[Filed July 5, 2018, 2:44 p.m., effective August 5, 2018]
Effective Date of Rule: Thirty-one days after filing.
Purpose: The purpose of the rule is to establish the penalties for the inappropriate disclosure or use of direct patient identifiers, indirect patient identifiers, or proprietary financial information from the Washington all payer claims database (WA-APCD), and the procedures for filing a complaint, investigation and finding of a violation, along with how to appeal a finding of a violation
Citation of Rules Affected by this Order: New WAC 82-75-600, 82-75-605, 82-75-610, 82-75-615, 82-75-620, 82-75-625, 82-75-630, 82-75-635, 82-75-640, 82-75-645, 82-75-650, 82-75-655, 82-75-660 and 82-75-665; and amending WAC 82-75-030.
Statutory Authority for Adoption: RCW 43.371.070
Adopted under notice filed as WSR 18-08-030 on March 27, 2018.
Changes Other than Editing from Proposed to Adopted Version: In WAC 82-75-600(1), language was added to make clear that penalties may be imposed for inappropriate disclosure or use of the information not only received from, but also provided to or contained in WA-APCD. In WAC 82-75-610 (6)(b), language was added to make clear that notice that a complaint has been closed without action will include the basis for that determination. In WAC 82-75-630(1), to make it clear that the office of financial management (OFM) director would not direct the lead organization, when it is the alleged violator, to do a review of its own contract to determine whether it breached that contract, language was added that the lead would not be directed to do the review if it is the violator and that WA-APCD program director would do the review. In WAC 82-75-630(2), language was added to clarify that demand for the destruction of data includes all WA-APCD data, "whether stand alone or combined with other data, all data products, and derivatives produced from WA-APCD data, …" and finally in WAC 82-75-635, language was changed to reflect that the OFM director will look at culpability levels in determining the penalty.
Number of Sections Adopted in Order to Comply with Federal Statute: New 0, Amended 0, Repealed 0; Federal Rules or Standards: New 0, Amended 0, Repealed 0; or Recently Enacted State Statutes: New 14, Amended 1, Repealed 0.
Number of Sections Adopted at the Request of a Nongovernmental Entity: New 0, Amended 0, Repealed 0.
Number of Sections Adopted on the Agency's own Initiative: New 14, Amended 1, Repealed 0.
Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, Amended 0, Repealed 0.
Number of Sections Adopted using Negotiated Rule Making: New 0, Amended 0, Repealed 0; Pilot Rule Making: New 0, Amended 0, Repealed 0; or Other Alternative Rule Making: New 14, Amended 1, Repealed 0.
Date Adopted: July 5, 2018.
Legal and Legislative Affairs
AMENDATORY SECTION(Amending WSR 17-22-121, filed 10/31/17, effective 12/1/17)
WAC 82-75-030Additional definitions authorized by chapter 43.371 RCW.
The following additional definitions apply throughout this chapter unless the context clearly indicates another meaning.
"Capitation payment" means a payment model where providers receive a payment on a per "covered person" basis, for specified calendar periods, for the coverage of specified health care services regardless of whether the patient obtains care. Capitation payments include, but are not limited to, global capitation arrangements that cover a comprehensive set of health care services, partial capitation arrangements for subsets of services, and care management payments.
"Claim" means a request or demand on a carrier, third-party administrator, or the state labor and industries program for payment of a benefit.
"Coinsurance" means the percentage or amount an enrolled member pays towards the cost of a covered service.
"Copayment" means the fixed dollar amount a member pays to a health care provider at the time a covered service is provided or the full cost of a service when that is less than the fixed dollar amount.
"Data management plan" or "DMP" means a formal document that outlines how a data requestor will handle the WA-APCD data to ensure privacy and security both during and after the project.
"Data policy committee" or "DPC" is the advisory committee required by RCW 43.371.020 (5)(h) to provide advice related to data policy development.
"Data release committee" or "DRC" is the advisory
committee required by RCW 43.371.020
(5)(h) to establish a data release process and to provide advice regarding formal data release requests.
