Secretary of State home | State Archives home

800 Summer St NE Salem OR 97310
503 373 0701 | Mon-Fri: 8am-4:45pm

Oregon State Archives

Oregon Bulletin

August 1, 2011

Oregon Health Authority
Chapter 943

Rule Caption: Rulemaking procedures and delegation of rulemaking authority for Oregon Health Authority.

Adm. Order No.: OHA 1-2011

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11

Notice Publication Date: 5-1-2011

Rules Adopted: 943-001-0005, 943-001-0007

Subject: These rules bring the agency into compliance with current statutes related to rulemaking filings and delegation of rulemaking authority requirements. The Authority is adopting these rules in Chapter 943 which applies to administrative rules for the Authority agency-wide. These rules conform with the Notice of Proposed Rulemaking and temporary rule filing requirements in ORS chapter 183.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-001-0005

Notice of Proposed Rulemaking and Adoption of Temporary Rules

(1) Except as provided in ORS 183.335(7) or (12) or 183.341, before permanently adopting, amending, or repealing an administrative rule, the Authority shall give notice of the intended action:

(a) To legislators specified in ORS 183.335(15) at least 49 days before the effective date of the rule;

(b) To persons on the interested parties lists described in section (2) of this rule for the pertinent OAR chapter or pertinent subtopics or programs within an OAR chapter at least 28 days before the effective date of the rule;

(c) In the Secretary of State’s Bulletin referred to in ORS 183.360 at least 21 days before the effective date of the rule;

(d) To other persons, agencies, or organizations that the Authority is required to provide an opportunity to comment pursuant to state statute or federal law or as a requirement of receiving federal funding, at least 28 days before the effective date of the rule;

(e) To the Associated Press and the Capitol Press Room at least 28 days before the effective date of the rule; and

(f) In addition to the above, the Authority may send notice of intended action to other persons, agencies, or organizations that the Authority , in its discretion, believes to have an interest in the subject matter of the proposed rule at least 28 days before the effective date of the rule.

(2) Pursuant to ORS 183.335(8), the Authority shall maintain an interested parties list for each OAR chapter of rules for which the Authority has administrative responsibility, and an interested parties list for subtopics or programs within those chapters. A person, group, or entity that desires to be placed on the list to receive notices regarding proposed permanent adoption, amendment, or repeal of a rule must make the request in writing or by electronic mail to the rules coordinator for the chapter. The request must include either a mailing address or an electronic mail address to which notices may be sent.

(3) Notices under this rule may be sent by hand delivery, state shuttle, postal mail, electronic mail, or facsimile. The Authority recognizes state shuttle as “mail” and may use this means to notify other state agencies.

(a) An email notification under section (1) of this rule may consist of any of the following:

(A) An email that attaches the Notice of Proposed Rulemaking or Notice of Proposed Rulemaking Hearing and Statement of Need and Fiscal Impact.

(B) An email that includes a link within the body of the email, allowing direct access online to the Notice of Proposed Rulemaking or Notice of Proposed Rulemaking Hearing and Statement of Need and Fiscal Impact.

(C) An email with specific instructions within the body of the email, usually including an electronic Universal Resource Locator (URL) address, to find the Notice of Proposed Rulemaking or Notice of Proposed Rulemaking Hearing and Statement of Need and Fiscal Impact.

(b) The Authority may use facsimile as an added means of notification, if necessary. Notification by facsimile under section (1) of this rule shall include the Notice of Proposed Rulemaking or Notice of Proposed Rulemaking Hearing and Statement of Need and Fiscal Impact, or specific instructions to locate these documents online.

(c) The Authority shall honor all written requests that notification be sent by postal mail instead of electronically if a mailing address is provided.

(4) If the Authority adopts or suspends a temporary rule, the Authority shall notify:

(a) Legislators specified in ORS 183.335(15);

(b) Persons on the interested parties list described in section (2) of this rule for the pertinent OAR chapter, subtopics, or programs within an OAR chapter;

(c) Other persons, agencies, or organizations that the Authority is required to notify pursuant to state statute or federal law or as a requirement of receiving federal funding; and

(d) The Associated Press and the Capitol Press Room; and

(e) In addition to the above, the Authority may send notice to other persons, agencies, or organizations that the Authority, in its discretion, believes to have an interest in the subject matter of the temporary rulemaking.

(5) In lieu of providing a copy of the rule or rules as proposed with the notice of intended action or notice concerning the adoption of a temporary rule, the Authority may state how and where a copy may be obtained on paper, by electronic mail, or from a specified web site.

