The following provisions apply for the use of AIDS and HIV notifiable conditions case reports and data:
(1) Department personnel must not disclose identifying information received as a result of receiving information regarding a notifiable conditions report of a case of AIDS or HIV unless:
(a) Explicitly and specifically required to do so by state or federal law; or
(b) Authorized by written patient consent.
(2) Department personnel are authorized to use HIV identifying information received as a result of receiving information regarding a notifiable conditions report of a case of AIDS or HIV only for the following purposes:
(a) Notification of persons with substantial exposure, including sexual or syringe-sharing partners;
(b) Referral of the infected individual to social and health services; and
(c) Linkage to other public health databases, provided that the identity or identifying information on the HIV-infected person is not disclosed outside of the health department.
(3) For the purposes of this chapter, public health databases do not include health professions licensing records, certifications or registries, teacher certification lists, other employment rolls or registries, or databases maintained by law enforcement officials.
(4) The state health officer must require and maintain signed confidentiality agreements with all department employees with access to HIV identifying information. These agreements will be renewed at least annually and include reference to criminal and civil penalties for violation of chapter
70.24 RCW and other administrative actions that may be taken by the department.
(5) The state health officer must investigate potential breaches of the confidentiality of HIV identifying information by department employees. All breaches of confidentiality shall be reported to the state health officer or their authorized representative for review and appropriate action.
(6) The department must maintain all HIV case reports in a name-based surveillance system solely for the purpose of complying with HIV reporting guidelines from the federal Centers for Disease Control and Prevention, and must not disclose or otherwise use any information contained in that system for any other purpose, except as expressly permitted by this section.
(7) Authorized representatives of the department must review available records to reascertain the identities of previously reported cases of asymptomatic HIV infection and retain those cases in a confidential name-based system.
(8) The department must maintain HIV case reports in secure systems that meet the following standards and are consistent with the 2006 Security and Confidentiality Guidelines developed by the Centers for Disease Control and Prevention:
(a) Secure systems must be described in written policies that are reviewed annually by the overall responsible party;
(b) Access to case report information must be limited to health department staff who need it to perform their job duties and a current list of these staff must be maintained by the overall responsible party;
(c) All physical locations containing electronic or paper copies of surveillance data must be enclosed in a locked, secured area with limited access and not accessible by window;
(d) Paper copies or electronic media containing surveillance information must be housed inside locked file cabinets that are in the locked, secured area;
(e) A crosscut shredder must be available for destroying information and electronic media must be appropriately sanitized prior to disposal;
(f) Files or databases containing confidential information must reside on either stand-alone computers with restricted access or on networked drives with proper access controls, encryption software and firewall protection;
(g) Electronic communication of confidential information must be protected by encryption standards that are reviewed annually by the overall responsible party;
(h) Locking briefcases must be available for transporting confidential information.
(9) The state health officer or designee must conduct a biennial review of system security measures described in WAC
246-101-520 (1)(b) at local health jurisdictions that are maintaining records by name.
(10) When providing technical assistance to a local health department, authorized representatives of the department may temporarily and subject to the time limitations in WAC
246-101-520 receive the names of reportable cases of HIV infection for the purpose of partner notification, or special studies. Upon completion of the activities by representatives of the state health department, named information will be provided to the local health department subject to the provisions of WAC
246-101-520.
(11) By December 2007, the state health officer, in cooperation with local health officers, will report to the board on:
(a) The ability of the HIV reporting system to meet surveillance performance standards established by the federal Centers for Disease Control and Prevention;
(b) The cost of the reporting system for state and local health departments;
(c) The reporting system's effect on disease control activities;
(d) The impact of HIV reporting on HIV testing among persons at increased risk of HIV infection; and
(e) The availability of anonymous HIV testing in the state.
(12) The state health officer must provide a report to the state board of health if federal policy no longer requires that HIV surveillance systems be name-based.