D.C. Mun. Regs. tit. 29, r. 29-3001

Current through Register Vol. 71, No. 49, December 6, 2024
Rule 29-3001 - USE AND DISCLOSURE OF HEALTH AND HUMAN SERVICES INFORMATION
3001.1

An Agency or Provider shall disclose HHSI referencing or related to an identified individual client or customer (Individual) upon request from another Agency or Provider for the following purposes, unless disclosure is precluded by District or federal law:

(a) To establish the Individual's eligibility for, or determine his or her amount of:
(1) Treatment;
(2) Services;
(3) Benefits;
(4) Support; or
(5) Assistance;
(b) To coordinate for the Individual, his or her:
(1) Treatment;
(2) Benefits;
(3) Services;
(4) Support; or
(5) Assistance;
(c) To conduct oversight activities, including:
(1) Management;
(2) Financial and other audits;
(3) Program evaluations;
(4) Planning;
(5) Investigations;
(6) Examinations;
(7) Inspections;
(8) Quality reviews;
(9) Licensure;
(10) Disciplinary actions; or
(11) Civil, administrative, or criminal proceedings or actions; and
(d) To conduct research related to treatments, benefits, services, support, or assistance provided that:
(1) Information referencing or relating to an Individual shall not be disclosed in a manner that would permit the Individual's identity to be reasonably inferred by either direct or indirect means; and
(2) The Agency or Provider receiving HHSI shall affirm in writing that any individually identifiable health information shall be treated in accordance with the Health Insurance Portability and Accountability Act of 1996, approved August 21, 1996, as amended (110 Stat. 1936; 42 U.S.C. §§ 1320d, et seq.) (HIPAA) and its implementing regulations.
3001.2

Neither an Agency nor a Provider requesting or disclosing HHSI referencing or related to an Individual pursuant to § 3001.1 of this chapter has to obtain the person's prior consent to using or disclosing HHSI unless required by § 3004 of this chapter.

3001.3

An Agency or Provider shall use or disclose HHSI in accordance with this chapter.

3001.4

Notwithstanding any other provision in this chapter, Agencies and Providers shall comply with any applicable Agency or Provider HIPAA policies and procedures, and Agencies shall comply with the District-wide HIPAA Policy.

3001.5

An Agency or Provider using or disclosing HHSI shall make reasonable efforts to limit the use or disclosure of HHSI to the minimum extent necessary to accomplish its intended purpose.

3001.6

An Agency or Provider that discloses HHSI shall designate a person within the Agency or Provider's staff who shall, in coordination with any person that the Agency or Provider has designated as its HIPAA privacy officer and/or security officer, be responsible for:

(a) Responding to requests for HHSI from another Agency or Provider; and
(b) Ensuring that any HHSI disclosed pursuant to this chapter is limited to the minimum amount of HHSI necessary to accomplish the purpose of the disclosure.
3001.7

The individual designated by an Agency or Provider pursuant to § 3001.6 shall:

(a) Respond to a request within forty-eight (48) hours;
(b) Not unreasonably deny a request; and
(c) Within five (5) business days of the date of the request, supply the requested information to the extent such request was approved.
3001.8

If an Agency or Provider is unable to provide the requested HHSI within five (5) business days pursuant to § 3001.7(c), it shall notify the requesting Agency or Provider immediately and provide a reasonable timeline for fulfilling the request to the extent possible.

D.C. Mun. Regs. tit. 29, r. 29-3001

As amended by Final Rulemaking published at 61 DCR 8497 (August 15, 2014)
Authority: Section 108 of the Data-Sharing and Information Coordination Amendment Act of 2010 (Act), effective December 4, 2010 (D.C. Law 18-273; D.C. Official Code § 7-248 (2012 Repl.)), and Mayor's Order 2011-169, dated October 5, 2011.