Stat. Auth: ORS 183.341 & 413.042

Stats. Implemented: ORS 183.330, 183.335, & 183.341

Hist.: OHA 1-2011, f. & cert. ef. 7-1-11

943-001-0007

Delegation of Rulemaking Authority

Any officer or employee of the Oregon Health Authority who is identified on a completed Delegation of Authority form signed by the Director or Deputy Director of the Authority and filed with the Secretary of State, Administrative Rules Unit, is vested with the authority to adopt, amend, repeal, or suspend administrative rules as provided on that form until the delegation is revoked by the Director or Deputy Director of the Authority, or the person leaves employment with the Authority.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 183.325

Stat. Auth: ORS 183.341 & 413.042

Stats. Implemented: ORS 183.330, 183.335, & 183.341

Hist.: OHA 1-2011, f. & cert. ef. 7-1-11

Rule Caption: Authorization for Authority employees to appear on behalf of the Authority in contested case hearings.

Adm. Order No.: OHA 2-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-001-0009

Subject: Provides authorization for Authority employees or officers (lay representatives) to appear on behalf of the Authority in contested case hearings. Prohibits Authority lay representatives from making legal arguments and explains process for submitting legal argument when necessary.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-001-0009

Lay Representation in Contested Case Hearings

(1) Contested case hearings are conducted in accordance with the Attorney General’s model rules at OAR 137-003-0501 to 0700. Subject to the approval of the Attorney General, an officer or employee of the Oregon Health Authority (Authority) is authorized to appear on behalf of the agency in the following types of hearings conducted by the Authority:

(a) Eligibility and termination determinations related to medical assistance coverage.

(b) Suspension, reduction, or denial of medical assistance services, prior authorization, or medical management decisions.

(d) Eligibility for or termination of health insurance premium assistance, or determination of subsidy levels.

(e) Provider issues including provider enrollment or denial of enrollment, overpayment determinations, audits, and sanctions.

(f) Other administrative actions including criminal background checks, hardship waivers related to medical assistance, client overpayments related to medical assistance.

(g) Oregon State Hospital’s involuntary administration of a significant procedure to a patient or resident.

(2) The agency representative may not make legal argument on behalf of the agency.

(a) “Legal argument” includes arguments on:

(A) The jurisdiction of the agency to hear the contested case;

(B) The constitutionality of a statute or rule or the application of a constitutional requirement to an agency; and

(b) “Legal argument” does not include presentation of motions, evidence, examination and cross-examination of witnesses or presentation of factual arguments or arguments on:

(A) The application of the statutes or rules to the facts in the contested case;

(B) Comparison of prior actions of the agency in handling similar situations;

(D) The admissibility of evidence;

(E) The correctness of procedures being followed in the contested case hearing.

(3) When an agency officer or employee appears on behalf of the Authority, the administrative law judge shall advise the representative of the manner in which objections may be made and matters preserved for appeal. Such advice is of a procedural nature and does not change applicable law on waiver or the duty to make timely objection. Where such objections involve legal argument, the administrative law judge provide reasonable opportunity for the agency officer or employee to consult legal counsel and permit the Authority’s legal counsel to file written legal argument within a reasonable time after the conclusion of the hearing.

Stat. Auth: ORS 413.042

Stats Implemented: ORS 183.452

Hist.: OHA 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Oregon Health Authority Shared Service and
Cooperative Relationships with Department of Human Services.

Adm. Order No.: OHA 3-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-001-0020

Subject: HB 2009 (2009) created the Oregon Health Authority and transferred to the Authority the Department of Human Services’ (Department) Divisions with respect to health and health care. Effective July 1, 2011 the Authority adopts these operational and programmatic rules to assure continuity as a part of the operational transfer from functions previously performed by the Department as a result of HB 2009(2009).

Among the functions transferred to the Authority is the medical assistance program. This rule provides for continuity in the relationship between the Authority and the Department when working together in the administration of the medical assistance program and that the Authority and Department shall work cooperatively in the administration of the medical assistance program, including making determinations of eligibility and service e need for medical assistance. This rule also explains that the Authority designated the Department as the operating agency for home and community-based waiver services and as an Organized Health Care Delivery System.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-001-0020

Oregon Health Authority Shared Service and Cooperative Relationships with Department of Human Services

(1) The Oregon Health Authority (Authority) will cooperate and collaborate with the Department of Human Services (Department) in order to effectively coordinate services to individuals, families and communities and realize operational efficiencies in the administration of services that are shared between them (“shared services”).

(2) For all the programs, functions, and duties with respect to health or health care (generally described in Oregon Laws 2009, chapter 595, section 19(1)(a)), transferred to the Authority from the Department (“transferred program”) or for shared services, the Authority declares that:

(a) All transferred program rules shall remain in effect until superceded by adoption of Authority rules or adoption of rules by the Authority coordinating shared services with the Department.

(b) All transferred program administration, policies, and procedures remain in effect pending the completion of review and adoption by the Authority or adoption of such policies and procedures related to coordination of shared services with the Department.

(c) Any judicial or administrative action, proceeding, contested case hearing, or administrative review matters, or new action, proceeding, or matter involving or relating to the duties or powers transferred to the Authority are the responsibility of the Authority.

