Oregon Bulletin
Rule Caption: Privacy Rules Setting Forth General Procedures Governing the Collection, Use and Disclosure of Protected Information.
Adm. Order No.: DHSD 11-2011
Filed with Sec. of State: 12-16-2011
Certified to be Effective: 12-16-11
Notice Publication Date: 11-1-2011
Rules Adopted: 407-014-0015
Rules Amended: 407-014-0000, 407-014-0020, 407-014-0030, 407-014-0040, 407-014-0050, 407-014-0060, 407-014-0070
Rules Repealed: 407-014-0000(T), 407-014-0015(T), 407-014-0020(T), 407-014-0030(T), 407-014-0040(T), 407-014-0050(T), 407-014-0060(T), 407-014-0070(T)
Subject: These rules govern the collection, use and disclosure
of protected information by the Department about individuals and explain the
rights and specific actions that individuals may take or request to be taken
regarding the uses and disclosures of their protected information. The adoption
and amendment of these rules also set forth Department requirements governing
the use and disclosure of protected health information for purposes of HIPAA,
42 USC 1320-d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the
implementing HIPAA privacy rules, 45 CFR parts 160 and 164. Adoption of these
rules will repeal the temporary rules, currently in effect since July 1, 2011.
Rules Coordinator: Jennifer Bittel—(503) 947-5250
407-014-0000
Definitions
The following definitions apply to OAR 407-014-0000 to
407-014-0070:
(1) “Administrative hearing” means an oral proceeding
before an administrative law judge in a contested case hearing.
(2) “Authority” means the Oregon Health Authority.
(3) “Authorization” means permission from an individual
or his or her personal representative giving the Department of Human Services
(Department) authorization to obtain, release or use information about the
individual from third parties for specified purposes or to disclose information
to a third party specified by the individual.
(4) “Business associate” means an individual or entity
performing any function or activity on behalf of the Authority, including the
Department, involving the use or disclosure of protected health information (PHI)
and is not a member of the Authority’s workforce.
(a) For purposes of the definition of “business
associate,” “function or activity” includes but is not limited to program
administration, claims processing or administration, data analysis, utilization
review, quality assurance, billing, legal, actuarial, accounting, consulting,
data processing, management, administrative, accreditation, financial services,
and similar services for which the Authority may contract or obtain by
interagency agreement, if access to PHI is involved.
(b) Business associates do not include licensees or
providers unless the licensee or provider also performs some function or
activity on behalf of the Authority.
(5) “Client” means an individual who requests or
receives services from the Department. This includes but is not limited to
applicants for or recipients of public assistance, minors and adults receiving
protective services, individuals who are committed to the custody of the
Department, children in the custody of the Department receiving services on a
voluntary basis, and children committed to the custody of the Department.
(6) “Client information” means personal information
relating to a client that the Department may maintain in one or more locations
and in various forms, reports, or documents, or stored or transmitted by
electronic media.
(7) “Collect” or “Collection” means the assembling of
personal information through interviews, forms, reports, or other information
sources.
(8) “Contract” means a written agreement between the
Department and a person or entity setting forth the rights and obligations of
the parties including but not limited to contracts, licenses, agreements,
interagency agreements, and intergovernmental agreements.
(9) “Correctional institution” means any penal or
correctional facility, jail, reformatory, detention center, work farm, halfway
house, or residential community program center operated by contract with the
federal government, a state, or an Indian tribe for the confinement or
rehabilitation of persons charged with or convicted of a criminal offense or
other persons held in lawful custody. “Other persons held in lawful custody”
include juvenile offenders, adjudicated delinquents, aliens detained awaiting
deportation, witnesses, or others awaiting charges or trial.
(10) “Corrective action” means an action that a
business associate must take to remedy a breach or violation of the business
associate’s obligations under the business associate’s contractual requirement,
including but not limited to reasonable steps that must be taken to cure the
breach or end the violation.
(11) “Covered entity” means health plans, health care
clearinghouses, and health care providers who transmit any health information
in electronic form in connection with a transaction that is subject to federal
Health Insurance Portability and Accountability Act (HIPAA) requirements, as
those terms are defined and used in the HIPAA regulations, 45 CFR parts 160 and
164.
(12) “De-identified data” means client information from
which the Department or other entity has deleted, redacted, or blocked
identifiers so the remaining information cannot reasonably be used to identify
an individual.
(13) “Department” means the Department of Human
Services.
(14) “Department workforce” means employees,
volunteers, trainees, and other persons whose conduct, in the performance of
work for the Department, is under the direction and control of the Department,
whether or not they are paid by the Department.
(15) “Disclose” means the release, transfer, relay,
provision of access to, or conveying of client information to any individual or
entity outside the Department.
(16) “Health care” means care, services, or supplies
related to the health of an individual. Health care includes but is not limited
to preventive, diagnostic, therapeutic, rehabilitative, maintenance, palliative
care, counseling services, assessment, or procedures with respect to the
physical or mental condition, or functional status of an individual, or that affects
the structure or function of the body and the sale or dispensing of a drug,
device, equipment, or other prescribed item.
(17) “Health care operations” means any activities of a
covered entity to the extent that the activities are related to health care,
Medicaid, or any other health care related programs, services, or activities
administered by the covered entity and includes:
(a) Conducting quality assessment and improvement
activities, including income evaluation and development of clinical guidelines;
(b) Population-based activities related to improving
health or reducing health care costs, protocol development, case management and
care coordination, contacting health care providers and patients with
information about treatment alternatives, and related functions that do not
include treatment;
(c) Reviewing the competence of qualifications of
health care professionals, evaluating practitioner, provider, and health plan
performance; and conducting training programs in which students and trainees in
areas of health care learn under supervision to practice or improve their
skills, accreditation, certification, licensing, or credentialing activities;
(d) Underwriting, premium rating, and other activities
relating to the creation, renewal, or replacement of a contract for Medicaid or
health care related services;
(e) Conducting or arranging for medical review, legal
services, and auditing functions, including fraud and abuse detection and
compliance programs, and disclosure to the Medicaid Fraud Unit pursuant to 43
CFR part 455.21;
(f) Business planning and development, such as
conducting cost-management and planning-related analyses related to managing
and operating the covered entity, including administration, development, or
improvement of methods of payments or health care coverage; and
(g) Business management and general administrative
activities of the covered entity, including but not limited to:
(A) Management activities relating to implementation of
and compliance with the requirements of HIPAA;
(B) Customer service, including providing data
analysis;
(C) Resolution of internal grievances, including
administrative hearings and the resolution of disputes from patients or
enrollees regarding the quality of care and eligibility for services; and
(D) Creating de-identified data or a limited data set.
(18) “Health oversight agency” means an agency or
authority of the federal government, a state, territory, political subdivision
of a state or territory, Indian tribe, or a person or entity acting under a grant
of authority from or by contract with the public agency, including employees or
agents of the public agency or its contractors or grantees that is authorized
by law to oversee the health care system or government programs in which health
information is necessary to determine eligibility or compliance, or to enforce
civil rights laws for which health information is relevant. When performing
these functions, the Department acts as a health oversight agency for the
purposes of these rules.
(19) “HIPAA” means the Title II, Subtitle F of the
Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et
seq, and the federal regulations adopted to implement the Act.
(20) “Individual” means the person who is the subject
of information collected, used, or disclosed by the Department.
(21) “Individually identifying information” means any
single item or compilation of information or data that indicates or reveals the
identity of an individual, either specifically (such as the individual’s name
or social security number), or from which the individual’s identity can be
reasonably ascertained.
(22) “Information” means personal information relating
to an individual, a participant, or a Department client.
(23) “Inmate” means a person incarcerated in or otherwise
confined in a correctional institution. An individual is no longer an inmate
when released on parole, probation, supervised release, or is otherwise no
longer in custody.
(24) “Institutional Review Board (IRB)” means a
specially constituted review body established or designated by an entity in
accordance with 45 CFR part 46 to protect the welfare of human subjects
recruited to participate in biomedical or behavioral research. The IRB must be
registered with the Office for Human Research Protection.
(25) “Law enforcement official” means an officer or
employee of any agency or authority of the federal government, a state,
territory, political subdivision of a state or territory, or Indian tribe who
is empowered by law to:
(a) Investigate and conduct an official inquiry into a
potential violation of law; or
(b) Prosecute or otherwise conduct a criminal, civil,
or administrative proceeding arising from an alleged violation of law.
(26) “Licensee” means a person or entity that applies
for or receives a license, certificate, registration, or similar authority from
the Department to perform or conduct a service, activity, or function.
(27) “Minimum necessary” means the least amount of
information, when using or disclosing confidential client information that is needed
to accomplish the intended purpose of the use, disclosure, or request.
(28) “Participant” means individuals participating in
Department population-based services, programs, and activities that serve the
general population, but who do not receive program benefits or direct services
received by a client. Examples of participants include individuals who contact
Department hotlines or the ombudsman for general public information services.
(29) “Payment” means any activities undertaken by a
covered entity related to a client to whom health care is provided in order to:
(a) Obtain premiums or to determine or fulfill its
responsibility for coverage and provision of benefits under the Medicaid
program or other publicly funded health care services; and
(b) Obtain or provide reimbursement for the provision
of health care.
(30) “Payment activities” means:
(a) Determinations of eligibility or coverage,
including coordination of benefits or the determination of cost sharing
amounts, and adjudication of health benefit or health care claims;
(b) Risk adjusting amounts due which are based on
enrollee health status and demographic characteristics;
(c) Billing, claims management, collection activities,
obtaining payment under a contract for reinsurance, and related health care
data processing;
(d) Review of health care services with respect to
medical necessity, coverage under a health plan, appropriateness of care, or
justification of charges;
(e) Utilization review activities, including
pre-certification and pre-authorization of services, concurrent and
retrospective review of services; and
(f) Disclosure to consumer reporting agencies related
to collection of premiums or reimbursement including name and address, date of
birth, payment history, account number, and name and address of the health care
provider or health plan.
