(1) Except as otherwise required by law, claims or other data from the database shall only be available for retrieval in processed form to public and private requesters pursuant to this section and shall be made available within a reasonable time after the request. Each request for claims data must include, at a minimum, the following information:
(a) The identity of any entities that will analyze the data in connection with the request;
(b) The stated purpose of the request and an explanation of how the request supports the goals of this chapter set forth in RCW
43.371.020(1);
(c) A description of the proposed methodology;
(d) The specific variables requested and an explanation of how the data is necessary to achieve the stated purpose described pursuant to (b) of this subsection;
(e) How the requester will ensure all requested data is handled in accordance with the privacy and confidentiality protections required under this chapter and any other applicable law;
(f) The method by which the data will be destroyed at the conclusion of the data use agreement;
(g) The protections that will be utilized to keep the data from being used for any purposes not authorized by the requester's approved application; and
(h) Consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers, indirect patient identifiers, or proprietary financial information adopted under RCW
43.371.070(1).
(2) The lead organization may decline a request that does not include the information set forth in subsection (1) of this section that does not meet the criteria established by the lead organization's data release advisory committee, or for reasons established by rule.
(3) Except as otherwise required by law, the authority shall direct the lead organization and the data vendor to maintain the confidentiality of claims or other data it collects for the database that include proprietary financial information, direct patient identifiers, indirect patient identifiers, or any combination thereof. Any entity that receives claims or other data must also maintain confidentiality and may only release such claims data or any part of the claims data if:
(a) The claims data does not contain proprietary financial information, direct patient identifiers, indirect patient identifiers, or any combination thereof; and
(b) The release is described and approved as part of the request in subsection (1) of this section.
(4) The lead organization shall, in conjunction with the authority and the data vendor, create and implement a process to govern levels of access to and use of data from the database consistent with the following:
(a) Claims or other data that include proprietary financial information, direct patient identifiers, indirect patient identifiers, unique identifiers, or any combination thereof may be released only to the extent such information is necessary to achieve the goals of this chapter set forth in RCW
43.371.020(1) to researchers with approval of an institutional review board upon receipt of a signed data use and confidentiality agreement with the lead organization. A researcher or research organization that obtains claims data pursuant to this subsection must agree in writing not to disclose such data or parts of the data set to any other party, including affiliated entities, and must consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers, indirect patient identifiers, or proprietary financial information adopted under RCW
43.371.070(1).
(b) Claims or other data that do not contain direct patient identifiers, but that may contain proprietary financial information, indirect patient identifiers, unique identifiers, or any combination thereof may be released to:
(i) Federal, state, tribal, and local government agencies upon receipt of a signed data use agreement with the authority and the lead organization. Federal, state, tribal, and local government agencies that obtain claims data pursuant to this subsection are prohibited from using such data in the purchase or procurement of health benefits for their employees;
(ii) Any entity when functioning as the lead organization under the terms of this chapter; and
(iii) The Washington health benefit exchange established under chapter
43.71 RCW, upon receipt of a signed data use agreement with the authority and the lead organization as directed by rules adopted under this chapter.
(c) Claims or other data that do not contain proprietary financial information, direct patient identifiers, or any combination thereof, but that may contain indirect patient identifiers, unique identifiers, or a combination thereof may be released to agencies, researchers, and other entities as approved by the lead organization upon receipt of a signed data use agreement with the lead organization.
(d) Claims or other data that do not contain direct patient identifiers, indirect patient identifiers, proprietary financial information, or any combination thereof may be released upon request.
(5) Reports utilizing data obtained under this section may not contain proprietary financial information, direct patient identifiers, indirect patient identifiers, or any combination thereof. Nothing in this subsection (5) may be construed to prohibit the use of geographic areas with a sufficient population size or aggregate gender, age, medical condition, or other characteristics in the generation of reports, so long as they cannot lead to the identification of an individual.
(6) Reports issued by the lead organization at the request of providers, facilities, employers, health plans, and other entities as approved by the lead organization may utilize proprietary financial information to calculate aggregate cost data for display in such reports. The authority shall approve by rule a format for the calculation and display of aggregate cost data consistent with this chapter that will prevent the disclosure or determination of proprietary financial information. In developing the rule, the authority shall solicit feedback from the stakeholders, including those listed in RCW
43.371.020(5)(h), and must consider, at a minimum, data presented as proportions, ranges, averages, and medians, as well as the differences in types of data gathered and submitted by data suppliers.
(7) Recipients of claims or other data under subsection (4) of this section must agree in a data use agreement or a confidentiality agreement to, at a minimum:
(a) Take steps to protect data containing direct patient identifiers, indirect patient identifiers, proprietary financial information, or any combination thereof as described in the agreement;
(b) Not redisclose the claims data except pursuant to subsection (3) of this section;
(c) Not attempt to determine the identity of any person whose information is included in the data set or use the claims or other data in any manner that identifies any individual or their family or attempt to locate information associated with a specific individual;
(d) Destroy claims data at the conclusion of the data use agreement; and
(e) Consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers, indirect patient identifiers, or proprietary financial information adopted under RCW
43.371.070(1).