(d) Rights and obligations legally incurred under transferred program contracts, leases, and business transactions remain legally valid and are the responsibility of the Authority.

(e) Statutorily required filings, notices or service of papers, applications, notices or other documents to be mailed, provided to, or served on the Authority shall be mailed, provided to, or served on the Authority. Any notices required by ORS 113.145, 114.525 and 130.370 to be sent to the Authority may be consolidated with similar notices to the Department and sent to the Estate Administration Unit of the Department. Any notices required by ORS 416.530 to be sent to the Authority may be consolidated with similar notices to the Department and sent to the Personal Injury Lien Unit of the Department Any consolidated notice shall be considered notice to the Authority as long as the Authority’s interest or claim in the matter is identified in the notice consistent with requirements in applicable statute.

(f) A reference to an Administrator or Assistant Director in any transferred program rule of the Authority means the Director of the Authority’s program that is covered by that chapter of the Oregon Administrative Rules or the Authority’s program specified in the rule.

(3) As the state Medicaid agency for the administration of funds from Titles XIX and XXI of the Social Security Act, the Authority is charged with the administration of the medical assistance program. The Authority is responsible for facilitating outreach and enrollment efforts to connect eligible individuals with all available publicly funded health programs.

(a) The Authority and the Department recognize that there are many points of interconnection between their programs and the individuals who receive services through these programs. In addition, there are areas of natural connection between the Authority and the Department based upon the former and current structures of the Department in the administration of the medical assistance program.

(b) The Authority shall work cooperatively with the Department in the administration of the medical assistance program and to facilitate the outreach and enrollment in the program, including making determinations of eligibility and service need for medical assistance. The Authority has designated the Department as the operating agency for home and community-based waiver services and as an Organized Health Care Delivery System.

(c) The Authority and the Department are authorized by state law to delegate to each other any duties, functions and powers that they deem necessary for the efficient and effective operation of their respective functions. The Authority and the Department will work together to adopt rules to assure that medical assistance eligibility requirements, procedures, and determinations are consistent across both agencies. The Authority has authorized the Department to determine medical eligibility for medical assistance. Where that responsibility is given to the Department under ORS Chapter 411, the Department has delegated to the Authority the duties, functions, and powers to make medical eligibility determinations in accordance with OAR 410-120-0006.

(d) Where statute establishes duties and functions of the Authority or the Department in relation to medical assistance as a public assistance program, the Authority and the Department shall cooperate in the effective administration of the program.

Stat. Auth.: ORS 413.042; Other Auth. HB 2009, 2009 OL, Ch. 595, Sec. 19-25

Stats. Implemented: ORS 413.032

Hist.: OHA 3-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Allows the Oregon Health Authority to receive reimbursement for providing public records.

Adm. Order No.: OHA 4-2011

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11

Notice Publication Date: 5-1-2011

Rules Adopted: 943-003-0000, 943-003-0010

Subject: Allows the Authority, in order to comply with request for public records, to establish fees, in policy, to reimburse Authority costs of providing public records. Limits amount of fee to $25 that the Authority may charge to comply with request unless the Authority provides the requestor with notification of estimated amount of fee and requestor confirms that requestor wants the Authority to proceed with making records available.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-003-0000

Definitions

The following definitions apply to Oregon Administrative Rule 943-003-0010 unless otherwise indicated:

(1) “Authority” means the Oregon Health Authority.

(2) “Designee” means any officer or employee of the Authority, appointed by the Director to respond to requests for reduction or waiver of fees for public records of the Authority.

(3) “Director” means the Director of the Authority.

(4) “Person” means any natural person, corporation, partnership, firm, or association.

(5) “Photocopy(ing)” means a photograph, microphotograph and any other reproduction on paper or film in any scale, or the process of reproducing, in the form of a photocopy, a public record.

(6) “Public record” includes any writing that contains information relating to the conduct of the public’s business that is prepared, owned, used or retained by the Authority regardless of physical form or characteristics.

(7) “Requestor” means a person requesting inspection, copies, or other reproduction of a public record of the Authority.

(8) “Writing” means handwriting, typewriting, printing, photographing and every means of recording, including letters, words, pictures, sounds, or symbols, or combination thereof, and all papers, maps, files, facsimiles or electronic recordings. It includes information stored on computer tape, microfiche, photographs, films, tape or videotape or that is maintained in a machine readable or electronic form.

Stat. Auth: ORS 192.430, 413.042

Stats. Implemented: ORS192.430 & 192.440

Hist.: OHA 4-2011 f. & cert. ef. 7-1-11

943-003-0010

Fees for Inspection or Copies of Public Records and Oregon Health Authority Publications; Other Services

(1) The Authority may charge a fee reasonably calculated to reimburse the Authority for the cost of making public records available:

(a) Costs include but are not limited to:

(A) The services and supplies used in making the records available;

(B) The time spent locating the requested records, reviewing the records, and redacting, or separating material exempt from disclosure;

(D) Copying records;

(E) Certifying copies of records;

(F) Summarizing, compiling, or organizing the public records to meet the person’s request;

(G) Searching for and reviewing records even if the records subsequently are determined to be exempt from disclosure;

(H) Postal and freight charges for shipping the copies of the public records, sent first class or bulk rate based on weight;

(I) Indirect costs or third party charges associated with copying and preparing the public records; and

(J) Costs associated with electronic retrieval of records.

