WSR 17-08-079
PERMANENT RULES
OFFICE OF FINANCIAL MANAGEMENT
[Filed April 4, 2017, 8:31 a.m., effective May 5, 2017]
Effective Date of Rule: Thirty-one days after filing.
Purpose: Chapter 43.371 RCW directs the office of financial management (OFM) to establish a statewide all-payer health care claims database to support transparent public reporting of health care information[.] RCW 43.371.070 [(1)](d) and (e) provide[s] that the OFM director shall adopt rules necessary to implement this chapter including:
(d) Procedures for ensuring that all data received from data suppliers are securely collected and stored in compliance with state and federal law;
(e) Procedures for ensuring compliance with state and federal privacy laws (privacy rules).
The purpose of this rule making is to provide the procedures for ensuring that privacy and security standards are met. These standards may be set by federal or state law, or by the Washington state office of chief information officer. In all events, it is necessary to ensure that the privacy of the data is maintained and that the security standards are understood and met to safeguard the public's data.
Citation of Existing Rules Affected by this Order: Amending 1 [WAC 82-75-030].
Statutory Authority for Adoption: Chapter 43.371 RCW.
Adopted under notice filed as WSR 17-04-082 on January 31, 2017.
Changes Other than Editing from Proposed to Adopted Version: In response to comments presented both at the hearing and in writing, changes were made to five proposed rules. These changes are not material nor are the final rules substantially different from the proposed rules. The changes [shown below] are generally to clarify the provisions:
WAC 82-75-410 (1)(b) was changed to add that the provision in the data vendor contract that requires the vendor to keep logs and documentation on activities conducted pursuant to the security plan must be consistent with the state records retention requirements.
WAC 82-75-410 (1)(c) was changed to add that the detailed security process should include but not [be] limited to details regarding security risk assessments and corrective action plans when deficiencies are discovered.
WAC 82-75-420(3) was changed to clarify that the unique set of login credentials for each active data supplier is a unique set of login credentials for each individual acting on behalf of or at the direction of the data supplier, and not one login credential for the data supplier as an entity.
WAC 82-75-450 (3)(d) was changed from "requester" to "the data recipient" as that term is the correct one.
WAC 82-75-470 was changed to clarify that both the office of chief information officer and OFM may request the information listed. It was also clarified that this request is to be made to the lead organization.
Number of Sections Adopted in Order to Comply with Federal Statute: New 8, Amended 1, Repealed 0; Federal Rules or Standards: New 8, Amended 1, Repealed 0; or Recently Enacted State Statutes: New 8, Amended 1, Repealed 0.
Number of Sections Adopted at Request of a Nongovernmental Entity: New 0, Amended 1, Repealed 0.
Number of Sections Adopted on the Agency's Own Initiative: New 0, Amended 0, Repealed 0.
Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, Amended 0, Repealed 0.
Number of Sections Adopted Using Negotiated Rule Making: New 0, Amended 0, Repealed 0; Pilot Rule Making: New 0, Amended 0, Repealed 0; or Other Alternative Rule Making: New 8, Amended 1, Repealed 0.
Date Adopted: April 4, 2017.
Roselyn Marcus
Assistant Director of Legal
and Legislative Affairs
Rules Coordinator
AMENDATORY SECTION (Amending WSR 16-22-062, filed 11/1/16, effective 12/2/16)
WAC 82-75-030 Additional definitions authorized by chapter 43.371 RCW.
The following additional definitions apply throughout this chapter unless the context clearly indicates another meaning.
"Claim" means a request or demand on a carrier, third-party administrator, or the state labor and industries program for payment of a benefit.
"Coinsurance" means the percentage or amount an enrolled member pays towards the cost of a covered service.
"Copayment" means the fixed dollar amount a member pays to a health care provider at the time a covered service is provided or the full cost of a service when that is less than the fixed dollar amount.
"Data management plan" or "DMP" means a formal document that outlines how a data requestor will handle the WA-APCD data to ensure privacy and security both during and after the project.
"Data release committee" or "DRC" is the committee required by RCW 43.371.020 (5)(h) to establish a data release process and to provide advice regarding formal data release requests.
"Data submission guide" means the document that contains data submission requirements including, but not limited to, required fields, file layouts, file components, edit specifications, instructions and other technical specifications.
