State of Washington | 59th Legislature | 2005 Regular Session |
READ FIRST TIME 02/14/05.
AN ACT Relating to making certain provisions in the uniform health care information act consistent with the health insurance portability and accountability act privacy regulation, by addressing the period of validity of an authorization, accounting for disclosures, reporting of criminal activities, sharing quality improvement information, and modifying provisions on payment for health care, health care operations, and related definitions; and amending RCW 70.02.010, 70.02.020, 70.02.030, and 70.02.050.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
Sec. 1 RCW 70.02.010 and 2002 c 318 s 1 are each amended to read
as follows:
The definitions in this section apply throughout this chapter
unless the context clearly requires otherwise.
(1) "Audit" means an assessment, evaluation, determination, or
investigation of a health care provider by a person not employed by or
affiliated with the provider to determine compliance with:
(a) Statutory, regulatory, fiscal, medical, or scientific
standards;
(b) A private or public program of payments to a health care
provider; or
(c) Requirements for licensing, accreditation, or certification.
(2) "Directory information" means information disclosing the
presence, and for the purpose of identification, the name, ((residence,
sex)) location within a health care facility, and the general health
condition of a particular patient who is a patient in a health care
facility or who is currently receiving emergency health care in a
health care facility.
(3) "General health condition" means the patient's health status
described in terms of "critical," "poor," "fair," "good," "excellent,"
or terms denoting similar conditions.
(4) "Health care" means any care, service, or procedure provided by
a health care provider:
(a) To diagnose, treat, or maintain a patient's physical or mental
condition; or
(b) That affects the structure or any function of the human body.
(5) "Health care facility" means a hospital, clinic, nursing home,
laboratory, office, or similar place where a health care provider
provides health care to patients.
(6) "Health care information" means any information, whether oral
or recorded in any form or medium, that identifies or can readily be
associated with the identity of a patient and directly relates to the
patient's health care, including a patient's deoxyribonucleic acid and
identified sequence of chemical base pairs. The term includes any
((record)) required accounting of disclosures of health care
information.
(7) "Health care operations" means any of the following activities
of a health care provider, health care facility, or third-party payor
to the extent that the activities are related to functions that make an
entity a health care provider, a health care facility, or a third-party
payor:
(a) Conducting: Quality assessment and improvement activities,
including outcomes evaluation and development of clinical guidelines,
if the obtaining of generalizable knowledge is not the primary purpose
of any studies resulting from such activities; population-based
activities relating to improving health or reducing health care costs,
protocol development, case management and care coordination, contacting
of health care providers and patients with information about treatment
alternatives; and related functions that do not include treatment;
(b) Reviewing the competence or qualifications of health care
professionals, evaluating practitioner and provider performance and
third-party payor performance, conducting training programs in which
students, trainees, or practitioners in areas of health care learn
under supervision to practice or improve their skills as health care
providers, training of nonhealth care professionals, accreditation,
certification, licensing, or credentialing activities;
(c) Underwriting, premium rating, and other activities relating to
the creation, renewal, or replacement of a contract of health insurance
or health benefits, and ceding, securing, or placing a contract for
reinsurance of risk relating to claims for health care, including stop-loss insurance and excess of loss insurance, if any applicable legal
requirements are met;
(d) Conducting or arranging for medical review, legal services, and
auditing functions, including fraud and abuse detection and compliance
programs;
(e) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and
operating the health care facility or third-party payor, including
formulary development and administration, development, or improvement
of methods of payment or coverage policies; and
(f) Business management and general administrative activities of
the health care facility, health care provider, or third-party payor
including, but not limited to:
(i) Management activities relating to implementation of and
compliance with the requirements of this chapter;
(ii) Customer service, including the provision of data analyses for
policy holders, plan sponsors, or other customers, provided that health
care information is not disclosed to such policy holder, plan sponsor,
or customer;
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of
a health care provider, health care facility, or third-party payor with
another health care provider, health care facility, or third-party
payor or an entity that following such activity will become a health
care provider, health care facility, or third-party payor, and due
diligence related to such activity; and
(v) Consistent with applicable legal requirements, creating
deidentified health care information or a limited dataset and
fund-raising for the benefit of the health care provider, health care
facility, or third-party payor.
(8) "Health care provider" means a person who is licensed,
certified, registered, or otherwise authorized by the law of this state
to provide health care in the ordinary course of business or practice
of a profession.
(((8))) (9) "Institutional review board" means any board,
committee, or other group formally designated by an institution, or
authorized under federal or state law, to review, approve the
initiation of, or conduct periodic review of research programs to
assure the protection of the rights and welfare of human research
subjects.
(((9))) (10) "Maintain," as related to health care information,
means to hold, possess, preserve, retain, store, or control that
information.
(((10))) (11) "Patient" means an individual who receives or has
received health care. The term includes a deceased individual who has
received health care.