(b) When a Department of Justice review of the records is requested by the Authority, the Authority may charge a fee equal to the Attorney General’s charge for the time spent by the attorney reviewing the public records, redacting material from the records, and segregating the public records into exempt and nonexempt records. A fee will not be charged for the cost of time spent by an attorney in determining the application of the provisions of ORS 192.410 to 192.505;

(c) Staff time shall be calculated based on the hourly rate of pay and fringe benefits for the position of the person performing the work;

(d) The cost for publications shall be based on the actual costs of development, printing, and distribution, as determined by the Authority;

(e) The cost for a public records request requiring the Authority to access the State’s mainframe computer system, may include but not be limited to costs for computer usage time, data transfer costs, disk work space costs, programming, and fixed portion costs for printing and tape drive usage.

(2) The Authority shall establish a list of fees used to charge requestors for the costs of preparing and making available public records for the following:

(a) Photocopies;

(b) Facsimile copies. The Authority may limit the transmission to thirty pages;

(c) Electronic copies, diskettes, DVDs, and other electronically generated materials. The Authority shall determine what electronic media for reproduction of computer records shall be used and whether the electronic media is to be provided by the Authority or the requestor;

(d) Audio or video cassettes;

(e) Publications.

(3) The Authority shall review the list of fees established in policy from time to time in order to assure that the fees reflect current Authority costs.

(4) No additional fee shall be charged for providing records or documents in an alternative format when required by the Americans with Disabilities Act.

(5) The Authority shall notify requestors of the estimated fees for making the public records available for inspection or for providing copies to the requestor. If the estimated fees exceed $25, the Authority shall provide written notice and will not act further to respond to the request until the requestor notifies the Authority, in writing, to proceed with making the records available:

(a) The Authority may require that all or a portion of the estimated fees be paid before the Authority may proceed with making the record available;

(b) The Authority may require that actual costs of making the record available be paid before the record is made available for inspection or copies provided.

(6) The Director or designee may reduce or waive fees when a determination is made that the waiver or reduction of fees is in the public interest because making the records available primarily benefits the general public. Factors that may be taken into account in making such a determination include, but are not limited to:

(a) The overall costs to be incurred by the Authority is negligible; or

(b) Supplying the requested records or documents is within the normal scope of Authority activity; or

(d) Discovery requests made as part of pending administrative, judicial, or arbitration proceedings.

(7) If the Authority denies an initial verbal request for waiver or reduction of fees, the requestor may submit a written request. If the Authority subsequently denies the written request for a waiver or reduction of fees, the requestor may petition the Attorney General for a review of the denial pursuant to the provisions of ORS 192.440(6) and 192.450.

Stat. Auth: ORS 192.430, 413.042

Stats. Implemented: ORS 192.430,192.440 and 192.450

Hist.: OHA 4-2011 f. & cert. ef. 7-1-11

Rule Caption: Prohibiting Discrimination Against Individuals with Disabilities Process for Requesting Reasonable Modifications.

Adm. Order No.: OHA 5-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-005-0000, 943-005-0005, 943-005-0010, 943-005-0015, 943-005-0020, 943-005-0025, 943-005-0030

Subject: These rules establish an Oregon Health Authority (Authority) policy of non-discrimination on the basis of disability in accordance with the Americans with Disabilities Act of 1990 (ADA) and Section 504 of the Rehabilitation Act of 1973. The rules also explain the process for individuals to request reasonable modifications and how to file a complaint of alleged discrimination.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-005-0000

Purpose

These rules (OAR 943-005-0000 through 943-005-0030) establish an Oregon Health Authority policy of non-discrimination on the basis of disability in accordance with the Americans with Disabilities Act of 1990 (ADA) and Section 504 of the Rehabilitation Act of 1973.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-005-0005

Definitions

The following definitions apply to OAR 943-005-0000 through 943-005-0030:

(1) “Alternate Format Communication” means printed material converted to a communication style that meets the accessibility needs of individuals with disabilities to achieve “effective communication.” The types of alternate format that the Oregon Health Authority offers include but are not limited to: large print, Braille, audiotape, electronic format (E-mail attachment, diskette, or CD-ROM) and oral presentation.

