What is Washington HIPAA: Washington State HIPAA Laws

Washington State HIPAA Laws

While healthcare organizations across the country need to comply with the federal HIPAA law, those that operate in Washington must also abide by that state’s laws. Although Washington does not have its own data privacy law, there is a Washington data breach notification law. Do you need to comply with Washington state HIPAA laws?

Washington HIPAA Laws

Washington HIPAA laws consist of meeting a set of standards set forth by the Privacy, Security, and Breach Notification Rules.

Complying with HIPAA

To meet the requirements of the HIPAA regulations, healthcare organizations (healthcare providers, healthcare vendors, and MSPs) must implement a HIPAA compliance program.

Security Risk Assessments, Gap Identification, and Remediation

To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

HIPAA Policies and Procedures

To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.

Employee HIPAA Training

To make sure that your employees are aware of their responsibilities regarding the HIPAA rules, they must be trained annually. This training must cover HIPAA basics, an overview of your organization’s policies and procedures, and cybersecurity best practices.

Business Associate Agreements

Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. 

You cannot use any vendor and be HIPAA compliant. They need to be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and be responsible for maintaining their compliance. When a vendor doesn’t sign a BAA, it cannot be used for business associate services.

Incident Management

To comply with the HIPAA Breach Notification Rule, you must have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect an incident has occurred. 

Let’s Simplify Compliance

Do you need help with HIPAA? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance

HIPAA Notice of Privacy Practices in Washington

Under HIPAA regulations, covered entities are required to provide individuals with a Notice of Privacy Practices in plain language that contains:   

  • The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  • A description of how PHI can be used for treatment, payment, and health care operations.
  • A description of the types of PHI uses and disclosures requiring patient authorization.
  • A description of the circumstances in which the covered entity may use or disclose PHI without written authorization.