READ FIRST TIME 02/14/05.   

     AN ACT Relating to making certain provisions in the uniform health care information act consistent with the health insurance portability and accountability act privacy regulation, by addressing the period of validity of an authorization, accounting for disclosures, reporting of criminal activities, sharing quality improvement information, and modifying provisions on payment for health care, health care operations, and related definitions; and amending RCW 70.02.010, 70.02.020, 70.02.030, and 70.02.050.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

Sec. 1   RCW 70.02.010 and 2002 c 318 s 1 are each amended to read as follows:
     The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
     (1) "Audit" means an assessment, evaluation, determination, or investigation of a health care provider by a person not employed by or affiliated with the provider to determine compliance with:
     (a) Statutory, regulatory, fiscal, medical, or scientific standards;
     (b) A private or public program of payments to a health care provider; or
     (c) Requirements for licensing, accreditation, or certification.
     (2) "Directory information" means information disclosing the presence, and for the purpose of identification, the name, ((residence, sex)) location within a health care facility, and the general health condition of a particular patient who is a patient in a health care facility or who is currently receiving emergency health care in a health care facility.
     (3) "General health condition" means the patient's health status described in terms of "critical," "poor," "fair," "good," "excellent," or terms denoting similar conditions.
     (4) "Health care" means any care, service, or procedure provided by a health care provider:
     (a) To diagnose, treat, or maintain a patient's physical or mental condition; or
     (b) That affects the structure or any function of the human body.
     (5) "Health care facility" means a hospital, clinic, nursing home, laboratory, office, or similar place where a health care provider provides health care to patients.
     (6) "Health care information" means any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and directly relates to the patient's health care, including a patient's deoxyribonucleic acid and identified sequence of chemical base pairs. The term includes any ((record)) required accounting of disclosures of health care information.
     (7) "Health care operations" means any of the following activities of a health care provider, health care facility, or third-party payor to the extent that the activities are related to functions that make an entity a health care provider, a health care facility, or a third-party payor:
     (a) Conducting: Quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, if the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
     (b) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance and third-party payor performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of nonhealth care professionals, accreditation, certification, licensing, or credentialing activities;
     (c) Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care, including stop-loss insurance and excess of loss insurance, if any applicable legal requirements are met;
     (d) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
     (e) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the health care facility or third-party payor, including formulary development and administration, development, or improvement of methods of payment or coverage policies; and
     (f) Business management and general administrative activities of the health care facility, health care provider, or third-party payor including, but not limited to:
     (i) Management activities relating to implementation of and compliance with the requirements of this chapter;
     (ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that health care information is not disclosed to such policy holder, plan sponsor, or customer;
     (iii) Resolution of internal grievances;
     (iv) The sale, transfer, merger, or consolidation of all or part of a health care provider, health care facility, or third-party payor with another health care provider, health care facility, or third-party payor or an entity that following such activity will become a health care provider, health care facility, or third-party payor, and due diligence related to such activity; and
     (v) Consistent with applicable legal requirements, creating deidentified health care information or a limited dataset and fund-raising for the benefit of the health care provider, health care facility, or third-party payor.
     (8) "Health care provider" means a person who is licensed, certified, registered, or otherwise authorized by the law of this state to provide health care in the ordinary course of business or practice of a profession.
     (((8))) (9) "Institutional review board" means any board, committee, or other group formally designated by an institution, or authorized under federal or state law, to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects.
     (((9))) (10) "Maintain," as related to health care information, means to hold, possess, preserve, retain, store, or control that information.
     (((10))) (11) "Patient" means an individual who receives or has received health care. The term includes a deceased individual who has received health care.
     (((11))) (12) "Payment" means:
     (a) The activities undertaken by:
     (i) A third-party payor to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits by the third-party payor; or
     (ii) A health care provider, health care facility, or third-party payor, to obtain or provide reimbursement for the provision of health care; and
     (b) The activities in (a) of this subsection that relate to the patient to whom health care is provided and that include, but are not limited to:
     (i) Determinations of eligibility or coverage, including coordination of benefits or the determination of cost-sharing amounts, and adjudication or subrogation of health benefit claims;
     (ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
     (iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, including stop-loss insurance and excess of loss insurance, and related health care data processing;
     (iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
     (v) Utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services; and
     (vi) Disclosure to consumer reporting agencies of any of the following health care information relating to collection of premiums or reimbursement:
     (A) Name and address;
     (B) Date of birth;
     (C) Social security number;
     (D) Payment history;
     (E) Account number; and
     (F) Name and address of the health care provider, health care facility, and/or third-party payor.
     (13) "Person" means an individual, corporation, business trust, estate, trust, partnership, association, joint venture, government, governmental subdivision or agency, or any other legal or commercial entity.
     (((12))) (14) "Reasonable fee" means the charges for duplicating or searching the record, but shall not exceed sixty-five cents per page for the first thirty pages and fifty cents per page for all other pages. In addition, a clerical fee for searching and handling may be charged not to exceed fifteen dollars. These amounts shall be adjusted biennially in accordance with changes in the consumer price index, all consumers, for Seattle-Tacoma metropolitan statistical area as determined by the secretary of health. However, where editing of records by a health care provider is required by statute and is done by the provider personally, the fee may be the usual and customary charge for a basic office visit.
     (((13))) (15) "Third-party payor" means an insurer regulated under Title 48 RCW authorized to transact business in this state or other jurisdiction, including a health care service contractor, and health maintenance organization; or an employee welfare benefit plan; or a state or federal health benefit program.
     (16) "Treatment" means the provision, coordination, or management of health care and related services by one or more health care providers or health care facilities, including the coordination or management of health care by a health care provider or health care facility with a third party; consultation between health care providers or health care facilities relating to a patient; or the referral of a patient for health care from one health care provider or health care facility to another.