"Data use agreement" or "DUA" means the legally binding document signed by the lead organization and the data requestor that defines the terms and conditions under which access to and use of the WA-APCD data is authorized, how the data will be secured and protected, and how the data will be destroyed at the end of the agreement term.
"Deductible" means the total dollar amount an enrolled member pays on an incurred claim toward the cost of specified covered services designated by the policy or plan over an established period of time before the carrier or third-party administrator makes any payments under an insurance policy or health benefit plan.
"Director" means the director of the office of financial management.
"Health benefits plan" or "health plan" has the same meaning as in RCW 48.43.005.
"Health care" means care, services, or supplies related to the prevention, cure or treatment of illness, injury or disease of an individual, which includes medical, pharmaceutical or dental care. Health care includes, but is not limited to:
(a) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(b) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
"Lead organization" means the entity selected by the office of financial management to coordinate and manage the database as provided in chapter 43.371 RCW.
"Member" means a person covered by a health plan including an enrollee, subscriber, policyholder, beneficiary of a group plan, or individual covered by any other health plan.
"Office" means the Washington state office of financial management.
"PFI" means the proprietary financial information as defined in RCW 43.371.010(12).
"PHI" means protected health information as defined in the Health Insurance Portability and Accountability Act (HIPAA). Incorporating this definition from HIPAA does not, in any manner, intend or incorporate any other HIPAA rule not otherwise applicable to the WA-APCD.
"Subscriber" means the insured individual who pays the premium or whose employment makes him or her eligible for coverage under an insurance policy or member of a health benefit plan.
"WA-APCD" means the statewide all payer health care claims database authorized in chapter 43.371 RCW.
"Washington covered person" means any eligible member and all covered dependents where the state of Washington has primary jurisdiction, and whose laws, rules and regulations govern the members' and dependents' insurance policy or health benefit plan.
PRIVACY AND SECURITY PROCEDURES
NEW SECTION
WAC 82-75-400 Privacy and security.
(1) RCW 43.371.070 (1)(d) authorizes the director of the office of financial management to adopt rules providing procedures for ensuring that all data received from data suppliers are securely collected and stored in compliance with applicable state and federal law.
(2) RCW 43.371.070 (1)(e) authorizes the director of the office of financial management to adopt rules providing procedures for ensuring compliance with state and federal privacy laws.
(3) WAC 82-75-410 through 82-75-470 provide the procedures required in subsections (1) and (2) of this section.
NEW SECTION
WAC 82-75-410 Requirements for data vendor.
(1) The data vendor must enter into an agreement with the lead organization that contains the following requirements:
(a) A provision that the data vendor is responsible for ensuring compliance of all aspects of WA-APCD operations with all applicable federal and state laws, and the state's security standards established by the office of the chief information officer;
(b) Provisions that the data vendor is required to keep logs and documentation on activities conducted pursuant to the security plan consistent with the state records retention requirements, which the office can request to verify that the security protocols are being followed;
(c) A provision that requires a detailed security process, which should include, but is not limited to, details regarding security risk assessments and corrective action plans when deficiencies are discovered;
(d) Provisions that require secure file transfer for all receipt and transmission of health care claims data; and
(e) Provisions for encryption of data both in motion and at rest using the latest industry standard methods and tools for encryption, consistent with the standards of the office of the chief information officer.
(2) The data vendor must enter into a legally binding data use and confidentiality agreement with the lead organization. The agreement must include provisions that restrict the access and use of data in the WA-APCD to that necessary for the operation and administration of the database as authorized by chapter 43.371 RCW.
(3)(a) The data vendor must annually engage the services of an independent third-party security auditor to conduct a security audit to verify that the infrastructure, environment and operations of the WA-APCD are in compliance with federal and state laws, Washington state information technology security standards, and the contract with the lead organization. The data vendor must prepare a plan to correct any deficiency found in the annual security audit.
(b) The data vendor must submit its latest HITRUST common security framework (CSF) report and the latest statement on standards for attestation engagements (SSAE) No. 16 service organization control 2 (SOC 2) Type II audit report covering the data vendor's third-party data center, to the office within thirty calendar days of receiving the final report. The data vendor must develop and implement an appropriate corrective action plan, including remediation timelines, when necessary, and provide the corrective action plan to the office or the office of the state chief information security officer upon request.
