(1) The department and its contractors or agents shall maintain the confidentiality of any individually identifiable health information as required by RCW 70.170.090 and federal Health Insurance Portability and Accountability Act standards.
(2) The department shall institute security and system safeguards to prevent and detect unauthorized access, modification, or manipulation of individually identifiable health information. Accordingly, the safeguards will include:
(a) Documented formal procedures for handling the information;
(b) Physical safeguards to protect computer systems and other pertinent equipment from intrusion;
(c) Processes to protect, control and audit access to the information;
(d) Processes to protect the information from unauthorized access or disclosure when it is transmitted over communication networks;
(e) Processes to protect the information when it is physically moved from one location to another;
(f) Processes to ensure the information is encrypted when:
(i) It resides in an area that is readily accessible by individuals who are not authorized to access the information (e.g., shared network drives or outside the agency data centers);
(ii) It is stored in a format that is easily accessible by individuals who are not authorized to access the information (e.g., text files and spreadsheets);
(iii) It is stored on removable media, or portable devices (e.g., tapes, electronic disks, thumb drives, external hard drives, laptops and handheld devices).
[Statutory Authority: RCW 43.70.040 and 43.70.052. 07-09-091, § 246-455-080, filed 4/18/07, effective 5/23/07. Statutory Authority: RCW 43.70.040 and [43.]70.170. 03-13-029, § 246-455-080, filed 6/10/03, effective 7/11/03. Statutory Authority: RCW 43.70.040 and chapter 70.170 RCW. 94-12-090, § 246-455-080, filed 6/1/94, effective 7/2/94. Statutory Authority: RCW 43.70.040. 91-02-049 (Order 121), recodified as § 246-455-080, filed 12/27/90, effective 1/31/91. Statutory Authority: Chapter 70.39 RCW. 84-20-067 (Order 84-06, Resolution No. 84-06), § 261-50-070, filed 10/1/84.]