D.C. Mun. Regs. tit. 29, § 8705
8705.1 A registered HIE entity shall immediately suspend an authorized user's access when it is necessary to avoid a HIPAA privacy breach, other violation of federal or District law, or a threat to the security of health information accessed, used, or, disclosed through or from a registered HIE entity.
8705.2 If the registered HIE entity determines that harm to the privacy of persons or security of health information or an ongoing risk of improper use, access, maintenance, or disclosure of PHI may occur prior to conclusion of an investigation, it shall suspend an authorized user's access pursuant to this section before an investigation is complete. Such suspension shall continue until the underlying threat to the privacy of persons or security of health information is contained.
8705.3 A registered HIE entity shall conduct an investigation in accordance with the requirements set forth below if there is reason to believe that a HIPAA breach, or any unusual finding, act, or event that it has a basis to believe is or may be a violation under § 8703, occurred:
8705.4 If a registered HIE entity has a reasonable belief that a HIPAA breach has
occurred, as a result of an audit conducted in accordance with § 8704 or investigation conducted in accordance with § 8705.3, the registered HIE entity shall carry out the following actions within twelve (12) calendar days after acquiring the reasonable belief unless another time period is set forth below:
(a) The registered HIE entity shall determine any remedial action necessary to address the breach as described below;
(1) The registered HIE entity may require that a remedial action include steps to correct an underlying problem; and
(2) The registered HIE entity shall provide a time frame for implementing the remedial action that is consistent with policy guidance set forth by DHCF and published on its website at www.dhcf.dc.gov.
(b) Within thirty (30) calendar days, the registered HIE entity shall provide the following to DHCF, the participating organization, and each authorized user whom the investigation indicates may have committed a breach or violation:
(1) A copy of the findings of the investigation, excluding any sensitive health information;
(2) A list of the remedial actions to be taken by each person and the associated time frame of the remedial action;
(3) A description of the actions necessary to mitigate the harm that may be caused by the breach or any unusual finding, act, or event that it has a basis to believe is or may be a violation under § 8703;
(4) A list of the authorized user roles that are responsible for carrying out the actions to mitigate harm; and
(5) A description of any future action that the HIE entity may take, including suspension, if the authorized user does not comply with the remedial action.
8705.5 Upon completion of the investigation, the registered HIE entity shall immediately suspend access for an authorized user or participating organization when available information indicates one of the following has occurred:
(a) A HIPAA breach or violation;
(b) A violation of District or federal law relevant to privacy or security;
(c) An authorized user or participating organization has sold health information in violation of this chapter; or
(d) An authorized user or participating organization has failed to carry out the remedial actions identified by the registered HIE entity.
8705.6 After the registered HIE entity verifies that the remedial action is complete, a registered HIE entity may reinstate a user's authorization to access information provided that the registered HIE entity modifies the authorized user's access as needed to ensure compliance with this chapter.
SOURCE: Final Rulemaking published at 66 DCR 8346 (July 19, 2019); as amended by Final Rulemaking published at 73 DCR 006876 (May 1, 2026).