District of Columbia Health Data Protection Requirements: What You Need to Know
Health Planning Data System Compliance
What the HPDS is and who must report
The District’s State Health Planning and Development Agency (SHPDA) maintains the Health Planning Data System (HPDS). Health care facilities must submit utilization, cost and charge data, patient demographics, and information about uncompensated care and other community benefits in the format SHPDA prescribes. These submissions feed the District’s Health Systems Plan and inform Certificate of Need oversight under District of Columbia Health Regulations. ([code.dccouncil.gov](https://code.dccouncil.gov/us/dc/council/code/sections/44-405?utm_source=openai))
Submission schedules and formats
SHPDA sets the form, format, and reporting schedule. Annual reports are typically due within 90 days after the reporting period; other required data may be due within 60 days. Facilities must also provide audited financial statements within 120 days after the close of the fiscal year. ([dchealth.dc.gov](https://dchealth.dc.gov/sites/default/files/dc/sites/doh/publication/attachments/SHPDA%20Regulations%20DCMR%2040-46.pdf))
How to stay compliant
- Map data sources to HPDS fields and institute validation checks before submission.
- Document a Medical Records Retention Policy aligned to District of Columbia Health Regulations and your facility type.
- Designate data stewards and a single point of contact for SHPDA inquiries.
- Track uncompensated care metrics that HPDS and SHPDA reviews expect. ([dchealth.dc.gov](https://dchealth.dc.gov/sites/default/files/dc/sites/doh/publication/attachments/SHPDA%20Regulations%20DCMR%2040-46.pdf))
Immunization Information System Management
Provider and facility reporting to DOCIIS
The District of Columbia Immunization Information System (DOCIIS) is the official registry for vaccine records across the lifespan. Health care providers must report, within seven days, the ACIP-recommended immunizations they administer to individuals age 26 or younger, as well as those individuals' past immunizations. Schools and licensed child development facilities must provide specified immunization certifications for noncompliant students within 10 business days of DC Health notification. ([dchealth.dc.gov](https://dchealth.dc.gov/dociis?utm_source=openai))
Immunization data confidentiality
Immunization data reported to DC Health is confidential. DC Health may use it to generate aggregate coverage reports, produce official immunization records, and send reminders to patients, parents/guardians, providers, insurers, and schools or child development facilities. Other disclosures of identifiable data require written consent from the patient or parent/guardian. ([dcrules.elaws.us](https://dcrules.elaws.us/dcmr/22-b129))
Patient access to immunization records
Residents can obtain their official DOCIIS immunization record, including through DC Health’s supported channels (e.g., the Docket pathway), which produce a DC Health Patient Vaccine Record. ([vaccines.dc.gov](https://vaccines.dc.gov/page/immunization-records-docket?utm_source=openai))
Data Breach Notification Procedures
District-specific Data Breach Notification Requirements
District law requires notifying affected residents and the Office of the Attorney General (OAG) “in the most expedient time possible and without unreasonable delay.” Personal information includes identifiers combined with sensitive elements such as medical, biometric, genetic, or health insurance information. Encryption/redaction may be a safe harbor, but entities must consult OAG before concluding consumer harm is unlikely. If Social Security or Tax ID numbers are involved, 18 months of free identity-theft services must be offered. ([oag.dc.gov](https://oag.dc.gov/about-oag/laws-legal-opinions/requirements-districts-data-breach-notification))
What to include in notices
Notices to OAG should include the reporting entity, nature and timing of the breach, the types of data affected, number of District residents impacted, remedial steps taken, and a sample consumer notice. Consumer notices must contain prescribed content, including how to obtain a security freeze and key agency contacts. ([oag.dc.gov](https://oag.dc.gov/about-oag/laws-legal-opinions/requirements-districts-data-breach-notification))
Medical Records Confidentiality Standards
Hospitals
Hospitals must maintain a medical record for every patient, keep records accurate and retrievable, complete them within 30 days of discharge, and preserve them for at least 10 years after discharge—or three years after a minor reaches the age of majority. Records must remain confidential, released only to authorized persons or as otherwise permitted by law, and be destroyed securely when eligible. ([dchealth.dc.gov](https://dchealth.dc.gov/sites/default/files/dc/sites/doh/publication/attachments/Hospitals.pdf))
Physician practices
Licensed physicians must maintain accurate records and, upon request, provide a copy to the patient or representative within 30 days. Physicians may charge a reasonable duplication fee. Records must be retained for at least three years after the last patient contact, or three years after a minor turns 18. Mental health information in records is subject to additional protections. ([dchealth.dc.gov](https://dchealth.dc.gov/sites/default/files/dc/sites/doh/publication/attachments/Medicine_DC_Municipal_Regulations_for_Medicine_0.pdf))
Consumer Health Information Privacy Protection Act Implementation
Status and scope
The Consumer Health Information Privacy Protection Act of 2024 (CHIPPA) was introduced to the DC Council to govern non‑HIPAA consumer health data. As of April 24, 2026, it has been introduced but not enacted; organizations should monitor for reintroduction or passage. ([oag.dc.gov](https://oag.dc.gov/release/attorney-general-schwalb-introduces-privacy-legislation?utm_source=openai))
Core implementation obligations to prepare for
- Publish clear Health Data Privacy Policies describing collection, use, sharing, and retention of consumer health data; limit practices to what is necessary and proportionate.
