Oregon Bulletin
Rule Caption: Requirements for organizations and users seeking or receiving access to
Authority information assets.
Adm. Order No.: OHA 27-2011
Filed with Sec. of State: 12-1-2011
Certified to be Effective: 12-1-11
Notice Publication Date: 11-1-2011
Rules Adopted: 943-014-0300, 943-014-0305, 943-014-0310, 943-014-0315, 943-014-0320
Rules Repealed: 943-014-0300(T), 943-014-0305(T), 943-014-0310(T), 943-014-0315(T),
943-014-0320(T)
Subject: These rules apply to anyone who seeks access to the
Oregon Health Authority’s (Authority) information assets, systems, and
networks. It establishes access controls for all organizations and users and
requires organizations to establish a risk management plan addressing common
safeguards and HIPAA compliance. These rules allow for audits of organizations
handling Authority information assets, address privilege changes, and establish
requirements for reporting incidents and resolutions.
Rules Coordinator: Evonne Alderete—(503) 932-9663
943-014-0300
Scope
These rules
(OAR 943-014-0300 through 943-014-0320) apply to an organization or individual
seeking or receiving access to Authority information assets or network and
information systems for the purpose of carrying out a business transaction
between the Authority and the user.
(1) These
rules are intended to complement, and not supersede, access control or security
requirements in the Authority’s Electronic Data Transmission rules, OAR
943-120-0100 to 943-120-0200, and whichever rule is more specific shall
control.
(2) The
confidentiality of specific information and the conditions for use and
disclosure of specific information are governed by other laws and rules,
including but not limited to the Authority’s rules for the privacy of protected
information, OAR 943-014-0000 to 943-014-0070.
Stat.
Auth.: ORS 413.042
Stats.
Implemented: ORS 182.122
Hist.: OHA
16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. &
cert. ef. 12-1-11
943-014-0305
Definitions
For purpose
of these rules, the following terms have definitions set forth below. All other
terms not defined in this section shall have the meaning used in the Health
Insurance Portability and Accountability Act (HIPAA) security rules found at 45
CFR § 164.304:
(1) “Access”
means the ability or the means necessary to read, communicate, or otherwise use
any Authority information asset.
(2) “Access
Control Process” means Authority forms and processes used to authorize a user,
identify their job assignment, and determine the required access.
(3) “Authority”
means the Oregon Health Authority.
(4) “Client
Records” means any client, applicant, or participant information regardless of
the media or source, provided by the Authority to the user, or exchanged
between the Authority and the user.
(5) “Incident”
means the attempted or successful unauthorized access, use, disclosure,
modification, or destruction of any network and information system or Authority
information asset including, but not limited to unauthorized disclosure of
information; failure to protect user’s identification (ID) provided by the
Authority; or, theft of computer equipment that uses or stores any Authority
information asset.
(6) “Information
Asset” means any information, also known as data, provided through the
Authority, regardless of the source or media, which requires measures for
security and privacy of the information.
(7) “Network
and Information System” means the State of Oregon’s computer infrastructure,
which provides personal communications, client records and other sensitive information
assets, regional, wide area and local area networks, and the internetworking of
various types of networks on behalf of the Authority.
(8) “User”
means any individual authorized by the Authority to access a network and
information system or information asset.
(9) “Organization”
means any entity authorized by the Authority to access a network and
information system or information asset.
Stat.
Auth.: ORS 413.042
Stats.
Implemented: ORS 182.122
Hist.: OHA
16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. &
cert. ef. 12-1-11
943-014-0310
Information
Access
The
organization or user shall utilize the Authority access control process for all
requested and approved access. The Authority shall notify the user of each
approval or denial. When approved, the Authority shall provide the user with a
unique login identifier to access the network and information system or
information asset. The Authority may authorize the use of a generic login
identifier.
Stat.
Auth.: ORS 413.042
Stats.
Implemented: ORS 182.122
Hist.: OHA
16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. &
cert. ef. 12-1-11
943-014-0315
Security
Information Assets
(1) No
organization or user shall access an information asset for any purpose other
than that specifically authorized by the Authority access control process.
(2) Except
as specified or approved by the Authority, no organization or user shall alter,
delete, or destroy any information asset.
(3) The
organization shall prohibit unauthorized access by their staff, contractors,
agents, or others to the network and information systems, or Authority
information assets, and shall implement safeguards to prevent unauthorized
access in accordance with section (4) of this rule.
