D.C. Mun. Regs. tit. 29, § 8703
8703.1 A registered HIE entity shall only disclose PHI for an authorized purpose, as set forth in §§ 8703.2 and 8703.3.
8703.2 An authorized user may use, access, or disclose PHI for Primary Use. Primary Use of PHI is the use, access, and disclosure of data through or by a registered HIE entity for the purpose of:
8703.3 A registered HIE entity shall only disclose PHI for a Primary Use in accordance with the requirements below:
8703.4 Secondary Use of health information is the use, access, or disclosure of health information through the registered HIE entity that is not for a Primary Use; subject to any limitations under HIPAA or federal law. A registered HIE entity shall provide DHCF with policies governing disclosure for Secondary Use in accordance with policy guidance published to the DHCF website.
8703.5 To assure that only an authorized user accesses, uses, or discloses PHI through or from a registered HIE entity, a registered HIE entity shall:
(a) Use and ensure that its participating organizations are using an authentication methodology that meets the minimum technical requirements set forth in the latest edition of the National Institute of Standards and Technology (“NIST”), Special Publication 800-63. DHCF shall maintain additional information on minimum technical requirements in policy guidance published to the DHCF website; and
(b) Take appropriate actions to mitigate the risk of unauthorized use, access, or disclosure of PHI when the registered HIE entity learns or has reason to believe that a participating organization’s system or third-party system is not compliant with NIST guidelines, as set forth in guidance published to the DHCF website. Appropriate actions include but are not limited to ceasing acceptance of the system’s authentication of authorized users until the system demonstrates compliance with NIST guidelines to the satisfaction of the registered HIE entity.
8703.6
To assure that only an authorized user accesses, uses, or discloses PHI through or from a registered HIE entity, a registered HIE entity shall ensure that its enrolled participating organizations comply with all of the following requirements:
(a) Appoint a system administrator who is capable of carrying out the requirements set forth in § 8703.5 on behalf of the participating organization prior to exchanging any PHI;
(b) Promptly inform the registered HIE entity system administrator of any circumstances that require termination of an authorized users access as described under § 8703.8;
(c) Ensure that any third-party system it uses authenticates an authorized user in accordance with NIST guidelines, as set forth in guidance published to the DHCF website, prior to allowing that person’s access to the HIE through the third-party system; and
(d) Inform the registered HIE entity concerning the following:
(1) The appointment of the system administrator, or any change in such an appointment, within a timely manner of any such appointment or change;
(2) A breach, as defined in 45 CFR § 164.402, or non-HIPAA violation by a person who had or has access to the HIE through the participating organization; or
(3) Any unusual finding, act, or event that it has a basis to believe is or may be a violation of this chapter.
8703.7 A registered HIE entity shall require that the participating organization's system administrator carries out each of the following measures on behalf of the participating organization:
8703.8 The registered HIE entity shall promptly, but no later than thirty (30) calendar days, terminate access to PHI by any authorized user:
8703.9 To mitigate the risks of improper access or disclosure of electronic PHI the registered HIE entity shall undergo annual assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI
conducted in accordance with guidance published on the DHCF website. The registered HIE entity shall provide the DHCF Privacy and Security Officer with a copy of their risk assessment on an annual basis.
8703.10 Based on the findings of the assessment conducted in accordance with § 8703.9, the registered HIE entity shall implement security measures to reduce risks and vulnerabilities to:
(a) Protect against anticipated threats to the security or integrity of PHI; and
(b) Protect against any unauthorized uses or disclosures of such PHI in accordance with applicable District or federal laws.
SOURCE: Final Rulemaking published at 66 DCR 8346 (July 19, 2019).