- Obtain Consumer Consent for Health Data collection and separate consent for sharing; honor withdrawals of consent.
- Enable data-subject rights: access, a list of third parties with whom data was shared or sold, and deletion (including cascaded deletion to affiliates, processors, and third parties; archived/backup deletion may be delayed up to six months).
- Execute binding contracts with processors/affiliates covering permitted uses and security obligations; prohibit inconsistent downstream processing.
- Prohibit certain geofencing around locations where health services are provided; violations may constitute unfair or deceptive trade practices. ([oag.dc.gov](https://oag.dc.gov/sites/default/files/2024-07/Consumer%20Health%20Information%20Privacy%20Protection%20Act%20of%202024.pdf))
Patient Rights and Access to Health Data
Access to medical records
Patients have a right to receive copies of their medical records. In hospitals, patients must be allowed to access information in a reasonable time; in physician practices, copies must be provided within 30 days, subject to reasonable duplication fees and any additional protections for mental health information. ([dchealth.dc.gov](https://dchealth.dc.gov/sites/default/files/dc/sites/doh/publication/attachments/Hospitals.pdf))
Access to immunization records
DC Health issues official immunization records from DOCIIS; residents can request them through supported channels that generate a DC Health Patient Vaccine Record suitable for schools, employers, and travel. ([vaccines.dc.gov](https://vaccines.dc.gov/page/immunization-records-docket?utm_source=openai))
Regulatory Enforcement and Compliance Monitoring
Who enforces what
- SHPDA monitors HPDS reporting and related obligations, audits data, and can take enforcement actions tied to Certificate of Need compliance. ([dchealth.dc.gov](https://dchealth.dc.gov/sites/default/files/dc/sites/doh/publication/attachments/SHPDA%20Regulations%20DCMR%2040-46.pdf))
- DC Health enforces District of Columbia Health Regulations for hospitals and other facilities, including recordkeeping, confidentiality, and retention standards. ([dchealth.dc.gov](https://dchealth.dc.gov/sites/default/files/dc/sites/doh/publication/attachments/Hospitals.pdf))
- The OAG enforces the District’s breach notification law and broader consumer protection laws. ([oag.dc.gov](https://oag.dc.gov/about-oag/laws-legal-opinions/requirements-districts-data-breach-notification))
Practical monitoring steps
- Perform periodic audits of HPDS submissions, immunization reporting workflows, and breach-response playbooks.
- Centralize policies (privacy, security, retention) and train staff annually; log and remediate exceptions.
- Test consumer access processes for medical and immunization records to confirm timeliness and completeness.
Conclusion
To protect patient trust and meet District of Columbia Health Regulations, align your data governance to HPDS rules, rigorously manage DOCIIS reporting and Immunization Data Confidentiality, follow DC’s Data Breach Notification Requirements, and maintain sound recordkeeping. Preparing now for CHIPPA-style consent and rights frameworks will future‑proof your operations. ([code.dccouncil.gov](https://code.dccouncil.gov/us/dc/council/code/sections/44-405?utm_source=openai))
FAQs
What are the submission requirements for the Health Planning Data System?
Facilities must submit data on utilization, costs/charges, patient demographics, uncompensated care, and community benefits in the form and on the schedule SHPDA designates. Annual reports are generally due within 90 days, other periodic data within 60 days, and audited financials within 120 days after fiscal year‑end. ([code.dccouncil.gov](https://code.dccouncil.gov/us/dc/council/code/sections/44-405?utm_source=openai))
How does DOCIIS protect immunization information?
Immunization data reported to DC Health is confidential. The Department may use it for official records, coverage analytics, and reminders to the patient, parent/guardian, providers, insurers, and schools/LCDCs; other identifiable disclosures require written consent. ([dcrules.elaws.us](https://dcrules.elaws.us/dcmr/22-b129))
When must entities notify the Office of the Attorney General about a data breach?
Notify OAG in the most expedient time possible and without unreasonable delay. Notice should include the nature and timing of the breach, types of data affected, number of impacted District residents, remedial actions, and a sample consumer notice. Entities should consult OAG before concluding that consumer harm is unlikely. ([oag.dc.gov](https://oag.dc.gov/about-oag/laws-legal-opinions/requirements-districts-data-breach-notification))
What rights do patients have under CHIPPA regarding their health data?
As proposed, CHIPPA would require clear health data privacy policies; opt‑in consent for collection and separate consent for sharing; rights to access, a list of third parties receiving data, withdrawal of consent, and deletion (including cascaded deletion to affiliates/processors, with limited delay for backups). Note: As of April 24, 2026, CHIPPA has been introduced but not enacted. ([oag.dc.gov](https://oag.dc.gov/sites/default/files/2024-07/Consumer%20Health%20Information%20Privacy%20Protection%20Act%20of%202024.pdf))