New Law in Effect Regarding Health Care Information Received by an Agency

Has your agency received "health care information" about a person that it never requested and is not authorized to receive? ("Health care information" is defined in RCW 70.02.010(16).) If so, you need to pay attention to new legislation related to such health care information that took effect on July 1, 2014. This legislation amends the Washington State’s Uniform Health Care Information Act (UHCIA), chapter 70.02 RCW, to address the unauthorized receipt and disclosure of an individual’s health care information.

Unfortunately, the language of RCW 70.02.290, as amended by the 2014 legislature, is not a model of clarity as to exactly how it applies to agencies that receive health care information they shouldn't receive. However, two things are clear from the new requirements:

1. The requirements do not apply to health care facilities or providers (like public hospital districts); those entities are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other sections of the UHCIA, which have patient privacy regulations already in place applicable to health care facilities and providers.
2. The information covered is “any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and directly relates to the patient’s health care . . . .” RCW 70.02.010(16).

What does the new law require?

• Adoption of a local policy for handling of health care records. Non-health care local and state agencies that obtain health care information pursuant to RCW 70.02.050 and RCW 70.02.200 through .240 (hereafter, "authorized agencies") must adopt policies related to acquisition, retention, security, and destruction of such health care information. (Chapter 70.02 RCW provides limited circumstances in which authorized agencies may receive certain health care information.)
  • In 2013, the legislature added the requirement, codified as RCW 70.02.290, that applies to these authorized agencies and that requires them to adopt these policies. That 2013 legislation did not go into effect until July 1, 2014. The 2014 amendment to RCW 70.02.290, also effective on July 1, 2014, added the requirement that such policies also address the destruction of records containing health care information and what to do when an agency improperly discloses such information.
  • The 2014 amendment apparently requires non-health care agencies that do not obtain health care information pursuant to RCW 70.02.050 and RCW 70.02.200 through .240 (hereafter, "non-authorized agencies"), but rather receive such information without authorization, to also adopt policies required of authorized agencies.
• Careful handling, use, and disclosure of health care information. Agencies that have not requested health care information (but nevertheless receive it) and are not authorized to receive that information are subject to the following requirements:
  • Must not use or disclose the health care information unless permitted by chapter 70.02 RCW.
  • Must destroy the information in accordance with the agency’s adopted destruction policy.
  • As an alternative to destruction of the information, the agency may return the information to the entity that provided the information if the entity is a health care facility or provider and subject to chapter 70.02 RCW.
  • If third party disclosure of this information inadvertently occurs, the agency must inform the individual that their health information has been disclosed.
  • Must adopt a policy regarding notification of improper disclosure of health care information, which must address:
    • A reasonable period in which to notify the individual of the unauthorized disclosure;
    • What information must be included in the notice, including whether the name of the entity that originally provided the information to the agency must be included.

Agencies are required to post the policies adopted under RCW 70.02.290 on their website. Though, logically, that requirement does not apply if an agency does not have a website.

I tried to get information on what circumstances may have prompted this legislation so that I could better understand its intent, but I came up with nothing. Do you have any particular insight on this new law or has your agency adopted such a policy yet? MRSC is looking for more information on these requirements and example policies. Please email Flannary Collins at fcollins@mrsc.org with information or if you are willing to share your agency’s policy with other local agencies on the MRSC website.