Background: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by HIPAA must have a patient's authorization to use or disclose health care information unless there is a specific exemption. Some exemptions pertain to disclosures for treatment, payment, and health care operations; public health activities; judicial proceedings; law enforcement purposes; and research purposes. HIPAA allows a state to establish standards that are more stringent than its provisions. Covered entities include health plans, health care providers, and health care clearinghouses. Using this definition, many state agencies would not be considered covered entities.

In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or a written authorization by the patient. Some exceptions include disclosures for the provision of health care; quality improvement, legal, actuarial, and administrative services; research purposes; directory information; public health and law enforcement activities as required by law; and judicial proceedings.

On April 25, 2000, then-Governor Gary Locke issued an executive order requiring each state agency to establish procedures and practices for the handling and disposal of public records and copies to provide reasonable assurances that confidential personal information is safeguarded. The information addressed in the order relates to that information that is appropriately provided to the agency. Direction was not provided to the agencies on developing policies on addressing situations when private health care information was inadvertently delivered to the agency in violation of the UHCIA. Because many state agencies are not covered agencies, some health care stakeholders have raised concerns that this information could be subject to public disclosure or inadvertently forwarded to a non-HIPAA covered entity.

Summary of Bill (Recommended Substitute): State and local agencies that inadvertently obtain health care information must not use or disclose this information. Agencies that receive such information must either destroy it or return it to the entity that provided the information to the agency. This must be done within five days of the agency discovering that it received the information in error. If the health care information has been disclosed to a third party, the state or local agency must notify the person whose information has been disclosed of the disclosure and whether the information has subsequently been destroyed or returned to the health care facility or provider. Notice must be made within five business days of discovering its disclosure and include the name of the entity that originally provided the information to the agency.

EFFECT OF CHANGES MADE BY HEALTH CARE COMMITTEE (Recommended Substitute): State and local agencies that are not health care facilities or providers must destroy or return health care information they did not request and are not permitted to receive under the UHCIA. A person whose information has been disclosed to a third party must be informed of the disclosure. State and local agencies that are not health care facilities or providers must develop a policy to establish a reasonable notification period and what information must be included in the notice.

Staff Summary of Public Testimony on Original Bill: PRO: This bill should have little impact on state agencies because if they take care of the problem right away, they will not need to comply with the notification requirements of the bill. They must only send the required notice if they make a disclosure to a third party. The bill is not intended to be overly burdensome. It is intended to protect patients from inadvertent data breaches. This is important because of the ease in which data can be distributed, especially through electronic means. This helps to underscore that health care information must be protected.

OTHER: We suggest a technical change that provides that the same people subject to current law are included in the additions made in the bill.