(4) The
organization shall develop a security risk management plan. The organization
shall ensure that the plan includes, but is not limited to the following:
(a)
Administrative, technical, and physical safeguards commonly found in the
International Standards Organization 27002: 2005 security standard or National
Institute of Standards and Technology (NIST) 800 Series;
(b)
Standards established in accordance with HIPAA Security Rules, 45 CFR Parts 160
and 164, applicable to an organization or user regarding the security and
privacy of a client record, any information asset, or network and information
system;
(c) The
organization’s privacy and security policies;
(d)
Controls and safeguards that address the security of equipment and storage of
any information asset accessed to prevent inadvertent destruction, disclosure,
or loss;
(e)
Controls and safeguards that ensure the security of an information asset,
regardless of the media, as identified below:
(A) The
user keeps Authority-assigned access control requirements such as
identification of authorized users and access control information (passwords
and personal identification numbers (PIN’s)), in a secure location until access
is terminated;
(B) Upon
request of the Authority, the organization makes available all information
about the user’s use or application of the access controlled network and
information system or information asset; and
(C) The
organization or user ensures the proper handling, storage, and disposal of any
information asset obtained or reproduced, and, when the authorized use of that
information ends, is consistent with any applicable record retention
requirements.
(f)
Existing security plans developed to address other regulatory requirements,
such as Sarbanes-Oxley Act of 2002 (PL 107-204), Title V of Gramm Leach Bliley
Act of 1999, Statement on Auditing Standards (SAS) number 70, will be deemed
acceptable as long as they address the above requirements.
(5) The
Authority may request additional information related to the organization’s
security measures.
(6) The
organization or user must immediately notify the Authority when access is no
longer required, and immediately cease access to or use of all information
assets or network and information systems.
Stat.
Auth.: ORS 413.042
Stats.
Implemented: ORS 182.122
Hist.: OHA
16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. &
cert. ef. 12-1-11
943-014-0320
User
Responsibility
The
organization or user shall not make any root level changes to any Authority or
State of Oregon network and information system. The Authority recognizes that
some application users have root level access to certain functions to allow the
user to diagnose problems (such as startup or shutdown operations, disk
layouts, user additions, deletions or modifications, or other operation) that
require root privileges. This access does not give the user the right to make
any changes normally restricted to root without explicit written permission
from the Authority.
(1) Use and
disclosure of any Authority information asset is strictly limited to the
minimum information necessary to perform the requested and authorized service.
(2) The
organization shall have established privacy and security measures that meet or
exceed the standards set forth in the Authority privacy and information
security policies, available from the Authority, regarding the disclosure of an
information asset.
(3) The
organization or user shall comply with all security and privacy federal and
state laws, rules, and regulations applicable to the access granted.
(4) The
organization shall make the security risk plan available to the Authority for
review upon request.
(5) The
organization or user shall report to the Authority all privacy or security
incidents by the user that compromise, damage, or cause a loss of protection to
the Authority information assets or the network and information systems. The
incident report shall be made no later than five business days from the date on
which the user becomes aware of such incident. The user shall provide the
Authority a written report which must include the results of the incident
assessment findings and resolution strategies.
(6)
Wrongful use of a network and information system, or wrongful use or disclosure
of an Authority information asset by the organization or user may cause the
immediate suspension or revocation of any access granted, at the sole
discretion of the Authority without advance notice.
(7) The
organization or user shall comply with the Authority’s request for corrective
action concerning a privacy or security incident and with laws requiring
mitigation of harm caused by the unauthorized use or disclosure of confidential
information, if any.
Stat.
Auth.: ORS 413.042
Stats.
Implemented: ORS 182.122
Hist.: OHA
16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. &
cert. ef. 12-1-11
Rule Caption: Review Process When Self-Defense Asserted to a “Substantiated” Finding at State
Hospitals and State Operated Programs.
Adm. Order No.: OHA 28-2011
Filed with Sec. of State: 12-1-2011
Certified to be Effective: 12-4-11
Notice Publication Date: 11-1-2011
Rules Adopted: 943-045-0000
Rules Repealed: 943-045-0000(T)
Subject: This rule adopts and incorporates by reference the
Department of Human Services’ Review of Substantiated Physical Abuse When
Self-Defense is Asserted at State Hospitals and State Operated Residential
24-hour Programs rules: chapter 407-0000 through 0110.
HB
2009 (2009) created the Oregon Health Authority and transferred to the Authority
the Department of Human Services’ (Department) Divisions responsible for health
and health care. Effective July 1, 2011 the Authority needs to adopt and
incorporate by reference the Department’s rules which provide the Authority
with the legal authority to conduct abuse investigations with respect to
individuals residing in state hospitals and state operated 24-hour programs.
These rules set forth the review process when self defense is asserted by
individuals in response to a “substantiated” determination.