Sec. 2   RCW 70.02.020 and 1993 c 448 s 2 are each amended to read as follows:
     (1) Except as authorized in RCW 70.02.050, a health care provider, an individual who assists a health care provider in the delivery of health care, or an agent and employee of a health care provider may not disclose health care information about a patient to any other person without the patient's written authorization. A disclosure made under a patient's written authorization must conform to the authorization.
     ((Health care providers or facilities shall chart all disclosures, except to third-party payors, of health care information, such chartings to become part of the health care information.))
     (2) A patient has a right to receive an accounting of disclosures of health care information made by a health care provider or a health care facility in the six years before the date on which the accounting is requested, except for disclosures:
     (a) To carry out treatment, payment, and health care operations;
     (b) To the patient of health care information about him or her;
     (c) Incident to a use or disclosure that is otherwise permitted or required;
     (d) Pursuant to an authorization where the patient authorized the disclosure of health care information about himself or herself;
     (e) Of directory information;
     (f) To persons involved in the patient's care;
     (g) For national security or intelligence purposes if an accounting of disclosures is not permitted by law;
     (h) To correctional institutions or law enforcement officials if an accounting of disclosures is not permitted by law; and
     (i) Of a limited data set that excludes direct identifiers of the patient or of relatives, employers, or household members of the patient.

Sec. 3   RCW 70.02.030 and 2004 c 166 s 19 are each amended to read as follows:
     (1) A patient may authorize a health care provider or health care facility to disclose the patient's health care information. A health care provider or health care facility shall honor an authorization and, if requested, provide a copy of the recorded health care information unless the health care provider or health care facility denies the patient access to health care information under RCW 70.02.090.
     (2) A health care provider or health care facility may charge a reasonable fee for providing the health care information and is not required to honor an authorization until the fee is paid.
     (3) To be valid, a disclosure authorization to a health care provider or health care facility shall:
     (a) Be in writing, dated, and signed by the patient;
     (b) Identify the nature of the information to be disclosed;
     (c) Identify the name((, address,)) and institutional affiliation of the person or class of persons to whom the information is to be disclosed;
     (d) ((Except for third-party payors,)) Identify the provider or class of providers who ((is)) are to make the disclosure; ((and))
     (e) Identify the patient; and
     (f) Contain an expiration date or an expiration event that relates to the patient or the purpose of the use or disclosure.
     (4) Unless disclosure without authorization is otherwise permitted under RCW 70.02.050 or the federal health insurance portability and accountability act of 1996 and its implementing regulations, an authorization may permit the disclosure of health care information to a class of persons that includes:
     (a) Researchers if the health care provider or health care facility obtains the informed consent for the use of the patient's health care information for research purposes; or
     (b) Third-party payors if the information is only disclosed for payment purposes.
     (5) Except as provided by this chapter, the signing of an authorization by a patient is not a waiver of any rights a patient has under other statutes, the rules of evidence, or common law.
     (((5))) (6) When an authorization permits the disclosure of health care information to a financial institution or an employer of the patient for purposes other than payment, the authorization as it pertains to those disclosures shall expire ninety days after the signing of the authorization, unless the authorization is renewed by the patient.
     (7) A health care provider or health care facility shall retain the original or a copy of each authorization or revocation in conjunction with any health care information from which disclosures are made. ((This requirement shall not apply to disclosures to third-party payors.
     (6) Except for authorizations given pursuant to an agreement with a treatment or monitoring program or disciplinary authority under chapter 18.71 or 18.130 RCW, when the patient is under the supervision of the department of corrections, or to provide information to third-party payors, an authorization may not permit the release of health care information relating to future health care that the patient receives more than ninety days after the authorization was signed. Patients shall be advised of the period of validity of their authorization on the disclosure authorization form. If the authorization does not contain an expiration date and the patient is not under the supervision of the department of corrections, it expires ninety days after it is signed.
     (7))) (8) Where the patient is under the supervision of the department of corrections, an authorization signed pursuant to this section for health care information related to mental health or drug or alcohol treatment expires at the end of the term of supervision, unless the patient is part of a treatment program that requires the continued exchange of information until the end of the period of treatment.

