Can I ensure that my company is compliant with expanding privacy protections in Washington? What are the requirements?
To ensure compliance with expanding privacy protections in Washington, your company must adhere to the following requirements:
State Oversight of Compliance with Privacy and Security Requirements [1.1][1.2]
The office, the office of the chief information officer, or both may request any or all of the following from the lead organization:
- Audit logs pertaining to accessing the WA-APCD data;
- Completion of a security design review as required by Washington state IT security standards;
- Documentation of compliance with OCIO security policy (OCIO policy 141.10 Securing information technology assets standards);
- All data use agreements.
Security Breach Notification Requirements [2.1]
All licensees must notify the insurance commissioner in writing, within two business days after determining that notification must be sent to consumers or customers under RCW 19.255.010 and 45 C.F.R. Part 164, stating the number of customers or consumers potentially affected and the actions being taken. This applies to:
- A breach of personal information, as defined in RCW 19.255.010(4) and (5), that is reasonably likely to subject customers to a risk of criminal activity; or
- For licensees subject to 45 C.F.R. Part 164, a breach of unsecured protected health information, as defined in 45 C.F.R. 164.402, that compromises the security or privacy of that information. For such breaches, these licensees must also comply with the breach notification regulations adopted by the U.S. Department of Health and Human Services (HHS) at 45 C.F.R. 164.400 through 164.410.
Appendix B—Federal Model Privacy Form [2.2]
Licensees may use the federal Model Privacy Form, if the form is accurate for each institution that uses the form. The model form may be used to meet the content requirements of the privacy notice and opt-out notice set forth in WAC 284-04-210 and 284-04-215. The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Licensees seeking to obtain the safe harbor through use of the model form may modify it only as described in the instructions.
In summary: the lead organization for the WA-APCD must cooperate with state oversight of its privacy and security compliance (audit logs, security design review, documentation of compliance with OCIO policy 141.10, and data use agreements); licensees must meet the two-business-day security breach notification requirement to the insurance commissioner; and licensees may use the federal Model Privacy Form, modified only as its instructions allow, to satisfy the content requirements of the privacy notice and opt-out notice. The procedures required for ensuring compliance with state and federal privacy laws are provided in WAC 82-75-410 through 82-75-470 [1.2].
Source(s):
- [1.1] State oversight of compliance with privacy and security requirements.
- [1.2] Privacy and security.
- [2.1] Security breach notification requirements.
- [2.2] Appendix B—Federal Model Privacy Form.
Jurisdiction
Washington