(((11))) (12) "Payment" means:
(a) The activities undertaken by:
(i) A third-party payor to obtain premiums or to determine or
fulfill its responsibility for coverage and provision of benefits by
the third-party payor; or
(ii) A health care provider, health care facility, or third-party
payor, to obtain or provide reimbursement for the provision of health
care; and
(b) The activities in (a) of this subsection that relate to the
patient to whom health care is provided and that include, but are not
limited to:
(i) Determinations of eligibility or coverage, including
coordination of benefits or the determination of cost-sharing amounts,
and adjudication or subrogation of health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and
demographic characteristics;
(iii) Billing, claims management, collection activities, obtaining
payment under a contract for reinsurance, including stop-loss insurance
and excess of loss insurance, and related health care data processing;
(iv) Review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges;
(v) Utilization review activities, including precertification and
preauthorization of services, and concurrent and retrospective review
of services; and
(vi) Disclosure to consumer reporting agencies of any of the
following health care information relating to collection of premiums or
reimbursement:
(A) Name and address;
(B) Date of birth;
(C) Social security number;
(D) Payment history;
(E) Account number; and
(F) Name and address of the health care provider, health care
facility, and/or third-party payor.
(13) "Person" means an individual, corporation, business trust,
estate, trust, partnership, association, joint venture, government,
governmental subdivision or agency, or any other legal or commercial
entity.
(((12))) (14) "Reasonable fee" means the charges for duplicating or
searching the record, but shall not exceed sixty-five cents per page
for the first thirty pages and fifty cents per page for all other
pages. In addition, a clerical fee for searching and handling may be
charged not to exceed fifteen dollars. These amounts shall be adjusted
biennially in accordance with changes in the consumer price index, all
consumers, for Seattle-Tacoma metropolitan statistical area as
determined by the secretary of health. However, where editing of
records by a health care provider is required by statute and is done by
the provider personally, the fee may be the usual and customary charge
for a basic office visit.
(((13))) (15) "Third-party payor" means an insurer regulated under
Title 48 RCW authorized to transact business in this state or other
jurisdiction, including a health care service contractor, and health
maintenance organization; or an employee welfare benefit plan; or a
state or federal health benefit program.
(16) "Treatment" means the provision, coordination, or management
of health care and related services by one or more health care
providers or health care facilities, including the coordination or
management of health care by a health care provider or health care
facility with a third party; consultation between health care providers
or health care facilities relating to a patient; or the referral of a
patient for health care from one health care provider or health care
facility to another.
Sec. 2 RCW 70.02.020 and 1993 c 448 s 2 are each amended to read
as follows:
(1) Except as authorized in RCW 70.02.050, a health care provider,
an individual who assists a health care provider in the delivery of
health care, or an agent and employee of a health care provider may not
disclose health care information about a patient to any other person
without the patient's written authorization. A disclosure made under
a patient's written authorization must conform to the authorization.
((Health care providers or facilities shall chart all disclosures,
except to third-party payors, of health care information, such
chartings to become part of the health care information.))
(2) A patient has a right to receive an accounting of disclosures
of health care information made by a health care provider or a health
care facility in the six years before the date on which the accounting
is requested, except for disclosures:
(a) To carry out treatment, payment, and health care operations;
(b) To the patient of health care information about him or her;
(c) Incident to a use or disclosure that is otherwise permitted or
required;
(d) Pursuant to an authorization where the patient authorized the
disclosure of health care information about himself or herself;
(e) Of directory information;
(f) To persons involved in the patient's care;
(g) For national security or intelligence purposes if an accounting
of disclosures is not permitted by law;
(h) To correctional institutions or law enforcement officials if an
accounting of disclosures is not permitted by law; and
(i) Of a limited data set that excludes direct identifiers of the
patient or of relatives, employers, or household members of the
patient.
Sec. 3 RCW 70.02.030 and 2004 c 166 s 19 are each amended to read
as follows:
(1) A patient may authorize a health care provider or health care
facility to disclose the patient's health care information. A health
care provider or health care facility shall honor an authorization and,
if requested, provide a copy of the recorded health care information
unless the health care provider or health care facility denies the
patient access to health care information under RCW 70.02.090.
(2) A health care provider or health care facility may charge a
reasonable fee for providing the health care information and is not
required to honor an authorization until the fee is paid.
(3) To be valid, a disclosure authorization to a health care
provider or health care facility shall:
(a) Be in writing, dated, and signed by the patient;
(b) Identify the nature of the information to be disclosed;
(c) Identify the name((, address,)) and institutional affiliation
of the person or class of persons to whom the information is to be
disclosed;
(d) ((Except for third-party payors,)) Identify the provider or
class of providers who ((is)) are to make the disclosure; ((and))
(e) Identify the patient; and
(f) Contain an expiration date or an expiration event that relates
to the patient or the purpose of the use or disclosure.
(4) Except as provided by this chapter, the signing of an
authorization by a patient is not a waiver of any rights a patient has
under other statutes, the rules of evidence, or common law.
(5) A health care provider or health care facility shall retain the
original or a copy of each authorization or revocation in conjunction
with any health care information from which disclosures are made.
((This requirement shall not apply to disclosures to third-party
payors.)) (6) Where the patient is under the supervision of the
department of corrections, an authorization signed pursuant to this
section for health care information related to mental health or drug or
alcohol treatment expires at the end of the term of supervision, unless
the patient is part of a treatment program that requires the continued
exchange of information until the end of the period of treatment.
