(1) The local health officer and local health department personnel shall maintain individual case reports for AIDS and HIV as confidential records consistent with the requirements of this section. The local health officer and local health department personnel must:

(a) Use identifying information on HIV-infected individuals only:

(i) For purposes of contacting the HIV-positive individual to provide test results and post-test counseling; or

(ii) To contact persons who have experienced substantial exposure, including sex and injection equipment-sharing partners, and spouses; or

(iii) To link with other name-based public health disease registries when doing so will improve ability to provide needed care services and counseling and disease prevention; or

(iv) As specified in WAC 246-100-072; or

(v) To provide case reports to the state health department.

(b) Destroy case report identifying information on asymptomatic HIV-infected individuals received as a result of this chapter within three months of receiving a complete case report, or maintain HIV case reports in secure systems that meet the following standards and are consistent with the 2006 Security and Confidentiality Guidelines developed by the Centers for Disease Control and Prevention:

(i) Secure systems must be described in written policies that are reviewed annually by the local health officer;

(ii) Access to case report information must be limited to health department staff who need it to perform their job duties and a current list of these staff must be maintained by the local health officer;

(iii) All physical locations containing electronic or paper copies of surveillance data must be enclosed in a locked, secured area with limited access and not accessible by window;

(iv) Paper copies or electronic media containing surveillance information must be housed inside locked file cabinets that are in the locked, secured area;

(v) A crosscut shredder must be available for destroying information and electronic media must be appropriately sanitized prior to disposal;

(vi) Files or databases containing confidential information must reside on either stand-alone computers with restricted access or on networked drives with proper access controls, encryption software and firewall protection;

(vii) Electronic communication of confidential information must be protected by encryption standards that are reviewed annually by the local health officer;

(viii) Locking briefcases must be available for transporting confidential information;

(c) If maintaining identifying information on asymptomatic HIV-infected individuals more than ninety days following receipt of a completed case report, cooperate with the department of health in biennial review of system security measures described in (b) of this subsection.

(d) Destroy documentation of referral information established in WAC 246-100-072 containing identities and identifying information on HIV-infected individuals and at-risk partners of those individuals immediately after notifying partners or within three months, whichever occurs first unless such documentation is being used in an investigation of conduct endangering the public health or of behaviors presenting an imminent danger to the public health pursuant to RCW 70.24.022 or 70.24.024.

(e) Not disclose identifying information received as a result of this chapter unless:

(i) Explicitly and specifically required to do so by state or federal law; or

(ii) Authorized by written patient consent.

(2) Local health department personnel are authorized to use HIV identifying information obtained as a result of this chapter only for the following purposes:

(a) Notification of persons with substantial exposure, including sexual or syringe-sharing partners;

(b) Referral of the infected individual to social and health services;

(c) Linkage to other public health databases, provided that the identity or identifying information on the HIV-infected person is not disclosed outside of the health department; and

(d) Investigations pursuant to RCW 70.24.022 or 70.24.024.

(3) Public health databases do not include health professions licensing records, certifications or registries, teacher certification lists, other employment rolls or registries, or databases maintained by law enforcement officials.

(4) Local health officials will report HIV infection cases to the state health department.

(5) Local health officers must require and maintain signed confidentiality agreements with all health department employees with access to HIV identifying information. These agreements will be renewed at least annually and include reference to criminal and civil penalties for violation of chapter 70.24 RCW and other administrative actions that may be taken by the department.

(6) Local health officers must investigate potential breaches of the confidentiality of HIV identifying information by health department employees. All breaches of confidentiality must be reported to the state health officer or their designee for review and appropriate action.

(7) Local health officers and local health department personnel must assist the state health department to reascertain the identities of previously reported cases of HIV infection.

(1) The local health officer and local health jurisdiction personnel shall maintain individual case reports, laboratory reports, investigation reports, and other data and supporting information for AIDS and HIV as confidential records consistent with the requirements of RCW 70.02.220 and any other applicable confidentiality laws.

(2) The local health officer and local health jurisdiction personnel shall:

(a) Use identifying information of individuals tested, diagnosed, or reported with HIV only:

(i) To contact the individual tested, diagnosed, or reported with HIV to provide test results or refer the individual to social and medical services; or

(ii) To contact persons who have been identified as sex or injection equipment-sharing partners; or

(iii) To link with other name-based public health disease registries when doing so will improve ability to provide needed care services and disease prevention, provided that the identity or identifying information of the individual tested, diagnosed, or reported with HIV is not disclosed outside of the local health jurisdiction; or

(iv) As specified in WAC 246-100-072; or

(v) To provide case reports, laboratory reports, or investigation reports to the department; or

(vi) To conduct investigations under RCW 70.24.022 or 70.24.024.

(b) Within ninety days of completing an investigation report, or of receiving a complete investigation report from another public health authority:

(i) Destroy case reports, laboratory reports, investigation reports, and other data and supporting identifying information on individuals tested, diagnosed, or reported with HIV received as a result of this chapter. If an investigation is not conducted for a case, then the identifying information for that case shall be destroyed within ninety days of receiving a complete HIV case report or laboratory report; or

(ii) Maintain HIV case reports, laboratory reports, investigation reports, and other data and supporting information in secure systems consistent with the 2011 DataSecurity and Confidentiality Guidelinesfor HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action published by the Centers for Disease Control and Prevention.

(3) The local health officer shall:

(a) Describe the secure systems in written policies and review the policies annually;

(b) Limit access to case report, laboratory report, investigation report, and other data and supporting information to local health jurisdiction staff who need the information to perform their job duties;

(c) Maintain a current list of local health jurisdiction staff with access to case report, laboratory report, investigation report, and other data and supporting information;

(d) Enclose physical locations containing electronic or paper copies of surveillance data in a locked, secured area with limited access and not accessible by window;

(e) Store paper copies or electronic media containing surveillance information inside locked file cabinets that are in the locked, secured area;

(f) Destroy information by either shredding it with a crosscut shredder or appropriately sanitizing electronic media prior to disposal;

(g) Store files or databases containing confidential information on either stand-alone computers with restricted access or on networked drives with proper access controls, encryption software, and firewall protection;

(h) Protect electronic communication of confidential information by encryption standards and review the standards annually; and

(i) Make available locking briefcases for transporting confidential information.

(4) The local health officer and local health jurisdiction staff shall:

(a) If maintaining identifying information on individuals tested, diagnosed, or reported with HIV more than ninety days following completion of an investigation report or receipt of a complete investigation report from another public health authority, cooperate with the department in biennial review of system security measures described in subsection (2)(b) of this section.

(b) Not disclose identifying information received as a result of this chapter unless:

(i) Explicitly and specifically required to do so by state or federal law;

(ii) Permitted under RCW 70.02.220; or

(iii) Authorized by written patient consent.

(5) Local health officers shall investigate potential breaches of the confidentiality of HIV identifying information by health jurisdiction employees. The local health officer shall report all breaches of confidentiality to the state health officer for review and appropriate action.