Rules Coordinator: Evonne Alderete—(503) 932-9663
943-045-0000
Review of
Substantiated Physical Abuse When Self-Defense is Asserted at State Hospitals
Protective
service investigations and review of findings of alleged abuse in state
hospitals are handled by the Office of Investigations and Training (OIT) State
hospitals are administered by the Oregon Health Authority (Authority).
(1) The
Authority adopts and incorporates by reference OAR 407-045-0000 to 407-045-0110
(Review of Substantiated Physical Abuse When Self-Defense is Asserted at State
Hospitals.
(2) Any
reference to any rule from OAR 407-045-0000 to 407-045-0110 in rules or
contracts of the Authority are deemed to be references to the requirements of
this rule, and shall be construed to apply to employees, volunteers, providers,
or contractors that work at those locations that are administered by the
Authority.
(3)
References in OAR 407-045-0000 to 407-045-0110 to the Department of Human
Services (Department) or to the Authority shall be construed to be references
to either or both agencies.
(4) The
Authority authorizes the Department to act on its behalf in carrying out
protective service investigations and review of findings of alleged abuse at
those locations that are administered by the Authority.
(5) Appeals
will be handled by the Authority under the procedures set out in OAR
407-045-0000 to 407-045-0110, however, references to agency actions or
decisions that qualify as orders under ORS 183.310(6) that are issued by “the
Department” or by “the Director” are hereby incorporated as references to “the
Oregon Health Authority” and “the Authority Director.”
(6)
References in OAR 407-045-0000 to 407-045-0110 to the Human Services Abuse
Review Committee (HSARC), the OIT Substantiation Review Committee (OSRC) or “Office
of Developmental Disability Services Review Committee” (ODDSRC) shall be
construed to be references to committees for either the Department or the
Authority.
Stat.
Auth.: ORS 179.040 & 413.042
Other
Auth.: HB 2009, OL Ch. 595, sce. 19-25
Stats.
Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.755 - 430.768
Hist.:
Hist.: OHA 10-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 28-2011,
f. 12-1-11, cert. ef. 12-4-11
Rule Caption: Abuse or Mistreatment Reporting and Protective Services in Community Programs
for Adults with Mental Illness.
Adm. Order No.: OHA 29-2011
Filed with Sec. of State: 12-1-2011
Certified to be Effective: 12-5-11
Notice Publication Date: 11-1-2011
Rules Adopted: 943-045-0250, 943-045-0260, 943-045-0280, 943-045-0290, 943-045-0300,
943-045-0310, 943-045-0320, 943-045-0330, 943-045-0340, 943-045-0350,
943-045-0360, 943-045-0370
Rules Repealed: 943-045-0250(T), 943-045-0260(T), 943-045-0280(T), 943-045-0290(T),
943-045-0300(T), 943-045-0310(T), 943-045-0320(T), 943-045-0330(T),
943-045-0340(T), 943-045-0350(T), 943-045-0360(T), 943-045-0370(T)
Subject: HB 2009 created the Oregon Health Authority and
transferred to the Authority the Department of Human Services’ Divisions
responsible for health and health care. With the creation of a new agency, the
community programs and community facilities serving adults with mental illness
moved to the Authority. Community programs and facilities serving adults with
developmental disabilities will continue to be governed by the Department of
Human Services’ rule found at OAR 407-045-0250 to 0370. The Authority needs to
adopt these rules to reflect the separation of the Department of Human Services
and Oregon Health Authority.
These
rules also include the definition of mistreatment.
Rules Coordinator: Evonne Alderete—(503) 932-9663
943-045-0250
Purpose
These
rules, OAR 943-045-0250 to 943-045-0370, prescribe standards and procedures for
the investigation of, assessment for, and provision of protective services in
community programs and community facilities, and the nature and content of the
abuse investigation and protective services report.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0260
Definitions
As used in
OAR 943-045-0250 to 943-045-0370, the following definitions apply:
(1) “Abuse
of an adult with mental illness” means:
(a) Death
of an adult caused by other than accidental or natural means or occurring in
unusual circumstances.
(b) “Neglect”
means the active or passive withholding of services necessary to maintain the
health and well-being of an adult, which leads to physical harm of an adult. “Services”
include but are not limited to the provision of food, clothing, medicine,
housing, medical services, assistance with bathing or personal hygiene, or any
other services essential to the well-being of the adult.
(c) “Physical
abuse” means:
(A) Any
physical injury by other than accidental means or that appears to be at
variance with the explanation given for the injury.
(B) Willful
infliction of physical pain or injury.
