WSR 17-04-082
PROPOSED RULES
OFFICE OF
FINANCIAL MANAGEMENT
[Filed January 31, 2017, 10:16 a.m.]
Original Notice.
Preproposal statement of inquiry was filed as WSR 16-23-150.
Title of Rule and Other Identifying Information: New sections in chapter 82-75 WAC, All payer health care claims. Specifically, the rules will address (1) the procedures for ensuring that all data received from data suppliers are securely collected and stored in compliance with state and federal law (security rules) and (2) procedures for ensuring compliance with state and federal privacy laws (privacy rules).
Hearing Location(s): Office of Financial Management (OFM), Insurance Building, 302 Sid Snyder Avenue S.W., Conference Room 440, Olympia, WA 98501, on March 7, 2017, at 1:30 p.m.
Date of Intended Adoption: April 4, 2017.
Submit Written Comments to: Mandy Stahre, OFM, P.O. Box 43113, Olympia, WA 98504-3113, email apcd@ofm.wa.gov, fax (360) 725-5517, comments must be submitted by March 7, 2017.
Assistance for Persons with Disabilities: Contact OFM by March 3, 2017, TTY (360) 753-4107 or (360) 902-3092.
Purpose of the Proposal and Its Anticipated Effects, Including Any Changes in Existing Rules: The purpose of this rule-making proposal relates to the statewide all-payer health care claims database (APCD). Specifically, the rules are intended to provide the procedures for ensuring that privacy and security standards are met. These standards may be set by federal or state law, or by the Washington state office of chief information officer. In all events, it is necessary to ensure that the privacy of the data is maintained and that the security standards are understood and met to safeguard the public's data.
Reasons Supporting Proposal: Chapter 43.371 RCW directs OFM to establish a statewide APCD to support transparent public reporting of health care information. To accomplish this requirement, OFM is further directed to select a lead organization to coordinate and manage the database. RCW 43.371.070 [(1)](d) and (e) provide that the OFM director shall adopt rules necessary to implement this chapter including:
(d) Procedures for ensuring that all data received from data suppliers are securely collected and stored in compliance with state and federal law;
(e) Procedures for ensuring compliance with state and federal privacy laws (privacy rules).
Statutory Authority for Adoption: Chapter 43.371 RCW.
Statute Being Implemented: Chapter 43.371 RCW.
Rule is not necessitated by federal law, federal or state court decision.
Name of Proponent: OFM, governmental.
Name of Agency Personnel Responsible for Drafting: Roselyn Marcus, 302 Sid Snyder Avenue S.W., Olympia, WA 98501, (360) 902-0434; Implementation and Enforcement: Thea Mounts, General Administration Building, Olympia, Washington 98501, (360) 902-0552.
No small business economic impact statement has been prepared under chapter 19.85 RCW. The rules do not have an impact to small businesses, as that term is defined in statute.
A cost-benefit analysis is not required under RCW 34.05.328. These rules are not significant legislative rules, as defined in statute. These rules are not subject to this requirement.
January 31, 2017
Roselyn Marcus
Assistant Director of Legal
and Legislative Affairs
AMENDATORY SECTION (Amending WSR 16-22-062, filed 11/1/16, effective 12/2/16)
WAC 82-75-030 Additional definitions authorized by chapter 43.371 RCW.
The following additional definitions apply throughout this chapter unless the context clearly indicates another meaning.
"Claim" means a request or demand on a carrier, third-party administrator, or the state labor and industries program for payment of a benefit.
"Coinsurance" means the percentage or amount an enrolled member pays towards the cost of a covered service.
"Copayment" means the fixed dollar amount a member pays to a health care provider at the time a covered service is provided or the full cost of a service when that is less than the fixed dollar amount.
"Data management plan" or "DMP" means a formal document that outlines how a data requestor will handle the WA-APCD data to ensure privacy and security both during and after the project.
"Data release committee" or "DRC" is the committee required by RCW 43.371.020 (5)(h) to establish a data release process and to provide advice regarding formal data release requests.
"Data submission guide" means the document that contains data submission requirements including, but not limited to, required fields, file layouts, file components, edit specifications, instructions and other technical specifications.
