(1) This chapter does not apply to:
(a) Information that meets the definition of:
(i) Protected health information for purposes of the federal health insurance portability and accountability act of 1996 and related regulations;
(ii) Health care information collected, used, or disclosed in accordance with chapter 70.02 RCW;
(iii) Patient identifying information collected, used, or disclosed in accordance with 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
(iv) Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization; the protection of human subjects under 21 C.F.R. Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in this subsection;
(v) Information and documents created specifically for, and collected and maintained by:
(B) A peer review committee for purposes of RCW 4.24.250;
(D) A hospital, as defined in RCW 43.70.056, for reporting of health care-associated infections for purposes of RCW 43.70.056, a notification of an incident for purposes of RCW 70.56.040(5), or reports regarding adverse events for purposes of RCW 70.56.020(2)(b); or
(E) A manufacturer, as defined in 21 C.F.R. Sec. 820.3(o), when collected, used, or disclosed for purposes specified in chapter 70.02 RCW;
(vi) Information and documents created for purposes of the federal health care quality improvement act of 1986, and related regulations;
(vii) Patient safety work product for purposes of 42 C.F.R. Part 3, established pursuant to 42 U.S.C. Sec. 299b-21 through 299b-26;
(viii) Information that is (A) deidentified in accordance with the requirements for deidentification set forth in 45 C.F.R. Part 164, and (B) derived from any of the health care-related information listed in this subsection (1)(a)(viii);
(b) Information originating from, and intermingled to be indistinguishable with, information under (a) of this subsection that is maintained by:
(i) A covered entity or business associate as defined by the health insurance portability and accountability act of 1996 and related regulations;
(ii) A health care facility or health care provider as defined in RCW 70.02.010; or
(iii) A program or a qualified service organization as defined by 42 C.F.R. Part 2, established pursuant to 42 U.S.C. Sec. 290dd-2;
(c) Information used only for public health activities and purposes as described in 45 C.F.R. Sec. 164.512 or that is part of a limited data set, as defined, and is used, disclosed, and maintained in the manner required, by 45 C.F.R. Sec. 164.514; or
(d) Identifiable data collected, used, or disclosed in accordance with chapter 43.371 RCW or RCW 69.43.165.
(2) Personal information that is governed by and collected, used, or disclosed pursuant to the following regulations, parts, titles, or acts, is exempt from this chapter: (a) The Gramm-Leach-Bliley act (15 U.S.C. 6801 et seq.) and implementing regulations; (b) part C of Title XI of the social security act (42 U.S.C. 1320d et seq.); (c) the fair credit reporting act (15 U.S.C. 1681 et seq.); (d) the family educational rights and privacy act (20 U.S.C. 1232g; Part 99 of Title 34, C.F.R.); (e) the Washington health benefit exchange and applicable statutes and regulations, including 45 C.F.R. Sec. 155.260 and chapter 43.71 RCW; or (f) privacy rules adopted by the office of the insurance commissioner pursuant to chapter 48.02 or 48.43 RCW.
(3) The obligations imposed on regulated entities, small businesses, and processors under this chapter does not restrict a regulated entity's, small business's, or processor's ability for collection, use, or disclosure of consumer health data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any activity that is illegal under Washington state law or federal law; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action that is illegal under Washington state law or federal law.
(4) If a regulated entity, small business, or processor processes consumer health data pursuant to subsection (3) of this section, such entity bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements of this section.