Can I use third-party project management tools that collect personal information in Washington? What are the requirements?
Based on the provided context documents, there are requirements for using third-party project management tools that collect personal information in Washington.
Requirements for using third-party project management tools that collect personal information in Washington
According to WAC 182-70-410, the data vendor must enter into an agreement with the lead organization that contains the following requirements:
- A provision that the data vendor is responsible for ensuring compliance of all aspects of WA-APCD operations with all applicable federal and state laws, and the state’s security standards established by the office of the chief information officer;
- Provisions that the data vendor is required to keep logs and documentation on activities conducted pursuant to the security plan consistent with the state records retention requirements, which the authority can request to verify that the security protocols are being followed;
- A provision that requires a detailed security process, which should include, but is not limited to, details regarding security risk assessments and corrective actions plans when deficiencies are discovered;
- Provisions that require secure file transfer for all receipt and transmission of health care claims data; and
- Provisions for encryption of data both in motion and at rest using the latest industry-standard methods and tools for encryption, consistent with the standards of the office of the chief information officer.
Additionally, the data vendor must enter into a legally binding data use and confidentiality agreement with the lead organization. The agreement must include provisions that restrict the access and use of data in the WA-APCD to that necessary for the operation and administration of the database as authorized by chapter 43.371 RCW.
Compliance with privacy and security requirements
To ensure compliance with privacy and security requirements, the data vendor and lead organization must comply with the following:
- The data vendor must immediately report to the authority and the office of the state chief information security officer any data breach of the WA-APCD or knowledge that a data recipient is not complying with confidentiality requirements in accordance with health care authority-approved data breach notification procedures. The data vendor may not unilaterally disclose any information related to a breach of the WA-APCD without written permission from the authority and the state chief information security officer [2.2].
- The lead organization must conduct follow-up with data recipients of PHI or PFI on a schedule developed by the lead organization; request that data recipients share any manuscripts, reports, or products with the lead organization and the authority; require data recipients to complete a project completion form attesting that the project has terminated and the data have been destroyed in accordance with the data use agreement; track all requests and research projects and follow up with the data recipient when the research or project is expected to be completed; and follow up and require written verification that the data have been destroyed [2.2].
Conclusion
Therefore, if you plan to use third-party project management tools that collect personal information, you should ensure that the tools comply with the above requirements. Additionally, you should review any other relevant privacy and security requirements and procedures to ensure compliance. It is important to note that this response is based solely on the provided context documents and may not be comprehensive. If you have any specific concerns or questions regarding the use of third-party project management tools that collect personal information, you should consult with a legal professional.
Jurisdiction: Washington