(31) “Personal representative” means a person who has
authority to act on behalf of an individual in making decisions related to
health care.
(32) “Protected Health Information (PHI)” means any individually
identifiable health information, whether oral or recorded in any form or
medium, that is created or received by a health care provider, health plan,
public health authority, employer, life insurer, school or university, or
health care clearinghouse and relates to the past, present, or future physical
or mental health or condition of an individual; the provision of health care to
an individual; or the past, present, or future payment for the provision of
health care to an individual. Any data transmitted or maintained in any other
form or medium by covered entities, including paper records, fax documents, all
oral communications, or any other form, such as screen prints of eligibility
information, printed e-mails containing identified individual’s health
information, claim or billing information, or hard copy birth or death
certificates. PHI does not include school records that are subject to the
Family Educational Rights and Privacy Act and employment records held in the
Department’s role as an employer.
(33) “Protected information” means any participant or
client information that the Department may have in its records or files that
must be safeguarded pursuant to federal or state law. This includes but is not
limited to individually identifying information.
(34) “Provider” means a person or entity that may seek
reimbursement from the Department as a provider of services to Department
clients pursuant to a contract. For purposes of these rules, reimbursement may
be requested on the basis of claims or encounters or other means of requesting
payment.
(35) “Psychotherapy notes” means notes recorded in any
medium by a health care provider who is a mental health professional
documenting or analyzing the contents of conversations during a private
counseling session, or group, joint, or family counseling session, when the
notes are separated from the rest of the individual’s record. Psychotherapy
notes do not include medication prescription and monitoring, counseling session
start and stop times, the modalities and frequencies of treatment furnished,
results of clinical tests, and any summary of diagnosis, functional status,
treatment plan, symptoms, prognosis, or progress to date.
(36) “Public health Agency” means a public agency or a
person or entity acting under a grant of authority from or by contract with the
public agency that performs or conducts one or more of the following essential
functions that characterize public health programs, services, or activities:
(a) Monitor health status to identify community health
problems;
(b) Diagnose and investigate health problems and health
hazards in the community;
(A) Inform, educate, and empower people about health
issues;
(B) Mobilize community partnerships to identify and
solve health problems;
(C) Develop policies and plans that support individual
and community health efforts;
(D) Enforce laws and regulations that protect health
and ensure safety;
(E) Direct individuals to needed personal health
services and assure the provision of health care when otherwise unavailable;
(F) Ensure a competent public health and personal
health care workforce;
(G) Evaluate the effectiveness, accessibility, and
quality of personal and population-based health services; and
(H) Perform research for new insights and innovative
solutions to health problems.
(37) “Public health authority” means an agency or
authority of the federal government, a state, territory, political subdivision
of a state or territory, Indian tribe, or a person or entity acting under a
grant of authority from or by contract with the public agency, including the
employees or agents of the public agency, or its contractors, persons, or
entities to whom it has granted authority, that is responsible for public
health matters as part of its official mandate.
(38) “Re-disclosure” means the disclosure of
information to a person, a Department program, a Department subcontracted
entity, or other entity or person other than what was originally authorized.
(39) “Research” means systematic investigation,
including research development, testing, and evaluation, designed to develop or
contribute to generalized knowledge.
(40) “Required by law” means a duty or responsibility
that federal or state law specifies that a person or entity must perform or
exercise. Required by law includes but is not limited to court orders and
court-ordered warrants; subpoenas or summons issued by a court, grand jury, a
governmental or tribal inspector general, or an administrative body authorized
to require the production of information; a civil or an authorized
investigative demand; Medicare conditions of participation with respect to
health care providers participating in the program; and statutes or rules that
require the production of information, including statutes or rules that require
such information if payment is sought under a government program providing
public benefits.
(41) “Treatment” means the provision, coordination, or
management of health care and related services by one or more health care
providers, including the coordination or management of health care by a health
care provider with a third party, consultation between health care providers
relating to a patient, or the referral of a patient for health care from one
health care provider to another.
(42) “Use” means the sharing of individual information
within a Department program or the sharing of individual information between
program staff and administrative staff that support or oversee the program.
Stat. Auth.: ORS 409.050
Stats. Implemented: ORS 409.010
Hist.: OMAP 26-2003, f. 3-31-03 cert. ef. 4-1-03; Renumbered from 410-014-0000
by DHSD 5-2009, f. & cert. ef. 7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11
thru 12-27-11; DHSD 11-2011, f. & cert. ef. 12-16-11
407-014-0015
Information Governed by the HIPAA
Privacy Rules
(1) These rules address information that, among other
things, may be PHI that is protected by the HIPAA Privacy Rules. For purposes
of HIPAA Privacy Rules, the Authority is a covered entity, primarily because of
its role as the state Medicaid and Children’s Health Insurance Program.
(2) The Authority administers many aspects of the
medical assistance program with the assistance of the Department, including but
not limited to eligibility determinations for the medical assistance program
and supervising the long-term and community-based services for seniors and
people with disabilities. The Department also provides certain health care
operations services for the Authority. In doing so, the Department is a
business associate of the Authority. As a business associate of the Authority,
the Department is authorized to use and disclose protected health information
to perform or assist the Authority in the performance of its covered functions,
in a manner consistent with these rules.
(3) These rules only apply to information maintained by
the Department as a business associate of the Authority.
Stat. Auth.: ORS 409.050
Stats. Implemented: ORS 409.010
Hist.: DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011,
f. & cert. ef. 12-16-11
407-014-0020
Uses and Disclosures of Client or
Participant Protected Information
(1) Uses and disclosures with individual authorization.
The Department must obtain a completed and signed authorization for release of
information from the individual, or the individual’s personal representative,
before obtaining or using protected information about an individual from a
third party or disclosing protected information about the individual to a third
party.
(a) Uses and disclosures must be consistent with what
the individual has approved on the signed authorization form approved by the
Department.
(b) An individual may revoke an authorization at any
time. The revocation must be in writing and signed by the individual, except
that substance abuse treatment patients may orally revoke an authorization to
disclose information obtained from substance abuse treatment programs. No
revocation shall apply to information already released while the authorization
was valid and in effect.
(2) Uses and disclosures without authorization. The
Department may use and disclose information without written authorization in
the following circumstances:
(a) The Department may disclose information to
individuals who have requested disclosure to themselves of their information,
if the individual has the right to access the information under OAR
407-014-0030(6).
(b) If the law requires or permits the disclosure, and
the use and disclosure complies with, and is limited to, the relevant
requirements of the relevant law.
(c) For treatment, payment, and health care operations,
the Department may disclose the following information:
(A) Activities involving the current treatment of an
individual, for the Department or health care provider;
(B) Payment activities, for the Department, covered
entity, or health care provider;
(C) Protected health information for the purpose of
health care operations; and
(D) Substance abuse treatment information, if the
recipient has a Qualified Service Organization Agreement with the Department.
(d) Psychotherapy notes. The Department may only use
and disclose psychotherapy notes in the following circumstances:
(A) In the Department’s supervised counseling training
programs;
(B) In connection with oversight of the originator of
the psychotherapy notes; or
(C) To defend the Department in a legal action or other
proceeding brought by the individual.
(e) Public health activities.
(A) The Department may disclose an individual’s
protected information to appropriate entities or persons for governmental
public health activities and for other purposes including but not limited to:
(i) A governmental public health authority that is
authorized by law to collect or receive protected information for the purpose
of preventing or controlling disease, injury, or disability, including but not
limited to reporting disease, injury, and vital events such as birth or death,
and conducting public health surveillance, investigations, and interventions;
(ii) An official of a foreign government agency that is
acting in collaboration with a governmental public health authority;
(iii) A governmental public health authority, or other
government authority that is authorized by law to receive reports of child
abuse or neglect;
(iv) A person subject to the jurisdiction of the
federal Food and Drug Administration (FDA), regarding an FDA-regulated product
or activity for which that person is responsible for activities related to the
quality, safety, or effectiveness of an FDA-regulated product or activity; or
(v) A person who may have been exposed to a
communicable disease, or may be at risk of contracting or spreading a disease
or condition.
(B) Where state or federal law prohibits or restricts
use and disclosure of information obtained or maintained for public health
purposes, the Department shall deny the use and disclosure.
(f) Child abuse reporting and investigation. If the
Department has reasonable cause to believe that a child is a victim of abuse or
neglect, the Department may disclose protected information to appropriate
governmental authorities authorized by law to receive reports of child abuse or
neglect (including reporting to the Department protective services staff if
appropriate). If the Department receives information as the child protective
services agency, the Department may use and disclose the information consistent
with its legal authority and in compliance with any applicable state and
federal regulations.
(g) Adult abuse reporting and investigation. If the
Department has reasonable cause to believe that a vulnerable adult is a victim
of abuse or neglect, the Department may disclose information, as required by
law, to a government authority or regulatory agency authorized by law to
receive reports of abuse or neglect including but not limited to a social
service or protective services agency (which may include the Department)
authorized by law to receive such reports. Vulnerable adults are adults age 65
or older and persons with disabilities. If the Department receives information
as the social services or protective services agency, the Department may use
and disclose the information.
(h) Health oversight activities. The Department may
disclose information without authorization for health oversight activities
including audits; civil, criminal, or administrative investigations,
prosecutions, licensing or disciplinary actions; Medicaid fraud; or other
necessary oversight activities.
(i) Administrative and court hearings, grievances,
investigations, and appeals.
(A) The Department may use or disclose information for
an investigation, administrative or court hearing, grievance, or appeal about
an individual’s eligibility or right to receive Department benefits or
services.
