The lead organization may decline a request for data for any of the following reasons:
(1) The requestor has violated a data use agreement, nondisclosure agreement or confidentiality agreement within three years of the date of request.
(2) Any person, other than the requestor, who will have access to the data has violated a data use agreement, nondisclosure agreement or confidentiality agreement within three years of the date of request.
(3) The requestor or any person other than the requestor, who will have access to the data, has, within the five years prior to the data request date, been subject to a state or federal regulatory action related to a data breach and has been found in violation and assessed a penalty, been a party to a criminal or civil action relating to a data breach and found guilty or liable for that breach, or had to take action to notify individuals due to a data breach for data maintained by the data requestor or for which the data requestor was responsible for maintaining in a secure environment.
(4) The proposed privacy and security protections in the data management plan on the date the data is requested are not sufficient to meet Washington state standards. The protections must be in place on the date the data is requested. For out-of-state requestors, meeting the standards in the state where the requestor or data recipient is located is not acceptable if those standards do not meet those required in Washington state.
(5) The information provided is incomplete or not sufficient to approve the data request.
(6) The proposed purpose for accessing the data is not allowable under WA-APCD statutes, rules or policies, or other state or federal statutes, rules, regulations or federal agency policy or standards, for example, the Department of Justice Statements of Antitrust Enforcement Policy in Health Care.
(7) The proposed use of the requested data is for an unacceptable commercial use or purpose. An unacceptable commercial use or purpose includes, but is not limited to:
(a) A requestor using data to identify patients using a particular product or drug to develop a marketing campaign to directly contact those patients; or
(b) A requestor using data to directly contact patients for fund-raising purposes; or
(c) A requestor intends to contact an individual whose data is released; or
(d) A requestor sells, gives, shares or intends to sell, give or share released data with another entity or individual not included in the original application for the data and for which approval was given.
[WSR 19-24-090, recodified as § 182-70-280, filed 12/3/19, effective 1/1/20. Statutory Authority: Chapter 43.371 RCW. WSR 16-22-062, § 82-75-280, filed 11/1/16, effective 12/2/16.]