(1) To ensure compliance with privacy and security requirements, the data vendor must immediately report to the authority and the office of the state chief information security officer any data breach of the WA-APCD or knowledge that a data recipient is not complying with confidentiality requirements in accordance with health care authority-approved data breach notification procedures. The data vendor may not unilaterally disclose any information related to a breach of the WA-APCD without written permission from the authority and the state chief information security officer.

(2) Upon receiving approval from the authority and the state chief information security officer, the data vendor must notify the data supplier if the data it supplied has been the subject of a data breach for which the reporting requirements in subsection (1) of this section apply. The data vendor is responsible for complying with the applicable notification provisions in state and federal law.

(3) To ensure compliance with privacy and security requirements, the lead organization must:

(a) Conduct follow-up with data recipients of PHI or PFI on a schedule developed by the lead organization;

(b) Request data recipients share any manuscripts, reports, or products with lead organization and the authority;

(c)(i) Require data recipients to complete a project completion form, attesting that the project has terminated and data have been destroyed in accordance with the data use agreement;

(ii) Require the data recipient to provide the written verification that the data has been destroyed in a manner no less stringent than is required in WAC 182-70-440(4).

(d) Track all requests and research projects and follow up with the data recipient when the research or project is expected to be completed; and

(e) Follow up and require written verification that data is destroyed.