(B) If the Department has obtained information in
performing its duties as a health oversight agency, protective service entity,
or public benefit program, the Department may use or disclose that information
in an administrative or court hearing consistent with the other privacy
requirements applicable to that program, service, or activity.
(j) Court orders. The Department may disclose
information for judicial or administrative proceedings in response to a court
order, subpoena, discovery request, or other legal process. If a court orders
the Department to conduct a mental examination pursuant to ORS 161.315, 161.365,
161.370, or 419B.352, or orders the Department to provide any other report or
evaluation to the court, the examination, report, or evaluation shall be deemed
to be required by law for purposes of HIPAA.
(k) Law enforcement purposes. For limited law enforcement
purposes, the Department may report certain injuries or wounds; provide
information to identify or locate a suspect, victim, or witness; alert law
enforcement of a death as a result of criminal conduct; and provide information
which constitutes evidence of criminal conduct on Department premises.
(A) The Department may provide client information to a
law enforcement officer in any of the following situations:
(i) The law enforcement officer is involved in carrying
out any investigation, criminal, or civil proceedings connected with
administering the program from which the information is sought;
(ii) A Department employee may disclose information
from personal knowledge that does not come from the client’s interaction with
the Department;
(iii) The disclosure is authorized by statute or
administrative rule;
(iv) The information informs law enforcement of a death
as a result of criminal conduct;
(v) The information constitutes evidence of criminal
conduct on Department premises; or
(vi) The disclosure is necessary to protect the client
or others, and the client poses a threat to his or her safety or to the safety
of others.
(B) Except as provided in section (2)(k)(C) of this
rule, the Department may give a client’s current address, Social Security number,
and photo to a law enforcement officer if the law enforcement officer makes the
request in the course of official duty, supplies the client’s name, and states
that the client:
(i) Is a fugitive felon or is violating parole,
probation, or post-prison supervision;
(ii) For all public assistance programs, has
information that is necessary for the officer to conduct official duties, and
the location or apprehension of the client is within the officer’s official
duties; or
(iii) For clients only in the SNAP program, has
information that is necessary to conduct an official investigation of a
fugitive felon or person violating parole, probation, or post-prison
supervision.
(C) If domestic violence has been identified in the
household, the Department may not release information about a victim of
domestic violence unless a member of the household is either wanted as a
fugitive felon or is violating parole, probation, or post-prison supervision.
(D) For purposes of this subsection, a fugitive felon
is a person fleeing to avoid prosecution or custody for a crime, or an attempt
to commit a crime, that would be classified as a felony.
(E) For purposes of this section, a law enforcement
officer is an employee of the Oregon State Police, a county sheriff’s
department, or a municipal police department, whose official duties include
arrest authority.
(l) Use and disclosure of information about deceased
individuals.
(A) The Department may disclose individual information
to a coroner or medical examiner for the purpose of identifying a deceased
individual, determining cause of death, or other duties authorized by law.
(B) The Department may disclose individual information
to funeral directors as needed to carry out their duties regarding the
decedent. The Department may also disclose individual information prior to, and
in anticipation of, the death.
(m) Organ or tissue donation. The Department may
disclose individual information to organ procurement organizations or other
entities engaged in procuring, banking, or transplanting cadaver organs, eyes,
or tissue for the purpose of facilitating transplantation.
(n) Research. The Department may disclose individual
information without authorization for research purposes, as specified in OAR
407-014-0060.
(o) Threat to health or safety. To avert a serious
threat to health or safety the Department may disclose individual information
if:
(A) The Department believes in good faith that the
information is necessary to prevent or lessen a serious and imminent threat to
the health or safety of a person or the public; and
(B) The report is to a person or persons reasonably
able to prevent or lessen the threat, including the target of the threat.
(p) National security and intelligence. The Department
may disclose information to authorized federal officials for lawful
intelligence, counterintelligence, and other national security activities.
(q) Correctional institutions and law enforcement
custody situations. The Department may disclose information to a correctional
institution or a law enforcement official having lawful custody of an inmate or
other person, for the limited purpose of providing health care or ensuring the
health or safety of the person or other inmates.
(r) Emergency treatment. In case of an emergency, the
Department may disclose individual information to the extent needed to provide
emergency treatment.
(s) Government entities providing public benefits. The
Department may disclose eligibility and other information to governmental
entities administering a government program providing public benefits.
(3) Authorization not required if opportunity to object
given. The Department may use and disclose an individual’s information without
authorization if the Department informs the individual in advance and gives the
individual an opportunity to either agree or refuse or restrict the use and
disclosure.
(a) These disclosures are limited to disclosure of
information to a family member, other relative, close personal friend of the
individual, or any other person named by the individual, subject to the
following limitations:
(A) The Department may disclose only the protected
information that directly relates to the person’s involvement with the
individual’s care or payment for care.
(B) The Department may use and disclose protected
information for notifying, identifying, or locating a family member, personal
representative, or other person responsible for care of the individual,
regarding the individual’s location, general condition, or death. For
individuals who had resided at one time at the state training center, OAR
411-320-0090(6) addresses family reconnection.
(C) If the individual is present for, or available
prior to, a use and disclosure, the Department may disclose the protected
information if the Department:
(i) Obtains the individual’s agreement;
(ii) Provides the individual an opportunity to object
to the disclosure, and the individual does not object; or
(iii) Reasonably infers from the circumstances that the
individual does not object to the disclosure.
(D) If the individual is not present, or the
opportunity to object to the use and disclosure cannot practicably be provided
due to the individual’s incapacity or an emergency situation, the Department
may disclose the information if, using professional judgment, the Department
determines that the use and disclosure is in the individual’s best interests.
(b) Exception. For individuals referred to or receiving
substance abuse treatment, mental health, or vocational rehabilitation
services, the Department shall not use or disclose information without written
authorization, unless disclosure is otherwise permitted under 42 CFR part 2, 34
CFR 361.38, or ORS 179.505.
(c) Personal representative. The Department must treat
a personal representative as the individual for purposes of these rules, except
that:
(A) A personal representative must be authorized under
state law to act on behalf of the individual with respect to use and disclosure
of information. The Department may require a personal representative to provide
a copy of the documentation authorizing the person to act on behalf of the
individual.
(B) The Department may elect not to treat a person as a
personal representative of an individual if:
(i) The Department has a reasonable belief that the
individual has been or may be subjected to domestic violence, abuse, or neglect
by the person;
(ii) The Department, in the exercise of professional
judgment, decides that it is not in the best interest of the individual to
treat the person as the individual’s personal representative.
(4) Redisclosure. The Department must inform the
individual that information held by the Department and authorized by the
individual for disclosure may be subject to redisclosure and no longer
protected by these rules.
(5) Specific written authorization. If the use or
disclosure of information requires an authorization, the authorization must
specify that the Department may use or disclose vocational rehabilitation
records, alcohol and drug records, HIV/AIDS records, genetics information, and
mental health or developmental disability records held by publicly funded
providers.
(a) Pursuant to federal regulations at 42 CFR part 2
and 34 CFR 361.38, the Department may not make further disclosure of vocational
rehabilitation and alcohol and drug rehabilitation information without the
specific written authorization of the individual to whom it pertains.
(b) Pursuant to ORS 433.045 and OAR 333-012-0270, the
Department may not make further disclosure of individual information pertaining
to HIV/AIDS.
(c) Pursuant to ORS 192.531 to 192.549, the Department
may not make further disclosure pertaining to genetic information.
(6) Verification of person or entity requesting
information. The Department may not disclose information about an individual
without first verifying the identity of the person or entity requesting the
information, unless the Department workforce member fulfilling the request
already knows the person or has already verified identity.
(7) Whistleblowers. The Department may disclose an
individual’s protected health information under the HIPAA privacy rules under
the following circumstances:
(a) The Department workforce member believes in good
faith that the Department has engaged in conduct that is unlawful or that
otherwise violates professional standards or Department policy, or that the
care, services, or conditions provided by the Department could endanger
Department staff, individuals in Department care, or the public; and
(b) The disclosure is to a government oversight agency
or public health authority, or an attorney of a Department workforce member
retained for the purpose of determining the legal options of the workforce
member with regard to the conduct alleged under section (7)(a) above; and
(c) Nothing in this rule is intended to interfere with
ORS 659A.200 to 659A.224 describing the circumstances applicable to disclosures
by the Department’s workforce.
Stat. Auth.: ORS 409.050
Stats. Implemented: ORS 409.010
& 433.045
Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0020 by DHSD 5-2009, f. & cert.
ef. 7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD
11-2011, f. & cert. ef. 12-16-11
407-014-0030
Client Privacy Rights
(1) Rights of clients to access their information.
Clients may access, inspect, and obtain a copy of information on their own
cases in Department files or records, consistent with federal and state law.
(a) A client may request access by completing the
Access to Records Request form, or by providing sufficient information to
accomplish this request.
(b) Clients may request access to their own information
that is kept by the Department by using a personal identifier such as the
client’s name or Department case number.
(c) If the Department maintains information in a record
that includes information about other people, the client may see information
only about himself or herself.
(d) If a person identified in the file is a minor child
of the client, and the client is authorized under Oregon law to have access to
the minor’s information or to act on behalf of the minor for making decisions
about the minor’s care, the client may obtain information about the minor.
(e) If the requestor of information is recognized under
Oregon law as the client’s guardian or custodian and is authorized under
Oregon law to have access to the client’s information or to act on behalf of
the client for making decisions about the client’s services or care, the
Department shall release information to the requestor.
(f) For individuals with disabilities or mental
illnesses, the named system in ORS 192.517, to protect and advocate the rights
of individuals with developmental disabilities under Part C of the
Developmental Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041 et
seq.) and the rights of individuals with mental illness under the Protection
and Advocacy for Individuals with Mental Illness Act (42 U.S.C. 10801 et seq.),
shall have access to all records defined in ORS 192.515.
