HOUSE BILL REPORT

ESSB 6265

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Passed House - Amended:

March 5, 2014

Title: An act relating to state and local agencies that obtain patient health care information.

Brief Description: Concerning state and local agencies that obtain patient health care information.

Sponsors: Senate Committee on Health Care (originally sponsored by Senators Frockt, Rivers, Conway, Becker, Kohl-Welles, Bailey, Cleveland, Ranker, Keiser and Tom).

Brief History:

Committee Activity:

Health Care & Wellness: 2/24/14, 2/26/14 [DP].

Floor Activity:

Passed House - Amended: 3/5/14, 67-30.

Brief Summary of Engrossed Substitute Bill

(As Amended by House)

  • Prohibits government agencies that are not health care facilities or providers from using or disclosing health care information that they are not authorized to receive.

  • Establishes disclosure standards related to patient discharge data according to the characterization of the data as containing "direct patient identifiers" or "indirect patient identifiers."

  • Prohibits navigators from disclosing health care information to third parties and requires that the information be destroyed once enrollment for a client has been completed.

HOUSE COMMITTEE ON HEALTH CARE & WELLNESS

Majority Report: Do pass. Signed by 15 members: Representatives Cody, Chair; Riccelli, Vice Chair; Schmick, Ranking Minority Member; Harris, Assistant Ranking Minority Member; Clibborn, Green, G. Hunt, Jinkins, Manweller, Moeller, Morrell, Rodne, Ross, Tharinger and Van De Wege.

Minority Report: Do not pass. Signed by 1 member: Representative Short.

Staff: Chris Blake (786-7392).

Background:

Confidentiality of Health Care Information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by the HIPAA must have a patient's authorization to use or disclose health care information, unless there is a specified exception. In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or a written authorization by the patient. Under the UHCIA, state and local agencies that are not health care facilities or providers and obtain patient health care information must have rules related to record acquisition, retention, and security.

Comprehensive Hospital Abstract Reporting System.

The Department of Health (Department) maintains the Comprehensive Hospital Abstract Reporting System database in which hospitals submit financial data and patient discharge information to the Department. The information collected includes information related to patient identification, provider identification, admission information, discharge information, units of service, and procedure codes. The Department and its contractors must maintain the confidentiality of any individually identifiable health information. The Department must have security and system safeguards to prevent unauthorized access to individually identifiable health information, including procedures for handling information, physical safeguards, protections from unauthorized access, and encryption protections.

Individually identifiable information may not be released to the public. Confidential data sets, however, may be released for a research project if it has been approved by the Washington State Institutional Review Board, a data sharing agreement has been signed, and the data set includes the minimum elements necessary for the research project. A confidential data set may be released to a government agency if a data sharing agreement has been signed, the data set includes the minimum elements necessary for the project requirements, and it is to research quality assurance, hospital payment rate setting, program evaluation, or public health surveillance.

Data sharing agreements for confidential data must include: provisions related to users and recipients of data; not using the data to identify individuals; safeguards for the data; permitted uses of the data; notification to the Department of security breaches; reports to the Department of improper uses or disclosures of data; penalties for violations; the destruction or return of data; and requirements that all users of the data read the data sharing agreement.

Navigator Program.

The Affordable Care Act requires marketplaces such as the Washington Health Benefit Exchange (Exchange) to establish a navigator program to help consumers understand new coverage options and find the most affordable coverage that meets their health care needs. Navigators must be certified by the Exchange after successfully passing a certification exam and must sign confidentiality and non-disclosure agreements and agree to comply with a code of ethics that requires them to maintain their duty to the consumer.

Summary of Bill:

Health Care Information Received by a Government Agency.

In addition to rules regarding record acquisition, retention, and security, state and local agencies that are not health care facilities or providers must adopt rules related to the destruction of records and policies regarding the notification of persons whose health care information has been improperly disclosed. The rules and policies must be posted on each agency's website.

State and local agencies that are not health care facilities or providers, have not requested health care information, and are not authorized to receive such information may not use or disclose the information and must either destroy the information in accordance with their rules or return it to the entity that provided the information. If an agency improperly discloses the information, it must inform the person who is the subject of the information in accordance with its notification policy.

Hospital Discharge Data.

The Department must maintain the confidentiality of patient discharge data. Patient discharge data that include direct and indirect identifiers are not subject to public inspection. A "direct patient identifier" is defined as information that identifies a patient. An "indirect patient identifier" is defined as information that may identify a patient when combined with other information.

The Department may release patient discharge data that include direct and indirect patient identifiers to government agencies upon receipt of a signed data use agreement and to researchers with approval of the Washington Institutional Review Board and a signed data use agreement. Data that does not contain direct patient identifiers, but may include indirect patient identifiers, may be released to agencies, researchers, and other persons upon receipt of a signed data use agreement. Data that does not contain direct or indirect patient identifiers may be released on request.

Data use agreements must require the requestor to take steps to protect direct and indirect patient identifying information and not re-disclose the data except as authorized and consistent with the purpose of the agreement. Recipients of data may not attempt to determine the identity of persons whose information is included in the data set or use the information in a way that identifies individuals or their families.

Health Care Information Received by a Navigator.

Navigators that are not covered by the Health Insurance Portability and Accountability Act are only allowed to request health care information that is relevant to a specific assessment of health plan options and eligibility. Health care information received by a navigator may not be disclosed to a third party and must be destroyed once enrollment has been completed. If a navigator improperly discloses information to a third party, the navigator or the navigator's employer must notify the person of the breach. The Washington Health Benefit Exchange must develop a policy related to reasonable notification and make the policy available on its website.

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect July 1, 2014.

Staff Summary of Public Testimony:

(In support) This bill establishes protocols and procedures for entities not covered by the HIPAA if they inadvertently receive patient health information and prohibits them from disclosing the information. This bill fills in a gap in current state law. Doctors and patients are concerned about patient privacy in many forms, including the inadvertent transfer of information, which this bill covers. The bill simply directs government agencies that are not covered by the HIPAA to establish record destruction policies. The state should take a leadership role in protecting patient health care information.

This bill strengthens the protection of patient health care information collected from hospitals. Recently, a news organization identified a risk to patient privacy by using hospital discharge data that is publicly available to identify patients and their health care information through combining the data with other public data. This bill will prohibit the use of non-confidential data to identify patients and the redisclosure of the data. This bill maintains broad public access to data while increasing protections for private patient information. The data use agreements were drafted with the intent of trying to share information with the appropriate protections for researchers and others for quality purposes. This bill provides additional protections around patient discharge data, including prohibiting deliberate efforts to identify patients from the data.

(In support with concerns) This legislation is not an adequate answer to the problem because it allows for the public disclosure of data that is not fully de-identified. Partially identifiable data allows a person to fairly easily identify a patient or narrow it down substantially and this should not be released to the public. There is no way to enforce data use agreement provisions prohibiting the use of data to locate or identify a patient. There is no public value in releasing partially identifiable information.

(Opposed) None.

Persons Testifying: (In support) Senator Frockt, prime sponsor; Christie Spice, Washington State Department of Health; Lisa Thatcher, Washington State Hospital Association; Dave Arbaugh, Allergan Pharmaceuticals; and Kristen Rogers, Providence Health and Services.

(In support with concerns) Doug Klunder, American Civil Liberties Union of Washington.

Persons Signed In To Testify But Not Testifying: None.