AN ACT Relating to requiring additional security review of the all payer claims database; and amending RCW 43.371.020.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

Sec. 1.  RCW 43.371.020 and 2015 c 246 s 2 are each amended to read as follows:

(1) The office shall establish a statewide all-payer health care claims database to support transparent public reporting of health care information. The database must improve transparency to: Assist patients, providers, and hospitals to make informed choices about care; enable providers, hospitals, and communities to improve by benchmarking their performance against that of others by focusing on best practices; enable purchasers to identify value, build expectations into their purchasing strategy, and reward improvements over time; and promote competition based on quality and cost. The database must systematically collect all medical claims and pharmacy claims from private and public payers, with data from all settings of care that permit the systematic analysis of health care delivery.

(2) The office shall use a competitive procurement process, in accordance with chapter 39.26 RCW, to select a lead organization from among the best potential bidders to coordinate and manage the database.

(a) Due to the complexities of the all payer claims database and the unique privacy, quality, and financial objectives, the office must award extra points in the scoring evaluation for the following elements: (i) The bidder's degree of experience in health care data collection, analysis, analytics, and security; (ii) whether the bidder has a long-term self-sustainable financial model; (iii) the bidder's experience in convening and effectively engaging stakeholders to develop reports; (iv) the bidder's experience in meeting budget and timelines for report generations; and (v) the bidder's ability to combine cost and quality data.

(b) By December 31, 2017, the successful lead organization must apply to be certified as a qualified entity pursuant to 42 C.F.R. Sec. 401.703(a) by the centers for medicare and medicaid services.

(3) As part of the competitive procurement process in subsection (2) of this section, the lead organization shall enter into a contract with a data vendor to perform data collection, processing, aggregation, extracts, and analytics. The data vendor must:

(a) Establish a secure data submission process with data suppliers;

(b) Review data submitters' files according to standards established by the office;

(c) Assess each record's alignment with established format, frequency, and consistency criteria;

(d) Maintain responsibility for quality assurance, including, but not limited to: (i) The accuracy and validity of data suppliers' data; (ii) accuracy of dates of service spans; (iii) maintaining consistency of record layout and counts; and (iv) identifying duplicate records;

(e) Assign unique identifiers, as defined in RCW 43.371.010, to individuals represented in the database;

(f) Ensure that direct patient identifiers, indirect patient identifiers, and proprietary financial information are released only in compliance with the terms of this chapter;

(g) Demonstrate internal controls and affiliations with separate organizations as appropriate to ensure safe data collection, security of the data with state of the art encryption methods, actuarial support, and data review for accuracy and quality assurance;

(h) Store data on secure servers that are compliant with the federal health insurance portability and accountability act and regulations, with access to the data strictly controlled and limited to staff with appropriate training, clearance, and background checks; and

(i) Maintain state of the art security standards for transferring data to approved data requestors.

(4) The lead organization and data vendor must submit detailed descriptions to the office of the chief information officer on an annual basis to ensure robust security methods are in place. The office of the chief information officer may request additional information as needed to ensure the data systems are secure, and the office of the chief information officer must annually report its findings to the office of financial management and the appropriate committees of the legislature.

(5) The lead organization is responsible for internal governance, management, funding, and operations of the database. At the direction of the office, the lead organization shall work with the data vendor to:

(a) Collect claims data from data suppliers as provided in RCW 43.371.030;

(b) Design data collection mechanisms with consideration for the time and cost incurred by data suppliers and others in submission and collection and the benefits that measurement would achieve, ensuring the data submitted meet quality standards and are reviewed for quality assurance;

(c) Ensure protection of collected data and store and use any data in a manner that protects patient privacy and complies with this section. All patient-specific information must be deidentified with an up-to-date industry standard encryption algorithm;

(d) Consistent with the requirements of this chapter, make information from the database available as a resource for public and private entities, including carriers, employers, providers, hospitals, and purchasers of health care;

(e) Report performance on cost and quality pursuant to RCW 43.371.060 using, but not limited to, the performance measures developed under RCW 41.05.690;

(f) Develop protocols and policies, including prerelease peer review by data suppliers, to ensure the quality of data releases and reports;

(g) Develop a plan for the financial sustainability of the database as self-sustaining and charge fees for reports and data files as needed to fund the database. Any fees must be approved by the office and should be comparable, accounting for relevant differences across data requests and uses. The lead organization may not charge providers or data suppliers fees other than fees directly related to requested reports; and

(h) Convene advisory committees with the approval and participation of the office, including: (i) A committee on data policy development; and (ii) a committee to establish a data release process consistent with the requirements of this chapter and to provide advice regarding formal data release requests. The advisory committees must include in-state representation from key provider, hospital, public health, health maintenance organization, large and small private purchasers, consumer organizations, and the two largest carriers supplying claims data to the database.

(6) The lead organization governance structure and advisory committees for this database must include representation of the third-party administrator of the uniform medical plan. A payer, health maintenance organization, or third-party administrator must be a data supplier to the all-payer health care claims database to be represented on the lead organization governance structure or advisory committees.

--- END ---