(6) Except for authorizations given pursuant to an agreement with
a treatment or monitoring program or disciplinary authority under
chapter 18.71 or 18.130 RCW, when the patient is under the supervision
of the department of corrections, or to provide information to third-party payors, an authorization may not permit the release of health
care information relating to future health care that the patient
receives more than ninety days after the authorization was signed.
Patients shall be advised of the period of validity of their
authorization on the disclosure authorization form. If the
authorization does not contain an expiration date and the patient is
not under the supervision of the department of corrections, it expires
ninety days after it is signed.
(7)
Sec. 4 RCW 70.02.050 and 1998 c 158 s 1 are each amended to read
as follows:
(1) A health care provider or health care facility may disclose
health care information about a patient without the patient's
authorization to the extent a recipient needs to know the information,
if the disclosure is:
(a) To a person who the provider or facility reasonably believes is
providing health care to the patient;
(b) To any other person who requires health care information for
health care education, or to provide planning, quality assurance, peer
review, or administrative, legal, financial, ((or)) actuarial services
to, or other health care operations for or on behalf of the health care
provider or health care facility; or for assisting the health care
provider or health care facility in the delivery of health care and the
health care provider or health care facility reasonably believes that
the person:
(i) Will not use or disclose the health care information for any
other purpose; and
(ii) Will take appropriate steps to protect the health care
information;
(c) To any other health care provider or health care facility
reasonably believed to have previously provided health care to the
patient, to the extent necessary to provide health care to the patient,
unless the patient has instructed the health care provider or health
care facility in writing not to make the disclosure;
(d) To any person if the health care provider or health care
facility reasonably believes that disclosure will avoid or minimize an
imminent danger to the health or safety of the patient or any other
individual, however there is no obligation under this chapter on the
part of the provider or facility to so disclose;
(e) ((Oral, and made)) To immediate family members of the patient,
or any other individual with whom the patient is known to have a close
personal relationship, if made in accordance with good medical or other
professional practice, unless the patient has instructed the health
care provider or health care facility in writing not to make the
disclosure;
(f) To a health care provider or health care facility who is the
successor in interest to the health care provider or health care
facility maintaining the health care information;
(g) For use in a research project that an institutional review
board has determined:
(i) Is of sufficient importance to outweigh the intrusion into the
privacy of the patient that would result from the disclosure;
(ii) Is impracticable without the use or disclosure of the health
care information in individually identifiable form;
(iii) Contains reasonable safeguards to protect the information
from redisclosure;
(iv) Contains reasonable safeguards to protect against identifying,
directly or indirectly, any patient in any report of the research
project; and
(v) Contains procedures to remove or destroy at the earliest
opportunity, consistent with the purposes of the project, information
that would enable the patient to be identified, unless an institutional
review board authorizes retention of identifying information for
purposes of another research project;
(h) To a person who obtains information for purposes of an audit,
if that person agrees in writing to:
(i) Remove or destroy, at the earliest opportunity consistent with
the purpose of the audit, information that would enable the patient to
be identified; and
(ii) Not to disclose the information further, except to accomplish
the audit or report unlawful or improper conduct involving fraud in
payment for health care by a health care provider or patient, or other
unlawful conduct by the health care provider;
(i) To an official of a penal or other custodial institution in
which the patient is detained;
(j) To provide directory information, unless the patient has
instructed the health care provider or health care facility not to make
the disclosure;
(k) ((In the case of a hospital or health care provider to provide,
in cases reported by)) To fire, police, sheriff, or ((other)) another
public authority, that brought, or caused to be brought, the patient to
the health care facility or health care provider if the disclosure is
limited to the patient's name, residence, sex, age, occupation,
condition, diagnosis, estimated or actual discharge date, or extent and
location of injuries as determined by a physician, and whether the
patient was conscious when admitted;
(l) To federal, state, or local law enforcement authorities and the
health care provider, health care facility, or third-party payor
believes in good faith that the health care information disclosed
constitutes evidence of criminal conduct that occurred on the premises
of the health care provider, health care facility, or third-party
payor;
(m) To another health care provider, health care facility, or
third-party payor for the health care operations of the health care
provider, health care facility, or third-party payor that receives the
information, if each entity has or had a relationship with the patient
who is the subject of the health care information being requested, the
health care information pertains to such relationship, and the
disclosure is for the purposes described in RCW 70.02.010(7) (a) and
(b); or
(n) For payment.
(2) A health care provider shall disclose health care information
about a patient without the patient's authorization if the disclosure
is:
(a) To federal, state, or local public health authorities, to the
extent the health care provider is required by law to report health
care information; when needed to determine compliance with state or
federal licensure, certification or registration rules or laws; or when
needed to protect the public health;
(b) To federal, state, or local law enforcement authorities to the
extent the health care provider is required by law;
(c) To county coroners and medical examiners for the investigations
of deaths;
(d) Pursuant to compulsory process in accordance with RCW
70.02.060.
(3) All state or local agencies obtaining patient health care
information pursuant to this section shall adopt rules establishing
their record acquisition, retention, and security policies that are
consistent with this chapter.