Can I use third-party collaboration tools that collect personal information in Washington? What are the requirements?
Based on the documents provided, there are several regulations in Washington that govern the collection, use, and sharing of personal information by third-party collaboration tools. Here are the requirements that you need to consider:
Personal Information Covered Entities
Under RCW 42.56.592, covered entities under the federal health insurance portability and accountability act of 1996 (HIPAA) are deemed to have complied with the requirements of Washington’s privacy laws with respect to protected health information if they have complied with section 13402 of the federal health information technology for economic and clinical health act. Covered entities must also notify the attorney general in compliance with the timeliness of notification requirements of section 13402 of the federal health information technology for economic and clinical health act.
Nonpublic Personal Health Information
Under WAC 284-04-505, a licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed. However, there are exceptions for the performance of insurance functions by or on behalf of the licensee, for activities permitted under RCW 70.02.050, and for activities permitted under health privacy regulations adopted by the U.S. Department of Health and Human Services governing health information privacy.
Requirements for Data Vendors
Under WAC 82-75-410, data vendors must enter into an agreement with the lead organization that contains several requirements, including a provision that the data vendor is responsible for ensuring compliance of all aspects of WA-APCD operations with all applicable federal and state laws, and the state’s security standards established by the office of the chief information officer. The data vendor must also enter into a legally binding data use and confidentiality agreement with the lead organization, and must annually engage the services of an independent third-party security auditor to conduct a security audit to verify compliance with federal and state laws, Washington state information technology security standards, and the contract with the lead organization.
State oversight of compliance with privacy and security requirements
Under WAC 82-75-470, the office or the office of the chief information officer or both may request from the lead organization any or all of the following to ensure compliance with privacy and security requirements and procedures: (1) audit logs pertaining to accessing the WA-APCD data; (2) completion of a security design review as required by Washington state IT security standards; (3) documentation of compliance with OCIO security policy (OCIO policy 141.10, Securing information technology assets standards); (4) all data use agreements.
Based on the above regulations, it is important to ensure that any third-party collaboration tools used in Washington comply with the relevant privacy laws and regulations. This includes obtaining authorization from consumers or customers before disclosing nonpublic personal health information, ensuring compliance with applicable federal and state laws and security standards, complying with public records rules, and complying with state oversight of compliance with privacy and security requirements. If you have any further questions or concerns, it is recommended that you consult with a legal professional.
Jurisdiction
Washington