(C)
Physical abuse is presumed to cause physical injury, including pain, to adults
otherwise incapable of expressing pain.
(D)
Physical abuse does not include physical emergency restraint to prevent
immediate injury to an adult who is in danger of physically harming himself or
herself or others, provided only that the degree of force reasonably necessary
for protection is used for the least amount of time necessary.
(d) “Sexual
abuse” including:
(A) An act
that constitutes a crime under ORS 163.375 (rape in the first degree), 163.405
(sodomy in the first degree), 163.411 (unlawful penetration in the first
degree), 164.415 (sexual abuse in the third degree), 163.425 (sexual abuse in
the second degree, (163.427 (sexual abuse in the first degree), 163.456 (public
indecency) or 163.467 (private indecency).
(B) Sexual
contact with a nonconsenting adult or with an adult considered incapable of
consenting to a sexual act under ORS 163.315.
(C) Sexual
harassment, sexual exploitation, or inappropriate exposure to sexually explicit
material or language including requests for sexual favors. Sexual harassment or
exploitation includes but is not limited to any sexual contact or failure to
discourage sexual contact between an employee of a community facility or
community program, provider, or other caregiver and an adult. For situations
other than those involving an employee, provider, or other caregiver and an
adult, sexual harassment or exploitation means unwelcome physical sexual
contact including requests for sexual favors and other physical conduct
directed toward an adult.
(D) Any
sexual contact between an employee of a facility or paid caregiver and an adult
served by the facility or caregiver. Sexual abuse does not mean consensual
sexual contact between an adult and a paid caregiver who is the spouse or
partner of the adult.
(E) Any
sexual contact that is achieved through force, trickery, threat, or coercion.
(F) As
defined in ORS 163.305, “sexual contact” means any touching of sexual or other
intimate parts of a person or causing such person to touch sexual or other
intimate parts of the actor for the purpose of arousing or gratifying the
sexual desire of either party.
(G) An
adult who in good faith is voluntarily under treatment solely by spiritual
means through prayer in accordance with the tenets and practices of a
recognized church or religious denomination by a duly accredited practitioner
shall for this reason alone not be considered subjected to mistreatment.
(2) “Abuse
or Mistreatment Investigation and Protective Services Report” means a completed
report.
(3) “Adult”
means an individual who is 18 years of age or older who:
(a) Has a
mental illness and is receiving services from a community program or facility;
(b)
Receives services in a residential treatment home, residential care facility,
adult foster home, or is in a facility approved by the Addictions and Mental
Health Division (Division) for acute care services or crisis respite when the
adult is in custody in the facility pursuant to ORS 426.072, and;
(c) Is the
alleged abuse or mistreatment victim.
(4) “Adult
Foster Home” means any home licensed by the Authority’s Addictions and Mental
Health Division pursuant to OAR 309-040-0300 et.seq., in which residential care
is provided to five or fewer adults who are not related to the provider by
blood or marriage as described in ORS 443.705 through 443.825.
(5) “Adult
protective services” means the necessary actions taken to prevent abuse or mistreatment
or exploitation of an adult, to prevent self-destructive acts, and to safeguard
an allegedly abused or mistreated adult’s person, property, or funds.
(6) “Authority”
means the Oregon Health Authority.
(7) “Caregiver”
means an individual or facility that has assumed responsibility for all or a
portion of the care of an adult as a result of a contract or agreement.
(8) “Community
facility” means a community residential treatment home, residential care
facility, adult foster home. “Community facility” also means a facility
approved by the Division for acute care services or crisis respite when the
adult is in custody in the facility pursuant to ORS 426.072.
(9) “Community
program” means the community mental health program as established in ORS 430.610
to 430.695.
(10) “Designee”
means the community program.
(11) “Department”
means the Department of Human Services.
(12) “Inconclusive”
means there is insufficient evidence to conclude the alleged abuse or
mistreatment occurred or did not occur by a preponderance of the evidence. The
inconclusive determination may be used only in the following circumstances:
(a) After
diligent efforts have been made, the protective services investigator is unable
to locate the person alleged to have committed the abuse or mistreatment, or
cannot locate the alleged victim or another individual who might have
information critical to the investigation; or
(b)
Relevant records or documents are unavailable, or there is conflicting or
inconsistent information from witnesses, documents, or records with the result
that after the investigation is complete, there is insufficient evidence to
support a substantiated or not substantiated conclusion.
(13) “Law
enforcement agency” means any city or municipal police department, county
sheriff’s office, the Oregon State Police, or any district attorney.
