D.C. Mun. Regs. tit. 29, § 8704
8704.1 In order to ensure that only an authorized user, who is appropriately authenticated, is granted access and has access to health information, a registered HIE entity shall:
(a) Develop and implement protocols, methodologies, and a monitoring approach designed to discover any unusual finding, which may be identified within an audit of the user access logs, including conducting ongoing electronic monitoring of user access logs and investigate any unusual findings in accordance with this chapter;
(b) Conduct each audit under this section in accordance with standards and methodologies identified by DHCF in policy guidance published on its website at www.dhcf.dc.gov;
(c) Conduct random audits of the user access logs to identify any unusual finding; and, if the registered HIE entity has been notified about an unusual finding or has reason to believe that inappropriate access has occurred;
(d) Investigate each unusual finding identified in the access log audit to determine if there has been a violation of § 8703;
(e) Resolve the matter surrounding an unusual finding by taking remedial actions under § 8705 of this chapter;
(f) Report any unusual finding to each participating organization involved in the unusual finding in a manner consistent with policy guidance set forth by DHCF and published on its website at www.dhcf.dc.gov; and
(g) Maintain an audit trail of user access logs in a retrievable storage medium in accordance with the requirements set forth below:
(1) The registered HIE entity shall perform periodic testing to ensure that the storage medium being used to maintain the user access logs shall allow the data to be recovered; and
(2) Maintenance and storage of the audit trail of user access log data shall comply with the most stringent requirements outlined in applicable District and federal requirements, including ensuring data storage for the longest duration of time identified in applicable District and federal requirements.
8704.2 When a registered HIE entity has identified a potential violation of this chapter, the registered HIE entity shall conduct an unscheduled audit that shall:
(a) Determine whether there is a violation;
(b) Identify the size and scope of the potential violation; and
(c) Identify and complete remedial actions required under § 8705 of this chapter.
SOURCE: Final Rulemaking published at 66 DCR 8346 (July 19, 2019); as amended by Final Rulemaking published at 73 DCR 006876 (May 1, 2026).