(g) The Department may deny a client’s access to their
own PHI if federal law prohibits the disclosure. Clients may access, inspect,
and obtain a copy of health information on their own case in Department files
or records except for the following:
(A) Psychotherapy notes;
(B) Information compiled in reasonable anticipation of,
or for use in civil, criminal, or administrative proceedings;
(C) Information that is subject to the federal Clinical
Labs Improvement Amendments of 1988, or exempt pursuant to 42 CFR 493.3(a)(2);
(D) Information that the Department believes, in good
faith, can cause harm to the client, participant, or to any other person; and
(E) Documents protected by attorney work-product
privilege.
(h) The Department may deny a client access to
information that was obtained under a promise of confidentiality from a person
other than a health care provider to the extent that access would reveal the
source of the information.
(i) The Department may deny a client access to
information, if the Department gives the client a right to have the denial
reviewed when:
(A) A licensed health care professional (for health
information) or other designated staff (for other information) has determined,
in the exercise of professional judgment, that the information requested may
endanger the life or physical safety of the client or another person;
(B) The information makes reference to another person,
and a licensed health care professional (for health information) or other
designated staff (for other information) has determined, in the exercise of
professional judgment, that the information requested may cause substantial
harm to the client or to another person; or
(C) The request for access is made by the client’s personal
representative, and a licensed health care professional (for health
information) or other designated staff (for other information) has determined,
in the exercise of professional judgment, that allowing the personal
representative access to the information may cause substantial harm to the
client or to another person.
(j) If the Department denies access under section
(1)(i) of this rule, the client may have the decision reviewed by a licensed
health care professional (for health information) or other designated staff
(for other information) not directly involved in making the original denial
decision.
(A) The Department must promptly refer a client’s
request for review to the designated reviewer.
(B) The reviewer must determine, within the 30 or
60-day time limits stated in section (1)(k)(A) and (B) of this rule, whether to
approve or deny the client’s request for access.
(C) Based on the reviewer’s decision, the Department
shall:
(i) Promptly notify the client in writing of the
reviewer’s determination; and
(ii) If approved, take action to carry out the
reviewer’s determination.
(k) The Department must act on a client’s request for
access no later than 30 days after receiving the request, except as provided in
this section and in the case of written accounts under ORS 179.505, which must
be disclosed within five days.
(A) In cases where the information is not maintained or
accessible to the Department on-site, and does not fall under ORS 179.505, the
Department must act on the client’s request no later than 60 days after
receiving the request.
(B) If the Department is unable to act within the 30 or
60-day limits, the Department may extend this time period a maximum of 30
additional days, subject to the following:
(i) The Department must notify the client in writing of
the reasons for the delay and the date by which the Department shall act on the
request.
(ii) The Department shall use only one 30-day
extension.
(l) If the Department grants the client’s request, in
whole or in part, the Department must inform the client of the access decision
and provide the requested access.
(A) If the Department maintains the same information in
more than one format or at more than one location, the Department may provide
the requested information once.
(B) The Department must provide the requested
information in a form or format requested by the client, if readily producible
in that form or format. If not readily producible, the Department shall provide
the information in a readable hard-copy format or other format as agreed to by
the Department and the client.
(C) The Department may provide the client with a
summary of the requested information, in lieu of providing access, or may
provide an explanation of the information if access has been provided, if:
(i) The client agrees in advance; and
(ii) The client agrees in advance to pay any fees the
Department may impose, under section (1)(L)(E) of this rule.
(D) The Department shall arrange with the client for
providing the requested access in a time, place, and manner convenient for the
client and the Department.
(E) If a client, or legal guardian or custodian,
requests a copy, written summary, or explanation of the requested information,
the Department may impose a reasonable cost-based fee, limited to the
following:
(i) Copying the requested information, including the
costs of supplies and the labor of copying;
(ii) Postage; and
(iii) Staff time for preparing an explanation or
summary of the requested information.
(m) If the Department denies access, in whole or in
part, to the requested information, the Department must:
(A) Give the client access to any other requested
client information, after excluding the information to which access is denied;
and
(B) Provide the client with a timely written denial.
The denial must:
(i) Be provided within the time limits specified in
section (1)(k)(A) and (B) of this rule;
(ii) State the basis of the denial in plain language;
(iii) If the Department denies access under section
(1)(i) of this rule, explain the client’s review rights as specified in section
(1)(j) of this rule, including an explanation of how the client may exercise
these rights; and
(iv) Provide a description of how the client may file a
complaint with the Department, and if the information is PHI, with the United
States Department of Health and Human Services (DHHS), Office for Civil Rights,
pursuant to section (7) of this rule.
(n) If the Department does not maintain the requested
information, in whole or in part, and knows where the information is maintained
(such as by a medical provider, insurer, other public agency, private business,
or other non-Department entity), the Department must inform the client where to
direct the request for access.
(2) Department Notice of Privacy Practices. The
Department shall send clients notice about the Department’s privacy practices
as follows:
(a) The Department shall make available to each client
a notice of Department privacy practices that describes the duty of the
Department to maintain the privacy of PHI and include a description that
clearly informs the client of the types of uses and disclosures the Department
is permitted or required to make;
(b) The Department shall provide all clients in direct
care settings a notice of Department privacy practices and shall request the
client’s signature on an acknowledgement of receipt form;
(c) If the Department revises its privacy practices,
the Department shall make the revised notice available to all clients;
(d) The Department shall post a copy of the
Department’s Notice of Privacy Practices for public viewing at each Department
worksite and on the Department website; and
(e) The Department shall give a paper copy of the
Department’s Notice of Privacy Practices to any individual upon request.
(3) Right to request restrictions on uses or
disclosures. Clients may request restrictions on the use or disclosure of their
information.
(a) The Department must comply with the restriction if:
(A) Except as otherwise required by law, the disclosure
is to a health plan for purposes of carrying out payment or health care
operations (and is not for purposes of carrying out treatment); and
(B) The protected health information pertains solely to
a health care item or service for which the health care provider involved has
been paid out of pocket in full.
(b) The Department is not required to agree to a
restriction if the disclosure is:
(A) Required by law; or
(B) Not to a health plan for purposes of carrying out
payment or health care operations.
(c) The Department may not deny a client’s request to
restrict the sharing of records of alcohol and drug treatment or records
relating to vocational rehabilitation services with another Department program.
(d) The Department shall document the client’s request,
and the reasons for granting or denying the request, in the client’s Department
case file.
(e) If the client needs emergency treatment and the
restricted protected information is needed to provide the treatment, the
Department may use or disclose the restricted protected information to a
provider, for the limited purpose of providing treatment. However, once the
emergency situation subsides, the Department shall ask the provider not to
redisclose the information.
(f) The Department may terminate its agreement to a
restriction if:
(A) The client agrees to or requests the termination in
writing;
(B) The client orally requests or agrees to the
termination, and the Department documents the oral request or agreement in the
client’s Department case file; or
(C) With or without the client’s agreement, the
Department informs the client that the Department is terminating its agreement
to the restriction. Information created or received while the restriction was
in place shall remain subject to the restriction.
(4) Rights of clients to request to receive information
from the Department by alternative means or at alternative locations. The
Department must accommodate reasonable requests by clients to receive
communications from the Department by alternative means, such as by mail,
e-mail, fax, or telephone, and at an alternative location.
(a) The client must specify the preferred alternative
means or location.
(b) The client may submit the request for alternative
means or locations either orally or in writing.
(A) If the client makes a request in-person, the
Department shall document the request and ask for the client’s signature.
(B) If the client makes a request by telephone or
electronically, the Department shall document the request and verify the
identity of the client.
(c) The Department may terminate its agreement to an
alternative location or method of communication if:
(A) The client agrees to or requests termination of the
alternative location or method of communication in writing or orally. The
Department shall document the oral agreement or request in the client’s
Department case file; or
(B) The Department informs the client that the
Department is terminating its agreement to the alternative location or method
of communication because the alternative location or method of communication is
not effective. The Department may terminate its agreement to communicate at the
alternative location or by the alternate method if:
(i) The Department is unable to contact the client at
the location or by the method requested; or
(ii) The client fails to respond to payment requests,
if applicable.
(5) Right of clients to request amendment of their
information. Clients may request that the Department amend information about
themselves in Department files.
(a) For all amendment requests, the Department shall
have the client complete the approved Department form.
(b) The Department may deny the request or limit its
agreement to amend.
(c) The Department must act on the client’s request no
later than 60 days after receiving the request. If the Department is unable to
act within 60 days, the Department may extend this time limit by a maximum of
30 additional days, subject to the following:
(A) The Department must notify the client in writing,
within 60 days of receiving the request, of the reasons for the delay and the
date by which the Department shall act on the request; and
(B) The Department shall use only one 30-day extension.
(d) The program’s medical director, a licensed health
care professional designated by the program administrator, or a Department
staff person involved in the client’s case must review the request and any
related documentation prior to making a decision to amend a health or medical
record.
(e) A staff person designated by the Department shall
review the request and any related documentation prior to making a decision to
amend any information that is not a health or medical record.
(f) If the Department grants the request, in whole or
in part, the Department shall:
(A) Make the appropriate amendment to the information
or records, and document the amendment in the client’s Department file or
record;
(B) Provide notice to the client that the amendment has
been granted, pursuant to the time limits under section (5)(c) of this rule;
(C) Obtain the client’s agreement to notify other
relevant persons or entities with whom the Department has shared or needs to
share the amended information; and
(D) Inform and provide the amendment within a
reasonable time to:
(i) Persons named by the client who have received the
information and who need the amendment; and
(ii) Persons that the Department knows have the
information that is the subject of the amendment and who may have relied, or
could foreseeably rely, on the information to the client’s detriment.