"Data use agreement" or "DUA" means the legally binding document signed by the lead organization and the data requestor that defines the terms and conditions under which access to and use of the WA-APCD data is authorized, how the data will be secured and protected, and how the data will be destroyed at the end of the agreement term.
"Deductible" means the total dollar amount an enrolled member pays on an incurred claim toward the cost of specified covered services designated by the policy or plan over an established period of time before the carrier or third-party administrator makes any payments under an insurance policy or health benefit plan.
"Director" means the director of the office of financial management.
"Health benefits plan" or "health plan" has the same meaning as in RCW 48.43.005.
"Health care" means care, services, or supplies related to the prevention, cure or treatment of illness, injury or disease of an individual, which includes medical, pharmaceutical or dental care. Health care includes, but is not limited to:
(a) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(b) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
"Lead organization" means the entity selected by the office of financial management to coordinate and manage the database as provided in chapter 43.371 RCW.
"Member" means a person covered by a health plan including an enrollee, subscriber, policyholder, beneficiary of a group plan, or individual covered by any other health plan.
"Office" means the Washington state office of financial management.
"PFI" means the protected proprietary financial information as defined in RCW 43.371.010(12).
"PHI" means protected health information as defined in the Health Insurance Portability and Accountability Act (HIPAA). Incorporating this definition from HIPAA, does not, in any manner, intend or incorporate any other HIPAA rule not otherwise applicable to the WA-APCD.
"Subscriber" means the insured individual who pays the premium or whose employment makes him or her eligible for coverage under an insurance policy or member of a health benefit plan.
"WA-APCD" means the statewide all payer health care claims database authorized in chapter 43.371 RCW.
"Washington covered person" means any eligible member and all covered dependents where the state of Washington has primary jurisdiction, and whose laws, rules and regulations govern the members' and dependents' insurance policy or health benefit plan.
PRIVACY AND SECURITY PROCEDURES
NEW SECTION
WAC 82-75-400 Privacy and security.
(1) RCW 43.371.070 (1)(d) authorizes the director of the office of financial management to adopt rules providing procedures for ensuring that all data received from data suppliers are securely collected and stored in compliance with applicable state and federal law.
(2) RCW 43.371.070 (1)(e) authorizes the director of the office of financial management to adopt rules providing procedures for ensuring compliance with state and federal privacy laws.
(3) WAC 82-75-410 through 82-75-470 provide the procedures required in subsections (1) and (2) of this section.
NEW SECTION
WAC 82-75-410 Requirements for data vendor.
(1) The data vendor must enter into an agreement with the lead organization that contains the following requirements:
(a) A provision that the data vendor is responsible for ensuring compliance of all aspects of WA-APCD operations with all applicable federal and state laws, and the state's security standards established by the office of chief information officer;
(b) Provisions that the data vendor is required to keep logs and documentation on activities conducted pursuant to the security plan, which the office can request to verify that the security protocols are being followed;
(c) A provision that requires a detailed security process;
(d) Provisions that require secure file transfer for all receipt and transmission of health care claims data; and
(e) Provisions for encryption of data both in motion and at rest using latest industry standard methods and tools for encryption, consistent with the standards of the office of chief information officer.
(2) The data vendor must enter into a legally binding data use and confidentiality agreement with the lead organization. The agreement must include provisions that restrict the access and use of data in the WA-APCD to that necessary for the operation and administration of the database as authorized by chapter 43.371 RCW.
(3)(a) The data vendor must annually engage the services of an independent third-party security auditor to conduct a security audit to verify that the infrastructure, environment and operations of the WA-APCD are in compliance with federal and state laws, Washington state information technology security standards, and the contract with the lead organization. The data vendor must prepare a plan to correct any deficiency found in the annual security audit.
(b) The data vendor must submit its latest HITRUST common security framework (CSF) report and the latest statement on standards for attestation engagements (SSAE) No. 16 service organization control 2 (SOC 2) Type II audit report covering the data vendor's third-party data center, to the office within thirty calendar days of receiving the final report. The data vendor must develop and implement an appropriate corrective action plan, including remediation timelines, when necessary, and provide the corrective action plan to the office or the office of the state chief information security officer upon request.
