D.C. Mun. Regs. tit. 29, § 8703
8703.1 A registered HIE entity shall only disclose PHI for an authorized purpose, as set forth in §§ 8703.2 and 8703.3.
8703.2 An authorized user may use, access, or disclose PHI for Primary Use. Primary Use of PHI is the use, access, and disclosure of data through or by a registered HIE entity for the purpose of:
8703.3 A registered HIE entity shall only disclose PHI for a Primary Use in accordance with the requirements below:
8703.4 Secondary Use of health information is the use, access, or disclosure of health information through the registered HIE entity that is not for a Primary Use. A registered HIE entity may engage in data use for Secondary Use Purposes, subject to any limitations under District or federal law.
8703.5 Beginning October 1, 2025, DHCF shall review and keep a record of Primary Uses and Secondary Uses proposed by HIE's, submitted electronically as described by DHCF guidance, prior to implementation. The registered HIE entity
shall:
(a) Provide DHCF with its policies governing the disclosure and use of health information for Secondary Use, in accordance with the policy guidance published on the DHCF website, and notify DHCF of any amendments or updates to these policies;
(b) Report Primary and Secondary Uses of health information to DHCF on the last business day of every month, including detailed descriptions of each use to ensure transparency and accountability; and
(c) Suspend any Primary or Secondary Use DHCF deems inconsistent with the definition of HDU set forth in this chapter.
8703.6 To assure that only an authorized user accesses, uses, or discloses PHI through or from a registered HIE entity, a registered HIE entity shall:
(d) Use and ensure that its participating organizations are using an authentication methodology that meets the minimum technical requirements set forth in the National Institute of Standards and Technology (“NIST”), Special Publication 800-63 Revision 4, and other standards identified by DHCF in its policy guidance. DHCF shall maintain additional information on minimum technical requirements in policy guidance published to the DHCF website; and
(e) Take appropriate actions to mitigate the risk of unauthorized use, access, or disclosure of PHI when the registered HIE entity learns or has reason to believe that a participating organization’s system or third-party system is not compliant with NIST guidelines, as set forth in guidance published to the DHCF website. Appropriate actions include ceasing acceptance of the system’s authentication of authorized users until the system demonstrates compliance with NIST guidelines to the satisfaction of the registered HIE entity.
8703.7 To assure that only an authorized user accesses, uses, or discloses PHI through or from a registered HIE entity, a registered HIE entity shall require that its enrolled participating organizations comply with all of the following requirements:
(a) Appoint a system administrator who is capable of carrying out the requirements set forth in § 8703.5 on behalf of the participating organization prior to exchanging any PHI;
(b) Promptly inform the registered HIE entity system administrator of any
circumstances that require termination of an authorized users access as described under § 8703.9;
(c) Ensure that any third-party system it uses authenticates an authorized user in accordance with NIST guidelines, as set forth in guidance published to the DHCF website, prior to allowing that person's access to the HIE through the third-party system; and
(d) Inform the registered HIE entity concerning the following:
(1) The appointment of the system administrator, or any change in such an appointment, within thirty (30) calendar days, of any such appointment or change;
(2) A breach, as defined in 45 CFR § 164.402; or
(3) Any unusual finding, act, or event that it has reason to believe is or may be a violation of this chapter.
8703.8
A registered HIE entity shall require that the participating organization's system administrator carries out each of the following measures on behalf of the participating organization:
(a) Identify each authorized user within the participating organization and note the user's assigned unique username in accordance with the most recent applicable guidelines issued by NIST, or other standards identified by DHCF in policy guidance published to its website at www.dhcf.dc.gov;
(b) Coordinate with the registered HIE entity to determine a methodology for assigning each authorized user access to PHI;
(c) Assign to each authorized user an access level that appropriately corresponds to that person's role within the participating organization and the permitted access to PHI;
(d) Modify an authorized user's access level as appropriate to reflect any change in that user's role within the participating organization within thirty (30) days;
(e) Immediately inform the registered HIE entity of changes in an authorized user's role within the participating organization; and
(f) Confirm to the registered HIE entity the appropriateness of a staff member to be an authorized user and that the HIE access level assigned to that staff
member corresponds to the authorized user's role within the participating organization.
8703.9 The registered HIE entity shall ensure that access to PHI is terminated for any authorized user within seven (7) calendar days of the user's disassociation from the participating organization. This requirement applies to users who:
(a) Are suspended by the participating organization;
(b) Are no longer associated with the participating organization; or
(c) No longer require access to the PHI to perform their duties.
8703.10 To mitigate the risks of improper access or disclosure of electronic PHI the registered HIE entity shall conduct annual assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI conducted in accordance with guidance published on the DHCF website. The registered HIE entity shall provide the DHCF's Information and Privacy Officer with a copy of their risk assessment on an annual basis by email at DHCFprivacy@dc.gov.
8703.11 Based on the findings of the assessment conducted in accordance with § 8703.10, the registered HIE entity shall implement security measures to reduce risks and vulnerabilities to:
(a) Protect against anticipated threats to the security or integrity of PHI; and
(b) Protect against any unauthorized uses or disclosures of such PHI in accordance with applicable District or federal laws.
8703.12 The Department may, upon request, extend deadlines in this Section when a delay is caused by circumstances beyond the HIE's control such as:
(a) A natural disaster or other emergency that could not be reasonably controlled by the HIE or the Department, or
(b) A circumstance where the HIE can demonstrate good cause for an extension.
SOURCE: Final Rulemaking published at 66 DCR 8346 (July 19, 2019); as amended by Final Rulemaking published at 73 DCR 006876 (May 1, 2026).