(g) The Department may deny the client’s request for
amendment if:
(A) The Department finds the information to be accurate
and complete;
(B) The information was not created by the Department;
(C) The information is not part of Department records;
or
(D) The information would not be available for
inspection or access by the client, pursuant to section (1)(g) and (h) of this
rule.
(h) If the Department denies the amendment request, in
whole or in part, the Department must provide the client with a written denial.
The denial must:
(A) Be sent within the time limits specified in section
(5)(c) of this rule;
(B) State the basis for the denial, in plain language;
and
(C) Explain the client’s right to submit a written
statement disagreeing with the denial and how to file the statement. If the
client files a statement:
(i) The Department shall enter the written statement
into the client’s Department case file;
(ii) The Department may also enter a Department-written
rebuttal of the client’s written statement into the client’s Department case
file. The Department shall send a copy of any written rebuttal to the client;
(iii) The Department shall include a copy of the
statement and any Department-written rebuttal with any future disclosures of
the relevant information;
(iv) If a client does not submit a written statement of
disagreement, the client may ask that if the Department makes any further
disclosures of the relevant information, that the Department shall also include
a copy of the client’s original request for amendment and a copy of the
Department written denial; and
(v) The Department shall provide information on how the
client may file a complaint with the Department and, if the information is PHI,
with DHHS, Office for Civil Rights.
(6) Rights of clients to request an accounting of
disclosures of PHI. Clients may receive an accounting of disclosures of PHI
that the Department has made for any period of time, not to exceed six years,
preceding the request date for the accounting.
(a) For all requests for an accounting of disclosures,
the client may complete the authorized Department form “Request for Accounting
of Disclosures of Health Records,” or provide sufficient information to
accomplish this request.
(b) The right to an accounting of disclosures does not
apply when the request is:
(A) Authorized by the client;
(B) Made prior to April 14, 2003;
(C) Made to carry out treatment, payment, or health
care operations, unless these disclosures are made from an electronic health
record;
(D) Made to the client;
(E) Made to persons involved in the client’s care;
(F) Made as part of a limited data set in accordance
with OAR 407-014-0070;
(G) Made for national security or intelligence
purposes; or
(H) Made to correctional institutions or law
enforcement officials having lawful custody of an inmate.
(c) For each disclosure, the accounting must include:
(A) The date of the disclosure;
(B) The name and address, if known, of the person or
entity who received the disclosed information;
(C) A brief description of the information disclosed;
and
(D) A brief statement of the purpose of the disclosure
that reasonably informs the client of the basis for the disclosure, or, in lieu
of a statement, a copy of the client’s written request for a disclosure, if
any.
(d) If, during the time period covered by the
accounting, the Department has made multiple disclosures to the same person or
entity for the same purpose, the Department may provide the required
information for only the first disclosure. The Department need not list the
same identical information for each subsequent disclosure to the same person or
entity if the Department adds the following information:
(A) The frequency or number of disclosures made to the
same person or entity; and
(B) The date of the most recent disclosure during the time
period for which the accounting is requested.
(e) The Department must act on the client’s request for
an accounting no later than 60 days after receiving the request. If the
Department is unable to act within 60 days, the Department may extend this time
limit by a maximum of 30 additional days, subject to the following:
(A) The Department must notify the client in writing,
within 60 days of receiving the request, of the reasons for the delay and the
date by which the Department shall act on the request; and
(B) The Department shall use only one 30-day extension.
(f) The Department shall provide the first requested
accounting in any 12-month period without charge. The Department may charge the
client a reasonable cost-based fee for each additional accounting requested by
the client within the 12-month period following the first request, if the
Department:
(A) Informs the client of the fee before proceeding
with any additional request; and
(B) Allows the client an opportunity to withdraw or
modify the request in order to avoid or reduce the fee.
(g) The Department shall document the information
required to be included in an accounting of disclosures, as specified in
section (6)(c) of this rule, and retain a copy of the written accounting
provided to the client.
(h) The Department shall temporarily suspend a client’s
right to receive an accounting of disclosures that the Department has made to a
health oversight agency or to a law enforcement official, for a length of time
specified by the agency or official, if the agency or official provides a
written or oral statement to the Department that the accounting would be
reasonably likely to impede their activities. If the agency or official makes
an oral request, the Department shall:
(A) Document the oral request, including the identity
of the agency or official making the request;
(B) Temporarily suspend the client’s request to an
accounting of disclosures; and
(C) Limit the temporary suspension to no longer than 30
days from the date of the oral request, unless the agency or official submits a
written request specifying a longer time period.
(7) Filing a complaint. Clients may file a complaint
with the Department or, if the complaint concerns a violation of the HIPAA
Privacy or Security Rule, with DHHS, Office for Civil Rights.
(a) Upon request, the Department shall give clients the
name and address of the specific person or office where to submit complaints
to DHHS.
(b) The Department may not intimidate, threaten,
coerce, discriminate against, or take any other form of retaliatory action
against any individual filing a complaint or inquiring about how to file a
complaint.
(c) The Department may not require clients to waive
their rights to file a complaint as a condition of providing treatment,
payment, enrollment in a health plan, or eligibility for benefits.
(d) The Department shall designate staff to review and
determine action on complaints filed with the Department.
(e) The Department shall document, in the client’s
Department case file, all complaints, the findings from reviewing each
complaint, and the Department’s actions resulting from the complaint. For each
complaint, the documentation shall include a description of corrective action
that the Department has taken, if any are necessary, or why corrective action
is not needed.
Stat. Auth.: ORS 409.050
Stats. Implemented: ORS 409.010
Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0030 by DHSD 5-2009, f. & cert.
ef. 7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD
11-2011, f. & cert. ef. 12-16-11
407-014-0040
Minimum Necessary Standards
(1) The Department shall limit the use and disclosure
of protected information to that which is reasonably necessary to accomplish
the intended purpose of the use or disclosure, which is referred to in these
rules as the minimum necessary standard.
(2) This minimum necessary standard is not intended to
impede essential Department activities.
(3) The minimum necessary standard applies:
(a) When using protected information within the
Department;
(b) When disclosing protected information to a third
party in response to a request; or
(c) When requesting protected information from another
covered entity.
(4) The minimum necessary standard does not apply to:
(a) Disclosures to or requests by a health care
provider for treatment;
(b) Disclosures made to the individual, including
disclosures made in response to a request for access or an accounting;
(c) Disclosures made with a valid authorization;
(d) Disclosures made to DHHS for the purposes of
compliance and enforcement of federal regulations under 45 CFR part 160 and
required for compliance with 45 CFR part 164; or
(e) Uses and disclosures required by law.
(5) When requesting protected information about an
individual from another entity, the Department shall limit requests to those
that are reasonably necessary to accomplish the purposes for which the request
is made. The Department shall not request a person’s entire medical record
unless the Department can specifically justify the need for the entire medical
record.
Stat. Auth.: ORS 409.050
Stats. Implemented: 409.010
Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0040 by DHSD 5-2009, f. & cert.
ef. 7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD
11-2011, f. & cert. ef. 12-16-11
407-014-0050
Business Associate
(1) The Department is a business associate of the
Authority. The Authority is the single state Medicaid agency, but the
Department performs or assists in the performance of key components of the
medical assistance program under the supervision of the Authority including but
not limited to eligibility determinations for the medical assistance program
and supervising the long-term and community-based services for seniors and
people with disabilities. The Department also provides certain health care
operations services for the Authority. In doing so, the Department is a
business associate of the Authority. As a business associate of the Authority,
the Department is authorized to use and disclose protected health information
to perform or assist the Authority in the performance of its covered functions.
However, as a business associate, the Department is subject to the privacy
requirements described in these rules.
(2) As a business associate of the Authority
implementing the requirements of the medical assistance program, the Department
may disclose an individual’s PHI to its contractors or providers, and may allow
its contractors or providers to create or receive an individual’s PHI on behalf
of the Department if the contract or agreement complies with applicable
federal and state law. In some limited circumstances, the Department may
determine that the Department is a business associate of a covered entity. A
business associate relationship with the Department requires additional
contractual disclosure and privacy provisions that must be incorporated into
the contract pursuant to 45 CFR part 164-504(e)(1).
(3) A contract with a business associate must comply
with OAR 125-055-0100 to 125-055-0130 and the qualified service organization
requirements in 42 CFR part 2.11.
Stat. Auth.: ORS 409.050
Stats. Implemented: 409.010
Hist.: OMAP 26-2003, f. 3-31-03,
cert. ef. 4-1-03; Renumbered from 410-014-0050 by DHSD 5-2009, f. & cert.
ef. 7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD
11-2011, f. & cert. ef. 12-16-11
407-014-0060
Uses and Disclosures of Protected
Information for Research Purposes
The Department may use and disclose an individual’s
information for research purposes as specified in this rule.
(1) All research disclosures are subject to applicable
requirements of federal and state laws and rules including but not limited to
45 CFR part 46 and 21 CFR part 50.0 to 50.56, relating to the protection of
human research subjects.
(2) The Department may use and disclose de-identified
information or a limited data set for research purposes, pursuant to OAR
407-014-0070.
(3) The Department may use and disclose information
regarding an individual for research purposes with the specific written
authorization of the individual. The authorization must meet all requirements
in OAR 407-014-0030, and may indicate an expiration date with terms such as
“end of research study” or similar language. An authorization for use and
disclosure for a research study may be combined with other types of written
authorization for the same research study. If research includes treatment, the
researcher may require an authorization for use and disclosure for the research
as a provision of providing research related treatment.
