WA State HIPAA Laws Overview and Key Responsibilities


In Washington State, HIPAA laws are enforced by the Office of the Insurance Commissioner. HIPAA laws are designed to protect the confidentiality, integrity, and availability of protected health information (PHI).

Healthcare providers, health plans, and healthcare clearinghouses must comply with HIPAA regulations. This includes implementing administrative, technical, and physical safeguards to protect PHI.

Covered entities must also have a designated Privacy Official and a Security Official, as well as a written policy and procedures for protecting PHI.

Compliance Requirements

To meet the requirements of the HIPAA regulations, healthcare organizations must implement a HIPAA compliance program. This includes healthcare providers, healthcare vendors, and managed service providers (MSPs).

Healthcare organizations must also ensure that their business associates comply with HIPAA regulations. This means conducting regular risk assessments and implementing corrective actions as needed.

HIPAA compliance requires ongoing effort and attention to detail, but it's essential for protecting patient health information.

What Regulated Entities Need to Do


The MHMDA (My Health My Data Act) applies to regulated entities: any business that operates in Washington or targets consumers there and that determines the purposes and means of collecting, processing, sharing, or selling consumer health data. Even a website that merely allows access from Washington could therefore be covered.

To report breaches, healthcare organizations must inform affected patients within 60 days of discovery. This includes incidents like hacking, unauthorized access, theft or loss of an unencrypted device, or improper disposal of medical records.

Breach notification requirements to the Department of Health and Human Services (HHS) vary depending on the number of patients affected. Here's a breakdown of the requirements:

Additionally, organizations must meet Washington state's own breach notification requirements, which impose a stricter timeline: affected Washington residents must be informed within 30 days of discovering the incident.

Security Risk Assessments and Remediation


Conducting regular security risk assessments is crucial for identifying vulnerabilities in your security practices. Healthcare organizations must conduct six self-audits annually to uncover weaknesses.

These self-audits help you pinpoint areas where your organization falls short of HIPAA safeguard requirements. By doing so, you can create a plan to address these deficiencies.

Remediation plans are essential for ensuring your organization meets HIPAA compliance. They list identified deficiencies and outline actions to take, along with a timeline for implementation.

Creating a remediation plan helps you stay on track and ensure that your organization is taking the necessary steps to address vulnerabilities. This process also helps you prioritize your efforts and allocate resources effectively.

Regular security risk assessments and remediation plans are key to maintaining HIPAA compliance and protecting sensitive patient information.

Data Protection

Under HIPAA regulations, covered entities in Washington are required to provide individuals with a Notice of Privacy Practices. This notice must be in plain language and contain specific information.


The notice must include a statement that describes how medical information about you may be used and disclosed, and how you can access this information. It's essential to review this notice carefully.

The notice must also describe how PHI can be used for treatment, payment, and healthcare operations. This includes things like sharing medical records with doctors or insurance companies.

Here are the types of PHI uses and disclosures that require patient authorization:

  • Disclosures to family members or friends involved in your care
  • Disclosures to researchers or for fundraising purposes
  • Disclosures to businesses that help us run our organization

The notice must also describe the circumstances in which the covered entity may use or disclose PHI without written authorization. This includes things like sharing information to prevent harm to you or others, or sharing information with public health officials.

Data Exemptions

Certain types of data are exempt from the MHMDA's requirements.

Protected health information (PHI) governed by HIPAA is exempt, as well as medical records governed by Washington health care information laws. This includes information that is intermingled with and treated indistinguishably from PHI or medical records, and information that has been deidentified in accordance with HIPAA.


Publicly-available data is also exempt if it is lawfully made available through government records or widely distributed media, or if there is a reasonable basis to believe the consumer made the information available to the general public.

Data that cannot reasonably be linked to, or used to infer information about, a consumer is exempt if the organization takes reasonable measures to prevent reidentification and commits publicly – and in any relevant contracts – not to permit reidentification.

The following types of information are exempt from the MHMDA's requirements:

  • PHI protected under HIPAA and medical records
  • Publicly-available data
  • Deidentified data
  • Data subject to certain federal and state privacy laws (e.g. GLBA, FERPA, FCRA, Social Security Act, and Washington state insurance rules)
  • Research (e.g. public or peer-reviewed research, clinical trials, and human subjects research conducted in accordance with Good Clinical Practice guidelines)

Government entities and vendors that provide services to such entities are also exempt.

Privacy Practices

As a healthcare provider, you're required to give patients a Notice of Privacy Practices that explains how their medical information will be used and shared. This notice must be written in plain language.

You'll need to include a statement that says, "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."


The notice should also describe how medical information can be used for treatment, payment, and healthcare operations. This includes things like sharing information with other healthcare providers to coordinate care.

Some types of medical information uses and disclosures require patient authorization. For example, sharing medical information with a third party for marketing purposes would require a patient's consent.

There are certain circumstances in which a healthcare provider can use or disclose medical information without written authorization. These include sharing information with family members or friends involved in a patient's care.