(2) “Americans with Disabilities Act” is a comprehensive federal law passed in 1990, which prohibits discrimination on the basis of disability in employment, programs and services provided by state and local governments; goods and services provided by private companies; commercial facilities; telecommunications and transportation. The ADA was crafted upon a body of existing legislation, particularly the Rehabilitation Act of 1973 (Section 504), which states that no recipient of federal financial assistance may discriminate against qualified individuals with disabilities solely because of a disability. (Public Law 101-336)

(3) “An Individual with a Disability” means an individual who:

(a) Has a physical or mental impairment that substantially limits one or more major life activities; or

(b) Has a record or history of such an impairment; or

(4) “Authority” means the Oregon Health Authority.

(5) “Auxiliary Aids or Services” mean devices or services that meet the accessibility needs of individuals with hearing, cognitive or speech impairments to achieve “effective communication.” The types of auxiliary aids and services that the Authority offers include but are not limited to: qualified sign language interpreters, text telephone (TTYs), oral presentation, note takers and communication through computer keyboarding.

(6) “Direct threat” means a significant risk to the health or safety of others that cannot be eliminated or reduced to an accepted level through the provision of auxiliary aids and services or through reasonably modifying policies, practices or procedures, that person is not considered a qualified individual with a disability and may be excluded from Authority programs services or activities.

(7) “Federal Discrimination Complaint” means a complaint by a client, client applicant or specific class of individuals or their representative filed with a federal agency alleging an act of discrimination by a public entity.

(8) “Qualified Individual with a Disability” means an individual who can meet the essential eligibility requirements for the program, service or activity with or without reasonable modification of rules, policies or procedures, or the provision of auxiliary aids and services.

(9) “Reasonable Modifications” means a modification of policies, practices or procedures made to a program or service that allows an individual with a disability to participate equally in the program or benefit from the service.

(10) “Report of Discrimination” means a report filed with the Authority by a client, client applicant or specific class of individuals or their representative alleging an act of discrimination by the Authority or an Authority contractor, their agents or subcontractors, or a governmental entity under intergovernmental agreement with the Authority, regarding delivery of Authority services, programs or activities that are subject to Title II of the ADA or Section 504 of the Rehabilitation Act.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-005-0010

Non-discrimination

(1) No qualified individual with a disability shall, on the basis of disability, be discriminated against, be excluded from participation in, or be denied the benefits of the services, programs or activities of the Authority. In providing any benefit or service, the Authority may not, directly or through contractual or other arrangements, on the basis of a disability deny a qualified individual the opportunity to participate in a service, program or activity or to receive the benefit or services offered. The Authority may not discriminate against a qualified individual with a disability, on the basis of disability in the granting of licenses and certificates.

(2) The Authority shall provide services, programs and activities in the most integrated setting appropriate to the needs of qualified individuals with disabilities within the context of the program being administered. For purposes of this section, “Integrated Setting” means a setting that enables individuals with disabilities to interact with non-disabled persons to the fullest extent possible.

(3) The Authority may not require a qualified individual with a disability to participate in services, programs, or activities that are separate or different, despite the existence of permissibly separate or different programs or activities.

(4) The Authority may not apply eligibility criteria or standards that screen out or tend to screen out an individual with a disability from fully and equally enjoying any goods or services, unless such criteria can be shown to be necessary for the provision of those goods and services or is determined by the Authority to be a legitimate safety requirement.

(5) The Authority shall ensure each program, service, or activity, including public meetings, hearings and events, when viewed in the entirety, is readily accessible to and usable by individuals with disabilities. For purposes of this section, accessible means the ability to approach, enter, operate, participate in, or to use safely and with dignity by a person with a disability.

(6) Nothing in these rules prohibits the Authority from providing benefits or services to individuals with disabilities, or to a particular class of individuals with disabilities, beyond those required by law.

(7) Nothing in these rules requires an individual with a disability to accept a modification, service, opportunity, or benefit provided under these rules that the individual decides not to accept.

(8) The Authority shall provide auxiliary aids and services or alternate format communication to individuals with disabilities where necessary to ensure an equal opportunity to participate in, and enjoy the benefits of, a service, program or activity, unless it would result in a fundamental alteration of the program or an undue financial or administrative burden. Although the Authority shall determine which aid or format, if any, can be provided without fundamental alteration or undue burden, primary consideration should be given to the choice of the requestor.

(9) Except as authorized under specific programs, the Authority is not required to provide personal devices, individually prescribed devices, readers for personal use or study, or services of a personal nature.

(10) The Authority may not assess a charge or fee to an individual with a disability or any group of individuals with disabilities to cover the costs of measures required to provide the individual with the non-discriminatory treatment required by this policy.

(11) The Authority may not deny individuals the opportunity to participate on planning or advisory boards based on their disability.

(12) The Authority may not discriminate against individuals that do not have disabilities themselves, but have a known relationship or association with one or more individuals with disabilities.

(13) The Authority’s determination of direct threat to the health and safety of others must be based on an individualized assessment relying on current medical evidence, or the best available objective evidence that shows:

(a) The nature, duration and severity of the risk,

(b) The probability that a potential injury will actually occur; and

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-005-0015

Illegal Drug Use

(1) Except as provided in section (2) of this rule, OAR 943-005-0000 through 943-005-0030 does not prohibit discrimination against an individual based on that individual’s current illegal use of drugs.

