WSR 17-08-014
PERMANENT RULES
DEPARTMENT OF HEALTH
[Filed March 27, 2017, 9:05 a.m., effective April 27, 2017]
Effective Date of Rule: Thirty-one days after filing.
Purpose: WAC 246-08-390 Acquisition, security, retention, disclosure and destruction of health care information. RCW 70.02.290 mandates the agency to adopt rules for health care information acquisition, retention, destruction and security. A 2014 update to this law requires the rule to also cover the destruction of information. The revised rule sets standards for the destruction of information.
Citation of Existing Rules Affected by this Order: Amending WAC 246-08-390.
Statutory Authority for Adoption: RCW 70.02.290.
Adopted under notice filed as WSR 17-01-140 on December 20, 2016.
Changes Other than Editing from Proposed to Adopted Version: Editing changes only were made.
Number of Sections Adopted in Order to Comply with Federal Statute: New 0, Amended 0, Repealed 0; Federal Rules or Standards: New 0, Amended 0, Repealed 0; or Recently Enacted State Statutes: New 0, Amended 1, Repealed 0.
Number of Sections Adopted at Request of a Nongovernmental Entity: New 0, Amended 0, Repealed 0.
Number of Sections Adopted on the Agency's Own Initiative: New 0, Amended 1, Repealed 0.
Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, Amended 1, Repealed 0.
Number of Sections Adopted Using Negotiated Rule Making: New 0, Amended 0, Repealed 0; Pilot Rule Making: New 0, Amended 0, Repealed 0; or Other Alternative Rule Making: New 0, Amended 1, Repealed 0.
Date Adopted: March 22, 2017.
John Wiesman, DrPH, MPH
Secretary
AMENDATORY SECTION (Amending WSR 92-07-080, filed 3/17/92, effective 4/17/92)
WAC 246-08-390 Acquisition, security, retention, disclosure and ((security)) destruction of health ((care)) information.
((This section sets forth the process by which the department of health or disciplining authority obtains and protects health care information under RCW 70.02.050. This section does not apply to health care information obtained by the department through other sources.
(1) Acquisition.
(a) The department shall request health care information in writing.
(b) Health care providers shall provide the requested information pursuant to RCW 70.02.050.
(2) Retention. The department shall maintain health care information obtained under this section as long as necessary to perform agency functions.
(3) Security. The department shall secure the records and protect confidentiality.
(a) The manager of the program within the department that requested the records shall act as the custodian of records, and shall provide access to the information only as necessary to perform agency responsibilities.
(b) The custodian shall monitor the location and security of the information.
(4) The department shall not make health care information obtained under RCW 70.02.050 available for public inspection and copying except as may be required by chapter 42.17 RCW. No health care information containing patient identifying data shall be made available for public inspection and copying under chapter 42.17 RCW. Health care information obtained under this section may be released to public agencies or entities as required by law or upon agreement by the agency or entity that the health care information will be used only for authorized statutory purposes and will not be disclosed further.))
This section establishes how the department acquires, secures, retains, discloses, and destroys health care information under chapter 70.02 RCW and health-related data under RCW 43.70.050.
(1) The department of health (department) is the single department in state government with the primary responsibilities for the preservation of public health, monitoring health care costs, the maintenance of minimal standards for quality in health care delivery, and the general oversight and planning for all the state's activities as they relate to the health of its citizenry. In this capacity, the department regularly obtains individually identifiable health care information and health-related data necessary for the department to carry out public health activities.
(2) For the purposes of this section "health information" means "health care information" as defined in chapter 70.02 RCW and "health-related data" as described in RCW 43.70.050.
(3) Acquisition.
(a) The department may obtain health information as authorized by state and federal law.
(b) The department will identify its statutory authority to obtain health information when the department makes a request for health information.
(c) The department will identify its statutory authority to obtain and to disclose health information when entering into a data sharing agreement.
(4) Privacy and security.
(a) The department protects the privacy of individuals and secures health information consistent with state and federal law and applicable information security standards and guidelines set by the National Institute of Standards and Technologies (NIST).
(b) The department shall appoint a chief information security officer and a privacy officer with delegated agency wide authority to protect the availability, integrity, confidentiality, and privacy of all health information acquired by the department.
(c) Managers of any programs within the department that receive health information act as the primary data steward and assure health information is protected consistent with applicable law and agency privacy, confidentiality and security policies, standards, and practices.
(d) The department will notify a person whose health information is disclosed in violation of state or federal law. The department will make a notification as soon as practicable pursuant to the department's confidential information policy and procedure.
(5) Retention. The department will retain health information in accordance with the department's records retention schedules.
(6) Public inspection and copying.
(a) Chapters 70.02 and 42.56 RCW apply to the public inspection and copying of health information.
(i) Health information that identifies or can readily be associated with the identity of a patient and directly relates to the patient's health care is not available for public inspection and copying. Health information that is not individually identifiable is described as "deidentified."
(ii) "Deidentified" has the same meaning as defined in chapter 70.02 RCW.
(iii) The department may consider analogous federal standards for deidentification of protected health information when determining if deidentification of health information is possible.
(b) Permitted disclosures of information and records related to sexually transmitted diseases and information and records related to mental health services are found in chapter 70.02 RCW.
(c) RCW 43.70.050(2) and chapter 42.56 RCW apply to the public inspection and copying of health information as described in RCW 43.70.050(2).
(i) Health information in any form where the patient or provider of health care can be identified shall not be disclosed.
(ii) The department's use of health information shall be in accordance with state and federal confidentiality laws.
(7) Sharing identifiable health information with public health partners.
The department may disclose identifiable health information, including information and records related to sexually transmitted diseases and information and records related to mental health services, for public health purposes as described in chapter 70.02 RCW or as otherwise permitted by law.
(8) Health information received by the department that the department has not requested and is not authorized to receive.
As required by RCW 70.02.290, the department will not make health information the department has not requested and the department is not authorized to receive available for public inspection and copying. The department will destroy such health care information or the department may securely return such health information to the sender if the sender is a health care facility or health care provider subject to chapter 70.02 RCW.
(9) Destruction.
The department shall destroy health information in a manner that reduces it to an illegible condition. Destruction shall take place as soon as practicable after the approved records retention period ends.