(14) “Mandatory
reporter” means any public or private official who, while acting in an official
capacity, comes in contact with and has reasonable cause to believe that an
adult has suffered abuse, or that any individual with whom the official comes
in contact while acting in an official capacity has abused an adult. Pursuant
to ORS 430.765(2), psychiatrists, psychologists, clergy, and attorneys are not
mandatory reporters with regard to information received through communications
that are privileged under ORS 40.225 to 295.
(15) “Mistreatment”
means mistreatment as defined in OAR 309-035-0105, 309-035-0260 and
309-040-0305.
(16) “Not
substantiated” means the preponderance of evidence establishes the alleged
abuse or mistreatment did not occur.
(17) “Office
of Investigations and Training” (OIT) means the Department’s Shared Services
Division responsible for the investigation of allegations of abuse or
mistreatment made in community programs and community facilities for adults
with mental illness
(18) “Provider
agency” means an entity licensed or certified to provide services to adults in
Adult Foster Homes (AFH), Residential Treatment Homes (RTH) or Residential Care
Facilities (RCF). “Provider agency” also means a facility approved by the
Division for acute care services or crisis respite when the adult is in custody
in the facility pursuant to ORS 426.072.
(19) “Public
or private official” means:
(a)
Physician, naturopathic physician, osteopathic physician, psychologist,
chiropractor, or podiatrist, including any intern or resident;
(b)
Licensed practical nurse, registered nurse, nurse’s aide, home health aide, or
employee of an in-home health services organization;
(c)
Employee of the Authority, Department, county health department, community
mental health or developmental disabilities program, or private agency
contracting with a public body to provide any community services;
(d) Peace
officer;
(e) Member
of the clergy;
(f)
Licensed clinical social worker;
(g)
Physical, speech, or occupational therapist;
(h)
Information and referral, outreach, or crisis worker;
(i)
Attorney;
(j)
Licensed professional counselor or licensed marriage and family therapist;
(k)
Firefighter or emergency medical technician; or
(l) Any
public official who comes in contact with adults in the performance of the
official’s duties.
(20) “Residential
Care Facility (RCF)” means a facility licensed by the Division that is operated
to provide services on a 24-hour basis for six or more residents pursuant to
OAR 309-035-0100 et.seq..
(21) “Residential
Treatment Home (RTH)” means a home licensed by the Division that is operated to
provide services on a 24-hour basis for five or fewer residents pursuant to OAR
309-035-0250 et.seq..
(22) “Substantiated”
means that the preponderance of evidence establishes the abuse or mistreatment
occurred.
(23) “Unbiased
investigation” means an investigation that is conducted by a community program
that does not have an actual or potential conflict of interest with the outcome
of the investigation.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0280
Training
for Adults Investigating Reports of Alleged Abuse
(1) The
Authority shall provide sufficient and timely training and consultation to
community programs to ensure that the community program is able to conduct a
thorough and unbiased investigation and reach a conclusion about the abuse.
Training shall include initial and continuing education of any individual
designated to conduct protective services investigations.
(2) The
training shall address the cultural and social diversity of the State of
Oregon.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0290
General
Duties of the Community Program and Initial Action on Report of Alleged Abuse
(1) For the
purpose of carrying out these rules, community programs are Authority
designees.
(2) If
mandatory reporters have reasonable cause to believe abuse of an adult has
occurred, the reporter must report the abuse to the community program, to a
local law enforcement agency, or to the Authority when the reporter believes a
crime may have been committed.
(3) Each
community program shall designate at least one employee to conduct protective
services investigations. Community programs shall require their designated
protective services investigators to participate in training and to demonstrate
an understanding of investigative core competencies.
(4) If the
Authority or community program has reasonable cause to believe abuse or
mistreatment occurred, it must immediately notify the appropriate public
licensing or certifying agency and provide a copy of the abuse investigation
and completed protective services report.
(5) If the
Authority or community program has reasonable cause to believe that an individual
licensed or certified by any state agency to provide care has committed abuse
or mistreatment, it must immediately notify the appropriate state licensing or
certifying agency and provide that agency with a copy of the abuse or
mistreatment investigation and completed protective services report.
(6) The
Authority or community program may share information prior to the completion of
the abuse or mistreatment investigation and protective services report if the
information is necessary for:
(a) The
provision of protective services; or
(b) The
function of licensing and certifying agencies or law enforcement agencies.
(7) Each
community program must establish an after hours reporting system.
(8) Upon
receipt of any report of alleged abuse or mistreatment or upon receipt of a
report of a death that may have been caused by other than accidental or natural
means, the community program must begin:
(a)
Investigation into the nature and cause of the alleged abuse or mistreatment
within one working day of receipt of the report to determine if abuse or
mistreatment occurred or whether a death was caused by abuse or mistreatment;
(b)
Assessment of the need for protective services; and
(c)
Provision of protective services, if protective services are needed.
