
Data sharing contract compliance

The following information provides an overview of our data sharing requirements. You will get more detailed information after you submit your application. Information you provide to us under these requirements is available to the public, subject to any exemptions that apply. For more information, see the Washington Public Records Act (RCW 42.56).

We use secure email when sending communications that contain confidential information. Request a secure email link before sending compliance documents to us.

Data sharing requirements

The following requirements apply to data sharing agreements under which we share large quantities of Protected Personal Information (PPI):

New applicants

You must submit information about your security practices before receiving PPI. Information typically includes:

  • Evidence of an audit report conducted by an independent auditor within the prior 12 months. The audit must focus on the system(s) and personnel that would process the PPI we provide. The report must describe how the auditor tested the effectiveness of each control.
    • You don’t need to submit the report to us. Instead, you can produce evidence that the audit was conducted.
    • Include a description of each exception or deficiency identified in the audit report. If no audit is available, discuss other options with our compliance staff.
  • A statement signed by an officer of your organization attesting to the current status of each exception or deficiency identified in the audit report.
  • Evidence of the following tests on all systems where you propose to process PPI:
    • A penetration test performed within the prior year, and
    • A vulnerability test performed in the past calendar quarter.
  • A statement signed by an officer of your organization attesting that you are in compliance with our Privacy and Security Requirements. If you can’t make the statement with confidence, tell us where you suspect or know exceptions exist, and whether you have plans to correct each deficiency.

Data security audits

  • You must submit a data security audit approximately every 3 years.
  • The due date is stated in the data sharing agreement.
  • Audits show that you comply with the data security requirements.
  • An independent, third-party auditor must conduct the audit.
  • A corrective action plan will manage all deficiencies.
  • You pay for the cost of all audits.*

Permissible use audits

  • Our personnel conduct the audits. We schedule these approximately every 3 years.
  • We’ll notify you approximately 6 months in advance of the audit.
  • Audits show that you comply with the privacy, permissible use, and subrecipient requirements.
  • A corrective action plan will manage all deficiencies.
  • You pay for the cost of all audits.*

Consent audits

  • Our personnel conduct the audits. We conduct audits at our discretion.
  • Audits show that you obtained the consent of all persons, when your agreement requires it. You must get a person’s consent before requesting their records from us. The audit determines whether the consent contains the required information and was properly executed.
  • You pay for the cost of all audits.*

Annual statement of compliance

Each year you must attest to compliance with the Privacy and Security Requirements and the Subrecipient Requirements. You do this by submitting a written statement.

Subrecipient requirements

  • If you share PPI, you must ensure that each subrecipient takes reasonable actions to prevent unauthorized disclosure and misuse.
  • If you share large quantities of PPI, you must regularly audit subrecipients for compliance with our:
    • Privacy and security requirements.
    • Subrecipient requirements.
  • You must submit a list of all subrecipients to us each year.

e-Services data sharing agreement

The following requirements apply to e-Service data sharing agreements. We conduct all e-Service audits.

Annual statement of compliance

Each year you will submit a written statement to us. It must attest to compliance with all requirements in the data sharing agreement.

Data security audits

  • We schedule audits at our discretion.
  • A normal e-Service data security audit consists of filling out a questionnaire and returning it to us.
  • A formal data security audit occurs when significant risk exists in the security of PPI. We’ll always provide advance notice.
  • Audits show that you comply with the Privacy and Security Requirements.
  • You pay for the cost of all audits.*

Permissible use audits

  • We schedule audits at our discretion.
  • A normal e-Service permissible use audit consists of filling out a questionnaire and returning it to us.
  • A formal permissible use audit occurs when significant risk exists in the use of PPI. We’ll always provide advance notice.
  • Audits show that you comply with the Privacy and Security and Subrecipient Requirements.
  • You pay for the cost of all audits.*

Consent audits

  • We conduct audits at our discretion. We’ll always provide advance notice.
  • Audits show that you obtained the consent of all persons, when your agreement requires it. You must get a person’s consent before requesting their records from us. The audit determines whether the consent contains the required information and was properly executed.
  • You pay for the cost of all audits.*

Subrecipient requirements

  • If you share PPI, you must ensure that each subrecipient takes reasonable actions to prevent unauthorized disclosure and misuse.
  • If you share large quantities of PPI, you must regularly audit subrecipients for compliance with our:
    • Privacy and Security Requirements.
    • Subrecipient Requirements.
  • You must submit a list of all subrecipients to us each year.

Questions? Need Help?

Email us at Datacontracts@dol.wa.gov.

* We’ll invoice you for the time our staff spend scheduling and reviewing audits.
