Background: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by HIPAA must have a patient's authorization to use or disclose health care information unless there is a specific exemption. Some exemptions pertain to disclosures for treatment, payment, and health care operations; public health activities; judicial proceedings; law enforcement purposes; and research purposes. HIPAA allows a state to establish standards that are more stringent than its provisions. Covered entities include health plans, health care providers, and health care clearinghouses. Using this definition, many state agencies would not be considered covered entities.

In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or a written authorization by the patient. Some exceptions include disclosures for the provision of health care; quality improvement, legal, actuarial, and administrative services; research purposes; directory information; public health and law enforcement activities as required by law; and judicial proceedings.

The Comprehensive Hospital Abstract Reporting System (CHARS) provides hospital patient discharge information to public health personnel, consumers, purchasers, payers, providers, and researchers to help make informed decisions on health care. CHARS contains coded hospital inpatient discharge information, derived from billing systems, available from 1987 to 2012. Coded hospital-based observation stay data is available from 2008 forward. For example, the Department of Health (DOH) uses CHARS data to identify and analyze health trends related to hospitalizations and to identify and quantify issues related to health care access, quality, and cost containment.

The non-confidential CHARS data file does not contain direct patient identifiers, defined as information that identifies a patient or, in other words, information that is readily associated with a person's identity and exempt from disclosure under the Public Records Act. The nonconfidential CHARS data file does include indirect identifiers, defined as information that may identify a patient when combined with other information, such as the patient's age, sex, zip code, billed charges, and diagnostic or procedure codes.

The Affordable Care Act requires marketplaces such as the Washington Health Benefit Exchange (Exchange) to establish a navigator program to help consumers understand new coverage options and find the most affordable coverage that meets their health care needs. Navigators must be certified by the Exchange after successfully passing a certification exam and must sign confidentiality and non-disclosure agreements and agree to comply with a code of ethics that requires them to maintain their duty to the consumer.

Summary of Engrossed Substitute Bill: State and local agencies that inadvertently obtain health care information must not use or disclose this information. Agencies that receive such information must either destroy it or return it to the entity that provided the information to the agency. This must be done within five days of the agency discovering that it received the information in error. If the health care information has been disclosed to a third party, the state or local agency must notify the person whose information has been disclosed of the disclosure and whether the information has subsequently been destroyed or returned to the health care facility or provider. Notice must be made within five business days of discovering its disclosure and include the name of the entity that originally provided the information to the agency.

DOH must maintain confidentiality of CHARS data and this data is excluded from public inspection. DOH may release CHARS data as follows:

data with both direct and indirect patient identifiers may be released to:
1. federal, state, and local government agencies upon receipt of a signed data use agreement; and
2. researchers approved by the Washington State Institutional Review Board upon receipt of a signed confidentiality agreement;
data without direct patient identifiers but with possible indirect patient identifiers may be released to agencies, researchers, and other persons upon receipt of a signed data use agreement; and
data without direct or indirect patient identifiers may be released on request.

Recipients of CHARS data with either direct or indirect identifiers must agree in a written data use agreement to take steps to protect direct and indirect patient-identifying information as described in the agreement, and not re-disclose the data except as authorized in their agreement. Recipients of CHARS data without direct identifiers are prohibited from attempting to identify persons whose information is included in the data set or using the data in any manner that identifies individuals or their families. DOH must consider national standards when adopting rules necessary to implement the new confidentiality standards.

Navigators who are certified by the Exchange may only request health care information that is relevant to the specific assessment and recommendation of health plan options. Information received by navigators may not be disclosed to third parties. If a disclosure occurs, the navigator must notify the person of the breach. The Exchange must develop a policy to establish a reasonable notification period and include this policy on its website.

Staff Summary of Public Testimony on Original Bill: PRO: This bill should have little impact on state agencies because if they take care of the problem right away, they will not need to comply with the notification requirements of the bill. They must only send the required notice if they make a disclosure to a third party. The bill is not intended to be overly burdensome. It is intended to protect patients from inadvertent data breaches. This is important because of the ease in which data can be distributed, especially through electronic means. This helps to underscore that health care information must be protected.

OTHER: We suggest a technical change that provides that the same people subject to current law are included in the additions made in the bill.