8710.1 A designated HIE entity and its participating organizations shall take affirmative steps to ensure health care consumers have:
(a) Information regarding the health care consumer's access and participation options under these regulations is readily available to assist the health care consumer in making an informed decision concerning:(1) The accessibility of a health care consumer's PHI electronically through a designated HIE entity; and(2) The risks and benefits of health information exchange;(b) The ability to opt out of health information exchange at any time and refuse access to the health care consumer's PHI through an HIE entity, except when a disclosure meets conditions identified in § 8710.2; and(c) The ability to resume participation in an HIE entity at any point after the health care consumer has elected to opt out of participation. Any such resumption of participation shall be upon written notice or request to the designated HIE entity by the health care consumer.8710.2 Designated HIE entity disclosures that meet one of the following criteria set forth below are not subject to consumer opt out:
(a) Information making up the designated HIE entity's or participating organization's core elements of the master patient index;(b) A disclosure that a person is required to make under federal or State law requirements;(c) Results of a diagnostic procedure sent to the health care provider who ordered the procedure or another provider as designated by the ordering provider;(d) Information regarding prescription medications dispensed or filled by a pharmacy, sent to the health care provider who ordered the prescriptions or another health care provider as designated by the ordering health care provider;(e) Public health authorities for reporting purposes required, authorized, or otherwise compliant with applicable law; or(f) Communications permitted under HIPAA or District law without a health care consumer's consent or authorization when using point-to-point transmission.8710.3 A designated HIE entity shall provide information about the HIE to a health care consumer whose PHI is maintained by the designated HIE entity, or may be accessed, used, or disclosed through the HIE in accordance with the requirements set forth in §§ 8710.4 and 8710.5:
8710.4 A designated HIE entity shall make health care consumer educational materials available to participating organizations and their users. A designated HIE entity shall develop, adopt, implement, keep current, and make available to health care consumers a health care consumer education plan that includes:
(a) Definitions of the key terms and concepts underlying health information technology, including electronic health records and the exchange of electronic health information;(b) Health information privacy and security laws;(c) The general overview of individual benefits an d risks to health care consumers of exchanging health information through an HIE entity as compared to opting- out and exchanging health information through a paper-based system; and(d) Information on how the designated HIE entity shall make the following information available to health care consumers: (1) A description of each type of PHI that is accessed or disclosed through the designated HIE entity;(2) The health information maintained by the designated HIE entity;(3) The specific details concerning who may access, use, or disclose a health care consumer's health information and for what purpose;(4) The privacy and security measures that the designated HIE entity has implemented to protect health information, and a detailed explanation of what happens if there is a breach that results in unauthorized access to PHI;(5) A health care consumer's access and participation options regarding health information exchange and the control over, protection of, use of, and correction of each type of health information;(6) The process provided for a health care consumer to exercise the health care consumer's access and participation options, including a detailed description of the steps a health care consumer can to opt out of participation in health information exchange;(7) The implications of a health care consumer's decision to opt out of participation in health information exchange and not permit the disclosure of that consumer's PHI to authorized users, except as otherwise permitted under applicable law; and (8) The designated HIE entity's policies and procedures, including without limitation, policies and procedures consistent with these regulations regarding how the health care consumer may gain access to the health care consumer's health information.8710.5 The health care consumer education materials required under § 8710.4 must:
(a) Provide a balanced perspective, outlining the various points of view concerning each subject matter set forth in § 8710.4 and set forth in policy guidance by DHCF and published on its website at http://dhcf.dc.gov, including the risks and benefits associated with sharing PHI electronically;(b) Present accurate, and not misleading information;(c) Minimize the use of technical terms and, when such terms are necessary, clearly define the technical terms;(d) Use plain language that is easily understandable to each health care consumer population served, taking into account the various levels of education, understanding, and interest across that population;(e) Use text and illustrations that are culturally sensitive, language appropriate, and that recognize user diversity including ethnicity, age, race, sexual orientation, and gender;(f) Update material to include and incorporate new information; and(g) Specify the time sensitivity of any material included.8710.6 A designated HIE entity shall allow a health care consumer to obtain or correct information concerning the consumer's PHI by meeting the requirements set forth below:
(a) A designated HIE entity shall provide the following information to the health care consumer, upon written notice or request by the health care consumer, describing what PHI is available through the HIE concerning the specified health care consumer:(1) The participating organization that disclosed the PHI to the designated HIE entity;(2) The date the PHI was disclosed to the designated HIE entity; and(3) The type of PHI disclosed to the designated HIE entity, if known by the designated HIE entity;(b) A designated HIE entity shall inform the health care consumer how to correct perceived inaccurate information consistent with the requirements below: (1) A designated HIE entity shall send information regarding the process for petitioning a participating organization or provider regarding the correction of inaccurate health information within twenty (20) calendar days of receiving notice from a health care consumer of a potential inaccuracy in the health care consumer's health information available through the HIE. The information shall include the contact information of relevant participating organizations that provided the perceived inaccurate information; and(2) This process shall be in accordance with the requirements specified under federal HIPAA requirements, including but not limited to 45 CFR § 164.526.8710.7 Upon receipt of written notice or request, a designated HIE entity shall provide each health care consumer with a report detailing any disclosure for a time period specified by the health care consumer, of the health care consumer's PHI. In instances where a health care consumer requests recurring disclosures to the same HIE entity for the same purpose, a summary report may be provided by the designated HIE entity.