"Data submission guide" means the document that contains data submission requirements including, but not limited to, required fields, file layouts, file components, edit specifications, instructions and other technical specifications.
"Data use agreement" or "DUA" means the legally binding document signed by the lead organization and the data requestor that defines the terms and conditions under which access to and use of the WA-APCD data is authorized, how the data will be secured and protected, and how the data will be destroyed at the end of the agreement term.
"Days" means calendar days.
"Deductible" means the total dollar amount an enrolled member pays on an incurred claim toward the cost of specified covered services designated by the policy or plan over an established period of time before the carrier or third-party administrator makes any payments under an insurance policy or health benefit plan.
"Director" means the director of the office of financial management.
"Fee-for-service payment" means a payment model where providers receive a negotiated or payer-specified rate for a specific health care service provided to a patient.
"Health benefits plan" or "health plan" has the same meaning as in RCW 48.43.005
"Health care" means care, services, or supplies related to the prevention, cure or treatment of illness, injury or disease of an individual, which includes medical, pharmaceutical or dental care. Health care includes, but is not limited to:
(a) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(b) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
"Lead organization" means the entity selected by the office of financial management to coordinate and manage the database as provided in chapter 43.371
"Malicious intent" means the person acted willfully or intentionally to cause harm, without legal justification.
"Member" means a person covered by a health plan including an enrollee, subscriber, policyholder, beneficiary of a group plan, or individual covered by any other health plan.
"Office" means the Washington state office of financial management.
"Person" means an individual; group of individuals however organized; public or private corporation, including profit and nonprofit corporations; a partnership; joint venture; public and private institution of higher education; a state, local, and federal agency; and a local or tribal government.
"PFI" means the proprietary financial information as defined in RCW 43.371.010
"PHI" means protected health information as defined in the Health Insurance Portability and Accountability Act (HIPAA). Incorporating this definition from HIPAA, does not, in any manner, intend or incorporate any other HIPAA rule not otherwise applicable to the WA-APCD.
"Subscriber" means the insured individual who pays the premium or whose employment makes him or her eligible for coverage under an insurance policy or member of a health benefit plan.
"WA-APCD" means the statewide all payer health care claims database authorized in chapter 43.371
"WA-APCD program director" means the individual designated by the office as responsible for the oversight and management of the operations of the statewide all payer health care claims database authorized in chapter 43.371 RCW.
"Washington covered person" means any eligible member and all covered dependents where the state of Washington has primary jurisdiction, and whose laws, rules and regulations govern the members' and dependents' insurance policy or health benefit plan.
PENALTIES FOR INAPPROPRIATE DISCLOSURES OR USES
WAC 82-75-600Causes for penalties.
(1) The office may impose penalties for the inappropriate disclosure or use of direct patient identifiers, indirect patient identifiers, and proprietary financial information received from, provided to, or contained in the WA-APCD.
(2) Any penalty imposed pursuant to this subchapter and in accordance with RCW 43.371.050
shall be in addition to and does not prevent the assessment of penalties authorized by state or federal law, contract, or court order.
(3) The following definitions apply to WAC 82-75-600 through 82-75-665.
(a) "Inappropriate disclosures" or "uses" are those that are inconsistent or in violation of the requirements in RCW 43.371.050
. In addition, inappropriate disclosure or uses also include defamatory or malicious use and disclosure or use and disclosure with the intent to cause harm.
(b) "Protected information" is direct patient identifiers, indirect patient identifiers and proprietary financial information.
WAC 82-75-605Alleging a violation.
(1) Any person, as defined in WAC 82-75-030, may bring to the attention of the lead organization or the office information concerning the inappropriate disclosure or use of protected information as set forth in RCW 43.371.050
and WAC 82-75-600.
(2) The office must conduct an investigation unless it determines that the complaint is without merit or is frivolous, regardless of how the office has received the information that led to that belief, including information derived from any audit conducted by or at the direction of the office.