(2) The Authority may not deny health services or services provided in connection with drug rehabilitation to an individual on the basis of that individual’s current use of drugs, if the individual is otherwise entitled to such services. However, a drug rehabilitation or treatment program may deny participation to individuals who engage in illegal use of drugs while they are in the program.

(3) A program may adopt reasonable policies related to drug testing that are designed to ensure that an individual who formerly engaged in the illegal use of drugs is not now engaging in the current illegal use of drugs.

(4) A client with a psychoactive substance use disorder resulting from current illegal use of drugs is not considered to have a disability under OAR 943-005-0000 through 943-005-0030 unless the client has a disability due to another condition.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-005-0020

Reasonable Modifications

(1) The Authority shall make reasonable modifications to policies, practices or procedures of a program, services or activity when the modifications are necessary to avoid discrimination based on disability unless the modification would fundamentally alter the nature of the program, service or activity or create an undue administrative or financial burden.

(2) When providing program access to a qualified individual with a disability would cause a fundamental alteration of the program, service or activity or undue financial or administrative burden, the Authority shall, to the extent the benefit of the program, service or activity can be achieved, provide program access to the point at which the program becomes fundamentally altered or experiences an undue burden.

(3) Alternate format communication is considered to be within the scope of reasonable modifications.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-005-0025

Requesting a Reasonable Modification

(1) To request a reasonable modification to an Authority program, service, or activity a client applicant, client or public member must submit to program staff a request for a reasonable modification to the applicable program. Requests may be made verbally or by completing the Request for Reasonable Modification form.

(2) Upon receipt of a request for modification the Authority shall:

(a) Determine whether additional documentation regarding the claimed disability is needed and request such documentation;

(b) Within 15 working days of the request or the receipt of additional medical documentation, whichever is later, provide to the requestor notification of approval, approval with alternative modifications or denial of the request for reasonable modification. All denials and approvals with alternative modifications that were not requested shall be clearly labeled a “Preliminary Notification Subject to Review.”; and

(3) A “Reasonable Modification Team” (Team) means a two person team appointed by program managers that meet to evaluate a Request for Reasonable Modification decision that either denied the request or approved the request but with modifications other than those requested.

(4) This process may include additional communication with the individual requesting the reasonable modifications.

(5) Preliminary Notifications shall be reviewed by a Reasonable Modification Team, which shall notify the requestor of the final result of the review within 15 working days of the preliminary notification or within 15 working days following receipt of medical or other supporting documentation requested by the Team, whichever is later.

(6) An individual whose request for reasonable modification has been denied or approved with alternative modifications which the individual believes to be inadequate may file a Report of Discrimination with the Authority within 60 days of the final result or file a complaint with the appropriate federal regulatory agency within 180 days of the final result.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-005-0030

Report of Discrimination and Other Remedies Available for Alleged Discrimination

(1) A client or client applicant or specific class of individuals or their representative may file with the Authority a Report of Discrimination based on disability in the following circumstances:

(a) The final result under OAR 943-005-0025 for a Reasonable Modification Request was denied or was approved with an alternative to the requested modification which is believed to be inadequate;

(b) A request for auxiliary aids and services was denied or was approved with an alternative to the request which is believed to be inadequate;

(c) A request for an alternate format communication was denied or was approved with an alternative to the request which is believed to be inadequate;

(d) Inability to access facilities used for Authority programs;

(e) Denial of participation in Authority programs and services.

(2) A Report of Discrimination must be filed within 60 calendar days of the date of the alleged discrimination unless otherwise set forth in these rules

(3) A Report of Discrimination may be submitted verbally or on a Report of Discrimination Form available at any Authority office or by calling any Authority office.

(4) The claim of discrimination shall be investigated and shall include an interview with the complainant. At the conclusion of the investigation, a Letter of Determination shall be issued within 40 calendar days from the receipt of the Discrimination Report.

(5) An individual may appeal the Letter of Determination to the Civil Rights Review Board (CRRB) within 30 calendar days of receiving the Letter of Determination. CRRB means a panel of Authority employees appointed by the Director that reviews the decisions made by the Authority ADA Coordinator or the Civil Rights Investigator on discrimination complaints filed with the Authority.

(6) At the discretion of CRRB, this may include additional communication with the client.

(7) The remedies available under OAR 943-005-0000 through 943-005-0030 are available in addition to other remedies available under state or federal law or Oregon Administrative Rules, except that these remedies must be exhausted where exhaustion is a requirement of seeking remedies in another forum.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 5-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Authority Employees, Volunteers and Contractors Background Checks and Contesting Fitness Determinations.

