
  2. The use is preparatory to research, and the researcher provides written or oral assurance that the PHI is used only to prepare a research protocol or assess study feasibility, that no PHI will be removed from the covered entity, and that access to the PHI is necessary for the research purpose;
  3. The research was conducted using only a limited data set (LDS) and pursuant to a Data Use Agreement (DUA);
  4. The data is de-identified in accordance with HIPAA Safe Harbor or expert determination; or
  5. The individuals whose PHI was used for research provided explicit authorization for such use.

The facts currently available to the public are not sufficient to conclude one way or another whether HIPAA’s standards applicable to research were met here. If the research was conducted in a manner that meets HIPAA’s requirements—such as obtaining IRB approval, properly de-identifying PHI, or securing patient authorization—then no HIPAA violation would have occurred. As more information becomes available, details will likely clarify whether these measures were followed.

Finally, it is worth noting that the Plaintiff’s Complaint does not directly allege that HIPAA was violated. That was likely purposeful because there is no private right of action under HIPAA. However, this does not eliminate the possibility and risk that OCR could investigate the matter to confirm whether HIPAA’s standards were indeed complied with.

The Impact on Other HIEs

While this case does not directly affect other HIEs unless they were involved in contributing data to RIQI, its implications extend beyond state lines. HIEs across the country operate under similar data-sharing agreements and privacy laws. The outcome of this case, which was filed in the United States District Court for Rhode Island, could offer valuable insight into how courts might interpret applicable federal and state laws, particularly in the context of emerging health data research initiatives.

While a decision by the district court would not be binding outside of its jurisdiction, it could serve as a persuasive precedent for other courts addressing similar issues in the HIE context. In addition, if the case is appealed to the U.S. Court of Appeals for the First Circuit, the appellate court’s ruling would be binding on all federal district courts within its jurisdiction, including Rhode Island, Maine, Massachusetts, New Hampshire, and Puerto Rico. A First Circuit decision would also carry substantial weight as a strong precedent, potentially shaping how other courts, regulators, and healthcare entities approach related requirements nationwide, especially under similar facts.

Things to Think About

This case is a reminder to all HIEs of the importance of carefully structuring user access rights and setting clear rules for uses and disclosures of PHI, especially when PHI is maintained in a centralized data well and can be accessed for purposes like research (but not just that — hello all non-treatment cases, I’m looking at you!). The court’s ruling—and any subsequent appeal to the U.S. Court of Appeals for the First Circuit—could shape the legal landscape for HIEs across multiple states and potentially influence national HIPAA enforcement trends.

HIEs re-evaluating their risks with research and other use cases should consider the following:

☑️ Stronger Enforcement Actions

The Office for Civil Rights (OCR), which enforces HIPAA, may feel pressure to issue more aggressive guidance or impose stricter penalties on HIEs that fail to meet regulatory requirements. Additionally, state attorneys general, who have enforcement authority under the HITECH Act, may see this case as a catalyst to initiate investigations or take action against HIEs that are perceived to be lax in their compliance efforts.

☑️ Policy and Contractual Revisions

HIEs should consider reassessing their internal policies, data use agreements, and participant contracts (including BAAs) to ensure that their research-related (and similar) activities are explicitly permitted and fully compliant with HIPAA. HIEs may strengthen language around Institutional Review Board (IRB) approvals, de-identification processes, and patient authorization requirements. Additionally, they may seek to include stronger indemnification provisions to mitigate liability risks in the event of a legal challenge.

☑️ Increased Transparency Demands

Public perception and trust in HIEs are critical, and this case may amplify calls for greater transparency in how patient data is shared for research. Patients and healthcare organizations may push for more transparent disclosures on when and how PHI is used, with increased emphasis on opt-in rather than opt-out models for research participation. HIEs may find it necessary to revise their consent processes, provide more accessible patient education materials, and establish mechanisms for individuals to monitor or revoke their data-sharing preferences.

Final Thoughts

This lawsuit underscores the complex intersection of federal and state privacy laws, health data sharing, and research. Regardless of the court’s decision, HIEs and their participants would be well-advised to take a proactive approach in reviewing their compliance frameworks, strengthening their contractual and policy safeguards, and engaging with stakeholders to build trust through transparency.

You can download a copy of the case here: Morris v. RIQI US District Court RI (Jan 3 2025).
