D.C. Mun. Regs. tit. 29, r. 29-8799

Current through Register Vol. 71, No. 49, December 6, 2024
Rule 29-8799 - DEFINITIONS
8799.1

When used in this chapter, the following terms shall have the meanings ascribed:

Authentication - The process of establishing confidence in user identities electronically presented to an information system.

Authorization - Has the meaning provided in 45 CFR § 164.508.

Authorized user - A person identified by a participating organization or a HIE entity, including a health care consumer, who may use, access, or disclose protected health information through or from a health information exchange for a specific authorized purpose and whose HIE access is not currently suspended or revoked.

Breach - The meaning provided in 45 CFR § 164.402.

Business associate - The meaning provided in 45 CFR § 160.103.

Core elements of the Master Patient Index (MPI) - The minimum elements that are:

(a) Required for an HIE entity to identify a particular patient across separate clinical, financial, and administrative systems; and
(b) Needed to exchange health information electronically.

DC HIE - The District's statewide health information exchange, an interoperable system of registered and designated HIE entities that facilitates person-centered care through the secure, electronic exchange of health information among participating organizations supported by a District-wide health data infrastructure.

Designated HIE - An HIE entity that has applied for and received designation from the Department of Health Care Finance in accordance with Chapter 87, District of Columbia Health Information Exchange, of Title 29, Public Welfare, of District of Columbia Municipal Regulations.

DHCF - The District of Columbia's Department of Health Care Finance.

Disclosure - The release, re-disclosure, transfer, provision, access, transmission, communication, or divulgence in any other manner of information in a medical record, including an acknowledgment that a medical record on a particular health care consumer or recipient exists, outside the entity holding such information.

Electronic Health Record - An electronic record of health information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

Health care consumer - Any actual or potential recipient of health care services, such as a patient in a hospital.

Health care provider -

(a) A person who is licensed, certified, or otherwise authorized under District law to provide health care in the ordinary course of business or practice of a profession or in an approved education or training program;
(b) Government agencies involved in the provision of health or social services;
(c) A facility where health care is provided to health care consumers or recipients; or
(d) An agent, employee, officer, or director of a health care facility, or an agent or employee of a health care provider.

Health information - Any information, whether oral or recorded in any form or medium, that:

(a) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(b) Relates to the past, present, or future physical or mental health or condition of a person, the provision of health care to a person, or the past, present, or future payment for the provision of health care to a person.

Health Information Exchange (HIE) - A system that facilitates person-centered care through the secure electronic exchange of health information among approved, qualifying partners in support of health data infrastructure according to nationally recognized standards.

HIE Entity - An entity that creates or maintains an infrastructure that provides organizational and technical capabilities in a system to enable the secure, electronic exchange of health information among participating organizations not under common ownership.

HIPAA - The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191, 110 Stat. 1938 (1996)).

HITECH Act - The Health Information Technology for Economic and Clinical Health Act (Pub. L. No. 111-5, Title XIII, 123 Stat. 226 (2009)).

Incident Response Plan - The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization's information system(s).

Master patient index - A database that maintains a unique index identifier for each patient whose protected health information may be accessible through an HIE entity and is used to cross reference patient identifiers across multiple participating organizations to allow for patient search, patient matching, and consolidation of duplicate records.

Non-HIPAA violation - The acquisition, access, use, maintenance, or disclosure of health information in a manner not permitted under District or federal law:

(a) Which compromises the security or privacy of the health information; and
(b) Is not a HIPAA violation.

Opt-out - A health care consumer's election not to participate in the HIE, so that the HIE entity shall not disclose such health care consumer's protected health information, or data derived from such health care consumer's health information, except as consistent with this chapter.

Participating organization - An entity that enters into an agreement with an HIE entity that governs the terms and conditions under which its authorized users may use, access, or disclose protected health information by the HIE entity.

Point-to-point transmission - A secure electronic transmission of PHI, including, but not limited to, records sent via facsimile or secure clinical messaging service, sent by a single entity that can be read only by the single receiving entity designated by the sender.

Protected health information (PHI) - A subset of health information that has the same meaning as given in 45 CFR § 160.103, and includes sensitive health information.

Registered Resident Agent - An agent of an entity who is authorized to receive service of any process, notice, or demand required or permitted by law to be served on the entity.

Registered HIE - An HIE entity that has applied for and received registration from the Department of Health Care Finance in accordance with Chapter 87, District of Columbia Health Information Exchange, of Title 29, Public Welfare, of District of Columbia Municipal Regulations.

Sensitive health information - A subset of PHI, which consists of:

(a) 42 CFR Part 2 information; or
(b) Any other information that has specific legal protections in addition to those required under HIPAA, as implemented and amended in federal regulations.

System administrator - An individual employee within a participating organization (or an individual employed by a contractor to the participating organization) who is designated by the participating organization to manage the user accounts of specified persons within the participating organization in coordination with an HIE entity.

Third-party system - Hardware or software provided by an external entity to a participating organization, which interoperates with an HIE entity to allow an authorized user access to information through the HIE entity and may include an electronic health record system.

Unqualified opinion - A written statement by an auditor that financial statements fairly reflect the results of the business organization's operations and its financial position according to generally accepted accounting principles.

Unusual finding - A finding that there was an irregularity in the manner in which use, access, maintenance, disclosure, or modification of health information or sensitive health information transmitted to or through an HIE entity should occur that could give rise to a breach, a violation under this chapter or a violation of other applicable privacy or security laws.

Final Rulemaking published at 65 DCR 8346 (7/19/2019)