All licensees shall develop and implement written policies, standards and procedures for the management of health information, including policies, standards and procedures to guard against the unauthorized collection, use or disclosure of nonpublic personal health information by the licensee consistent with regulations adopted by the U.S. Department of Health and Human Services governing health information privacy (45 C.F.R. 160 through 164) which shall include:
(1) Limitation on access to health information by only those persons who need to use the health information in order to perform their jobs;
(2) Appropriate training for all employees;
(3) Disciplinary measures for violations of the health information policies, standards and procedures;
(4) Identification of the job titles and job descriptions of persons that are authorized to disclose nonpublic personal health information;
(5) Procedures for authorizing and restricting the collection, use or disclosure of nonpublic personal health information;
(6) Methods for exercising the right to access and amend incorrect nonpublic personal health information;
(7) Methods for handling, disclosing, storing and disposing of health information;
(8) Periodic monitoring of the employee's compliance with the licensee's policies, standards and procedures in a manner sufficient for the licensee to determine compliance and to enforce its policies, standards and procedures; and
(9) Methods for informing and allowing an individual who is the subject of nonpublic personal health information to request specialized disclosure or nondisclosure of nonpublic personal health information as required in this chapter.
(10) A licensee shall make the health information policies, standards and procedures developed pursuant to this section available for review by the commissioner.
[Statutory Authority: RCW 48.43.505 and Gramm-Leach-Bliley Act, Public Law 102-106, sec. 501(b), sec. 505(b)(2). WSR 01-03-034 (Matter No. R 2000-08), § 284-04-500, filed 1/9/01, effective 2/9/01.]