(1) If a person has been found to have made inappropriate disclosures or uses of direct patient identifiers, indirect patient identifiers, and proprietary financial information received from the WA-APCD, the director may impose one or more of the following monetary penalties:
(a) A civil penalty determined pursuant to the criteria and requirements in this chapter;
(b) Cost, including reasonable investigative costs, that do not exceed the amount of any civil penalty;
(c) The cost of any audit performed that uncovered the violation, or was conducted as a result of investigating an alleged violation; and
(d) Up to three times the amount of financial gain received by the alleged violator or financial loss of any person whose protected information was inappropriately disclosed or used.
(2) The director shall include with the decision regarding the monetary penalty assessment, the director's reasoning for the specific penalty, or lack thereof, that is being assessed.
[WSR 19-24-090, recodified as § 182-70-625, filed 12/3/19, effective 1/1/20. Statutory Authority: RCW
43.371.070 (1)(h). WSR 18-15-002, § 82-75-625, filed 7/5/18, effective 8/5/18.]