(1) Any complaint filed pursuant to WAC 82-75-605 must be in writing and include the following information, if known:
(a) The name and contact information of the complainant;
(b) The specific facts supporting the violation alleged, including the dates, and locations for all events upon which the complaint is made;
(c) The facts upon which the complaint is based; and
(d) The name of the individual(s) and organization the complainant believes has committed an inappropriate disclosure or use of protected information and should be subject to penalties.
(2) If sufficient information is provided as required in subsection (1)(b) through (d) of this section, the office will accept the complaint without the complainant's name and contact information. In cases when the name and contact information is not provided, the complainant waives any future contact or notification from the office regarding the complaint.
(3) The complainant must provide additional information if requested by the lead organization or the office.
(4) Complaints alleging the lead organization made inappropriate disclosure or use of protected information must be filed directly with the office. The complaint must contain the information required in subsection (1) of this section. If a complaint of this nature is filed with the lead organization, the lead organization must forward to the office within one business day of receipt, without further review or action.
(5) Regardless of whether the complaint was filed with the office or the lead organization, except as provided by subsection (4) of this section, the lead organization will review the complaint and compile any information it may have related to the complaint. The lead may review the complaint as to whether the facts as presented support the finding of an inappropriate disclosure or use of protected information. The lead organization must forward the complaint, and all supporting documents to the office, including the result of any initial review the lead may have undertaken.
(6) The office must review the information provided by the lead organization pursuant to subsection (5) of this section.
(a) If the office determines that the facts as presented, if true, support the finding of an inappropriate disclosure or use of protected information, the office will conduct an investigation to substantiate the allegations.
(b) If the office determines that the facts as presented, if true, do not support the finding of an inappropriate disclosure or use of protected information, the office will close the complaint without further action. If closed without further action, the notice will include the basis for that determination.
(c) The office may conduct the investigation, or contract with a third party, other than the lead organization or a subcontractor to the lead organization, to conduct the investigation.
(7) The office will notify the complainant in writing and state whether the complaint will be investigated or closed without action.
(1) If the office accepts a complaint and conducts an investigation, the office will notify the person(s) that is the subject of the complaint in writing.
(2) The notice will include the following information:
(a) The factual allegations supporting each alleged inappropriate disclosure or use of protected information violation in terms sufficient to put the persons on notice of the specific reasons for the investigation;
(b) The statutory and administrative code provisions addressing the allegations, if applicable;
(c) A request that the person provide a written response to the allegations including any documents that support the response, and notice that failure to respond will result in the office making a decision without the person's input; and
(d) A directive to cease using or destroy the data received from the WA-APCD until the investigation has been completed and the person is notified that he/she may again use the data provided. The person shall complete an attestation that the person has complied with this directive. A violation of this directive shall be grounds for finding a separate violation of the inappropriate disclosure or use of protected information.
(3) The lead organization and the data vendor shall cooperate with the investigator and timely respond to requests for information or documents during the course of an investigation.
(4) At the conclusion of the investigation, the investigator will issue a report to the WA-APCD program director that includes the following information:
(a) Facts found by the investigator;
(b) Whether the facts support finding inappropriate disclosures or uses of protected information; and
(c) A recommendation to dismiss the complaint with no further action or to issue an order with a penalty, which recommendation may include a penalty amount and any other actions that the office should take as a result of the violation(s).
(5) A finding that the person inappropriately disclosed or used protected information is a violation for purposes of this section. In the case of a continuing inappropriate disclosure or use of protected information, each day of the inappropriate disclosure or use is a separate violation.
WAC 82-75-620Notice of violation and recommended penalty.
