Washington State

House of Representatives

Office of Program Research

BILL ANALYSIS

Health Care & Wellness Committee

HB 2329

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

Brief Description: Concerning health care web site analytics.

Sponsors: Representatives Cody, Hudgins, Smith, Tarleton and Kloba.

Brief Summary of Bill

  • Requires the operator of a web site that collects health care information or data related to a person's health status or medical condition to obtain the written consent of the person and implement administrative and technical safeguards to protect the privacy of the person's information.

Hearing Date: 1/17/20

Staff: Chris Blake (786-7392).

Background:

Personal information and privacy interests are protected under various provisions of federal and state law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Uniform Health Care Information Act (UHCIA) are the primary privacy laws with respect to health care information.

The HIPAA establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by HIPAA must have a patient's authorization to use or disclose health care information, unless there is a specified exception. Entities covered by HIPAA include health care providers that transmit information electronically, health plans, and health clearinghouses. If a covered entity uses a business associate to perform activities using protected health care information, the covered entity must have a business associate agreement and the business associate must comply with HIPAA's provisions. The HIPAA allows a state to establish standards that are more stringent than its provisions.

In Washington, the UHCIA governs the disclosure of health care information by health care providers. The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or a written authorization by the patient. The UHCIA applies broadly to health care providers, including both individual health care professionals and health care facilities, as well as their agents or employees. In addition, third party payors are prohibited from releasing health care information disclosed to them by a health care provider, except to the extent that a health care provider is authorized to release it. Health care providers may also disclose health care information to other persons to perform health care operations on behalf of the health care provider if the health care provider reasonably believes that the person will not use or disclose the health care information for other purposes and will take appropriate steps to protect the health care information.

Summary of Bill:

The term "internet web site analytics" is defined as the analysis of individual web site behaviors and usage, such as recording keystrokes, mouse movements, scrolling behavior, and the contents of the web pages visited by the individual.

Operators of web sites that use internet web site analytics to collect health care information or data that allows for conclusions to be made about a person's health status must obtain the written consent of the individual who is the subject of the information. In addition, the operators must implement reasonable administrative and technical safeguards to protect the privacy of the person's health care information. If the operator uses a contractor to perform the internet web site analytics services, the operator is responsible for ensuring that the contractor complies with the consent and safeguard requirements.

If a web site operator or its contractor does not comply with the consent and safeguard requirements, a person may maintain an action for relief through a court order to comply, actual damages, and reasonable attorneys' fees and expenses.

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.