Wash. Admin. Code § 246-455-080

Security and Release of Reported Hospital Patient Discharge Data

The Department of Health must maintain the confidentiality of any individually identifiable health information as required by Washington state laws and federal HIPAA standards.  The Department must institute security and system safeguards to prevent and detect unauthorized access, modification, or manipulation of individually identifiable health information.  These safeguards must include:

  • Documented formal procedures for handling the information
  • Physical safeguards to protect computer systems and other pertinent equipment from intrusion
  • Processes to protect, control and audit access to the information
  • Processes to protect the information from unauthorized access or disclosure when it is transmitted over communication networks
  • Processes to protect the information when it is physically moved from one location to another
  • Processes to ensure the information is encrypted

Federal privacy rules should be used as models for deidentification of individually identifiable health information and for minimum necessary disclosure of individually identifiable health information in the release of such data.  This includes such requirements as:

  • Individually identifiable health information will not be released to the public.
  • Confidential data sets will be released only under certain conditions.  Data sets containing any of the individually identifiable health information will be constructed by applying the standard of inclusion of the minimum elements necessary for the recipient's project requirements.  Research projects may receive these data sets following approval by the Washington state institutional review board, and receipt of a signed data use agreement with the board and the department of health.  Projects of state, local and federal agencies directly related to quality assurance or quality improvement of the data activities, hospitalization payment rate setting, program evaluation or public health surveillance may receive these data sets through a signed contract that includes a data use agreement.  The Department reserves the right to determine whether a use is appropriate.
  • The data sharing agreements for confidential data sets must include language which establishes who will use and receive the data set, requires that the data not be used to identify or contact individuals, requires appropriate safeguards to prevent the use or disclosure of the information other than as provided for in the agreement, establishes the permitted use of the data set and excludes other uses, requires immediate notification to DOH of any suspected security breach, requires a report to the Department of any use or disclosure not permitted in the agreement, contains penalties for violation of the agreement, requires that the data set be destroyed or returned, and requires all users, including contractors and subcontractors, to read the agreement, abide by its provisions and sign it.

Current as of June 2015