Washington State

House of Representatives

Office of Program Research

BILL ANALYSIS

Health Care & Wellness Committee

ESSB 6265

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

Brief Description: Concerning state and local agencies that obtain patient health care information.

Sponsors: Senate Committee on Health Care (originally sponsored by Senators Frockt, Rivers, Conway, Becker, Kohl-Welles, Bailey, Cleveland, Ranker, Keiser and Tom).

Brief Summary of Engrossed Substitute Bill

  • Prohibits government agencies that are not health care facilities or providers from using or disclosing health care information that they are not authorized to receive.

  • Establishes disclosure standards related to patient discharge data according to the characterization of the data as containing "direct patient identifiers" or "indirect patient identifiers."

  • Prohibits navigators from disclosing health care information to third parties and requires that the information be destroyed once enrollment for a client has been completed.

Hearing Date: 2/24/14

Staff: Chris Blake (786-7392).

Background:

Confidentiality of Health Care Information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by HIPAA must have a patient's authorization to use or disclose health care information, unless there is a specified exception. In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or a written authorization by the patient. Under the UHCIA, state and local agencies that are not health care facilities or providers and obtain patient health care information must have rules related to record acquisition, retention, and security.

Comprehensive Hospital Abstract Reporting System (CHARS).

The Department of Health (Department) maintains the CHARS database, to which hospitals submit financial data and patient discharge information. The information collected includes information related to patient identification, provider identification, admission information, discharge information, units of service, and procedure codes. The Department and its contractors must maintain the confidentiality of any individually identifiable health information. The Department must have security and system safeguards to prevent unauthorized access to individually identifiable health information, including procedures for handling information, physical safeguards, protections from unauthorized access, and encryption protections.

Individually identifiable information may not be released to the public. Confidential data sets, however, may be released for a research project if it has been approved by the Washington State Institutional Review Board, a data sharing agreement has been signed, and the data set includes the minimum elements necessary for the research project. A confidential data set may be released to a government agency if a data sharing agreement has been signed, the data set includes the minimum elements necessary for the project requirements, and it is to research quality assurance, hospital payment rate setting, program evaluation, or public health surveillance.

Data sharing agreements for confidential data must include provisions related to users and recipients of data, not using the data to identify individuals, safeguards for the data, permitted uses of the data, notification to the Department of security breaches, reports to the Department of improper uses or disclosures of data, penalties for violations, the destruction or return of data, and requirements that all users of the data read the data sharing agreement.

Navigator Program.

The Affordable Care Act requires marketplaces such as the Washington Health Benefit Exchange (Exchange) to establish a navigator program to help consumers understand new coverage options and find the most affordable coverage that meets their health care needs. Navigators must be certified by the Exchange after successfully passing a certification exam and must sign confidentiality and non-disclosure agreements and agree to comply with a code of ethics that requires them to maintain their duty to the consumer.

Summary of Bill:

Health Care Information Received by a Government Agency.

In addition to their rules regarding record acquisition, retention, and security, state and local agencies that are not health care facilities or providers must adopt rules related to the destruction of records and policies regarding the notification of persons whose health care information has been improperly disclosed. The rules and policies must be posted on each agency's website.

State and local agencies that are not health care facilities or providers, have not requested health care information, and are not authorized to receive such information may not use or disclose the information and must either destroy the information in accordance with their rules or return it to the entity that provided the information. If an agency improperly discloses the information, it must inform the person who is the subject of the information in accordance with its notification policy.

Hospital Discharge Data.

The Department of Health (Department) must maintain the confidentiality of patient discharge data. Patient discharge data that include direct and indirect identifiers are not subject to public inspection. "Direct patient identifiers" are defined as information that identifies a patient. "Indirect patient identifiers" are defined as information that may identify a patient when combined with other information.

The Department may release patient discharge data that include direct and indirect patient identifiers to government agencies upon receipt of a signed data use agreement and to researchers with approval of the Washington Institutional Review Board and a signed data use agreement. Data that does not contain direct patient identifiers, but may include indirect patient identifiers, may be released to agencies, researchers, and other persons upon receipt of a signed data use agreement. Data that does not contain direct or indirect patient identifiers may be released on request.

Data use agreements must require the requestor to take steps to protect direct and indirect patient identifying information and not re-disclose the data except as authorized and consistent with the purpose of the agreement. Recipients of data may not attempt to determine the identity of persons whose information is included in the data set or use the information in a way that identifies individuals or their families.

Health Care Information Received by a Navigator.

Navigators are only allowed to request health care information that is relevant to a specific assessment and recommendation of health plan options. Health care information received by a navigator may not be disclosed to a third party and must be destroyed once enrollment has been completed. If a navigator improperly discloses information to a third party, the navigator must notify the person of the breach. The Washington Health Benefit Exchange must develop a policy related to reasonable notification and make the policy available on its website.

Appropriation: None.

Fiscal Note: Requested on February 21, 2014.

Effective Date: The bill takes effect July 1, 2014.