HOUSE BILL REPORT
ESSB 6265
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Passed House - Amended:
March 11, 2014
Title: An act relating to state and local agencies that obtain patient health care information.
Brief Description: Concerning state and local agencies that obtain patient health care information.
Sponsors: Senate Committee on Health Care (originally sponsored by Senators Frockt, Rivers, Conway, Becker, Kohl-Welles, Bailey, Cleveland, Ranker, Keiser and Tom).
Brief History:
Committee Activity:
Health Care & Wellness: 2/24/14, 2/26/14 [DP].
Floor Activity:
Passed House - Amended: 3/11/14, 65-33.
Brief Summary of Engrossed Substitute Bill (As Amended by House)
HOUSE COMMITTEE ON HEALTH CARE & WELLNESS
Majority Report: Do pass. Signed by 15 members: Representatives Cody, Chair; Riccelli, Vice Chair; Schmick, Ranking Minority Member; Harris, Assistant Ranking Minority Member; Clibborn, Green, G. Hunt, Jinkins, Manweller, Moeller, Morrell, Rodne, Ross, Tharinger and Van De Wege.
Minority Report: Do not pass. Signed by 1 member: Representative Short.
Staff: Chris Blake (786-7392).
Background:
Confidentiality of Health Care Information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by the HIPAA must have a patient's authorization to use or disclose health care information, unless there is a specified exception. In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or a written authorization by the patient. Under the UHCIA, state and local agencies that are not health care facilities or providers and obtain patient health care information must have rules related to record acquisition, retention, and security.
Washington has heightened protections for information related to mental health, human immunodeficiency virus (HIV), and sexually transmitted disease (STD). For mental health information, the fact of admission and all information and records compiled in the course of providing services to patients at public or private mental health agencies are confidential. With respect to HIV and STD information, it is prohibited to disclose the identity of a person who has considered or requested a test for an STD; the identity of the subject of an HIV antibody test or test for any other STD; the results of those tests; and information regarding the diagnosis of or treatment for HIV infection and for any other confirmed STD. The protections for mental health information and those for HIV and STD information each have several exceptions that allow the disclosure of the information without the patient's authorization or consent.
In 2013 legislation was enacted to combine health care information, mental health information, and STD information into a single statutory scheme, while continuing to recognize many of the different standards for information.
Comprehensive Hospital Abstract Reporting System.
The Department of Health (Department) maintains the Comprehensive Hospital Abstract Reporting System database in which hospitals submit financial data and patient discharge information to the Department. The information collected includes information related to patient identification, provider identification, admission information, discharge information, units of service, and procedure codes. The Department and its contractors must maintain the confidentiality of any individually identifiable health information. The Department must have security and system safeguards to prevent unauthorized access to individually identifiable health information, including procedures for handling information, physical safeguards, protections from unauthorized access, and encryption protections.
Individually identifiable information may not be released to the public. Confidential data sets, however, may be released for a research project if it has been approved by the Washington State Institutional Review Board, a data sharing agreement has been signed, and the data set includes the minimum elements necessary for the research project. A confidential data set may be released to a government agency if a data sharing agreement has been signed, the data set includes the minimum elements necessary for the project requirements, and it is to research quality assurance, hospital payment rate setting, program evaluation, or public health surveillance.
Data sharing agreements for confidential data must include: provisions related to users and recipients of data; not using the data to identify individuals; safeguards for the data; permitted uses of the data; notification to the Department of security breaches; reports to the Department of improper uses or disclosures of data; penalties for violations; the destruction or return of data; and requirements that all users of the data read the data sharing agreement.
Navigator Program.
The Affordable Care Act requires marketplaces such as the Washington Health Benefit Exchange (Exchange) to establish a navigator program to help consumers understand new coverage options and find the most affordable coverage that meets their health care needs. Navigators must be certified by the Exchange after successfully passing a certification exam and must sign confidentiality and non-disclosure agreements and agree to comply with a code of ethics that requires them to maintain their duty to the consumer.
Summary of Bill:
Use of Health Care Information by Health Care Providers.
The term "information and records related to mental health services" is clarified to include mental health information contained in a medical bill, registration records, and all records about the person that are maintained by the Department of Social and Health Services, regional support networks, and treatment facilities. In addition to mental health agencies, the term includes information maintained by a mental health professional. The term excludes psychotherapy notes, which are defined to include notes recorded by a mental health professional that document the contents of conversations during counseling sessions and that are separated from the rest of the individual's medical record. The term "mental health treatment records" is eliminated, and references to it are changed to "information and records related to mental health services."
The term "mental health professional" is expanded to include persons who work in a private setting, in addition to a public setting.
Exceptions to the right of a patient to receive an accounting of disclosures of health care information are applied to mental health treatment information. The exceptions relate to uses or disclosures that pertain to treatment, payment, and health care operations; the patient's own health care information; uses or disclosures that are permitted or required by law; authorizations by the patient; directory information; persons involved in the patient's care; national security; correctional institutions or law enforcement officials; and limited data sets without identifying information.