(1) If, based on the investigation, the WA-APCD program director determines that the facts support finding an inappropriate disclosure or use of protected information and imposition of a penalty as set forth in the investigation report, the WA-APCD program director shall notify the alleged violator. The WA-APCD program director shall cause service of the notice of violation and recommended penalty on each alleged violator. The notice shall include the following information:
(a) Date when the recommended penalty and other actions imposed will take effect, if not appealed;
(b) Each inappropriate disclosure or use of protected information found and the facts supporting each inappropriate disclosure or use of protected information;
(c) The recommended penalty, other monetary amounts to be assessed, including the cost of the investigation, and any other action authorized by WAC 82-75-625 and 82-75-630;
(d) If the person will be prohibited from receiving data from the WA-APCD in the future, the period of the recommended prohibition;
(e) Notice that each alleged violator may request a hearing in accordance with WAC 82-75-645 to dispute the finding of a violation, the recommended penalty, or both. The notice shall state that if no hearing is requested within thirty days of the date of issuance of the notice, the office shall issue a final, unappealable order.
(2) In the event the alleged violator or violators do not timely request a hearing, the WA-APCD program director will provide the report and recommendation to the director, who shall issue a final order, which will include the date upon which the order becomes effective.
(3) The WA-APCD program director shall provide a copy of the investigation report and the notice prepared pursuant to subsection (1) of this section to all data suppliers with protected information identified in the report as having been inappropriately disclosed or used. This notice is separate and in addition to any other notice required by law.
WAC 82-75-625Monetary penalties that may be imposed upon finding a violation of inappropriate disclosures or uses.
(1) If a person has been found to have made inappropriate disclosures or uses of direct patient identifiers, indirect patient identifiers, and proprietary financial information received from the WA-APCD, the director may impose one or more of the following monetary penalties:
(a) A civil penalty determined pursuant to the criteria and requirements in this chapter;
(b) Cost, including reasonable investigative costs, that do not exceed the amount of any civil penalty;
(c) The cost of any audit performed that uncovered the violation, or was conducted as a result of investigating an alleged violation; and
(d) Up to three times the amount of financial gain received by the alleged violator or financial loss of any person whose protected information was inappropriately disclosed or used.
(2) The director shall include with the decision regarding the monetary penalty assessment, the director's reasoning for the specific penalty, or lack thereof, that is being assessed.
WAC 82-75-630Nonmonetary penalties that may be imposed upon finding a violation of inappropriate disclosures or uses.
In addition to the monetary penalties set forth in WAC 82-75-625, if a person has been found to have made inappropriate disclosures or uses of direct patient identifiers, indirect patient identifiers, and proprietary financial information received from the WA-APCD, the director may order the following nonmonetary penalties:
(1)(a) Direct WA-APCD program director to review the contract between the person and lead organization to determine whether the finding is a breach of that contract, and take appropriate action including requiring all WA-APCD data provided to be destroyed, termination of the contract, and seeking damages if the contract has been breached; or
(b) In lieu of (a) of this subsection, direct the lead organization to review whether the finding is also a breach of any contract between the person and the lead organization, and take appropriate action including requiring all WA-APCD data provided to be destroyed, termination of the contract, and seeking damages if the contract has been breached, unless the lead organization is the violator, in which case (a) of this subsection shall apply.
(2) Demand the destruction of all WA-APCD data provided, whether stand alone or combined with other data, all data products, and derivatives produced from WA-APCD data, and in the person's custody or contract, including proof of the destruction in the form and manner as prescribed by the office;
(3) Bar the person from receiving any data from the WA-APCD for a designated period of time; and
(4) Notify the funding entity of the violation, when the violation involves research funded by another entity, and any other regulatory agency that has oversight over the person or the data that the person requested.
WAC 82-75-635Penalty ranges based on culpability.
(1) In determining the appropriate sanction, including the amount of any civil penalty, the director will consider the level of culpability associated with the violation. The levels of culpability, in the order of less severe to severe, are as follows:
(a) Did not know. The person did not know and by exercising reasonable diligence, would not have known the violation had occurred.
(b) Reasonable cause. The person knew, or by exercising diligence should have known, that the violation had taken place, but the person did not act with willful negligence.
(c) Willful neglect - Corrected. The violation was due to the person's conscious, intentional failure or reckless indifference, and the violation was corrected within thirty days from the date the person knew or with reasonable diligence should have known of the inappropriate disclosure or use.
(d) Willful neglect - Uncorrected. The violation was due to the person's conscious, intentional failure or reckless indifference, and the violation was not corrected within thirty days from the date the person knew or with reasonable diligence should have known of the inappropriate disclosure or use.
