D.C. Mun. Regs. tit. 29, r. 29-8709

Current through Register Vol. 71, No. 49, December 6, 2024
Rule 29-8709 - DESIGNATED HIE ENTITY AUDITING REQUIREMENTS
8709.1

A designated HIE entity shall conduct an annual privacy and security audit performed by a qualified third-party auditor, that:

(a) Detects inappropriate access, use, maintenance, and disclosure of information that are in violation of this chapter;
(b) Assesses security measures, related to the technical, physical and administrative safeguards of PHI.
8709.2

At the request of DHCF and consistent with the specifications in such request, a designated HIE entity shall:

(a) Provide the results of any audit that is required under this section, and any supporting documentation to DHCF; and
(b) Conduct an additional unscheduled audit and provide the results of such an audit to DHCF within the time frame specified by the agency.
8709.3

If a designated HIE entity's annual privacy and security audit reveals information that demonstrates inappropriate access, use, maintenance, or disclosure of information that constitutes a breach or violation of this chapter, or if the health information of more than ten (10) health care consumers was improperly used, accessed, maintained, or disclosed during the twelve (12) months prior to the audit, then:

(a) The designated HIE entity shall use the findings from the audit to:
(1) Educate and train a participating organization or an authorized user on proper access, use, and disclosure of information through or from the HIE; or
(2) Evaluate and implement new control measures, including policies, procedures, or technology, to ensure proper use and access of the HIE;
(b) The designated HIE entity shall take the appropriate measures specified in § 8705; and
(c) The designated HIE entity shall post a publicly available summary report of the audit on its website within thirty (30) calendar days after completion of the audit and DHCF shall also post the report on its website.
8709.4

A designated HIE entity shall adopt and implement an access and auditing plan that requires the designated HIE entity and each participating organization, as applicable, to conduct a random audit of the HIE access logs on a periodic basis in accordance with the requirements set forth in §§ 8709.5 and 8709.6.

8709.5

The access and auditing plan shall prescribe responsibility for conducting random audits to either the designated HIE entity or its participating organizations according to the designated HIE entity's or participating organizations' technological capabilities.

8709.6

The access and auditing plan required under § 8709.4 shall include:

(a) The manner used to identify a non-HIPAA violation of this chapter or a HIPAA breach;
(b) The method used to report a non-HIPAA violation of this chapter or a HIPAA breach;
(c) The reasonable steps that shall be taken to promptly mitigate a non-HIPAA violation of this chapter or a HIPAA breach;
(d) A review of the designated HIE entity's access logs to ensure that only an authorized user is granted access to HIE information and is meeting the requirements of this rule; and
(e) A plan to ensure that the designated HIE entity's participating organization conduct its own audit or review of the HIE access logs within ten (10) business days of receipt of the access logs from the designated HIE entity, if the designated HIE entity chooses to hold its participating organizations responsible for implementing the plan, as per § 8709.5.

D.C. Mun. Regs. tit. 29, r. 29-8709

Final Rulemaking published at 65 DCR 8346 (7/19/2019)