NEW SECTION
WAC 82-75-420 Data submission.
(1) All data suppliers must submit data to the WA-APCD using a secure transfer protocol and transmission approach approved by the office of the state chief information security officer.
(2) All data suppliers must encrypt data using the latest industry standard methods and tools for encryption consistent with the data vendor's requirements for data encryption as required in WAC 82-75-410.
(3) The data vendor must provide a unique set of login credentials for each individual acting on behalf of or at the direction of an active data supplier.
(4) The data vendor must ensure that the data supplier can only use strong passwords consistent with the state standards when securely submitting data or accessing the secure site.
(5) The data vendor must automatically reject and properly dispose of any files from data suppliers that are not properly encrypted.
NEW SECTION
WAC 82-75-430 WA-APCD infrastructure.
(1) The data vendor must limit access to the secure site. Personnel allowed access must be based on the principle of least privilege and have an articulable need to know or access the site.
(2) The data vendor must conduct annual penetration testing and must have specific requirements governing the timing of the penetration and security testing that the outside firm performs on the infrastructure used to host the WA-APCD. The results of penetration and security testing must be documented, and the data vendor must provide the summary results, along with a corrective action plan and remediation timelines, to the office and the office of the state chief information security officer within thirty calendar days of receipt of the results.
NEW SECTION
WAC 82-75-440 Accountability.
(1) The data vendor must submit an annual report to the lead organization, the office, and the office of the state chief information security officer that includes the following information:
(a) Summary results of its independent security assessment; and
(b) Summary of its penetration testing and vulnerability assessment results.
(2) The data vendor, upon reasonable notice, must allow access and inspections by staff of the office of the state chief information security officer to ensure compliance with state standards.
(3) The data vendor, upon reasonable notice, must allow on-site inspections by the office to ensure compliance with laws, rules and contract terms and conditions.
(4) The data vendor must have data retention and destruction policies that are no less stringent than those required by federal standards, including the most current version of NIST Special Publication 800-88, Guidelines for Media Sanitization.
NEW SECTION
WAC 82-75-450 Data vendor and lead organization compliance with privacy and security requirements.
(1) To ensure compliance with privacy and security requirements, the data vendor must immediately report to the office and the office of the state chief information security officer any data breach of the WA-APCD or knowledge that a data recipient is not complying with confidentiality requirements in accordance with OFM-approved data breach notification procedures. The data vendor may not unilaterally disclose any information related to a breach of the WA-APCD without written permission from the office and the state chief information security officer.
(2) Upon receiving approval from the office and the state chief information security officer, the data vendor must notify the data supplier if the data it supplied has been the subject of a data breach for which the reporting requirements in subsection (1) of this section apply. The data vendor is responsible for complying with the applicable notification provisions in state and federal law.
(3) To ensure compliance with privacy and security requirements, the lead organization must:
(a) Conduct follow-up with data recipients of PHI or PFI on a schedule developed by the lead organization;
(b) Request that data recipients share any manuscripts, reports, or products with the lead organization and the office;
(c)(i) Require data recipients to complete a project completion form, attesting that the project has terminated and data have been destroyed in accordance with the data use agreement;
(ii) Require the data recipient to provide written verification that the data has been destroyed in a manner no less stringent than is required in WAC 82-75-440(4);
(d) Track all requests and research projects and follow up with the data recipient when the research or project is expected to be completed; and
(e) Follow up and require written verification that data is destroyed.
NEW SECTION
WAC 82-75-460 Additional requirements.
(1) The data vendor will ensure access to the WA-APCD data is strictly controlled and limited to authorized staff with appropriate training, clearance, background checks, and confidentiality agreements.
(2) All data vendor employees who are provided access to data submitted to the WA-APCD must attend security and privacy training before actual access to data is allowed. The training will cover the relevant privacy and security requirements in state and federal law.
NEW SECTION
WAC 82-75-470 State oversight of compliance with privacy and security requirements.
In order to ensure compliance with privacy and security requirements and procedures, the office or the office of chief information officer or both may request from the lead organization any or all of the following:
(1) Audit logs pertaining to accessing the WA-APCD data;
(2) Completion of a security design review as required by Washington state IT security standards;
(3) Documentation of compliance with OCIO security policy (OCIO policy 141.10 Securing information technology assets standards);
(4) All data use agreements.