3001.1 An Agency or Provider shall disclose HHSI referencing or related to an identified individual client or customer (Individual) upon request from another Agency or Provider for the following purposes, unless disclosure is precluded by District or federal law:
(a) To establish the Individual's eligibility for, or determine his or her amount of: (b) To coordinate for the Individual, his or her: (c) To conduct oversight activities, including: (2) Financial and other audits;(10) Disciplinary actions; or(11) Civil, administrative, or criminal proceedings or actions; and(d) To conduct research related to treatments, benefits, services, support, or assistance provided that: (1) Information referencing or relating to an Individual shall not be disclosed in a manner that would permit the Individual's identity to be reasonably inferred by either direct or indirect means; and(2) The Agency or Provider receiving HHSI shall affirm in writing that any individually identifiable health information shall be treated in accordance with the Health Insurance Portability and Accountability Act of 1996, approved August 21, 1996, as amended (110 Stat. 1936; 42 U.S.C. §§ 1320d, et seq.) (HIPAA) and its implementing regulations.3001.2Neither an Agency nor a Provider requesting or disclosing HHSI referencing or related to an Individual pursuant to § 3001.1 of this chapter has to obtain the person's prior consent to using or disclosing HHSI unless required by § 3004 of this chapter.
3001.3An Agency or Provider shall use or disclose HHSI in accordance with this chapter.
3001.4Notwithstanding any other provision in this chapter, Agencies and Providers shall comply with any applicable Agency or Provider HIPAA policies and procedures, and Agencies shall comply with the District-wide HIPAA Policy.
3001.5An Agency or Provider using or disclosing HHSI shall make reasonable efforts to limit the use or disclosure of HHSI to the minimum extent necessary to accomplish its intended purpose.
3001.6 An Agency or Provider that discloses HHSI shall designate a person within the Agency or Provider's staff who shall, in coordination with any person that the Agency or Provider has designated as its HIPAA privacy officer and/or security officer, be responsible for:
(a) Responding to requests for HHSI from another Agency or Provider; and(b) Ensuring that any HHSI disclosed pursuant to this chapter is limited to the minimum amount of HHSI necessary to accomplish the purpose of the disclosure.3001.7The individual designated by an Agency or Provider pursuant to § 3001.6 shall:
(a) Respond to a request within forty-eight (48) hours;(b) Not unreasonably deny a request; and(c) Within five (5) business days of the date of the request, supply the requested information to the extent such request was approved.3001.8If an Agency or Provider is unable to provide the requested HHSI within five (5) business days pursuant to § 3001.7(c), it shall notify the requesting Agency or Provider immediately and provide a reasonable timeline for fulfilling the request to the extent possible.
D.C. Mun. Regs. tit. 29, r. 29-3001
As amended by Final Rulemaking published at 61 DCR 8497 (August 15, 2014)Authority: Section 108 of the Data-Sharing and Information Coordination Amendment Act of 2010 (Act), effective December 4, 2010 (D.C. Law 18-273; D.C. Official Code § 7-248 (2012 Repl.)), and Mayor's Order 2011-169, dated October 5, 2011.