D.C. Mun. Regs. tit. 29, § 8709
8709.1 A designated HIE entity shall conduct an annual privacy and security audit performed by a qualified third-party auditor, that:
8709.2 At the request of DHCF and consistent with the specifications in such request, a designated HIE entity shall:
8709.3 If a designated HIE entity's annual privacy and security audit reveals information that demonstrates inappropriate access, use, maintenance, or disclosure of information that constitutes a breach or violation of this chapter, or if the health information of more than ten (10) health care consumers was improperly used, accessed, maintained, or disclosed during the twelve (12) months prior to the audit, then:
8709.4 A designated HIE entity shall adopt and implement an access and auditing plan that requires the designated HIE entity and each participating organization, as applicable, to conduct a random audit of the HIE access logs on a periodic basis in accordance with the requirements set forth in §§ 8709.5 and 8709.6.
8709.5 The access and auditing plan shall prescribe responsibility for conducting random audits to either the designated HIE entity or its participating organizations according to the designated HIE entity's or participating organizations' technological capabilities.
8709.6 The access and auditing plan required under § 8708.4 shall include:
(a) The manner used to identify a violation of this chapter or a HIPAA breach;
(b) The method used to report a violation of this chapter or a HIPAA breach;
(c) The reasonable steps that shall be taken to promptly mitigate a violation of this chapter or a HIPAA breach;
(d) A review of the designated HIE entity's access logs to ensure that only an authorized user is granted access to HIE information and is meeting the requirements of this chapter; and
(e) A plan to ensure that the designated HIE entity's participating organization conduct its own audit or review of the HIE access logs within twelve (12) calendar days of receipt of the access logs from the designated HIE entity, if the designated HIE entity chooses to hold its participating organizations responsible for implementing the plan, pursuant to § 8709.5.
SOURCE: Final Rulemaking published at 66 DCR 8346 (July 19, 2019); as amended by Final Rulemaking published at 73 DCR 006876 (May 1, 2026).