HIPAA Notice of Privacy Practices in Washington
Under HIPAA regulations, covered entities are required to provide individuals with a Notice of Privacy Practices in plain language that contains:
- The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
- A description of how PHI can be used for treatment, payment, and health care operations.
- A description of the types of PHI uses and disclosures requiring patient authorization.
- A description of the circumstances in which the covered entity may use or disclose PHI without written authorization. A covered entity may do so for a number of purposes; examples include public health and health oversight activities, and judicial proceedings.
- The name, title, and phone number of a person or office to contact for further information or questions about the notice.
- The date on which the notice is first in effect.
- A statement that an individual may revoke an authorization.
HIPAA Authorization Form Washington State
A HIPAA authorization form in Washington state is required under certain circumstances. HIPAA regulations outline the uses and disclosures of PHI that require authorization to be obtained from a patient/plan member before that person’s PHI can be shared or used.
HIPAA release forms are required before:
- The covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule.
- The covered entity can use or disclose PHI for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
The law requires that a HIPAA release form contain specific “core elements” to be valid.
These elements include:
- A description of the specific information to be used or disclosed.
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
- The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure.
- A description of each purpose of the requested use or disclosure.
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
- The signature of the individual, and the date.
HIPAA Training Washington
HIPAA imposes employee training requirements that are the same regardless of the state in which the healthcare organization operates. HIPAA training in Washington must be provided to each employee who has the potential to access PHI. Training must be provided annually, and employees must legally attest that they understand and agree to adhere to the training material.
Washington HIPAA Breach Notification Requirements
The HIPAA Breach Notification Rule requires healthcare organizations to report breaches that compromise the confidentiality, integrity, or availability of protected health information.
Incidents that are considered reportable breaches include:
- Hacking or IT incidents
- Unauthorized access or disclosure of PHI
- Theft or loss of an unencrypted device with access to PHI
- Improper disposal of medical records
When a patient’s PHI is potentially affected by one of these incidents, the affected patient must be informed within 60 days of discovery. Breach notification letters must be mailed to affected patients. If ten or more patients cannot be reached by mail, a substitute notice must be available on the organization’s website. If the incident affected 500 or more patients, the breached organization must notify media outlets to ensure that all affected patients are aware of the incident.
Breach notification requirements to the Department of Health and Human Services (HHS) differ depending on how many patients are affected by the incident.
- Breaches affecting 1 – 499 patients: organizations must keep an account of every breach that involved fewer than 500 patients over the course of the calendar year. Organizations have 60 days from the end of the calendar year in which the breach occurred (that is, until March 1st) to report these incidents to the HHS.
- Breaches affecting 500+ patients: any incident that affected 500 or more patients must be reported to the HHS within 60 days of discovering the incident. These incidents are posted on the OCR’s online breach portal.
In addition to meeting HIPAA’s breach notification requirements, organizations that suffer a breach affecting the information of Washington residents must also meet the state’s requirements.
The Washington data breach notification law imposes a stricter timeline for reporting breaches. Washington residents whose personal information is involved in a breach must be informed within 30 days of discovering the incident. If the breach affects more than 500 individuals, the breach must also be reported to the Washington State Attorney General within 30 days of discovery.
HIPAA Violation Washington
HIPAA violations in Washington occur when healthcare organizations fail to comply with the standards set forth by HIPAA. While many HIPAA violations come to light as the result of breaches, the breach itself does not establish that a healthcare organization violated HIPAA. Most HIPAA violations occur when healthcare organizations fail to conduct accurate and thorough risk assessments, fail to provide patients timely access to their medical records, lack signed business associate agreements, or fail to report breaches promptly.