(1) All nonpublic personal health information obtained by, disclosed to, or in the custody of the commissioner, regardless of the form or medium, is confidential and is not subject to public disclosure under chapter 42.56 RCW. The commissioner shall not disclose nonpublic personal health information except in the furtherance of regulatory or legal action brought as a part of the commissioner's official duties.
(2) The following definitions apply only for the purposes of this section:
(a) "Health information" means any information or data, except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or a patient, or a policyholder or enrollee, that relates to:
(i) The past, present, or future physical, mental, or behavioral health or condition of an individual;
(ii) The provision of health care to an individual; or
(iii) Payment for the provision of health care to an individual.
(b) "Health care" means preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, services, procedures, tests, or counseling that:
(i) Relates to the physical, mental, or behavioral condition of an individual;
(ii) Affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs, or any other tissue; or
(iii) Prescribes, dispenses, or furnishes to an individual drugs or biologicals, or medical devices or health care equipment and supplies.
(c) "Nonpublic personal health information" means health information:
(i) That identifies an individual who is the subject of the information; or
(ii) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
(d) "Patient" means an individual who is receiving, has received, or has sought health care. The term includes a deceased individual who has received health care.
(e) "Policyholder" or "enrollee" means a person who is covered by, enrolled in, has applied for, or purchased, an insurance policy, a health plan as defined in RCW 48.43.005, a group plan, or any other product regulated by the insurance commissioner. "Policyholder" or "enrollee" may include, without limitation, a subscriber, member, annuitant, beneficiary, spouse, or dependent.
(3) The commissioner may:
(a) Share documents, materials, or other information, including the confidential documents, materials, or information subject to subsection (1) of this section, with (i) the national association of insurance commissioners and its affiliates and subsidiaries, and (ii) regulatory and law enforcement officials of this and other states and nations, the federal government, and international authorities, if the recipient agrees to maintain the confidentiality and privileged status of the document, material, or other information;
(b) Receive documents, materials, or information, including otherwise either confidential or privileged documents, materials, or information, from (i) the national association of insurance commissioners and its affiliates and subsidiaries, and (ii) regulatory and law enforcement officials of this and other states and nations, the federal government, and international authorities and must maintain as confidential or privileged any document, material, or information received that is either confidential or privileged, or both, under the laws of the jurisdiction that is the source of the document, material, or information; and
(c) Enter into agreements governing the sharing and use of information consistent with this subsection.
(4) No waiver of an existing claim of confidentiality or privilege in the documents, materials, or information may occur as a result of disclosure to the commissioner under this section or as a result of sharing as authorized in subsection (3) of this section.
(5) The commissioner shall add language in large font to the release consumers use when filing complaints with the office, whether online or in writing, informing them that the office may share their personal health information with other entities and for the purposes authorized under subsection (3) of this section, and that the information will only be shared if it is to be held confidential by the other entity. Consumers shall be provided the opportunity to opt out at the time of filing their complaint, indicating that their personal health information may not be shared under subsection (3) of this section.
[ 2017 c 193 § 1.]