NEW SECTION
WAC 82-75-420 Data submission.
(1) All data suppliers must submit data to the WA-APCD using a secure transfer protocol and transmission approach approved by the office of the chief information security officer.
(2) All data suppliers must encrypt data using the latest industry standard methods and tools for encryption consistent with the data vendor's requirements for data encryption as required in WAC 82-75-410.
(3) The data vendor must provide a unique set of login credentials for each active data supplier.
(4) The data vendor must ensure that the data supplier can only use strong passwords consistent with the state standards when securely submitting data or accessing the secure site.
(5) The data vendor must automatically reject and properly dispose of any files from data suppliers that are not properly encrypted.
NEW SECTION
WAC 82-75-430 WA-APCD infrastructure.
(1) The data vendor must limit access to the secure site. Personnel allowed access must be based on the principle of least privilege and have an articulable need to know or access the site.
(2) The data vendor must conduct annual penetration testing and have specific requirements around the timing of penetration and security testing of infrastructure used to host the WA-APCD by the outside firm. The results of penetration and security testing must be documented and the data vendor must provide the summary results, along with a corrective action plan and remediation timelines, to the office and the office of the state chief information security officer within thirty calendar days of receipt of the results.
NEW SECTION
WAC 82-75-440 Accountability.
(1) The data vendor must submit an annual report to the lead organization and the state that includes the following information:
(a) Summary results of its independent security assessment; and
(b) Summary of its penetration testing and vulnerability assessment results.
(2) The data vendor, upon reasonable notice, must allow access and inspections by staff of the office of the state chief information security officer to ensure compliance with state standards.
(3) The data vendor, upon reasonable notice, must allow on-site inspections by the office to ensure compliance with laws, rules and contract terms and conditions.
(4) The data vendor must have data retention and destruction policies that are no less stringent than that required by federal standards, including the most current version of NIST Special Publication 800-88, Guidelines for Media Sanitization.
NEW SECTION
WAC 82-75-450 Data vendor and lead organization compliance with privacy and security requirements.
(1) To ensure compliance with privacy and security requirements, the data vendor must immediately report to the office and the office of the state chief information security officer any data breach of the WA-APCD or knowledge that a data recipient is not complying with confidentiality requirements in accordance with OFM-approved data breach notification procedures. The data vendor may not unilaterally disclose any information related to a breach of the WA-APCD without written permission from the office and the state chief information security officer.
(2) Upon receiving approval from the office and the state chief information security officer, the data vendor must notify the data supplier if the data it supplied has been the subject of a data breach for which the reporting requirements in subsection (1) of this section apply. The data vendor is responsible for complying with the applicable notification provisions in state and federal law.
(3) To ensure compliance with privacy and security requirements, the lead organization must:
(a) Conduct follow-up with data recipients of PHI or PFI on a schedule developed by the lead organization;
(b) Request data recipients share any manuscripts, reports, or products with lead organization and office;
(c)(i) Require data recipients to complete a project completion form, attesting that the project has terminated and data have been destroyed in accordance with the data use agreement;
(ii) Require the data recipient to provide the written verification that the data has been destroyed in a manner no less stringent than is required in WAC 82-75-440(4).
(d) Track all requests and research projects and follow up with requestor when the research or project is expected to be completed; and
(e) Follow up and require written verification that data is destroyed.
NEW SECTION
WAC 82-75-460 Additional requirements.
(1) The data vendor will ensure access to the WA-APCD data is strictly controlled and limited to authorized staff with appropriate training, clearance, background checks, and confidentiality agreements.
(2) All data vendor employees who are provided access to data submitted to the WA-APCD must attend security and privacy training before actual access to data is allowed. The training will cover the relevant privacy and security requirements in state and federal law.
NEW SECTION
WAC 82-75-470 State oversight of compliance with privacy and security requirements.
In order to ensure compliance with privacy and security requirements and procedures, the office may request any or all of the following:
(1) Audit logs pertaining to accessing the WA-APCD data;
(2) Completion of a security design review as required by Washington state IT security standards;
(3) Documentation of compliance with OCIO security policy (OCIO policy 141.10 Securing information technology assets standards);
(4) All data use agreements.