(4) Notwithstanding section (3) of this rule, the
Department may use and disclose an individual’s information for research
purposes without the individual’s written authorization, regardless of the
source of funding for the research, provided that:
(a) The Department obtains documentation that a waiver
of an individual’s authorization for release of information requirements has
been approved by an IRB registered with the Office for Human Research
Protection. Documentation required of an IRB when granting approval of a waiver
of an individual’s authorization for release of information must include all
criteria specified in 45 CFR part 164.512(i)(2).
(b) A researcher may request access to individual
information maintained by the Department in preparation for research or to
facilitate the development of a research protocol in anticipation of research.
The Department may determine whether to permit such use or disclosure, without
individual authorization or use of an IRB, pursuant to 45 CFR part
164.512(i)(1)(ii).
(c) A researcher may request access to individual
information maintained by the Department about deceased individuals. The
Department may determine whether to permit such use or disclosure of
information about decedents, without individual authorization or use of an IRB,
pursuant to 45 CFR part 164.512(i)(1)(iii).
(5) The Department may collect, use, or disclose
information, without individual authorization, to the extent that the
collection, use, or disclosure is required by law. When the Department uses
information to conduct studies as required by law, no additional individual
authorization is required nor does this rule require an IRB or privacy board
waiver of authorization based on the HIPAA privacy rules.
(6) The Department may use and disclose information
without individual authorization for studies and data analysis conducted for
the Department’s own quality assurance purposes or to comply with reporting
requirements applicable to federal or state funding requirements in accordance
with the definition of “health care operations” in 45 CFR part 164.501.
Stat. Auth.: ORS 409.050
Stats. Implemented: ORS 409.010
Hist.: OMAP 26-2003, f. 3-31-03,
cert. ef. 4-1-03; Renumbered from 410-014-0060 by DHSD 5-2009, f. & cert.
ef. 7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD
11-2011, f. & cert. ef. 12-16-11
407-014-0070
De-identification of Client
Information and Use of Limited Data Sets under Data Use Agreements
(1) The Department may use and disclose information as
appropriate for the work of the Department, without further restriction, if the
Department or another entity has taken steps to de-identify the information
pursuant to 45 CFR part 164.514(a) and (b).
(2) The Department may assign a code or other means of
record identification to allow the Department to re-identify the de-identified
information provided that:
(a) The code or other means of record identification is
not derived from or related to information about the individual and cannot
otherwise be translated to identify the individual; and,
(b) The Department does not use or disclose the code or
other means of record identification for any other purpose, and does not
disclose the mechanism for re-identification.
(3) The Department may use and disclose a limited data
set if the Department enters into a data use agreement with an entity
requesting or providing the Department with a limited data set subject to the
requirements of 45 CFR part 164.514(e).
(a) The Department may use and disclose a limited data
set for the purposes of research. The Department may use a limited data set for
its own activities or operations if the Department has obtained a limited data
set that is subject to a data use agreement.
(b) If the Department knows of a pattern of activity or
practice of a limited data set recipient that constitutes a material breach or
violation of a data use agreement, the Department shall take reasonable steps
to cure the breach or end the violation. If such steps are unsuccessful, the
Department shall discontinue disclosure of information to the recipient and
report the problem to the appropriate authority.
Stat. Auth.: ORS 409.050
Stats. Implemented: ORS 409.010
Hist.: OMAP 26-2003, f. 3-31-03,
cert. ef. 4-1-03; Renumbered from 410-014-0070 by DHSD 5-2009, f. & cert.
ef. 7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD
11-2011, f. & cert. ef. 12-16-11
Rule
Caption: Department of Human Services’
Cooperative Relationship with the Oregon Health Authority.
Adm.
Order No.: DHSD 12-2011
Filed with Sec. of
State: 12-27-2011
Certified to be
Effective: 12-27-11
Notice Publication
Date: 12-1-2011
Rules Adopted: 407-043-0020
Rules Repealed: 407-043-0020(T)
Subject: HB 2009 (2009) created the Oregon Health Authority and
transferred to the Authority the Department of Human Services’ (Department)
divisions with respect to health and health care. The Department is adopting
these operational and programmatic rules to assure continuity as a part of the
operational transfer from functions previously performed by the Department as a
result of HB 2009 (2009). Adoption of this rule will repeal the temporary rule
in effect since July 1, 2011.
Among the
functions transferred to the Authority is the medical assistance program. This
rule provides for continuity in the relationship between the Department and the
Authority when working together in the administration of the medical assistance
program and that the Department and the Authority shall work cooperatively in
the administration of the medical assistance program, including making
determinations of eligibility and service need for medical assistance. This
rule also explains that the Authority designated the Department as the operating
agency for home and community-based waiver services and as an Organized Health
Care Delivery System.
Rules Coordinator: Jennifer Bittel—(503) 947-5250
407-043-0020
Cooperative Relationship with
Oregon Health Authority
(1) The Department of Human Services (Department) will
cooperate and collaborate with Oregon Health Authority (Authority) in order to
effectively coordinate services to individuals, families and communities and
realize operational efficiencies in the administration of services that can be
shared between them (“shared services”).
(2) In any Department rules, policies, or procedures
that refer to the programs, functions, and duties that were formerly part of
the Department that were transferred to the Authority, such reference shall be
considered a reference to the Authority.
(3) The Department acknowledges that the Authority is
the state Medicaid agency and the state Children’s Health Insurance Program
agency, authorized by state statute to administer the medical assistance
program. The Authority is also responsible for facilitating outreach and
enrollment efforts to connect eligible individuals with all available publicly
funded health programs.
(a) The Department and the Authority recognize that
there are many points of interconnection between their programs and the
individuals who receive services through these programs. In addition, there are
areas of natural connection between the Department and the Authority based upon
the former structure of the Department.
(b) The Department shall continue to work cooperatively
with the Authority in the administration of the medical assistance program,
including determinations of eligibility and service need for medical
assistance. The Authority has designated the Department as the operating agency
for the home and community-based waivers and as an Organized Health Care
Delivery System.
(c) The Department and the Authority are authorized by
state law to delegate to each other any duties, functions, and powers that they
deem necessary for the efficient and effective operation of their respective
functions. The Department and the Authority will work together to adopt rules
to assure that medical assistance eligibility requirements, procedures, and
determinations are consistent across both agencies. The Authority has
authorized the Department to determine medical eligibility for medical
assistance. Where that responsibility is given to the Department under ORS
Chapter 411, the Department has delegated to the Authority the duties,
functions and powers to make medical eligibility determinations in accordance
with OAR 410-120-0006.
(d) Where statute establishes duties and functions of
the Department or the Authority in relation to medical assistance as a public
assistance program, the Department and the Authority will cooperate in the
effective administration of the program.
Stat. Auth.: ORS 409.050
Stats. Implemented: ORS 413.032
Hist.: DHSD 3-2011(Temp), f. &
cert. ef. 7-1-11 thru 12-27-11; DHSD 12-2011, f. & cert. ef. 12-27-11
Rule
Caption: Amendments to Electronic Data
Transmission (EDT) Rules.
Adm.
Order No.: DHSD 13-2011
Filed with Sec. of
State: 12-27-2011
Certified to be
Effective: 12-27-11
Notice Publication
Date: 12-1-2011
Rules Amended: 407-120-0100, 407-120-0112, 407-120-0114,
407-120-0150, 407-120-0200
Rules Repealed: 407-120-0100(T), 407-120-0112(T), 407-120-0114(T),
407-120-0150(T), 407-120-0200(T)
Subject: The Department of Human Services (Department) is
amending these rules to ensure the Department’s EDT rules complement the
functionality of the Oregon Replacement Medicaid Management Information System
(MMIS) in conjunction with the Health Insurance Portability and Accountability
Act (HIPAA) transactions and code sets standards for the exchange of electronic
data. Adoption of these rules will repeal the temporary rules currently in
effect since July 1, 2011.
Rules Coordinator: Jennifer Bittel—(503) 947-5250
407-120-0100
Definitions
The following definitions apply to OAR 407-120-0100
through 407-120-0200:
(1) “Access” means the ability or means necessary to
read, write, modify, or communicate data or information or otherwise use any
information system resource.
(2) “Agent” means a third party or organization that
contracts with a provider, allied agency, or prepaid health plan (PHP) to
perform designated services in order to facilitate a transaction or conduct
other business functions on its behalf. Agents include billing agents, claims
clearinghouses, vendors, billing services, service bureaus, and accounts
receivable management firms. Agents may also be clinics, group practices, and
facilities that submit billings on behalf of providers but the payment is made
to a provider, including the following: an employer of a provider, if a
provider is required as a condition of employment to turn over his fees to the
employer; the facility in which the service is provided, if a provider has a
contract under which the facility submits the claim; or a foundation, plan, or
similar organization operating an organized health care delivery system, if a
provider has a contract under which the organization submits the claim. Agents
may also include electronic data transmission submitters.
(3) “Allied Agency” means local and regional allied
agencies and includes local mental health authority, community mental health
programs, Oregon Youth Authority, Department of Corrections, local health
departments, schools, education service districts, developmental disability
service programs, area agencies on aging, federally recognized American Indian
tribes, and other governmental agencies or regional authorities that have a
contract (including an interagency, intergovernmental, or grant agreement, or
an agreement with an American Indian tribe pursuant to ORS 190.110) with the
Department to provide for the delivery of services to covered individuals and
that request to conduct electronic data transactions in relation to the
contract.
(4) “Clinic” means a group practice, facility, or
organization that is an employer of a provider, if a provider is required as a
condition of employment to turn over his fees to the employer; the facility in
which the service is provided, if a provider has a contract under which the
facility submits the claim; or a foundation, plan, or similar organization
operating an organized health care delivery system, if a provider has a
contract under which the organization submits the claim; and the group
practice, facility, or organization is enrolled with the Department, and
payments are made to the group practice, facility, or organization. If the
entity solely submits billings on behalf of providers and payments are made to
each provider, then the entity is an agent.
