D.C. Mun. Regs. tit. 29, § 8705
8705.1 A registered HIE entity shall immediately suspend an authorized user's access when it is necessary to avoid a HIPAA privacy breach, non-HIPAA violation, or a threat to the security of health information accessed, used, or disclosed through or from a registered HIE entity.
8705.2 If the registered HIE entity determines that harm to the privacy of persons or security of health information or an ongoing risk of improper use, access, maintenance, or disclosure of PHI may occur prior to conclusion of an investigation, it shall suspend an authorized user's access pursuant to this section before an investigation is complete. Such suspension shall continue until the underlying threat to the privacy of persons or security of health information is contained.
8705.3 A registered HIE entity shall conduct an investigation in accordance with the requirements set forth below if there is reason to believe that a HIPAA breach or non-HIPAA violation has occurred:
(a) The registered HIE entity shall begin the investigation, no later than sixty (60) calendar days after learning of the allegations giving rise to a potential breach or violation;
(b) The registered HIE entity shall conduct the investigation in a thorough, timely, professional manner and take all necessary actions to gather information concerning the potential breach or violation that reflects the size and scope of such potential breach or violation;
(c) If appropriate, an investigation shall include an audit under the § 8704;
(d) Upon the completion of an investigation, a registered HIE entity shall:
(1) Make a written finding describing the results of the investigation and provide a copy to DHCF and the District of Columbia Office of the Attorney General within thirty (30) calendar days; and
(2) Maintain records of each investigation for at least five (5) years from the date of completion of such investigation or five (5) years from the date a minor health care consumer becomes an adult, whichever is longer.
8705.4 If a registered HIE entity has a reasonable belief that a HIPAA breach or a non-HIPAA violation has occurred, as a result of an audit conducted in accordance
with § 8704 or investigation conducted in accordance with § 8705.3, the registered HIE entity shall carry out the following actions within ten (10) business days after acquiring the reasonable belief unless another time period is set forth below:
(a) The registered HIE entity shall determine any remedial action necessary to address the breach or violation as described below;
(1) The registered HIE entity may require that a remedial action include steps to correct an underlying problem; and
(2) The registered HIE entity shall provide a time frame for implementing the remedial action that is consistent with policy guidance set forth by DHCF and published on its website at www.dhcf.dc.gov; and
(b) Within thirty (30) calendar days, the registered HIE entity shall provide the following to DHCF and the District-wide Privacy and Security Official to the participating organization, and to each authorized user whom the investigation indicates may have committed a breach or violation:
(1) A copy of the findings of the investigation, excluding any sensitive health information;
(2) A list of the remedial actions to be taken by each person and the associated time frame of the remedial action;
(3) A description of the actions necessary to mitigate the harm that may be caused by the breach or the non-HIPAA violation;
(4) A list of the authorized users that are responsible for carrying out the actions to mitigate harm; and
(5) A description of any future action that the HIE entity may take, including suspension, if the authorized user does not comply with the remedial action.
8705.5 Upon completion of the investigation, the registered HIE entity shall immediately suspend access for an authorized user or participating organization when available information indicates one of the following has occurred:
(a) An actual HIPAA breach;
(b) An actual non-HIPAA violation;
(c) An actual violation of District or federal law relevant to privacy or security;
(d) An authorized user or participating organization has sold health information in violation of these regulations; or
(e) An authorized user or participating organization has failed to carry out the remedial actions identified by the registered HIE entity.
8705.6 After the registered HIE entity verifies that the remedial action is complete, a registered HIE entity may reinstate a user's authorization to access information provided that the registered HIE entity modifies the authorized user's access as needed to ensure compliance with this chapter.
SOURCE: Final Rulemaking published at 66 DCR 8346 (July 19, 2019).