(1) Except as otherwise required by law, claims or other data from the database shall only be available for retrieval in processed form to public and private requesters pursuant to this section and shall be made available within a reasonable time after the request. Each request for claims data must include, at a minimum, the following information:
- (a) The identity of any entities that will analyze the data in connection with the request;
- (b) The stated purpose of the request and an explanation of how the request supports the goals of this chapter set forth in RCW 43.371.020(1);
- (c) A description of the proposed methodology;
- (d) The specific variables requested and an explanation of how the data is necessary to achieve the stated purpose described pursuant to (b) of this subsection;
- (e) How the requester will ensure all requested data is handled in accordance with the privacy and confidentiality protections required under this chapter and any other applicable law;
- (f) The method by which the data will be destroyed at the conclusion of the data use agreement;
- (g) The protections that will be utilized to keep the data from being used for any purposes not authorized by the requester's approved application; and
- (h) Consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers or indirect patient identifiers adopted under RCW 43.371.070(1).
- (2) The lead organization may decline a request that does not include the information set forth in subsection (1) of this section that does not meet the criteria established by the lead organization's data release advisory committee, or for reasons established by rule.
(3) Except as otherwise required by law, the authority shall direct the lead organization and the data vendor to maintain the confidentiality of claims or other data it collects for the database that include direct patient identifiers, indirect patient identifiers, or any combination thereof. Any entity that receives claims or other data must also maintain confidentiality, including by agreeing to not reidentify any deidentified patient information, and may only release such claims data or any part of the claims data if:
- (a) The claims data does not contain direct patient identifiers, indirect patient identifiers, or any combination thereof; and
- (b) The release is described and approved as part of the request in subsection (1) of this section.
(4) The lead organization shall, in conjunction with the authority and the data vendor, create and implement a process to govern levels of access to and use of data from the database consistent with the following:
- (a) Claims or other data that include direct patient identifiers, indirect patient identifiers, unique identifiers, or any combination thereof may be released only to the extent such information is necessary to achieve the goals of this chapter set forth in RCW 43.371.020(1) to researchers with approval of an institutional review board upon receipt of a signed data use and confidentiality agreement with the lead organization. A researcher or research organization that obtains claims data pursuant to this subsection must agree in writing not to disclose such data or parts of the data set to any other party, including affiliated entities, and must consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers or indirect patient identifiers adopted under RCW 43.371.070(1).
(b) Claims or other data that do not contain direct patient identifiers, but that may contain indirect patient identifiers, unique identifiers, or any combination thereof may be released to:
- (i) Federal, state, tribal, and local government agencies upon receipt of a signed data use agreement with the authority and the lead organization;
(ii) Providers who practice a profession identified in RCW 18.130.040, hospitals licensed under chapter 70.41 or 71.12 RCW, carriers licensed under chapter 48.43 or 41.05 RCW, managed care organizations, and statewide associations representing hospitals, carriers, or providers upon receipt of a signed data use agreement with the authority and the lead organization. For entities within this class, the following purposes support the goals of this chapter set forth in RCW 43.371.020(1):
- (A) Promoting informed choices and understanding of health care access, quality, or affordability, including related barriers;
- (B) Benchmarking value and efficiency against that of others;
- (C) Validating and assessing third-party analysis and reports based on claims data; and
- (D) Performing quality improvement activities;
- (iii) Any entity when functioning as the lead organization under the terms of this chapter;
- (iv) The Washington health benefit exchange established under chapter 43.71 RCW, upon receipt of a signed data use agreement with the authority and the lead organization as directed by rules adopted under this chapter; and
- (v) Agencies, researchers, and other entities as approved by the lead organization upon receipt of a signed data use agreement with the authority and the lead organization.
- (c) Claims or other data that do not contain direct patient identifiers, indirect patient identifiers, or any combination thereof may be released upon request.
- (5) Reports utilizing data obtained under this section may not contain direct patient identifiers, indirect patient identifiers, or any combination thereof. Nothing in this subsection (5) may be construed to prohibit the use of geographic areas with a sufficient population size or aggregate gender, age, medical condition, or other characteristics in the generation of reports, so long as they cannot lead to the identification of an individual.
(6) Recipients of claims or other data under subsection (4) of this section must agree in a data use agreement or a confidentiality agreement to, at a minimum:
- (a) Take steps to protect data containing direct patient identifiers, indirect patient identifiers, or any combination thereof as described in the agreement;
- (b) Not redisclose the claims data except pursuant to subsection (3) of this section;
- (c) Not attempt to determine the identity of any person whose information is included in the data set or use the claims or other data in any manner that identifies any individual or their family or attempt to locate information associated with a specific individual;
- (d) Destroy claims data at the conclusion of the data use agreement; and
- (e) Consent to the penalties associated with the inappropriate disclosures or uses of direct patient identifiers or indirect patient identifiers adopted under RCW 43.371.070(1).
[ 2025 c 305 s 4; 2019 c 319 s 5; 2015 c 246 s 5; 2014 c 223 s 13.]
Notes:
Effective date—2025 c 305 ss 1 and 3-7: See note following RCW 43.371.010.
Effective date—2019 c 319: See note following RCW 43.371.020.
Finding—2014 c 223: See note following RCW 41.05.690.