(5) “Confidential Information” means information
relating to covered individuals which is exchanged by and between the
Department, a provider, PHP, clinic, allied agency, or agents for various
business purposes, but which is protected from disclosure to unauthorized
individuals or entities by applicable state and federal statutes such as ORS
344.600, 410.150, 411.320, 418.130, or the Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191 and its implementing
regulations. These statutes and regulations are collectively referred to as
“Privacy Statutes and Regulations.”
(6) “Contract” means a specific written agreement
between the Department and a provider, PHP, clinic, or allied agency that
provides or manages the provision of services, goods, or supplies to covered
individuals and where the Department and a provider, PHP, clinic, or allied agency
may exchange data. A contract specifically includes, without limitation, a
Department provider enrollment agreement, fully capitated health plan managed
care contract, dental care organization managed care contract, mental health
organization managed care contract, chemical dependency organization managed
care contract, physician care organization managed care contract, a county
financial assistance agreement, or any other applicable written agreement,
interagency agreement, intergovernmental agreement, or grant agreement between
the Department and a provider, PHP, clinic, or allied agency.
(7) “Covered Entity” means a health plan, health care
clearing house, health care provider, or allied agency that transmits any
health information in electronic form in connection with a transaction,
including direct data entry (DDE), and who must comply with the National
Provider Identifier (NPI) requirements of 45 CFR 162.402 through 162.414.
(8) “Covered Individual” means individuals who are
eligible for payment of certain services or supplies provided to them or their
eligible dependents by or through a provider, PHP, clinic, or allied agency
under the terms of a contract applicable to a governmental program for which
the Department processes or administers data transmissions.
(9) “Data” means a formalized representation of
specific facts or concepts suitable for communication, interpretation, or
processing by individuals or by automatic means.
(10) “Data Transmission” means the transfer or exchange
of data between the Department and a web portal or electronic data interchange
(EDI) submitter by means of an information system which is compatible for that
purpose and includes without limitation, web portal, EDI, electronic remittance
advice (ERA), or electronic media claims (EMC) transmissions.
(11) “Department” means the Department of Human
Services.
(12) “Department Network and Information Systems” means
the Department’s computer infrastructure that provides personal communications,
confidential information, regional, wide area and local networks, and the
internetworking of various types of networks on behalf of the Department.
(13) “Direct Data Entry (DDE)” means the process using
dumb terminals or computer browser screens where data is directly keyed into a
health plan’s computer by a provider or its agent, such as through the use of a
web portal.
(14) “Electronic Data Interchange (EDI)” means the
exchange of business documents from application to application in a federally
mandated format or, if no federal standard has been promulgated, using bulk
transmission processes and other formats as the Department designates for EDI
transactions. For purposes of these rules (OAR 407-120-0100 through
407-120-0200), EDI does not include electronic transmission by web portal.
(15) “Electronic Data Interchange Submitter” means an
individual or entity authorized to establish the electronic media connection
with the Department to conduct an EDI transaction. An EDI submitter may be a
trading partner or an agent of a trading partner.
(16) “Electronic Media” means electronic storage media
including memory devices in computers or computer hard drives; any removable or
transportable digital memory medium such as magnetic tape or disk, optical
disk, or digital memory card; or transmission media used to exchange
information already in electronic storage media. Transmission media includes
but is not limited to the internet (wide-open), extranet (using internet
technology to link a business with information accessible only to collaborating
parties), leased lines, dial-up lines, private networks, and the physical
movement of removable or transportable electronic storage media. Certain
transmissions, including paper via facsimile and voice via telephone, are not
considered transmissions by electronic media because the information being
exchanged did not exist in electronic form before transmission.
(17) “Electronic Media Claims (EMC)” means an
electronic media means of submitting claims or encounters for payment of
services or supplies provided by a provider, PHP, clinic, or allied agency to a
covered individual.
(18) “Electronic Remittance Advice (ERA)” means an
electronic file in X12 format containing information pertaining to the
disposition of a specific claim for payment of services or supplies rendered to
covered individuals which are filed with the Department on behalf of covered
individuals by providers, clinics, or allied agencies. The documents include,
without limitation, the provider name and address, individual name, date of
service, amount billed, amount paid, whether the claim was approved or denied,
and if denied, the specific reason for the denial. For PHPs, the remittance
advice file contains information on the adjudication status of encounter claims
submitted.
(19) “Electronic Data Transaction (EDT)” means a
transaction governed by the Health Insurance Portability and Accountability Act
(HIPAA) transaction rule, conducted by either web portal or EDI.
(20) “Envelope” means a control structure in a mutually
agreed upon format for the electronic interchange of one or more encoded data
transmissions either sent or received by an EDI submitter or the Department.
(21) “HIPAA Transaction Rule” means the standards for
electronic transactions at 45 CFR Part 160 and 162 (version in effect on January
1, 2008) adopted by the Department of Health and Human Services (DHHS) to
implement the Health Insurance Portability and Accountability Act of 1996, 42
USC 1320d et seq.
(22) “Incident” means the attempted or successful
unauthorized access, use, disclosure, modification, or destruction of an
information system or information asset including but not limited to
unauthorized disclosure of information, failure to protect user IDs, and theft
of computer equipment using or storing Department information assets or
confidential information.
(23) “Individual User Profile (IUP)” means Department
forms used to authorize a user, identify their job assignment, and the required
access to the Department’s network and information system. It generates a
unique security access code used to access the Department’s network and
information system.
(24) “Information Asset” means all information, also
known as data, provided through the Department, regardless of the source, which
requires measures for security and privacy of the information.
(25) “Information System” means an interconnected set
of information resources under the same direct management control that shares
common functionality. A system normally includes hardware, software,
information, data, applications, communications, and trained personnel
necessary for successful data transmission.
(26) “Lost or Indecipherable Transmission” means a data
transmission which is never received by or cannot be processed to completion by
the receiving party in the format or composition received because it is garbled
or incomplete, regardless of how or why the message was rendered garbled or
incomplete.
(27) “Mailbox” means the term used by the Department to
indicate trading partner-specific locations on the Department’s secure file transfer
protocol (SFTP) server to deposit and retrieve electronic data identified by a
unique Department assigned trading partner number.
(28) “Password” means the alpha-numeric codes assigned
to an EDI submitter by the Department for the purpose of allowing access to the
Department’s information system, including the web portal, for the purpose of
successfully executing data transmissions or otherwise carrying out the express
terms of a trading partner agreement or provider enrollment agreement and these
rules.
(29) “Personal Identification Number (PIN)” means the
alpha-numeric codes assigned to web portal submitters by the Department for the
purpose of allowing access to the Department’s information system, including
the web portal, for the purpose of successfully executing DDE, data
transmissions, or otherwise carrying out the express terms of a trading partner
agreement, provider enrollment agreement, and these rules.
(30) “Prepaid Health Plan (PHP) or Plan” means a
managed health care, dental care, chemical dependency, physician care
organization, or mental health care organization that contracts with the
Department on a case managed, prepaid, capitated basis under the Oregon Health
Plan (OHP).
(31) “Provider” means an individual, facility,
institution, corporate entity, or other organization which supplies or provides
for the supply of services, goods or supplies to covered individuals pursuant
to a contract, including but not limited to a provider enrollment agreement
with the Department. A provider does not include billing providers as used in
the Division of Medical Assistance (DMAP) general rules. DMAP billing providers
are defined in these rules as agents, except for DMAP billing providers that
are clinics.
(32) “Provider Enrollment Agreement” means an agreement
between the Department and a provider for payment for the provision of covered
services to covered individuals.
(33) “Registered Transaction” means each type of EDI
transaction applicable to a trading partner that must be registered with the
Department before it can be tested or approved for EDI transmission.
(34) “Security Access Codes” means the alpha-numeric
codes assigned by the Department to the web portal submitter or EDI submitter
for the purpose of allowing access to the Department’s information system,
including the web portal, to execute data transmissions or otherwise carry out
the express terms of a trading partner agreement, provider enrollment
agreement, and these rules. Security access codes may include passwords, PINs,
or other codes.
(35) “Source Documents” means documents or electronic
files containing underlying data which is or may be required as part of a data
transmission with respect to a claim for payment of charges for medical services
or supplies provided to a covered individual, or with respect to any other
transaction. Examples of data contained within a specific source document
include but are not limited to an individual’s name and identification number,
claim number, diagnosis code for the services provided, dates of service,
service procedure description, applicable charges for the services provided,
and a provider’s, PHP’s, clinic’s, or allied agency’s name, identification
number, and signature.
(36) “Standard” means a rule, condition, or requirement
describing the following information for products, systems, or practices:
(a) Classification of components;
(b) Specification of materials, performance, or
operations; or
(c) Delineation of procedures.
(37) “Standards for Electronic Transactions” means a
transaction that complies with the applicable standard adopted by DHHS to
implement standards for electronic transactions.
(38) “Submitter” means a provider, PHP, clinic, or
allied agency that may or may not have entered into a trading partner agreement
depending upon whether the need is to exchange electronic data transactions or
access the Department’s web portal.
(39) “Transaction” means the exchange of data between
the Department and a provider using web portal access or a trading partner
using electronic media to carry out financial or administrative activities.
(40) “Trade Data Log” means the complete written
summary of data and data transmissions exchanged between the Department and an
EDI submitter during the period of time a trading partner agreement is in
effect and includes but is not limited to sender and receiver information, date
and time of transmission, and the general nature of the transmission.
(41) “Trading Partner” means a provider, PHP, clinic,
or allied agency that has entered into a trading partner agreement with the
Department in order to satisfy all or part of its obligations under a contract
by means of EDI, ERA, or EMC, or any other mutually agreed means of electronic
exchange or transfer of data.
