This section establishes how the department acquires, secures, retains, discloses, and destroys health care information under chapter 70.02 RCW and health-related data under RCW 43.70.050.

(1) The department of health (department) is the single department in state government with the primary responsibilities for the preservation of public health, monitoring health care costs, the maintenance of minimal standards for quality in health care delivery, and the general oversight and planning for all the state's activities as they relate to the health of its citizenry. In this capacity, the department regularly obtains individually identifiable health care information and health-related data necessary for the department to carry out public health activities.

(2) For the purposes of this section "health information" means "health care information" as defined in chapter 70.02 RCW and "health-related data" as described in RCW 43.70.050.

(3) Acquisition.

(a) The department may obtain health information as authorized by state and federal law.

(b) The department will identify its statutory authority to obtain health information when the department makes a request for health information.

(c) The department will identify its statutory authority to obtain and to disclose health information when entering into a data sharing agreement.

(4) Privacy and security.

(a) The department protects the privacy of individuals and secures health information consistent with state and federal law and applicable information security standards and guidelines set by the National Institute of Standards and Technologies (NIST).

(b) The department shall appoint a chief information security officer and a privacy officer with delegated agency wide authority to protect the availability, integrity, confidentiality, and privacy of all health information acquired by the department.

(c) Managers of any programs within the department that receive health information act as the primary data steward and assure health information is protected consistent with applicable law and agency privacy, confidentiality and security policies, standards, and practices.

(d) The department will notify a person whose health information is disclosed in violation of state or federal law. The department will make a notification as soon as practicable pursuant to the department's confidential information policy and procedure.

(5) Retention. The department will retain health information in accordance with the department's records retention schedules.

(6) Public inspection and copying.

(a) Chapters 70.02 and 42.56 RCW apply to the public inspection and copying of health information.

(i) Health information that identifies or can readily be associated with the identity of a patient and directly relates to the patient's health care is not available for public inspection and copying. Health information that is not individually identifiable is described as "deidentified."

(ii) "Deidentified" has the same meaning as defined in chapter 70.02 RCW.

(iii) The department may consider analogous federal standards for deidentification of protected health information when determining if deidentification of health information is possible.

(b) Permitted disclosures of information and records related to sexually transmitted diseases and information and records related to mental health services are found in chapter 70.02 RCW.

(c) RCW 43.70.050(2) and chapter 42.56 RCW apply to the public inspection and copying of health information as described in RCW 43.70.050(2).

(i) Health information in any form where the patient or provider of health care can be identified shall not be disclosed.

(ii) The department's use of health information shall be in accordance with state and federal confidentiality laws.

(7) Sharing identifiable health information with public health partners.

The department may disclose identifiable health information, including information and records related to sexually transmitted diseases and information and records related to mental health services, for public health purposes as described in chapter 70.02 RCW or as otherwise permitted by law.

(8) Health information received by the department that the department has not requested and is not authorized to receive.

As required by RCW 70.02.290, the department will not make health information the department has not requested and the department is not authorized to receive available for public inspection and copying. The department will destroy such health care information or the department may securely return such health information to the sender if the sender is a health care facility or health care provider subject to chapter 70.02 RCW.

(9) Destruction.

The department shall destroy health information in a manner that reduces it to an illegible condition. Destruction shall take place as soon as practicable after the approved records retention period ends.