5021222 Human Services, Department of - Notice of Final Rulemaking - Amending Title 29 of the DCMR to create a new Chapter 30 entitled, Data-Sharing  

DEPARTMENT OF HUMAN SERVICES

 

NOTICE OF FINAL RULEMAKING

 

The Interim Director of the District of Columbia Department of Human Services (DHS), pursuant to authority set forth in Section 108 of the Data-Sharing and Information Coordination Amendment Act of 2010 (Act), effective December 4, 2010 (D.C. Law 18-273; D.C. Official Code § 7-248 (2012 Repl.)), and Mayor’s Order 2011-169, dated October 5, 2011, hereby gives notice of the adoption of a new Chapter 30 within Title 29 (Public Welfare) of the DCMR entitled “Data-sharing.”

 

The final rulemaking promulgates rules for implementing the Act which allows District of Columbia (District) agencies and service providers to share health and human services information (HHSI) for specified purposes.  These rules will mandate: (1) the purposes for using or disclosing information, (2) the requirements for sharing HHSI between District agencies, (3) the requirements District agencies and service providers must follow when sharing HHSI with other service providers, and (4) the penalties for not complying with the Act.

 

A Notice of Proposed Rulemaking (NOPR) was published in the D.C. Register on May 30, 2014, at 61 DCR 5522.  DHS received and considered comments in response to the NOPR.  DHS did not make any changes since the rules were published as proposed.  Further, and in accordance with Section 108(b) of the Act, the NOPR was submitted to the Council for a thirty (30)-day period of review (Council Review Period).  The Council Review Period ended on July 11, 2014, without any action.  Therefore, the rules were deemed approved on that date.

 

DHS took action to adopt the rules as final on July 21, 2014.  These rules shall take effect upon publication in the D.C. Register.

 

Title 29 (Public Welfare) is amended by creating a new Chapter 30 (Data-sharing) to read as follows:

 

CHAPTER 30: DATA-SHARING

 

3000                                SCOPE AND APPLICABILITY

 

3000.1                          These rules shall apply to the sharing of health and human services information (HHSI) between District of Columbia (District) agencies (Agency or Agencies) and the Agency’s service providers (Provider) in accordance with the Data-Sharing and Information Coordination Amendment Act of 2010, effective December 4, 2010, as amended (D.C. Law 18-273; D.C. Official Code §§ 7-241, et seq.) (Act).

 

3001                                USE AND DISCLOSURE OF HEALTH AND HUMAN SERVICES INFORMATION

 

3001.1                          An Agency or Provider shall disclose HHSI referencing or related to an identified individual client or customer (Individual) upon request from another Agency or Provider for the following purposes, unless disclosure is precluded by District or federal law:

 

(a)                To establish the Individual’s eligibility for, or determine his or her amount of: 

 

(1)               Treatment;

 

(2)               Services;

 

(3)               Benefits;

 

(4)               Support; or

 

(5)               Assistance;

 

(b)               To coordinate for the Individual, his or her:

 

(1)               Treatment;

 

(2)               Benefits;

 

(3)               Services;

 

(4)               Support; or

 

(5)               Assistance;

 

(c)             To conduct oversight activities, including:

 

(1)               Management;

 

(2)               Financial and other audits;

 

(3)               Program evaluations;

 

(4)               Planning;

 

(5)               Investigations;

 

(6)               Examinations;

 

(7)               Inspections;

 

(8)               Quality reviews;

 

(9)               Licensure;

 

(10)           Disciplinary actions; or

 

(11)           Civil, administrative, or criminal proceedings or actions; and

 

(d)               To conduct research related to treatments, benefits, services, support, or assistance provided that:

 

(1)               Information referencing or relating to an Individual shall not be disclosed in a manner that would permit the Individual’s identity to be reasonably inferred by either direct or indirect means; and

 

(2)               The Agency or Provider receiving HHSI shall affirm in writing that any individually identifiable health information shall be treated in accordance with the Health Insurance Portability and Accountability Act of 1996, approved August 21, 1996, as amended (110 Stat. 1936; 42 U.S.C. §§ 1320d, et seq.) (HIPAA) and its implementing regulations.

 

3001.2             Neither an Agency nor a Provider requesting or disclosing HHSI referencing or related to an Individual pursuant to § 3001.1 of this chapter has to obtain the person’s prior consent to using or disclosing HHSI unless required by § 3004 of this chapter.

 

3001.3             An Agency or Provider shall use or disclose HHSI in accordance with this chapter. 

 

3001.4             Notwithstanding any other provision in this chapter, Agencies and Providers shall comply with any applicable Agency or Provider HIPAA policies and procedures, and Agencies shall comply with the District-wide HIPAA Policy.