(42) “Trading Partner Agreement (TPA)” means a specific
written request by a provider, PHP, clinic, or allied agency to conduct EDI
transactions that governs the terms and conditions for EDI transactions in the
performance of obligations under a contract. A provider, PHP, clinic, or allied
agency that has executed a TPA will be referred to as a trading partner in
relation to those functions.
(43) “User” means any individual or entity authorized
by the Department to access network and information systems or information assets.
(44) “User Identification Security (UIS)” means a
control method required by the Department to ensure that only authorized users
gain access to specified information assets. One method of control is the use
of passwords and PINs with unique user identifications.
(45) “Web Portal” means a site on the World Wide Web
that typically provides secure access with personalized capabilities to its
visitors and a pathway to other content designed for use with the Department’s
specific DDE applications.
(46) “Web Portal Submitter” means an individual or
entity authorized to establish an electronic media connection with the
Department to conduct a DDE transaction. A web portal submitter may be a
provider or a provider’s agent.
Stat. Auth.: ORS 409.050 &
414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f.
& cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03;
DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from
410-001-0100, DHSD 1-2008, f. & cert. ef. 2-1-08; DHSD 5-2011(Temp), f.
& cert. ef. 7-1-11 thru 12-27-11; DHSD 13-2011, f. & cert. ef. 12-27-11
407-120-0112
Scope and Sequence of Electronic
Data Transmission Rules
(1) The Department communicates with and receives
communications from its providers, PHPs, and allied agencies using a variety of
methods appropriate to the services being provided, the nature of the entity
providing the services, and constantly changing technology. These rules
describe some of the basic ways that the Department will exchange data
electronically. Additional details may be provided in the Department’s access
control rules, provider-specific rules, or the applicable contract documents.
(2) Access to eligibility information about covered individuals
may occur using one or more of the following methods:
(a) Automated voice response, via a telephone;
(b) Web portal access;
(c) EDI submitter access; or
(d) Point of sale (POS) for pharmacy providers.
(3) Claims for which the Department is responsible for
payment or encounter submissions made to the Department may occur using one or
more of the following methods:
(a) Paper, using the form specified in the provider
specific rules and supplemental billing guidance. Providers may submit paper
claims, except that pharmacy providers are required to use the POS process for
claims submission and PHPs are required to use the 837 electronic formats;
(b) Web portal access;
(c) EDI submitter access; or
(d) POS for pharmacy providers.
(4) Department informational updates, provider record
updates, depository for PHP reports, or EDT as specified by the Department for
contract compliance.
(5) Other Department network and information system
access is governed by specific program requirements, which may include but is
not limited to IUP access. Affected providers, PHPs, and allied agencies will
be separately instructed about the access and requirements. Incidents are
subject to these rules.
(6) Providers and allied agencies that continue to use
only paper formats for claims transactions are only subject to the
confidentiality and security rule, OAR 407-120-0170.
Stat. Auth.: ORS 409.050 &
414.065
Stats. Implemented: ORS 414.065
Hist.: DHSD 13-2007(Temp), f.
12-31-07, cert. ef. 1-1-08 thru 6-28-08; DHSD 1-2008, f. & cert. ef.
2-1-08; DHSD 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD
13-2011, f. & cert. ef. 12-27-11
407-120-0114
Provider Enrollment Agreement
(1) When a provider applies to enroll, the application
form will include information about how to participate in the web portal for
use of DDE and automated voice response (AVR) inquiries. The enrollment
agreement will include a section describing the process that will permit the
provider, once enrolled, to participate in DDE over the Internet using the secure
Department web portal. This does not include providers enrolled through the use
of the DMAP 3108 Managed Care Plan and FFS Non Paid Provider Application.
(2) When the provider number is issued by the
Department, the provider will also receive two PINs: one that may be used to
access the web portal and one that may be used for AVR.
(a) If the PINs are not activated within 60 days of
issuance, the Department will initiate a process to inactivate the PIN. If the
provider wants to use PIN-based access to the web portal or AVR after
deactivation, the provider must submit an update form to obtain another PIN.
(b) Activating the PIN will require Internet access and
the provider must supply security data that will be associated with the use of
the PIN.
(c) Providers using the PIN are responsible for
protecting the confidentiality and security of the PIN pursuant to OAR
407-120-0170.
Stat. Auth.: ORS 409.050 &
414.065
Stats. Implemented: ORS 414.065
Hist.: DHSD 13-2007(Temp), f.
12-31-07, cert. ef. 1-1-08 thru 6-28-08; DHSD 1-2008, f. & cert. ef.
2-1-08; DHSD 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD
13-2011, f. & cert. ef. 12-27-11
407-120-0150
Testing — EDI Transactions
(1) When a trading partner or authorized EDI submitter
registers an EDI transaction with the Department, the Department may require
testing before authorizing the transaction. Testing may include third party and
business-to-business testing. An EDI submitter must be able to demonstrate its
capacity to send and receive each transaction type for which it has registered.
The Department will reject any EDI transaction if an EDI submitter either
refuses or fails to comply with the Department testing requirements.
(2) The Department may require EDI submitters to
complete compliance testing at an EDI submitter’s expense for each transaction
type if either the Department or an EDI submitter has experienced a change to
hardware or software applications by entering into business-to-business
testing.
(3) When third party or business-to-business testing is
completed to the Department’s satisfaction, the Department will notify an EDI
submitter that it will register and accept the transactions in the production
environment. This notification authorizes an EDI submitter to submit the
registered EDI transactions to the Department for processing and response, as
applicable. If there are any changes in the trading partner or EDI submitter
authorization, profile data or EDI registration information on file with the
Department, updated information must be submitted to the Department as required
in OAR 407-120-0190.
(4) Testing will be conducted using secure electronic
media communications methods.
(5) An EDI submitter may be required to re-test with
the Department if the Department format changes or if the EDI submitter format
changes.
Stat. Auth.: ORS 409.050 &
414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f.
& cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03;
DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from
410-001-0150, DHSD 1-2008, f. & cert. ef. 2-1-08; DHSD 5-2011(Temp), f.
& cert. ef. 7-1-11 thru 12-27-11; DHSD 13-2011, f. & cert. ef. 12-27-11
407-120-0200
Department System Administration
(1) No individual or entity shall be registered to
conduct a web portal or an EDI transaction with the Department except as
authorized under these rules. Eligibility and continued participation as a
provider, PHP, allied agency, or web portal submitter in the conduct of DDE
transactions, or as a trading partner or EDI submitter in the conduct of
registered transactions, is conditioned on the execution and delivery of the
documents required in these rules, the continued accuracy of that information
consistent with OAR 407-120-0190, and compliance with the requirements of these
rules. Data, including confidential information, governed by these rules may be
used for purposes related to treatment, payment, and health care operations and
for the administration of programs or services by the Department.
(2) In addition to the requirements of section (1) of
this rule, in order to qualify as a trading partner:
(a) An individual or entity must be a Department
provider, PHP, clinic, or allied agency pursuant to a current valid contract;
and
(b) A provider, PHP, clinic, or allied agency must have
submitted an executed TPA and all related documentation, including the
application for authorization, that identifies and authorizes an EDI submitter.
(3) In addition to the requirements of section (1) of
this rule, in order to qualify as an EDI submitter:
(a) A trading partner must have identified the
individual or entity as an authorized EDI submitter in the application for
authorization;
(b) If a trading partner identifies itself as an EDI
submitter, the application for authorization must include the information
required in the “Trading Partner Authorization of EDI Submitter” and the “EDI
Submitter Information”; and
(c) If a trading partner uses an agent as an EDI
submitter, the application for authorization must include the information
described in section (3)(b) and the signed EDI submitter certification.
(4) The EDI registration process described in these
rules provides the Department with essential profile information that the
Department may use to confirm that a trading partner or EDI submitter is not
otherwise excluded or disqualified from submitting EDI transactions to the
Department.
(5) Nothing in these rules or a TPA prevents the Department
from requesting additional information from a trading partner or an EDI
submitter to determine their qualifications or eligibility for registration as
a trading partner or EDI submitter.
(6) The Department shall deny a request for
registration as a trading partner or for authorization of an EDI submitter or
an EDI registration if it finds any of the following:
(a) A trading partner or EDI submitter has
substantially failed to comply with the applicable administrative rules or
laws;
(b) A trading partner or EDI submitter has been
convicted of (or entered a plea of nolo contendere) a felony or misdemeanor
related to a crime or violation of federal or state public assistance laws or
privacy statutes or regulations;
(c) A trading partner or EDI submitter is excluded from
participation in the Medicare program, as determined by the DHHS secretary; or
(d) A trading partner or EDI submitter fails to meet
the qualifications as a trading partner or EDI submitter.
(7) Failure to comply with these rules, trading partner
agreement, or EDI submitter certification or failure to provide accurate
information on an application or certification may also result in sanctions and
payment recovery pursuant to applicable Department program contracts or rules.
(8) For providers using the DDE submission system by
the Department web portal, failure to comply with the terms of these rules, a
web portal registration form, or failure to provide accurate information on the
registration form may result in sanctions or payment recovery pursuant to the
applicable Department program contracts or rules.
Stat. Auth.: ORS 409.050 &
414.065
Stats. Implemented: ORS 414.065
Hist.: OMAP 25-2003(Temp), f.
& cert. ef. 3-21-03 thru 9-8-03; OMAP 55-2003, f. & cert. ef. 8-22-03;
DMAP 30-2007(Temp), f. 12-31-07, cert. ef. 1-1-08 thru 6-28-08; Renumbered from
410-001-0200, DHSD 1-2008, f. & cert. ef. 2-1-08; DHSD 5-2011(Temp), f.
& cert. ef. 7-1-11 thru 12-27-11; DHSD 13-2011, f. & cert. ef. 12-27-11
Notes
1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2011.
2.) Copyright 2012 Oregon Secretary of State