Title: An act relating to making certain provisions in the uniform health care information act consistent with the health insurance portability and accountability act privacy regulation, by addressing the period of validity of an authorization, accounting for disclosures, reporting of criminal activities, sharing quality improvement information, and modifying provisions on payment for health care, health care operations, and related definitions.

Brief Description: Modifying the uniform health care information act.

Sponsors: By Senate Committee on Health & Long-Term Care (originally sponsored by Senators Keiser, Brandland, Kastama, Parlette and Benson).

Brief History:

Health Care: 3/22/05, 3/29/05 [DPA].

Floor Activity:

Passed House - Amended: 4/5/05, 94-0.

HOUSE COMMITTEE ON HEALTH CARE

Majority Report: Do pass as amended. Signed by 13 members: Representatives Cody, Chair; Campbell, Vice Chair; Morrell, Vice Chair; Bailey, Ranking Minority Member; Curtis, Assistant Ranking Minority Member; Alexander, Appleton, Clibborn, Green, Hinkle, Lantz, Moeller and Schual-Berke.

Staff: Chris Blake (786-7392).

Background:

Federal and State Privacy Laws
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by HIPAA must have a patient's authorization to use or disclose health care information, unless there is a specified exception. Some exceptions pertain to disclosures for treatment, payment, and health care operations; public health activities; judicial proceedings; law enforcement purposes; and research purposes. The HIPAA allows a state to establish standards that are more stringent than its provisions.

In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or a written authorization by the patient. Some exceptions include disclosures for the provision of health care; quality improvement, legal, actuarial, and administrative services; research purposes; directory information; public health and law enforcement activities as required by law; and judicial proceedings.

Records of Disclosures
Under the UHCIA, health care providers and facilities must chart all disclosures of health care information, except for disclosures to third-party payors. These disclosures become part of the patient's health care information.

The HIPAA provides an individual with the right to an accounting of disclosures made by a covered entity for up to six years. There are several exceptions to this right, including disclosures related to: treatment, payment, or health care operations; the patient's own health care information; uses and disclosures permitted or required by law; authorizations by the patient; directory information; disclosures to people involved in the patient's care; national security; correctional institutions; or deidentified information.

Patient Disclosure Authorizations
Under the UHCIA, health care providers must honor authorizations to disclose health care information. Valid disclosure authorizations must: (1) be in writing, dated, and signed by the patient; (2) identify the nature of the information to be disclosed; (3) identify the name, address, and institutional affiliation of the person to receive the information; (4) identify the provider to make the disclosure; and (5) identify the patient. A disclosure authorization is valid until the expiration date. If the authorization does not have a specified expiration date, it is only valid for 90 days after it is signed. Authorizations to disclose health care information for future health care may only apply to services provided within 90 days of signing the authorization.

A disclosure authorization under HIPAA must have the following core elements: (1) the patient's signature and date of signing; (2) a description of the information to be used or disclosed; (3) an identification of the individuals that may use or disclose the information; (4) an identification of the individuals that may receive the information; (5) a description of the purpose of the use or disclosure; and (6) an expiration date or expiration event.

Summary of Amended Bill:

Definitions
Three new definitions are added to the UHCIA that are closely related to definitions in HIPAA.

"Health care operations" are defined as the activities of a health care provider, health care facility, or third-party payor related to their business, including conducting quality improvement; reviewing the competence and qualifications of health care providers; underwriting and premium-rating; conducting or arranging for medical review, legal, and auditing services; conducting business planning and development; and carrying out business management and administration functions.

"Payment" is defined as the activities of: (1) a third-party payor to obtain premiums or provide coverage and benefits, or (2) a health care provider or facility or third-party payor to obtain or provide reimbursement for health care services.

"Treatment" is defined as the provision, coordination, or management of health care services by health care providers or facilities, including coordination of health care with a third-party and consultation with or referral to another health care provider or facility.

Records of Disclosures
Existing requirements for health care providers and facilities to chart disclosures of health care information and make them a part of the patient's health care information are replaced with a requirement that health care providers and facilities provide an accounting of disclosures made during the six years prior to the patient's request. There are exceptions to the patient's right to receive an accounting when the disclosure is:

• for treatment, payment, and health care operations;
• to the patient regarding his or her own health care information;
• for uses and disclosures permitted or required by law;
• for authorizations by the patient about his or her own health care information;
• of directory information;
• to people involved in the patient's care;
• for national security or intelligence;
• to correctional institutions or law enforcement officials; or
• of a limited data set without direct identifiers.

Patient Disclosure Authorizations
The 90-day limitation on the duration of disclosure authorizations that do not have a specified expiration date is removed. The prohibition on the release of information regarding future health care services more than 90 days after signing an authorization is also removed. An additional element of a valid authorization is added to specify that it must contain an expiration date or an expiration event. Authorizations that permit the disclosure of health care information to financial institutions or employers, for purposes other than payment, expire after 90 days, unless they are renewed.

Health care facilities are required to perform the same functions as health care providers with respect to disclosure authorizations, including disclosing information and providing copies. The exception for health care providers maintaining authorizations and revocations related to third party payors is removed.

Disclosures without Patient Authorization
A health care provider or facility or third-party payor may disclose a patient's health care information for its own health care operations or for the health care operations of another health care provider or facility or third-party payor without the patient's authorization if the other entity had a relationship with the patient. Health care providers and facilities may disclose a patient's health care information without an authorization if it is to law enforcement authorities and the health care provider or facility or third-party payor believes in good faith that the health care information constitutes evidence of criminal conduct. A health care provider or facility may also disclose a patient's health care information without an authorization if it is for purposes of payment.

Appropriation: None.

Fiscal Note: Not requested.

Effective Date of Amended Bill: The bill takes effect 90 days after adjournment of session in which bill is passed.

Testimony For: This bill aligns the state laws with the HIPAA provisions. Having both federal and state privacy laws operating concurrently requires complicated analyses of how health care information can be disclosed under two systems. The 90-day limit on authorizations can be challenging when a health care facility is using electronic medical records and it will give patients greater control over their health care information. It is helpful to be able to authorize disclosure to categories of providers when sharing information with a community of providers at an institution. Requiring patients to sign an authorization for the release of health care information for payment purposes is a burden to both hospitals and patients.

Testimony Against: None.

Persons Testifying: Senator Keiser, prime sponsor; Taya Briley, Washington State Hospital Association; Richard Meeks, University of Washington School of Medicine; and Ellen Rubin, Harborview Medical Center.

Persons Signed In To Testify But Not Testifying: None.