 

3001.5             An Agency or Provider using or disclosing HHSI shall make reasonable efforts to limit the use or disclosure of HHSI to the minimum extent necessary to accomplish its intended purpose.

 

3001.6             An Agency or Provider that discloses HHSI shall designate a person within the Agency or Provider’s staff who shall, in coordination with any person that the Agency or Provider has designated as its HIPAA privacy officer and/or security officer, be responsible for:

 

(a)                Responding to requests for HHSI from another Agency or Provider; and

 

(b)               Ensuring that any HHSI disclosed pursuant to this chapter is limited to the minimum amount of HHSI necessary to accomplish the purpose of the disclosure.

 

3001.7             The individual designated by an Agency or Provider pursuant to § 3001.6

shall:

 

(a)        Respond to a request within forty-eight (48) hours;

 

(b)        Not unreasonably deny a request; and

 

(c)        Within five (5) business days of the date of the request, supply the

requested information to the extent such request was approved.

 

3001.8             If an Agency or Provider is unable to provide the requested HHSI within five (5) business days pursuant to § 3001.7(c), it shall notify the requesting Agency or Provider immediately and provide a reasonable timeline for fulfilling the request to the extent possible. 

 

3002                                DATA-SHARING AGREEMENT BETWEEN AGENCIES

 

3002.1                          A District Agency seeking to use another District Agency’s HHSI or seeking to disclose HHSI to another District Agency shall, consistent with the District-wide HIPAA Policy, enter into a data-sharing agreement (Agreement).  Any Agency or Provider seeking to enter into an Agreement must follow any applicable Agency or Provider HIPAA policies and procedures. 

 

3002.2                          At a minimum, the Agreement shall include the following information:

 

(a)                The legal authority which authorizes the sharing of HHSI between the two Agencies including the Act’s legal citation;

 

(b)               A listing of the specific HHSI each Agency is requesting from the other along with a statement of the Agency’s purpose for requesting each piece of HHSI on that list, which shall be limited to the minimum amount of HHSI necessary to accomplish the purpose of the disclosure;

 

(c)                A provision stating that the requested HHSI shall be safeguarded and protected from improper access, use, or dissemination in accordance with the Act, and any other applicable District and Federal laws;

 

(d)               A provision stating that any unlawful use or disclosure of HHSI shall be subject to penalties outlined in the Act, and any other applicable District and Federal laws;

 

(e)                Procedures for notifying an Agency of an actual or suspected unauthorized access, use, or dissemination of the HHSI.

 

3003                A PROVIDER OR AGENCY DISCLOSING HEALTH AND HUMAN SERVICES INFORMATION TO SERVICE PROVIDERS

 

3003.1             A Provider or Agency seeking to request or disclose HHSI to a Provider shall do so in accordance with their applicable contract, grant, or similar agreement with the Provider which shall contain provisions governing the sharing of HHSI.

 

3003.2             A Provider seeking to obtain HHSI from an Agency or another Provider shall submit a written request to the Agency or Provider in possession of the HHSI describing in detail the HHSI sought and the purpose for the HHSI being requested. 

 

3003.3             An Agency or Provider that receives a request for HHSI from another Provider shall maintain an accurate record, for a reasonable period of time:

 

(a)        Of the date and purpose for any request for the HHSI;

 

(b)               The date which the HHSI was disclosed; and

 

(c)                A record of whom the HHSI was disclosed to.

 

3003.4             For purposes of this Section 3003.3, the term “reasonable period of time” incorporates any applicable document retention requirements imposed by District or federal law.

 

3004                PRIOR WRITTEN CONSENT

 

3004.1             Unless Federal law states otherwise, an Agency or Provider disclosing HHSI in response to a request from another Agency or Provider pursuant to Section 3000.1 shall obtain the Individual’s prior written consent to disclose the HHSI requested if it involves:

 

(a)                Alcohol and drug abuse patient records governed by 42 C.F.R. Part 2;

 

(b)               Psychotherapy notes governed by 45 C.F.R. § 164.508(a)(2); and

 

(c)                Any other HHSI requiring prior Consent for disclosure as required by Federal law.

 

3004.2             Unless District or Federal law states otherwise, an Agency or Provider disclosing HHSI in response to a request from another Agency or Provider pursuant to Section 3000.1 shall obtain the Individual’s prior written consent to disclose the HHSI requested if it involves:

 

(a)                Records governed by Section 1 of An Act To authorize the Commissioners of the District of Columbia to make regulations to prevent and control the spread of communicable and preventable diseases, approved August 11, 1939 (53 Stat. 1408; D.C. Official Code § 7-131);

 

(b)               Records which are incident to a case of HIV infection or AIDS as required by Section 6 of the AIDS Health-Care Response Act of 1986, effective June 10, 1986 (D.C. Law 6-121; D.C. Official Code § 7-1605);

