D.C. Mun. Regs. tit. 29, § 8706
8706.1 Notification of a HIPAA breach and non-HIPAA violation by a registered HIE entity shall be consistent with notification requirements under applicable federal and District laws and regulations, including HIPAA, the HITECH Act, and under 42 CFR Part 2.
8706.2 When federal or District law does not require a registered HIE entity to provide notification to a participating organization or to an affected health care consumer, or when 42 CFR Part 2 does not mandate other notification requirements, a registered HIE entity shall provide notification of a HIPAA breach and, if applicable, non-HIPAA violations in accordance to the requirements with this section.
8706.3 If an investigation under § 8705 of this chapter concluded that there was a HIPAA breach or non-HIPAA violation, in addition to applicable HIPAA notification requirements, the HIE entity shall notify:
(a) The person who notified the registered HIE entity of the potential HIPAA breach or non-HIPAA violation, if applicable, and to the extent permitted by HIPAA and other federal and District privacy laws;
(b) Any participating organization that has provided health information regarding the health care consumer involved;
(a) Each health care consumer whose PHI or sensitive health information was inappropriately accessed or disclosed due to a HIPAA breach or non-HIPAA violation; and
(b) The DHCF Privacy Officer and the District of Columbia Office of the Attorney General.
8706.4 The registered HIE entity shall include in its notification the contact information for the registered HIE entity, including the registered HIE entity's address, telephone number, website where the health care consumer can learn more information, and a description of the breach or the violation.
8706.5 A registered HIE entity, its enrolled participating organization, or its representative shall provide notification to a health care consumer following a HIPAA breach or non-HIPAA violation subject to the following requirements:
(a) If the registered HIE entity providing the notification under this Subsection has knowledge that another person is acting as the authorized
representative for the health care consumer, the registered HIE entity shall provide the notification to that authorized representative instead of the health care consumer;
(b) Notice to the health care consumer required under this Subsection shall be provided in writing by first-class mail to the last known address of the health care consumer, if the health care consumer has made no prior election to method of notice;
(c) If there is insufficient or out-of-date contact information that precludes notice consistent with this chapter, a substitute form of notice shall be provided in accordance with the criteria set forth below:
(1) In the case in which there is insufficient or out-of-date contact information for fewer than ten (10) individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means; or
(2) In the case in which there is insufficient or out-of-date contact information for ten (10) or more individuals, then such substitute notice shall be posted on the home page of the registered HIE entity's website for a period of ninety (90) calendar days on the website or be conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside. The notice shall include a phone number that remains active for at least ninety (90) calendar days where a health care consumer can learn whether their health information may be included in the HIPAA breach or non-HIPAA violation;
(d) When notice about a HIPAA breach or non-HIPAA violation is required pursuant to this chapter, a registered HIE entity and its enrolled participating organization, as required, shall provide notice in writing within a reasonable time frame, but not later than sixty (60) days from the discovery of the breach or from the date that the registered HIE entity should have reasonably discovered the breach;
(e) If the HIPAA breach or non-HIPAA violation affects more than five hundred (500) health care consumers, in addition to providing individual notice to the affected health care consumers, a registered HIE entity shall provide notice to prominent media outlets serving the District without unreasonable delay and in no case later than sixty (60) calendar days after the discovery of a breach; and
(f) If the participating organization providing the notification keeps a medical record for the health care consumer, the notification shall be placed within the health care consumer's medical record.
8706.6 A registered HIE entity, its participating organizations, or its representative shall provide notification to appropriate authorities following HIPAA breach or non-HIPAA violation as follows:
(a) Report all violations of federal or District privacy or security law to those federal or District authorities to which reporting such violation is required by applicable law; and
(b) Send a copy of such report to the DHCF Privacy Officer and the District of Columbia Office of the Attorney General.
8706.7 If DHCF is notified of a breach under § 8706.6, DHCF shall forward such notification to the District of Columbia Office of the Attorney General within thirty (30) calendar days after receipt of the notification.
SOURCE: Final Rulemaking published at 66 DCR 8346 (July 19, 2019).