Duplicative standards related to permissible disclosures of information and records related to mental health are eliminated so that a single standard applies to situations in which the communication is between mental health professionals and a state or local correctional facility where the patient is confined or supervised.
The requirement that a person who receives health care information to perform services on behalf of a health care provider may not use the information in a manner inconsistent with the duties of the health care provider is changed so that the information may not be used in a manner that would violate confidentiality provisions if performed by the provider. The requirement that third-party payors only disclose health care information to the extent that a health care provider may disclose information without authorization is changed so that the third-party payor may only release health care information as provided under the Uniform Health Care Information Act.
The requirement that a health care provider or facility terminate a contractual relationship with any entity that violates its responsibility to keep information confidential is made permissive.
The duration of an authorization to disclose health care information to a financial institution or an employer of the patient is extended from 90 days to one year.
Disclosures of health care information for research purposes may include health care information related to chemical dependency as authorized in state and federal law.
A reference to disclosures permitted in a "treatment facility" where a patient is receiving treatment is changed to clarify that the provision applies to "mental health service agencies."
Health Care Information Received by a Government Agency.
In addition to rules regarding record acquisition, retention, and security, state and local agencies that are not health care facilities or providers must adopt rules related to the destruction of records and policies regarding the notification of persons whose health care information has been improperly disclosed. The rules and policies must be posted on each agency's website.
State and local agencies that are not health care facilities or providers, have not requested health care information, and are not authorized to receive such information may not use or disclose the information and must either destroy the information in accordance with its rules or return it to the entity that provided the information. If an agency improperly discloses the information, it must inform the person who is the subject of the information in accordance with its notification policy.
Hospital Discharge Data.
The Department must maintain the confidentiality of patient discharge data. Patient discharge data that include direct and indirect identifiers are not subject to public inspection. A "direct patient identifier" is defined as information that identifies a patient. An "indirect patient identifier" is defined as information that may identify a patient when combined with other information.
The Department may release patient discharge data that include direct and indirect patient identifiers to government agencies upon receipt of a signed data use agreement and to researchers with approval of the Washington Institutional Review Board and a signed data use agreement. Data that does not contain direct patient identifiers, but may include indirect patient identifiers, may be released to agencies, researchers, and other persons upon receipt of a signed data use agreement. Data that does not contain direct or indirect patient identifiers may be released on request.
Data use agreements must require the requestor to take steps to protect direct and indirect patient identifying information and not re-disclose the data except as authorized and consistent with the purpose of the agreement. Recipients of data may not attempt to determine the identity of persons whose information is included in the data set or use the information in a way that identifies individuals or their families.
Health Care Information Received by a Navigator.
Navigators that are not covered by the Health Insurance Portability and Accountability Act are only allowed to request health care information that is relevant to a specific assessment of health plan options and eligibility. Health care information received by a navigator may not be disclosed to a third party and must be destroyed once enrollment has been completed. If a navigator improperly discloses information to a third party, the navigator or the navigator's employer must notify the person of the breach. The Washington Health Benefit Exchange must develop a policy related to reasonable notification and make the policy available on its website.
Appropriation: None.
Fiscal Note: Available.
Effective Date: The bill takes effect July 1, 2014, except for section 8, relating to disclosures of health care information related to chemical dependency for research purposes, which contains an emergency clause and takes effect immediately.
Staff Summary of Public Testimony:
(In support) This bill establishes protocols and procedures for entities not covered by the HIPAA if they inadvertently receive patient health information and prohibits them from disclosing the information. This bill fills in a gap in current state law. Doctors and patients are concerned about patient privacy in many forms, including the inadvertent transfer of information, which this bill covers. The bill simply directs government agencies that are not covered by the HIPAA to establish record destruction policies. The state should take a leadership role in protecting patient health care information.
This bill strengthens the protection of patient health care information collected from hospitals. Recently, a news organization identified a risk to patient privacy by using hospital discharge data that is publicly available to identify patients and their health care information through combining the data with other public data. This bill will prohibit the use of non-confidential data to identify patients and the redisclosure of the data. This bill maintains broad public access to data while increasing protections for private patient information. The data use agreements were drafted with the intent of trying to share information with the appropriate protections for researchers and others for quality purposes. This bill provides additional protections around patient discharge data, including prohibiting deliberate efforts to identify patients from the data.
(In support with concerns) This legislation is not an adequate answer to the problem because it allows for the public disclosure of data that is not fully de-identified. Partially identifiable data allows a person to fairly easily identify a patient or narrow it down substantially and this should not be released to the public. There is no way to enforce data use agreement provisions prohibiting the use of data to locate or identify a patient. There is no public value in releasing partially identifiable information.
(Opposed) None.
Persons Testifying: (In support) Senator Frockt, prime sponsor; Christie Spice, Washington State Department of Health; Lisa Thatcher, Washington State Hospital Association; Dave Arbaugh, Allergan Pharmaceuticals; and Kristen Rogers, Providence Health and Services.
(In support with concerns) Doug Klunder, American Civil Liberties Union of Washington.
Persons Signed In To Testify But Not Testifying: None.