(2) The penalty ranges for each level of culpability and the yearly cap for violations of a similar nature are as follows:
Yearly Cap for Similar Violations
Did not know
$5,000 - $100,000
$10,000 - $250,000
Willful neglect - Corrected
$50,000 - $500,000
Willful neglect - Not corrected
$100,000 - $1,500,000
(3) Violations that involve malicious intent, as that term is defined in WAC 82-75-030, are not subject to the yearly caps set forth in subsection (2) of this section.
(4) The director may assess a penalty outside the penalty ranges set forth in subsection (2) of this section if the person has previously committed the same violation in the same culpability category.
WAC 82-75-640Other factors that may be considered in determining the penalty for a violation of this chapter.
In addition to the culpability category set forth in WAC 82-75-635, to determine the penalty amount, the director may consider the following factors:
(1) The nature and extent of the violation including, but not limited to, the number of persons affected, the duration of the violation, and whether the violation was done with malicious intent.
(2) The nature and extent of the harm resulting from the violation including, but not limited to:
(a) Whether the violation resulted in physical harm;
(b) Whether the violation resulted in financial harm;
(c) Whether the violation resulted in harm to a person's reputation;
(d) Whether the violation hindered an individual's ability to obtain health care;
(e) Whether the violation resulted in any other actual or potential harm.
(3) The history of compliance with the statutory, regulatory, and contractual provisions related to prior data release from the WA-APCD including, but not limited to:
(a) Whether the current violation is the same or similar to previous noncompliance;
(b) Whether and to what extent the person has attempted to correct previous noncompliance;
(c) How the person has responded to the complaint, investigation and any assistance provided to correct and mitigate any effect from the violation;
(d) How the person has responded to prior complaints for the same or similar violations including, but not limited to, changes in process or procedures for securing the confidentiality of the protected information, changes in recruitment, retention, or training requirements for employees or contractor with access to protected information.
(4) Any other factor relevant to the violation or the impact of the violation including, but not limited to:
(a) The frequency of incidents and/or duration of the wrongdoing;
(b) Whether there is a pattern or prior history of wrongdoing;
(c) Whether the person has accepted responsibility for the wrongdoing and recognizes the seriousness of violation;
(d) Whether the person paid or agreed to pay any criminal, civil, and administrative liabilities for the improper activity, including any investigative or administrative costs incurred by the government, and has made or agreed to make full restitution;
(e) Whether the person has cooperated fully during the investigation and any administrative action. In determining the extent of cooperation, the director may consider when the cooperation began and whether the person disclosed all known pertinent information;
(f) The kind of positions held by the individuals involved in the wrongdoing;
(g) Whether the person fully investigated the circumstances surrounding the violation and, if so, made the result of the investigation available to the reviewing official, and took appropriate corrective action or remedial measures;
(h) Whether effective standards of conduct and internal control systems were in place at the time the violation occurred;
(i) Whether appropriate disciplinary action was taken against the individuals responsible for the activity that constitutes the violation.
WAC 82-75-645Process to appeal determination of a violation and assessed penalties.
(1) Each person to whom a notice of a violation and recommended penalty is issued may request a hearing to be conducted in accordance with WAC 82-75-655.
(2) The request for a hearing must be submitted to the director in writing within thirty days after receipt of written notification of the notice provided pursuant to WAC 82-75-620. The person requesting a hearing must also provide a copy of the request to the WA-APCD program director.
(3) The request for hearing must be in writing and specify:
(a) The name of the person requesting the hearing and the person's or representative's contact information;
(b) The items, facts, or conclusions in the notice of violation being contested; and
(c) The basis for contesting the penalty, if applicable, including any mitigating factors upon which the person relies and the outcome the requestor is seeking.
WAC 82-75-650Informal dispute resolution prior to a hearing.
(1) The following procedures are available for informal dispute resolution prior to a hearing that may make more elaborate proceedings under the Administrative Procedure Act unnecessary.
