(1) All state or local agencies obtaining patient health care information pursuant to RCW
70.02.050 and
70.02.200 through
70.02.240 that are not health care facilities or providers shall adopt rules establishing their record acquisition, retention, destruction, and security policies that are consistent with this chapter.
(2) State and local agencies that are not health care facilities or providers that have not requested health care information and are not authorized to receive this information under this chapter:
(a) Must not use or disclose this information unless permitted under this chapter; and
(b) Must destroy the information in accordance with the policy developed under subsection (1) of this section or return the information to the entity that provided the information to the state or local agency if the entity is a health care facility or provider and subject to this chapter.
(3) A person who has health care information disclosed in violation of subsection (2)(a) of this section, must be informed of the disclosure by the state or local agency improperly making the disclosure. State and local agencies that are not health care facilities or providers must develop a policy to establish a reasonable notification period and what information must be included in the notice, including whether the name of the entity that originally provided the information to the agency must be included.
(4) Rules or policies adopted under this section must be available through each agency's website.