If a patient wants to contact the healthcare provider for more information or questions about the notice, they should be able to reach out to a person or office with a name, title, and phone number. The date on which the notice is first in effect should also be included.

A patient has the right to revoke an authorization they've given for the use or disclosure of their medical information.

Authorization and Release


In Washington state, there are specific rules around the release of personal health information (PHI). Releasing PHI to vocational counselors, nurses, and other professionals assisting the state's L&I or self-insurer requires no additional authorization from the worker.

The worker's authorization is already given when they sign a "Report of Industrial Injury or Occupational Disease" form or file an application to reopen a claim. This allows treating providers to share the worker's PHI as needed for benefits like vocational rehabilitation and nurse case management.

To release PHI for marketing purposes or other uses not permitted by the HIPAA Privacy Rule, a HIPAA authorization form is required. This form must contain specific core elements, including a description of the information to be used or disclosed, the name of the person authorized to make the request, and the expiration date of the authorization.

Releasing Personal Health Information to Authorized Assistants

You can disclose a patient's personal health information to authorized assistants without additional authorization from the patient, as long as the disclosure relates to the patient's workers' compensation claim. Authorized assistants include vocational counselors, nurses, and others assisting L&I or a self-insurer.


If a worker signs a "Report of Industrial Injury or Occupational Disease" form or files an application to reopen a claim with L&I, they authorize treating providers to release their personal health information as needed. This allows professionals with an active L&I provider number to access the information for services like vocational rehabilitation and nurse case management.

You're not required to get additional authorization from the patient for these disclosures. This makes it easier for authorized assistants to provide the necessary services to the patient.

Here are the types of professionals who can access a patient's personal health information without additional authorization:

  • Vocational counselors
  • Nurses
  • Others assisting L&I or a self-insurer

These professionals can access the patient's information for services like vocational rehabilitation, nurse case management, and utilization review.

Authorization Form

An authorization form is a crucial document that outlines the specific information that can be shared or used. It's a requirement under HIPAA regulations in Washington state.

A HIPAA release form is required before a covered entity can use or disclose PHI for marketing purposes. This includes direct or indirect remuneration from a third party.


The law requires that a HIPAA release form contain specific "core elements" to be valid. These elements are essential to ensure the form is effective.

A description of the specific information to be used or disclosed is one of the core elements. This should be clearly stated in the form.

The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure is another core element. This helps ensure the form is specific and accurate.

The name or other specific identification of any third parties to whom the covered entity may make the requested use or disclosure is also a core element. This is important for transparency and accountability.

A description of each purpose of the requested use or disclosure is a core element. This helps ensure the form is clear and concise.

An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure is a core element. This helps ensure the form is temporary and not permanent.


A signature of the individual, and the date, is the final core element. This confirms the individual's consent and understanding of the form.

Here are the core elements in a concise list:

  • Description of the specific information to be used or disclosed
  • Name or other specific identification of the person(s) or class of persons authorized
  • Name or other specific identification of any third parties
  • Description of each purpose of the requested use or disclosure
  • Expiration date or expiration event
  • Signature of the individual, and the date

Business Associate Agreements

Business Associate Agreements are a must-have when working with vendors who have access to your patients' sensitive information. You can't just use any vendor and expect to be HIPAA compliant.

Business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. These vendors need to sign a Business Associate Agreement (BAA) with you.

A BAA is a legal contract that requires both parties to be HIPAA compliant and take responsibility for maintaining their compliance. If a vendor doesn't sign a BAA, you can't use them for business associate services.

You'll need to carefully review each vendor's agreement to ensure they meet HIPAA standards.

L&I Disclosure and Notice

In Washington State, there are specific requirements for disclosing personal health information to the Labor and Industries (L&I) department. You are required by law to disclose personal health information to L&I or a self-insured employer when a patient is treated under a workers' compensation claim.


L&I has its own privacy notice, which can be found at F101-055-000. This notice outlines their policies for handling personal health information.

You can disclose personal health information to an employer without a patient's authorization if the information is related to a workplace injury or illness, light duty work, workplace medical surveillance, or a return-to-work examination.

There are limitations on patient requests to restrict disclosures to L&I or self-insurers. You are not required to comply with a patient's request to restrict such a disclosure, because the disclosure itself is required by law.

If you're unsure about what information to disclose or how to handle patient requests, it's a good idea to review L&I's privacy notice and familiarize yourself with Washington State's HIPAA laws.

Frequently Asked Questions

What is the HIPAA privacy rule in Washington state?

The HIPAA Privacy Rule is a national standard that protects individuals' medical records and personal health information in Washington state and nationwide. It applies to health plans, clearinghouses, and healthcare providers who conduct electronic transactions.

Can you sue for HIPAA violation in Washington state?

In Washington state, patients cannot directly sue for a HIPAA violation under HIPAA law. However, state laws may provide alternative options for seeking remedies for HIPAA breaches.

What is the Washington Health Data Privacy Act?

The Washington Health Data Privacy Act establishes a framework for protecting consumer health data, including data about bodily functions and biometric information, in Washington state. The law sets standards for entities that handle sensitive health data, promoting transparency and security.