(9) The
community program receiving a report alleging abuse or mistreatment must
document the information required by ORS 430.743(1) and any additional reported
information. The community program must attempt to elicit the following
information from the individual making a report:
(a) The
name, age, and present location of the adult;
(b) The
names and addresses of the adult’s programs or facilities responsible for the
adult’s care;
(c) The
nature and extent of the alleged abuse or mistreatment, including any evidence
of previous abuse or mistreatment of the adult or evidence of previous abuse or
mistreatment by the person alleged to have committed the abuse or mistreatment;
(d) Any
information that led the individual making the report to suspect abuse or
mistreatment had occurred;
(e) Any
information that the individual believes might be helpful in establishing the
cause of the abuse or mistreatment and the identity of the person alleged to
have committed the abuse or mistreatment; and
(f) The
date of the incident.
(10) The
community program shall maintain all reports of abuse or mistreatment in a
confidential location.
(11) If
there is reason to believe a crime has been committed, the community program
must contact the law enforcement agency with jurisdiction in the county where
the report is made.
(12) Upon
receipt of a report of abuse or mistreatment, the community program must notify
the case manager providing primary case management services to the adult. The
community program must also notify the guardian of the adult unless doing so
would undermine the integrity of the abuse or mistreatment investigation or a
criminal investigation because the guardian or case manager is suspected of
committing abuse or mistreatment.
(13) If
there is reasonable cause to believe that abuse or mistreatment has occurred,
the community program must determine if the adult is in danger or in need of
immediate protective services and shall provide those services immediately.
Under these circumstances, the community program must also advise the provider
agency or guardian about the allegation, and must include any information
appropriate or necessary for the health, safety, and best interests of the
adult in need of protection.
(14) The
community program shall immediately, but no later than one working day, notify
the Authority it has received a report of abuse or mistreatment, in the format
provided by the Authority.
(15) In
addition to the notification required by section (12) of these rules, if the
community program determines that a report will be assigned for investigation,
the community program must notify the provider agency, guardian, and any other
individual with responsibility for providing services and protection, unless
doing so would compromise the safety, health, or best interests of the adult in
need of protection, or would compromise the integrity of the abuse or
mistreatment investigation or a criminal investigation. The notice shall
include information that the case shall be assigned for investigation, identify
the investigator, and provide information regarding how the assigned
investigator may be contacted. The notice must be provided within five working
days from the date the report was received.
(16) If the
community program determines from the report that there is no reasonable cause
to believe abuse or mistreatment occurred, the community program shall notify
the provider agency within five working days that a protective services
investigation shall not commence and explain the reasons for that decision. The
community program shall document the notice and maintain a record of all
notices.
(17) The
community program or law enforcement agency shall notify the appropriate
medical examiner in cases where the community program or law enforcement agency
finds reasonable cause to believe that an adult has died as a result of abuse
or mistreatment or where the death occurred under suspicious or unknown
circumstances.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0300
Investigation
of Alleged Abuse or Mistreatment
(1)
Investigation of abuse or mistreatment shall be thorough and unbiased.
Community programs may not investigate allegations of abuse or mistreatment
made against employees of the community program. Investigations of community
program staff shall be conducted by the Authority or other community programs
not subject to an actual or potential conflict of interest.
(2) In
conducting an abuse or mistreatment investigation, the investigator must:
(a) Make
in-person contact with the adult;
(b)
Interview the adult, witnesses, the person alleged to have committed the abuse
or mistreatment, and other individuals who may have knowledge of the facts of
the abuse or mistreatment allegation or related circumstances. Interviews must
be conducted in-person where practicable. The investigator must attempt to elicit
the date of birth for each individual interviewed and shall obtain the date of
birth of any person alleged to have committed the alleged abuse or
mistreatment;
(c) Review
all evidence relevant and material to the complaint; and
(d)
Photograph the adult consistent with forensic guidelines, or arrange for the
adult to be photographed, to preserve evidence of the alleged abuse or
mistreatment and of the adult’s physical condition at the time of
investigation, unless the adult knowingly refuses.
(3) All records
necessary for the investigation shall be available to the community program for
inspection and copying. A community facility shall provide community programs
access to employees, the adult, and the premises for investigation purposes.
