Brief Description: Modifying the uniform health care information act.

Sponsors: Senate Committee on Health & Long-Term Care (originally sponsored by Senators Keiser, Brandland, Kastama, Parlette and Benson).

Senate Committee on Health & Long-Term Care
House Committee on Health Care

Background: In April 2003, the Health Insurance Portability and Accountability Act (HIPAA) privacy regulation established new federal standards for disclosure of protected health information by hospitals and other covered entities. Because both state law and HIPAA govern disclosure of such information, hospitals have expressed concerns over the additional administrative burdens and the potential for the application of the different laws to result in inconsistent standards and lowered quality of care. There is hope that changing state law to reflect the HIPAA standards can improve patient care and may ease hospital administrative burdens.

Currently, a patient may only authorize disclosure of his or her information for up to 90 days. There is specific concern that this small time window creates barriers to sharing information electronically, particularly in community health networks. State law also requires an accounting of every disclosure of information, including disclosure made for health care operations and quality improvement purposes. Health care facilities, particularly hospitals, have commented that being required to account for disclosures that the patient already expects creates a significant administrative burden and does not assist patients. Patients are currently required to specifically authorize disclosures that will be made for payment purposes. Current state law does not facilitate health care providers sharing quality assurance information when only one of them benefits from the information shared.

Summary: The state's 90-day limit on the length of validity for a health care information disclosure authorization is removed. The bill brings the state law in line with the HIPAA regulations by requiring that an authorization include an expiration date or event that relates to the individual or to the purpose of the use or disclosure. A patient's authorization to disclose health care information is applicable to health care providers or health care facilities. The patient may also designate a particular class of persons to whom information may be disclosed instead of merely designating particular individuals. A patient may authorize the disclosure of health care information to a class of persons that includes researchers who have the patient's informed consent and to third-party payors if the information is only disclosed for payment purposes. A general 90-day expiration is created for an authorization of disclosure to a financial institution or an employer for purposes other than payment.

To further align state law with HIPAA, clarifying language is added to the provision that allows a health care provider or health care facility to disclose information to a law enforcement official that the provider or facility in good faith believes constitutes evidence of criminal conduct that occurred on the premises. The provider or facility may also disclose basic identifying information for a patient brought by a public authority. Additionally, providers and facilities may disclose patient information for payment purposes without receiving specific patient authorization to do so.

Required accounting for routine disclosures is changed to exempt those disclosures made for treatment, payment, and health care operations, as well as other areas where the patient would expect disclosure to be made routinely. A provider or facility is allowed to disclose information to another provider or facility for operational purposes, if each had a relationship with the patient, the information is related to the relationship, and the disclosure is for limited purposes.

Votes on Final Passage:

Senate      47   0
House      94   0   (House amended)
Senate      45   0   (Senate concurred)

Effective: July 24, 2005