(1) The local health officer and local health jurisdiction personnel shall maintain individual case reports, laboratory reports, investigation reports, and other data and supporting information for AIDS and HIV as confidential records consistent with the requirements of RCW 70.02.220 and any other applicable confidentiality laws.

(2) The local health officer and local health jurisdiction personnel shall:

(a) Use identifying information of individuals tested, diagnosed, or reported with HIV only:

(i) To contact the individual tested, diagnosed, or reported with HIV to provide test results or refer the individual to social and medical services; or

(ii) To contact persons who have been identified as sex or injection equipment-sharing partners; or

(iii) To link with other name-based public health disease registries when doing so will improve ability to provide needed care services and disease prevention, provided that the identity or identifying information of the individual tested, diagnosed, or reported with HIV is not disclosed outside of the local health jurisdiction; or

(iv) As specified in WAC 246-100-072; or

(v) To provide case reports, laboratory reports, or investigation reports to the department; or

(vi) To conduct investigations under RCW 70.24.022 or 70.24.024.

(b) Within ninety days of completing an investigation report, or of receiving a complete investigation report from another public health authority:

(i) Destroy case reports, laboratory reports, investigation reports, and other data and supporting identifying information on individuals tested, diagnosed, or reported with HIV received as a result of this chapter. If an investigation is not conducted for a case, then the identifying information for that case shall be destroyed within ninety days of receiving a complete HIV case report or laboratory report; or

(ii) Maintain HIV case reports, laboratory reports, investigation reports, and other data and supporting information in secure systems consistent with the 2011 DataSecurity and Confidentiality Guidelinesfor HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance Data for Public Health Action published by the Centers for Disease Control and Prevention.

(3) The local health officer shall:

(a) Describe the secure systems in written policies and review the policies annually;

(b) Limit access to case report, laboratory report, investigation report, and other data and supporting information to local health jurisdiction staff who need the information to perform their job duties;

(c) Maintain a current list of local health jurisdiction staff with access to case report, laboratory report, investigation report, and other data and supporting information;

(d) Enclose physical locations containing electronic or paper copies of surveillance data in a locked, secured area with limited access and not accessible by window;

(e) Store paper copies or electronic media containing surveillance information inside locked file cabinets that are in the locked, secured area;

(f) Destroy information by either shredding it with a crosscut shredder or appropriately sanitizing electronic media prior to disposal;

(g) Store files or databases containing confidential information on either stand-alone computers with restricted access or on networked drives with proper access controls, encryption software, and firewall protection;

(h) Protect electronic communication of confidential information by encryption standards and review the standards annually; and

(i) Make available locking briefcases for transporting confidential information.

(4) The local health officer and local health jurisdiction staff shall:

(a) If maintaining identifying information on individuals tested, diagnosed, or reported with HIV more than ninety days following completion of an investigation report or receipt of a complete investigation report from another public health authority, cooperate with the department in biennial review of system security measures described in subsection (2)(b) of this section.

(b) Not disclose identifying information received as a result of this chapter unless:

(i) Explicitly and specifically required to do so by state or federal law;

(ii) Permitted under RCW 70.02.220; or

(iii) Authorized by written patient consent.

(5) Local health officers shall investigate potential breaches of the confidentiality of HIV identifying information by health jurisdiction employees. The local health officer shall report all breaches of confidentiality to the state health officer for review and appropriate action.