(4) When a
law enforcement agency is conducting a criminal investigation of the alleged
abuse or mistreatment, the community program shall also perform its own
investigation as long as it does not interfere with the law enforcement agency
investigation under the following circumstances:
(a) There
is potential for action by a licensing or certifying agency;
(b) Timely
investigation by law enforcement is not probable; or
(c) The law
enforcement agency does not complete a criminal investigation.
(5) When a
law enforcement agency is conducting an investigation of the alleged abuse or
mistreatment, the community program must communicate and cooperate with the law
enforcement agency.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0310
Assessment
for and Provision of Protective Services to the Adult
The
community program shall ensure that appropriate and necessary protective
services are provided to the adult to prevent further abuse or mistreatment and
must be undertaken in a manner that is least intrusive to the adult and provide
for the greatest degree of independence available within existing resources.
Assessment for the provision of protective services may include:
(1)
Arranging for the immediate protection of the adult;
(2)
Contacting the adult to assess his or her ability to protect his or her own
interest or give informed consent;
(3)
Determining the ability of the adult to understand the nature of the protective
service and his or her willingness to accept services;
(4)
Coordinating evaluations to determine or verify the adult’s physical and mental
status, if necessary;
(5)
Assisting in and arranging for appropriate services and alternative living
arrangements;
(6)
Assisting in or arranging the medical, legal, financial, or other necessary
services to prevent further abuse or mistreatment;
(7)
Providing advocacy to assure the adult’s rights and entitlements are protected;
and
(8)
Consulting with the community facility, program, or others as appropriate in
developing recommendations or requirements to prevent further abuse or
mistreatment.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0320
Abuse or
Mistreatment Investigation and Protective Services Report
(1) The
Authority shall provide abuse or mistreatment investigation and protective
services report formats.
(2) Upon
completion of the investigation and within 45 calendar days of the date the
community program has assigned a report alleging abuse or mistreatment for
investigation, the community programs shall prepare an abuse or mistreatment
investigation and protective services report. This 45-day time period does not
include an additional five-working day period allowing OIT to review and
approve the report. The protective services report shall include:
(a) A
statement of the allegations being investigated, including the date, location,
and time;
(b) A list
of protective services provided to the adult;
(c) An
outline of steps taken in the investigation, a list of all witnesses
interviewed, and a summary of the information provided by each witness;
(d) A
summary of findings and conclusion concerning the allegation of abuse or mistreatment;
(e) A
specific finding of “substantiated,” “inconclusive,” or “not substantiated”;
(f) A plan
of action necessary to prevent further abuse or mistreatment of the adult;
(g) Any
additional corrective action required by the community program and deadlines
for completing these actions;
(h) A list
of any notices made to licensing or certifying agencies;
(i) The
name and title of the individual completing the report; and
(j) The
date the report is written.
(3) In
cases where, for good cause shown, the protective services investigator cannot
complete the report within 45 days, the investigator shall submit a request for
time extension to OIT.
(a) An
extension may be granted for good cause shown which includes but is not limited
to:
(A) When
law enforcement is conducting an investigation;
(B) A
material party or witness is temporarily unavailable;
(C) New
evidence is discovered;
(D) The
investigation is complex (e.g. large numbers of witnesses need to be
interviewed taking into account scheduling difficulties and limitations,
consultation with experts, or a detailed review of records over an extended
period of time is required); or
(E) For
some other mitigating reason.
(b) When
granting an extension, OIT shall consult with the program about the need for an
extension and determine the length of the extension as necessary.
(c) The
community program shall notify the provider agency and guardian when an
extension is granted and advise them of the new report due date.
(4) A copy
of the final abuse or mistreatment investigation and protective services report
shall be provided to the Authority within five working days of the report’s
completion and approval by OIT.
(5) The
community program must provide notice of the outcome of the investigation, or
assure that notice is provided to the alleged victim, guardian, provider
agency, accused person, and to any law enforcement agency which previously
received notice of the initial report. Notice of outcome shall be provided to a
reporter upon the reporter’s request. Notice of outcome must be made within
five working days after the date the case is completed and approved by OIT. The
community program must document how the notice was provided.
(6) A
centralized record of all abuse or mistreatment investigation and protective
services reports shall be maintained by community programs for all abuse or
mistreatment investigations conducted in their county, and by the Authority for
all abuse or mistreatment investigations in the state.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0330
Disclosure
of the Abuse Investigation and Protective Services Report and Related Documents
(1)
Portions of the abuse or mistreatment investigation and protective services
report and underlying investigatory documents are confidential and are not available
for public inspection. Pursuant to ORS 430.763, names of abuse or mistreatment
reporters, witnesses, and the alleged abuse or mistreatment victim are
confidential and shall not be available for public inspection. Investigatory
documents, including portions of the abuse or mistreatment investigation and
protective services report that contains “individually identifiable health
information,” as that term is defined under ORS 192.519 and 45 CFR160.103, are
confidential under federal Health Insurance Portability and Accountability Act
(HIPAA) privacy rules, 45 CFR Parts 160 and 164, and ORS 192.520 and
179.505-179.509.
