WSR 17-01-140 PROPOSED RULES DEPARTMENT OF HEALTH [Filed December 20, 2016, 4:52 p.m.]
Original Notice.
Title of Rule and Other Identifying Information: WAC 246-08-390 Acquisition, security, retention, disclosure and destruction of health information.
Hearing Location(s): Department of Health, Point Plaza East, Room 139, 310 Israel Road S.E., Tumwater, WA 98501, on February 7, 2017, at 10:00 a.m.
Date of Intended Adoption: February 21, 2017.
Submit Written Comments to: Sean Krier, P.O. Box 47890, Olympia, WA 98504-7890, email https://fortress.wa.gov/doh/policyreview, by February 7, 2017.
Assistance for Persons with Disabilities: Contact Sean Krier by February 1, 2017, TTY (800) 833-6388 or 711.
Purpose of the Proposal and Its Anticipated Effects, Including Any Changes in Existing Rules: Prior to 2014, RCW 70.02.290 requires the agency to adopt rules for health care information acquisition, retention and security. An update to the law in 2014, required state and local agencies to include rules covering how they handle health care information they inadvertently receive. The proposed changes address this change in law.
Reasons Supporting Proposal: The underlying statute was updated to address situations where health care information is inadvertently disclosed to state and local government agencies. This statute requires agencies to adopt rules specifying that they will return or destroy health care information they receive inadvertently and that they will not disclose it.
Statutory Authority for Adoption: RCW 70.02.290.
Statute Being Implemented: RCW 70.02.290.
Rule is not necessitated by federal law, federal or state court decision.
Name of Proponent: Department of health, governmental.
Name of Agency Personnel Responsible for Drafting: Sean Krier, 101 Israel Road S.E., Tumwater, WA 98501, (360) 236-3917; Implementation and Enforcement: Bruce Dempsey, 101 Israel Road S.E., Tumwater, WA 98501, (360) 236-4221.
No small business economic impact statement has been prepared under chapter 19.85 RCW. Under RCW 19.85.025 and 34.05.310 (4)(b), a small business economic impact statement is not required for proposed rules that relate only to internal governmental operations and that are not subject to violation by a nongovernmental party.
A cost-benefit analysis is not required under RCW 34.05.328. The agency did not complete a cost-benefit analysis under RCW 34.05.328. RCW 34.05.328 (5)(b)(ii) exempts rules that relate only to internal governmental operations that are not subject to violation by a nongovernment party.
December 20, 2016
John Wiesman, DrPH, MPH
Secretary
AMENDATORY SECTION (Amending WSR 92-07-080, filed 3/17/92, effective 4/17/92)
WAC 246-08-390 Acquisition, security, retention, disclosure and ((security)) destruction of health ((care)) information.
((This section sets forth the process by which the department of health or disciplining authority obtains and protects health care information under RCW 70.02.050. This section does not apply to health care information obtained by the department through other sources.
(1) Acquisition.
(a) The department shall request health care information in writing.
(b) Health care providers shall provide the requested information pursuant to RCW 70.02.050.
(2) Retention. The department shall maintain health care information obtained under this section as long as necessary to perform agency functions.
(3) Security. The department shall secure the records and protect confidentiality.
(a) The manager of the program within the department that requested the records shall act as the custodian of records, and shall provide access to the information only as necessary to perform agency responsibilities.
(b) The custodian shall monitor the location and security of the information.
(4) The department shall not make health care information obtained under RCW 70.02.050 available for public inspection and copying except as may be required by chapter 42.17 RCW. No health care information containing patient identifying data shall be made available for public inspection and copying under chapter 42.17 RCW. Health care information obtained under this section may be released to public agencies or entities as required by law or upon agreement by the agency or entity that the health care information will be used only for authorized statutory purposes and will not be disclosed further.)) This section establishes how the department acquires, secures, retains, discloses, and destroys health care information under chapter 70.02 RCW and health-related data under RCW 43.70.050.
(1) The department of health (department) is the single department in state government with the primary responsibilities for the preservation of public health, monitoring health care costs, the maintenance of minimal standards for quality in health care delivery, and the general oversight and planning for all the state's activities as they relate to the health of its citizenry. In this capacity, the department regularly obtains individually identifiable health care information and health-related data necessary for the department to carry out public health activities.
(2) For the purposes of this section "health information" means "health care information" as defined in chapter 70.02 RCW and "health-related data" as described in RCW 43.70.050.
(3) Acquisition.
(a) The department may obtain health information as authorized by state and federal law.
(b) The department will identify its statutory authority to obtain health information when the department makes a request for health information.
(c) The department will identify its statutory authority to obtain and to disclose health information when entering into a data sharing agreement.
(4) Privacy and security.
(a) The department protects the privacy of individuals and secures health information consistent with state and federal law and applicable information security standards and guidelines set by the National Institute of Standards and Technologies (NIST).
(b) The department shall appoint a chief information security officer and a privacy officer with delegated agency wide authority to protect the availability, integrity, confidentiality, and privacy of all health information acquired by the department.
(c) Managers of any programs within the department that receive health information act as the primary data steward and assure health information is protected consistent with applicable law and agency privacy, confidentiality and security policies, standards, and practices.
(d) The department will notify a person whose health information is disclosed in violation of state or federal law. The department will make a notification as soon as practicable pursuant to the department's confidential information policy and procedure.
(5) Retention. The department will retain health information in accordance with the department's records retention schedules and copying.
(6) Public inspection and copying.
(i) Health information that identifies or can readily be associated with the identity of a patient and directly relates to the patient's health care is not available for public inspection and copying. Health information that is not individually identifiable is described as "deidentified."
(ii) "Deidentified" has the same meaning as defined in chapter 70.02 RCW.
(iii) The department may consider analogous federal standards for deidentification of protected health information when determining if deidentification of health information is possible.
(b) Permitted disclosures of information and records related to sexually transmitted diseases and information and records related to mental health services are found in chapter 70.02 RCW.
(c) RCW 43.70.050(2) and chapter 42.56 RCW apply to the public inspection and copying of health information as described in RCW 43.70.050(2).
(i) Health information in any form where the patient or provider of health care can be identified shall not be disclosed.
(ii) The department's use of health information shall be in accordance with state and federal confidentiality laws.
(7) Sharing identifiable health information with public health partners. The department may disclose identifiable health information, including information and records related to sexually transmitted diseases and information and records related to mental health services, for public health purposes as described in chapter 70.02 RCW or as otherwise permitted by law.
(8) Health information received by the department that the department has not requested and is not authorized to receive. As required by RCW 70.02.290, the department will not make health information the department has not requested and the department is not authorized to receive available for public inspection and copying. The department will destroy such health care information or the department may securely return such health information to the sender if the sender is a health care facility or health care provider subject to chapter 70.02 RCW.
(9) Destruction. The department shall destroy health information in a manner that reduces it to an illegible condition. Destruction shall take place as soon as practicable after the approved records retention period ends.
|