Adm. Order No.: OHA 6-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-007-0000, 943-007-0500

Subject: These rules adopt and incorporate by reference the Department of Human Services’ Background Check Unit rules chapter 407-007-0000 to 0075; 407-007-0090 to 0100; 407-0200 to 0325; and 407-007-0340 to 0370 for matters that involve employees, volunteers, providers or contractors of the Authority who are subject to background checks before the individual may work, volunteer be employed, hold the position, or provide services.

The Authority needs to adopt OAR 943-007-0500 which explains how an individual may contest a fitness determination.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-007-0000

Criminal History Checks

Employees, volunteers, providers and contractors for the Oregon Health Authority (Authority) are subject to background checks and screening to determine if they have a history of criminal behavior such that they should not be allowed to work, volunteer, be employed, or otherwise perform in positions covered by these rules.

(1) The Authority adopts and incorporates by reference the rules established in: OAR 407-007-0000 to 0075 and 407-007-0090 to 0100 (Employees, Volunteers and Contractors); for those matters that involve employees, volunteers, or contractors of the Authority, except as otherwise provided in this rule.

(2) The Authority adopts and incorporates by reference the rules established in: 407-007-0200 to 0325; and 407-007-0335 to 0370 (Providers) for those matters that involve any entity or agency licensed, certified, registered, or otherwise regulated by the Authority, except as otherwise provided in this rule.

(3) Any reference to any rule from OAR 407-007-0000 to 407-007-0100 in rules or contracts of the Authority are deemed to be references to the requirements of this rule, and shall be construed to apply to employees, volunteers, providers, or contractors of the Authority.

(4) References in OAR 407-007-0000 to 407-007-0370 to the Department of Human Services (Department) or to the Oregon Health Authority shall be construed to be references to either or both agencies.

(5) The Authority authorizes the Department to act on its behalf in carrying out background checks and screening associated with the administration of programs or activities administered by the Authority.

(6) Appeals shall be conducted by the Authority pursuant to OAR 943-007-0500.

Stat. Auth.: ORS 181.534, 181.537, 413.042

Stats. Implemented: ORS 181.534, 181.537, 183.341

Hist.: OHA 6-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-007-0500

Contesting a Final Fitness Determination

(1) A final fitness determination of denied or approved with restrictions is considered an adverse outcome. An SI with an adverse outcome may contest that outcome.

(2) If an SI is denied, the SI may not work, volunteer, be employed, hold the position, provide services or be employed, licensed, certified, or registered or otherwise perform in positions covered by these rules. An SI appealing a restricted approval may only work under the terms of the restriction during the appeal.

(3) If an adverse outcome is changed at any time during the appeal process, the change does not guarantee employment or placement.

(4) An SI may challenge the accuracy or completeness of information provided by the OSP, the FBI, or other agencies reporting information to the Authority, by appealing to the entity providing the information. These challenges are not subject to the Authority’s appeal process.

(5) The SI has the right to represent him or herself or have legal representation during the appeal process. The SI may not be represented by a lay person. In this rule, the term “SI” shall be considered to include the SI’s legal representative.

(6) An SI who is already employed by the Authority at the time of the final fitness determination may appeal through applicable personnel rules, policies, and collective bargaining provisions. The SI’s decision to do so is an election of remedies as to the rights of the SI with respect to the fitness determination and constitutes a waiver of the contested case process described in this rule.

(7) An SI may contest an adverse fitness determination by requesting a contested case hearing. The contested case hearing process is conducted pursuant to ORS 183.411 to 183.497 and the Attorney General’s Uniform and Model Rules of Procedure for the Office of Administrative Hearings (OAH), OAR 137-003-0501 to 137-003-0700.

(a) To request a contested case hearing the SI must complete and sign the Hearing Request form.

(b) The completed and signed form must be received by the Authority within the following time lines:

(A) For Authority employees and SIs offered employment by the Authority, no later than 15 calendar days after the effective date of action listed on the notice of the fitness determination.

(B) For all other SIs, no later than 45 calendar days after the effective date of action listed on the notice of the fitness determination.

(c) If a request for hearing is not timely, the Authority shall determine, based on a written statement from the SI and available information, if there is good cause to proceed with the appeal.

(d) The Authority may refer an untimely request to OAH for a hearing on the issue of timeliness.

(8) The Authority may conduct an administrative review before referring the appeal to OAH.

(a) The SI must participate in the administrative review. Participation may include but is not limited to providing additional information or additional documents requested by the Authority within a specified amount of time.

(b) The administrative review is not open to the public.

(9) The Authority may conduct additional criminal records checks during the contested case hearing process to update or verify the SI’s criminal records. If needed, the Authority may amend the notice of fitness determination during the appeal process while still maintaining the original hearing rights and deadlines.

(10) The Authority shall be represented by a hearing representative in contested case hearings. The Authority may also be represented by the Department of Justice’s Office of the Attorney General.

(a) The Authority shall provide the administrative law judge and the SI a complete copy of available information used during the criminal records checks and fitness determinations. The notice of contested case and prehearing summary and all other documents shall be mailed by regular first class mail.

