Brief Description: Modifying the uniform health care information act.

Sponsors: Senate Committee on Health & Long-Term Care (originally sponsored by Senators Keiser, Brandland, Kastama, Parlette and Benson).

Hearing Date: 3/22/05

Staff: Chris Blake (786-7392).

Background:

Federal and State Privacy Laws
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by HIPAA must have a patient's authorization to use or disclose health care information, unless there is a specified exception. Some exceptions pertain to disclosures for treatment, payment, and health care operations; public health activities; judicial proceedings; law enforcement purposes; and research purposes. HIPAA allows a state to establish standards that are more stringent than its provisions.

In Washington, the Uniform Health Care Information Act (UHCIA) governs the disclosure of health care information by health care providers and their agents or employees. The UHCIA provides that a health care provider may not disclose health care information about a patient unless there is a statutory exception or a written authorization by the patient. Some exceptions include disclosures for the provision of health care; quality improvement, legal, actuarial, and administrative services; research purposes; directory information; public health and law enforcement activities as required by law; and judicial proceedings.

Records of Disclosures
Under the UHCIA, health care providers and facilities must chart all disclosures of health care information, except for disclosures to third-party payors. These disclosures become part of the patient's health care information.

HIPAA provides an individual with the right to an accounting of disclosures made by a covered entity for up to six years. There are several exceptions to this right, including disclosures related to: treatment, payment, or health care operations; the patient's own health care information; uses and disclosures permitted or required by law; authorizations by the patient; directory information; disclosures to people involved in the patient's care; national security; correctional institutions; or deidentified information.

Patient Disclosure Authorizations
Under the UHCIA, health care providers must honor authorizations to disclose health care information. Valid disclosure authorizations must: (1) be in writing, dated, and signed by the patient; (2) identify the nature of the information to be disclosed; (3) identify the name, address, and institutional affiliation of the person to receive the information; (4) identify the provider to make the disclosure; and (5) identify the patient. A disclosure authorization is valid until the expiration date. If the authorization does not have a specified expiration date, it is only valid for ninety days after it is signed. Authorizations to disclose health care information for future health care may only apply to services provided within 90 days of signing the authorization.

A disclosure authorization under HIPAA must have the following core elements: (1) the patient's signature and date of signing; (2) a description of the information to be used or disclosed; (3) an identification of the individuals that may use or disclose the information; (4) an identification of the individuals that may receive the information; (5) a description of the purpose of the use or disclosure; and (6) an expiration date or expiration event.

Summary of Bill:

Definitions
Three new definitions are added to the UHCIA that are closely related to definitions in HIPAA.

"Health care operations" are defined as the activities of a health care provider, health care facility, or third-party payor related to their business, including conducting quality improvement; reviewing the competence and qualifications of health care providers; underwriting and premium-rating; conducting or arranging for medical review, legal, and auditing services; conducting business planning and development; and carrying out business management and administration functions.

"Payment" is defined as the activities of (1) a third-party payor to obtain premiums or provide coverage and benefits, or (2) a health care provider or facility or third-party payor to obtain or provide reimbursement for health care services.

"Treatment" is defined as the provision, coordination, or management of health care services by health care providers or facilities, including coordination of health care with a third party and consultation with or referral to another health care provider or facility.

Records of Disclosures
Existing requirements for health care providers and facilities to chart disclosures of health care information and make them a part of the patient's health care information are replaced with a requirement that health care providers and facilities provide an accounting of disclosures made during the six years prior to the patient's request. There are exceptions to the patient's right to receive an accounting when the disclosure is:

• for treatment, payment, and health care operations;
• to the patient regarding his or her own health care information;
• for uses and disclosures permitted or required by law;
• for authorizations by the patient about his or her own health care information;
• of directory information;
• to people involved in the patient's care;
• for national security or intelligence;
• to correctional institutions or law enforcement officials; or
• of a limited data set without direct identifiers.

Patient Disclosure Authorizations
The 90 day limitation on the duration of disclosure authorizations that do not have a specified expiration date is removed. The prohibition on the release of information regarding future health care services more than 90 days after signing an authorization is also removed. An additional element of a valid authorization is added to specify that it must contain an expiration date or an expiration event.

Health care facilities are required to perform the same functions as health care providers with respect to disclosure authorizations, including disclosing information and providing copies. The exception for health care providers maintaining authorizations and revocations related to third party payors is removed.

Disclosures without Patient Authorization
A health care provider or facility or third-party payor may disclose a patient's health care information for its own health care operations or for the health care operations of another health care provider or facility or third-party payor without the patient's authorization if the other entity had a relationship with the patient. Health care providers and facilities may disclose a patient's health care information without an authorization if it is to law enforcement authorities and the health care provider or facility or third-party payor believes in good faith that the health care information constitutes evidence of criminal conduct. A health care provider or facility may also disclose a patient's health care information without an authorization if it is for purposes of payment.

Appropriation: None.

Fiscal Note: Not requested.

Effective Date: The bill takes effect 90 days after adjournment of session in which bill is passed.