(2) Settlements. Any appeal of a notice of violation and recommended penalty before the director or director's designee, for which a hearing has not yet been held, may be resolved by settlement. The respondent shall communicate his or her request to the WA-APCD program director, setting forth all pertinent facts and the desired remedy. Settlement negotiations shall be informal and without prejudice to rights of a participant in the negotiations.
(3) Stipulations. The WA-APCD program director and respondent may agree to terms of any stipulation of facts, violations, and/or penalty. If a stipulation is reached, the WA-APCD program director shall prepare the stipulation for presentation to the director.
(a) Any proposed stipulation shall be in writing and signed by each party to the stipulation or his or her representative. The WA-APCD program director shall sign for the office. Any stipulation shall be provided no later than three business days preceding the hearing.
(b) The director has the option of accepting, rejecting, or modifying the proposed stipulation or asking for additional facts to be presented. If the director accepts the stipulation or modifies the stipulation with the agreement of the parties, the director shall enter an order in conformity with the terms of the stipulation. If the director rejects the stipulation or one or both of the parties does not agree to the director's proposed modifications to the stipulation, then the hearing shall be scheduled and held.
(4) Informal dispute resolution negotiations shall be informal and without prejudice to the rights of the participants.
(1) The director may conduct the hearing or delegate to an individual within the office or to an administrative law judge pursuant to chapter 34.12
RCW the authority to conduct the hearing and prepare a proposed decision. The WA-APCD program director, on behalf of the office, shall be the petitioner in the hearing, and the requestor shall be the respondent.
(2) The WA-APCD program director shall have the burden of proving the basis for the finding of a violation and the penalty as set forth in the notice of violation and recommended penalty.
(3) The hearing shall be conducted in accordance with the Administrative Procedure Act, chapter 34.05
RCW and to the extent not covered in this chapter, by the uniform procedural rules in chapter 10-08 WAC.
(4) If the director presides over the hearing, the director shall issue a final written decision that includes findings of fact, conclusions of law, and if appropriate, the penalty. The director shall cause service of the final decision on all parties.
(5) If the director's designee or an administrative law judge presides over the hearing, she or he shall issue a proposed decision that includes findings of fact, conclusions of law and if appropriate the penalty. The proposed decision shall also include instructions on how to file objections and written arguments or briefs with the director. Objections and written arguments and briefs must be filed within twenty days from the date of receipt of the proposed decision.
WAC 82-75-660Final decision.
(1) The director shall review the proposed decision in accordance with the Administrative Procedure Act, chapter 34.05
RCW and any objections, written arguments and briefs timely filed by the parties. The director may:
(a) Allow the parties to present oral arguments;
(b) Allow the parties to submit additional information if circumstances so warrant; or
(c) Remand the matter to the designee or administrative law judge for further proceedings.
(2) The director shall issue a final decision that adopts in whole or in part, modifies, or rejects the proposed decision. If the decision finds a violation and assesses monetary penalties, the decision shall include notice that payment must be made no later than forty-five days after service of the decision or the period to appeal has expired, whichever is later.
(3) The director shall cause service of the final decision on all parties. Any party to whom a violation is found, may file a petition for review of the final decision to superior court. If an appeal is not filed within the period set by RCW 34.05.542
, the director's decision is conclusive and binding on all parties.
WAC 82-75-665Posting of information related to inappropriate disclosure or use of protected information.
(1) Except as provided in subsection (2) of this section, the office will maintain a web site to provide public access to information related to the inappropriate disclosure or use of protected information. For each complaint for which an investigation is conducted, the office will post the complaint, the information that the lead organization provided to the office pursuant to WAC 82-75-610(5), investigation report and final disposition of the complaint. In addition, if the complaint finds a violation, the office will post the notice of violation and the final hearing order, if a hearing is requested.
(2) If any of the records specified for posting in subsection (1) of this section contains confidential or protected information, that information is privileged and not subject to disclosure under the Public Records Act, chapter 42.56
RCW, and will be redacted from any documents posted on the office web site.