(2)
Notwithstanding section (1) of this rule, the Authority shall make confidential
information available, including any photographs if appropriate, to any law
enforcement agency, public agency that licenses or certifies facilities or
licenses or certifies the individuals practicing therein, and any public agency
providing protective services for the adult. The Authority shall make the protective
services report and underlying investigatory materials available to any private
agency providing protective services for the adult and to the protection and
advocacy system designated pursuant to ORS 192.517(1).
(3)
Individuals or entities receiving confidential information pursuant to this
rule shall maintain the confidentiality of the information and shall not
redisclose the confidential information to unauthorized individuals or
entities, as required by state or federal law.
(4) The
community program shall prepare a redacted version of the final completed abuse
or mistreatment investigation report within 10 days after the date of the final
report. The redacted report shall not contain any confidential information
which is prohibited from disclosure pursuant to state or federal law. The
redacted report shall be submitted to the provider agency.
(5) The
community program shall provide a redacted version of the written report to the
public for inspection upon written request.
(6) When
the abuse or mistreatment investigation and protective services report is
conducted by a community program as the Authority’s designee, the protective
services investigation may be disclosed pursuant to this rule either by the
community program or the Authority.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0340
Prohibition
Against Retaliation
(1) A
community facility, community program, or individual shall not retaliate
against any individual who reports suspected abuse or mistreatment in good
faith, including the adult.
(2) Any
community facility, community program, or individual that retaliates against
any individual because of a report of suspected abuse or mistreatment shall be
liable, according to ORS 430.755, in a private action to that individual for
actual damages and, in addition, a civil penalty up to $1,000, notwithstanding
any other remedy provided by law.
(3) Any
adverse action creates a presumption of retaliation if taken within 90 days of
a report of abuse or mistreatment. For purposes of this sub-section, “adverse
action” means any action taken by a community facility, community program, or
individual involved in a report against the individual making the report or
against the adult because of the report and includes but is not limited to:
(a)
Discharge or transfer from the community facility, except for clinical reasons;
(b)
Termination of employment;
(c)
Demotion or reduction in remuneration for services; or
(d)
Restriction or prohibition of access to the community facility or its
residents.
(4) Adverse
action may also be evidence of retaliation after 90 days even though the
presumption no longer applies.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0350
Immunity of
Individuals Making Reports in Good Faith
(1) Any
individual who makes a good faith report and who had reasonable grounds for
making the report shall have immunity from civil liability with respect to
having made the report.
(2) The
reporter shall have the same immunity in any judicial proceeding resulting from
the report as may be available in that proceeding.
(3) An
individual who has personal knowledge that an employee or former employee of
the adult was found to have committed abuse is immune from civil liability for
the disclosure to a prospective employer of the employee of known facts
concerning the abuse.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0360
Authority
Investigation of Alleged Abuse or Mistreatment
(1) If
determined necessary or appropriate, the Authority may conduct an investigation
rather than allow the community program to investigate the alleged abuse or
mistreatment or in addition to the investigation by the community program.
Under such circumstances, the community program must receive authorization from
the Authority before conducting any separate investigation.
(2) The
community program shall make all records necessary for the investigation available
to the Authority for inspection and copying. The community facilities and
community programs must provide the Authority access to employees, the adult,
and the premises for investigation purposes.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
943-045-0370
County
Multidisciplinary Teams
(1) The
community program must participate in its county Multidisciplinary Team (MDT)
to coordinate and collaborate on protective services for the abuse of adults
with developmental disabilities or mental illness or both.
(2) All
confidential information protected by state and federal law that is shared or
obtained by MDT members in the exercise of their duties on the MDT is
confidential and may not be further disclosed except as permitted by law.
(3) The
community program or OIT shall provide an annual report to the MDT reporting
the number of investigated and substantiated allegations of abuse of adults and
the number referred to law enforcement in the county.
Stat.
Auth.: ORS 179.040 & 413.042, 414.715 & 430.731
Stats.
Implemented: ORS 413.032, 430.735–430.765, 443.400 – 443.460,
443.705 – 443.825
Hist.: OHA
11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 29-2011, f.
12-1-11, cert. ef. 12-5-11
Notes
1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2011.
2.) Copyright 2012 Oregon Secretary of State: Terms and Conditions of Use |