 

(c)                Records incident to a reported case of cancer as required by Section 2 of the Preventive Health Services Amendments Act of  1985, effective February 21, 1986 (D.C. Law 6-83; D. C. Official Code § 7-302);

 

(d)               Substance abuse records governed by Section 7 of the Choice in Drug Treatment Act of 2000, effective July 18, 2000 (D.C. Law 13-146; D.C. Official Code § 7-3006);

 

(e)                Registration and other records of a detoxification center governed by Section 4(c) of An Act to establish a program for the rehabilitation of alcoholics, promote temperance, and provide for the medical and scientific treatment of persons found to be alcoholics by the courts of the District, and for other purpose, approved August 4, 1947 (61 Stat. 745; D.C. Official Code § 24-604(c)).

 

(f)                Information provided to a Domestic Violence counselor governed by Section 3 of the Domestic Violence Amendment Act of 2006, effective March 2, 2007 (D.C. Law 16-204; D.C. Official Code § 14-310);

 

(g)               Information provided to a Human Trafficking counselor governed by Section 203 of the Prohibition Against Human Trafficking Amendment Act of 2010, effective October 23, 2010 (D. C. Law 18-239; D.C. Official Code § 14-311); and

 

(h)               Any other HHSI requiring prior written consent for disclosure as required by District law.

 

3004.3             The prior written consent required by Sections 3004.1 and 3004.2 shall comply with all applicable laws and regulations, and with any applicable District-wide, Agency, or Provider HIPAA policies and procedures, and shall use plain language.  

 

3005                CIVIL AND CRIMINAL PENALTIES FOR UNLAWFUL USE OR DISCLOSURE OF INFORMATION IN ACCORDANCE WITH THE ACT

 

3005.1             A person who negligently uses or discloses HHSI in a manner not authorized by the Act or other District law shall be liable in an amount of five hundred dollars ($500) for each violation.

 

3005.2             For purposes of this section, “negligently” means that a person guided by ordinary considerations should have known, and by exercising reasonable diligence would have known, that the use or disclosure was not authorized.

 

3005.3             A person who willfully uses or discloses HHSI in a manner not authorized by the Act or other District law shall be liable in an amount of one thousand dollars ($1,000) for each violation.

 

3005.4             A person who knowingly obtains, uses, or discloses HHSI in a manner not authorized by the Act or other District law shall be guilty of a misdemeanor, and upon conviction, shall be fined not more than two thousand five hundred dollars ($2,500), imprisoned not more than sixty (60) days, or both.  If the offense is committed through deception or theft, the person shall be guilty of a misdemeanor and shall be fined not more than five thousand dollars ($5,000), imprisoned for not more than one hundred eighty (180) days, or both.

 

3005.5             If a civil or criminal penalty imposed by another law applies to an action that is also subject to a civil or criminal penalty under the Act, the greater penalty shall apply.

 

3099                DEFINITIONS

 

3099.1             The following terms shall have the meanings ascribed:

 

Act – Data-Sharing and Information Coordination Amendment Act of 2010, effective December 4, 2010 (D.C. Law 18-273; D.C. Official Code §§ 7-241, et seq.).

 

Agency – an agency, department, unit, or instrumentality of the District of Columbia government.

           

Department – District of Columbia Department of Human Services.

 

Disclosure – the release, transfer, provision of access to, or distribution of information in any manner by an entity holding the information to a person outside of the entity.

 

District-wide HIPAA Policy – the set of HIPAA policies and procedures issued by the District as a hybrid entity in accordance with 45 C.F.R.  § 164.105(a)(2)(iii)(D).  The District-wide HIPAA Policy applies to any District agency, and any subdivision of a District agency, that is subject to HIPAA as part of the District’s hybrid entity.

           

Health and human services information (HHSI) – any information that relates to:

 

(a)                The past, present, or future physical or mental health of an Individual or family;

 

(b)               The provision of health care or human services, including benefits or supports, to an Individual or family;

 

(c)                The past, present, or future payment for the provision of health care or human services to an Individual.

 

HIPAA – the Health Insurance Portability and Accountability Act of 1996, approved August 21, 1996 (110 Stat. 1936; 42 U.S.C. §§ 1320d, et seq.), as amended; 45 C.F.R Parts 160, 162, and 164, as amended.

 

Identified individual – a natural person to whom health and human services information pertains.

 

Individually identifiable health information – shall have the same meaning as it does in HIPAA.

 

Person – a natural person, firm, company, association, corporation, service provider, or government instrumentality or agency authorized to receive HHSI in accordance with the Act.

 

Service provider (Provider) – an entity that provides health or human services to District residents pursuant to a contract, grant, or other similar agreement with an Agency.

 

Use – the sharing, employment, application, utilization, examination, or analysis of health and human services information.