Can I ignore my obligations as a service provider with access to personal information in Washington? What are the requirements?
Obligations as a Service Provider with Access to Personal Information in Washington
As a service provider with access to personal information in Washington, you cannot ignore your obligations. The requirements for service providers with access to personal information in Washington include:
- Obtaining authorization from the consumer or customer before disclosing nonpublic personal health information [WAAC 284-04-505].
- Protecting customer proprietary network information [WAAC 480-120-202].
- Notifying the insurance commissioner about security breaches affecting customers or consumers [WAAC 284-04-625].
- Complying with federal regulations governing the release of health information [WAAC 284-04-515].
- Providing notice to affected consumers in the event of a security breach [WAAC 284-04-625].
- Screening to decide if individuals meet NSA requirements [WAAC 388-472-0020].
- Providing a valid authorization to disclose nonpublic personal health information in written or electronic form [WAAC 284-04-515].
There are exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information [WAAC 284-04-410]. You must not disclose nonpublic personal health information concerning health services related to reproductive health, sexually transmitted diseases, chemical dependency, and mental health without the express authorization of the individual who is the subject of the information [WAAC 284-04-510]. Compliance with federal regulations is also required [WARC 19.215.030].
Failure to comply with these requirements may result in penalties and legal action.
[WAAC 284-04-505][WAAC 480-120-202][WAAC 284-04-625][WAAC 284-04-515][WAAC 388-472-0020][WAAC 284-04-510][WAAC 284-04-410][WARC 19.215.030]
Jurisdiction
Washington