8710.8 If the health care consumer requests the details of the summary report as described in § 8710.7, the designated HIE entity shall provide the health care consumer information consistent with the requirements set forth below:
(a) The time period specified by the health care consumer shall not exceed the data retention period as specified by HIPAA and federal regulations at 45 CFR § 164.528;(b) Except as otherwise permissible under 45 CFR § 164.528(b)(3) through (4), the report shall specify the following for each instance that the health care consumer's PHI was disclosed during the time frame reflected in the report: (1) The name of each authorized user;(2) The name of the participating organization to which the authorized user is affiliated, if such information is kept by the HIE entity in the ordinary course of business; (3) The date and time of the disclosure;(4) The type of PHI disclosed, if known by the designated HIE entity; and(5) The name of the participating organization that made the PHI available to the designated HIE entity.8710.9 A designated HIE entity shall acknowledge a health care consumer's written notice or request, as described in § 8710.7, within ten (10) business days of receipt of the request.
8710.10 A designated HIE entity shall respond to a health care consumer's written notice or request, described in § 8710.7, with either the requested report or with a written explanation why such report is unavailable, when it shall be available, or where the health care consumer may obtain the requested information.
8710.11 The designated HIE entity shall respond within a reasonable time frame, but not later than thirty (30) calendar days after the initial written notice or request, as described § 8710.7, by the health care consumer:
(a) A designated HIE entity shall provide a summary report, as described in § 8710.7, upon request by the health care consumer, at least twice per calendar year at no cost to the health care consumer. If the summary report is available in an electronic format, it shall be provided to the consumer in a generally available electronic format, if so requested, at no additional charge; and(b) For any additional report, the designated HIE entity may charge a reasonable fee not to exceed the cost to provide the additional report, but no more than the allowable amount in accordance 45 CFR § 164.524(c)(4).8710.12 A designated HIE entity shall implement a process to manage and enable consumer choice regarding the consumer's participation in an HIE, opting out from such participation, or opting to resume participation in the HIE system, in accordance with the requirements set forth below:
(a) A designated HIE entity shall maintain a log that records each health care consumer's participation status over time in accordance with the requirements set forth in paragraphs (a)(1) and (2) below; (1) A designated HIE entity shall retain the log for the duration required by State or federal law, whichever requires a longer retention; and (2) A designated HIE entity shall keep the log in a retrievable storage medium;(b) A designated HIE entity shall not disclose a health care consumer's PHI if the health care consumer has submitted a written notice or request to opt-out of health information exchange in accordance with § 8710.1(b) except as otherwise permitted under applicable law and in accordance with this chapter; and(c) A designated HIE entity shall not disclose information derived from a health care consumer's PHI, including for Secondary Use, if the health care consumer has submitted a written notice or request to opt-out of health information exchange, except as otherwise permitted under applicable law.8710.13 The requirements set forth in §§ 8710.14 through 8710.19 shall apply to all communications between a designated HIE entity and a health care consumer.8710.14 A designated HIE entity or its participating organizations shall implement a process to allow a health care consumer to communicate with a designated HIE entity about the health care consumer's participation status through an appropriate medium of the health care consumer's choice, including:
(a) By telephone, via a phone number;(b) By mail, via a standardized form;(c) By fax, via a standardized form;(d) Online, via a secure website;(e) Secure email or text message; and(f) In-person at the designated HIE entity's offices during business hours.8710.15 A health care consumer's communication opting out (or opting in if the consumer has already opted out) of health information exchange shall be made in:
(d) Secure email or text message; or(e) By telephone, if the designated HIE entity confirms the action with a written communication to the health care consumer in accordance with § 8710.18;8710.16 A designated HIE entity shall take appropriate measures to assure that an individual who communicates with the designated HIE entity is authorized to act on behalf of the participating health care consumer.
8710.17 A designated HIE entity shall implement the health care consumer's requested action within five (5) business days of receipt of the health care consumer's written or online request concerning:
(a) Opting-out of the HIE; and(b) Resuming participation in the HIE after previously opting-out.8710.18 A designated HIE entity shall provide each health care consumer the option to receive confirmation of any change in the health care consumer's participation status. If a health care consumer requests confirmation in writing, the designated HIE entity shall:
(a) Send the confirmation of participation status change within three (3) business days of the effective date of change of the health care consumer's participation status; and(b) If consistent with all applicable privacy and security law and regulations, including HIPAA and applicable District laws and regulations, send the confirmation of status change through one of the following methods as specified by the health care consumer: (1) An email sent to the email address specified by the health care consumer;(2) A letter to an address specified by the health care consumer;(3) A letter by fax to a fax number specified by the health care consumer;(4) A letter given to the health care consumer at the designated HIE entity during normal business hours; or(5) A text message sent to the number specified by the health care consumer.8710.19When a health care consumer changes their participation status, the designated HIE entity shall provide the following to the health care consumer:
(a) Information concerning when the status change will become effective; and(b) Information concerning what information shall be excluded from health information exchange regarding a health care consumer who opts out.D.C. Mun. Regs. tit. 29, r. 29-8710
Final Rulemaking published at 65 DCR 8346 (7/19/2019)