In addition to the monetary penalties set forth in WAC
182-70-625, if a person has been found to have made inappropriate disclosures or uses of direct patient identifiers, indirect patient identifiers, and proprietary financial information received from the WA-APCD, the director may order the following nonmonetary penalties:
(1)(a) Direct WA-APCD program director to review the contract between the person and lead organization to determine whether the finding is a breach of that contract, and take appropriate action including requiring all WA-APCD data provided to be destroyed, termination of the contract, and seeking damages if the contract has been breached; or
(b) In lieu of (a) of this subsection, direct the lead organization to review whether the finding is also a breach of any contract between the person and the lead organization, and take appropriate action including requiring all WA-APCD data provided to be destroyed, termination of the contract, and seeking damages if the contract has been breached, unless the lead organization is the violator, in which case (a) of this subsection shall apply.
(2) Demand the destruction of all WA-APCD data provided, whether stand alone or combined with other data, all data products, and derivatives produced from WA-APCD data, and in the person's custody or contract, including proof of the destruction in the form and manner as prescribed by the authority;
(3) Bar the person from receiving any data from the WA-APCD for a designated period of time; and
(4) Notify the funding entity of the violation, when the violation involves research funded by another entity, and any other regulatory agency that has oversight over the person or the data that the person requested.
[Statutory Authority: RCW
41.05.021,
41.05.160 and
43.371.020. WSR 20-08-059, § 182-70-630, filed 3/25/20, effective 4/25/20. WSR 19-24-090, recodified as § 182-70-630, filed 12/3/19, effective 1/1/20. Statutory Authority: RCW
43.371.070 (1)(h). WSR 18-15-002, § 82-75-630, filed 7/5/18, effective 8/5/18.]