Sec. 4   RCW 70.02.050 and 1998 c 158 s 1 are each amended to read as follows:
     (1) A health care provider or health care facility may disclose health care information about a patient without the patient's authorization to the extent a recipient needs to know the information, if the disclosure is:
     (a) To a person who the provider or facility reasonably believes is providing health care to the patient;
     (b) To any other person who requires health care information for health care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, ((or)) actuarial services to, or other health care operations for or on behalf of the health care provider or health care facility; or for assisting the health care provider or health care facility in the delivery of health care and the health care provider or health care facility reasonably believes that the person:
     (i) Will not use or disclose the health care information for any other purpose; and
     (ii) Will take appropriate steps to protect the health care information;
     (c) To any other health care provider or health care facility reasonably believed to have previously provided health care to the patient, to the extent necessary to provide health care to the patient, unless the patient has instructed the health care provider or health care facility in writing not to make the disclosure;
     (d) To any person if the health care provider or health care facility reasonably believes that disclosure will avoid or minimize an imminent danger to the health or safety of the patient or any other individual, however there is no obligation under this chapter on the part of the provider or facility to so disclose;
     (e) ((Oral, and made)) To immediate family members of the patient, or any other individual with whom the patient is known to have a close personal relationship, if made in accordance with good medical or other professional practice, unless the patient has instructed the health care provider or health care facility in writing not to make the disclosure;
     (f) To a health care provider or health care facility who is the successor in interest to the health care provider or health care facility maintaining the health care information;
     (g) For use in a research project that an institutional review board has determined:
     (i) Is of sufficient importance to outweigh the intrusion into the privacy of the patient that would result from the disclosure;
     (ii) Is impracticable without the use or disclosure of the health care information in individually identifiable form;
     (iii) Contains reasonable safeguards to protect the information from redisclosure;
     (iv) Contains reasonable safeguards to protect against identifying, directly or indirectly, any patient in any report of the research project; and
     (v) Contains procedures to remove or destroy at the earliest opportunity, consistent with the purposes of the project, information that would enable the patient to be identified, unless an institutional review board authorizes retention of identifying information for purposes of another research project;
     (h) To a person who obtains information for purposes of an audit, if that person agrees in writing to:
     (i) Remove or destroy, at the earliest opportunity consistent with the purpose of the audit, information that would enable the patient to be identified; and
     (ii) Not to disclose the information further, except to accomplish the audit or report unlawful or improper conduct involving fraud in payment for health care by a health care provider or patient, or other unlawful conduct by the health care provider;
     (i) To an official of a penal or other custodial institution in which the patient is detained;
     (j) To provide directory information, unless the patient has instructed the health care provider or health care facility not to make the disclosure;
     (k) ((In the case of a hospital or health care provider to provide, in cases reported by)) To fire, police, sheriff, or ((other)) another public authority, that brought, or caused to be brought, the patient to the health care facility or health care provider if the disclosure is limited to the patient's name, residence, sex, age, occupation, condition, diagnosis, estimated or actual discharge date, or extent and location of injuries as determined by a physician, and whether the patient was conscious when admitted;
     (l) To federal, state, or local law enforcement authorities and the health care provider, health care facility, or third-party payor believes in good faith that the health care information disclosed constitutes evidence of criminal conduct that occurred on the premises of the health care provider, health care facility, or third-party payor;
     (m) To another health care provider, health care facility, or third-party payor for the health care operations of the health care provider, health care facility, or third-party payor that receives the information, if each entity has or had a relationship with the patient who is the subject of the health care information being requested, the health care information pertains to such relationship, and the disclosure is for the purposes described in RCW 70.02.010(7) (a) and (b); or
     (n) For payment.
     (2) A health care provider shall disclose health care information about a patient without the patient's authorization if the disclosure is:
     (a) To federal, state, or local public health authorities, to the extent the health care provider is required by law to report health care information; when needed to determine compliance with state or federal licensure, certification or registration rules or laws; or when needed to protect the public health;
     (b) To federal, state, or local law enforcement authorities to the extent the health care provider is required by law;
     (c) To county coroners and medical examiners for the investigations of deaths;
     (d) Pursuant to compulsory process in accordance with RCW 70.02.060.
     (3) All state or local agencies obtaining patient health care information pursuant to this section shall adopt rules establishing their record acquisition, retention, and security policies that are consistent with this chapter.