HTML has links - PDF has Authentication
182-70-440  <<  182-70-450 >>   182-70-460

PDFWAC 182-70-450

Data vendor and lead organization compliance with privacy and security requirements.

(1) To ensure compliance with privacy and security requirements, the data vendor must immediately report to the authority and the office of the state chief information security officer any data breach of the WA-APCD or knowledge that a data recipient is not complying with confidentiality requirements in accordance with health care authority-approved data breach notification procedures. The data vendor may not unilaterally disclose any information related to a breach of the WA-APCD without written permission from the authority and the state chief information security officer.
(2) Upon receiving approval from the authority and the state chief information security officer, the data vendor must notify the data supplier if the data it supplied has been the subject of a data breach for which the reporting requirements in subsection (1) of this section apply. The data vendor is responsible for complying with the applicable notification provisions in state and federal law.
(3) To ensure compliance with privacy and security requirements, the lead organization must:
(a) Conduct follow-up with data recipients of PHI or PFI on a schedule developed by the lead organization;
(b) Request data recipients share any manuscripts, reports, or products with lead organization and the authority;
(c)(i) Require data recipients to complete a project completion form, attesting that the project has terminated and data have been destroyed in accordance with the data use agreement;
(ii) Require the data recipient to provide the written verification that the data has been destroyed in a manner no less stringent than is required in WAC 182-70-440(4).
(d) Track all requests and research projects and follow up with the data recipient when the research or project is expected to be completed; and
(e) Follow up and require written verification that data is destroyed.
[Statutory Authority: RCW 41.05.021, 41.05.160 and 43.371.020. WSR 20-08-059, § 182-70-450, filed 3/25/20, effective 4/25/20. WSR 19-24-090, recodified as § 182-70-450, filed 12/3/19, effective 1/1/20. Statutory Authority: Chapter 43.371 RCW. WSR 17-08-079, § 82-75-450, filed 4/4/17, effective 5/5/17.]