D.C. Mun. Regs. tit. 29, § 8706
8706.1 Notification of a HIPAA breach by a registered HIE entity shall be consistent with notification requirements under applicable federal and District laws and regulations, including HIPAA, the HITECH Act, and 42 CFR Part 2.
8706.2 When federal or District law, other than this chapter, does not require a registered HIE entity to provide notification to a participating organization or to an affected health care consumer, or when 42 CFR Part 2 does not mandate other notification requirements, a registered HIE entity shall provide notification of a HIPAA breach and, if applicable, violations of other federal or District law in accordance with the requirements of this section.
8706.3 If an investigation under § 8705 concluded that there was a HIPAA breach or other violation of federal or District law, in addition to applicable HIPAA notification requirements, the HIE entity shall notify:
(a) The person who notified the registered HIE entity of the potential HIPAA breach or other violation under § 8703, if applicable, and to the extent permitted by HIPAA and other federal and District privacy laws;
(b) Any participating organization that has provided health information regarding the health care consumer involved;
(c) Each health care consumer whose PHI or sensitive health information was inappropriately accessed or disclosed due to a HIPAA breach or other violation under § 8703; and
(d) The DHCF Privacy Officer.
8706.4 The registered HIE entity shall include in its notification the contact information for the registered HIE entity, including the registered HIE entity's address, telephone number, email address, and website where the health care consumer can learn more information, and a description of the breach or other violation.
8706.5 A registered HIE entity, its enrolled participating organization, or its representative shall provide notification to a health care consumer following a HIPAA breach or violation under § 8703 subject to the following requirements:
(a) If the registered HIE entity providing the notification under this subsection has knowledge that another person is acting as the authorized representative for the health care consumer, the registered HIE entity shall provide the notification to that authorized representative instead of the
health care consumer;
(b) Notice to the health care consumer required under this Subsection shall be provided in writing by first-class mail to the last known address of the health care consumer, if the health care consumer has made no prior election to method of notice;
(c) If there is insufficient or out-of-date contact information that precludes notice consistent with this chapter, a substitute form of notice, reasonably calculated to reach each affected health care consumer, shall be provided in accordance with the criteria set forth below:
(1) If there is insufficient or out-of-date contact information for fewer than ten (10) individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means; or
(2) If there is insufficient or out-of-date contact information for ten (10) or more individuals, then such substitute notice shall be posted on the home page of the registered HIE entity's website for a period of ninety (90) calendar days or be conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. The notice shall include a phone number that remains active for at least ninety (90) calendar days where a health care consumer can learn whether their health information may be included in the HIPAA breach or violation under § 8703.
(d) When notice about a HIPAA breach or violation under § 8703 is required pursuant to this chapter, a registered HIE entity and its enrolled participating organization, shall provide notice in writing to DHCF no later than sixty (60) days from the discovery of the breach or from the date that the registered HIE entity should have reasonably discovered the breach;
(e) If the HIPAA breach or violation under § 8703 affects more than five hundred (500) health care consumers, in addition to providing individual notice to the affected health care consumers, a registered HIE entity shall provide notice to prominent media outlets serving the District without unreasonable delay and no later than sixty (60) calendar days after the discovery of a breach; and
(f) If the participating organization providing the notification keeps a medical record for the health care consumer, the notification shall be placed within the health care consumer's medical record.
8706.6 A registered HIE entity, its participating organizations, or its representative shall provide notification to appropriate authorities following HIPAA breach or violation under § 8703 as follows:
(a) Report all violations of federal or District privacy or security law to those federal or District authorities to which reporting such violation is required by applicable law; and
(b) Send a copy of such report to the DHCF Privacy Officer (DHCFPrivacy@dc.gov).
8706.7 If DHCF is notified of a breach under § 8706.6, DHCF shall forward such notification to the District of Columbia Office of the Attorney General within thirty (30) calendar days after receipt of the notification and pursue enforcement actions as necessary in accordance with § 8711.
SOURCE: Final Rulemaking published at 66 DCR 8346 (July 19, 2019); as amended by Final Rulemaking published at 73 DCR 006876 (May 1, 2026).