(b) SIs may not have access to confidential information contained in records collected or developed during the criminal records check process without a protective order limiting further disclosure of the information.

(A) A protective order issued pursuant to this section must be issued by an administrative law judge as provided for in OAR 137-003-0570(8) or by a court of law.

(B) In conjunction with a protective order issued pursuant to this section, individually identifying information relating to clients, witnesses, and other persons identified in abuse investigation reports or other records collected or developed during the criminal records check process shall be redacted prior to disclosure, except for the information identifying the SI.

(d) The administrative law judge shall make a new fitness determination based on the evidence and the contested case hearing record.

(e) The only remedy that an administrative law judge may grant is a fitness determination that the SI is approved, approved with restrictions (if allowed by rule), or denied. Under no circumstances shall the Authority or Qualified Entity (QE) be required to place an SI in any position, nor shall the Authority or QE be required to accept services or enter into a contractual agreement with an SI.

(f) For providers, a hearing pursuant to these rules may be conducted in conjunction with a licensure or certification hearing for the SI.

(11) The result of an appeal is a final order.

(a) The notice of fitness determination becomes the final order as if the SI never requested a hearing in the following situations:

(A) The SI failed to request a hearing in the time allotted in this rule. No other document shall be issued after the notice of fitness determination.

(B) The SI withdraws the request for hearing at any time during the appeal process.

(b) The Authority may make an informal disposition based on the administrative review. The Authority shall issue a final order and new notice of fitness determination. If the resulting fitness determination is an adverse outcome, the appeal shall proceed to a contested case hearing.

(A) The SI may withdraw a hearing request verbally or in writing at any time before the issuance of a final order. A dismissal order due to the withdrawal is effective the date the withdrawal is received by the Authority or OAH. The SI may cancel the withdrawal in writing within 14 calendar days after the date of withdrawal.

(B) The Authority shall dismiss a hearing request when the SI fails to participate in the administrative review. Failure to participate in the administrative review shall result in termination of hearing rights. The order is effective on the due date for participation in the administrative review. The Authority shall review a good cause request to reinstate hearing rights if received in writing by the Authority within 14 calendar days.

(C) The Authority shall dismiss a hearing request when the SI fails to appear at the time and place specified for the contested case hearing. The order is effective on the date scheduled for the hearing. The Authority shall review a good cause request to reinstate hearing rights if received in writing by the Authority within 14 calendar days of the order.

(d) After a hearing, the administrative law judge shall issue a proposed and final order.

(A) If no written exceptions are received by the Authority within 14 calendar days after the service of the proposed and final order, the proposed and final order shall become the final order.

(B) If timely written exceptions to the proposed and final order are received by the Authority, the Authority’s ‘s Director or designee shall consider the exceptions and serve a final order, or request a written response or a revised proposed and final order from the administrative law judge.

(12) Final orders, including dismissal and default orders, are subject to reconsideration or rehearing petitions within 60 calendar days after the final order is served, pursuant to OAR 137-003-0675.

(13) The Authority may provide the QE’s AD with the results of the appeal.

[Publications: Publications referenced are available from the agency.]

Stat. Auth.: ORS 181.534, 181.537, 413.042

Stats. Implemented: ORS 181.534, 181.537, 183.341

Hist.: OHA 6-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Establishment of process for restricting an individual’s access to Authority premises, employees, and visitors.

Adm. Order No.: OHA 7-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-012-0005, 943-012-0010, 943-012-0015, 943-012-0020, 943-012-0025

Subject: Allows the Authority to protect Authority employees, visitors, and its premises from threats or acts of violence. Defines prohibited conduct and establishes criteria for restricting an individual’s access to Authority employees, visitors, and its premises when an individual has engaged in prohibited conduct.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-012-0005

Definitions

The following definitions apply to OAR 943-012-0005 through 943-012-0025:

(1) “Authority” means the Oregon Health Authority.

(2) “Division” means every individual organizational unit within the Authority.

(3) “Employee” means individuals acting in the course and scope of their duties who are on the State of Oregon payroll, contract employees, employees of temporary service agencies, and volunteers. It also includes employees of other government or social service agencies who, at the time they are accompanying an Authority employee on Authority business, are the target of conduct described in OAR 943-012-0010.

(4) “Premises” means any land, building, facility, and other property owned, leased, or in the possession of, and used or controlled by the Authority. When the Authority occupies space in a building occupied by multiple tenants, the definition includes the common areas of the building used by all tenants such as, but not limited to, restrooms, hallways, and food service areas.

(5) “Restriction of Access” means the Authority has limited an individual’s access to specific Authority premises, employees, or methods of communication.

(6) “Weapon” includes, but is not limited to:

(a) A dangerous or deadly weapon as defined in ORS 161.015;

(b) Any other object or substance used in a manner that compromises the safety of Authority employees or visitors on Authority premises;

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-012-0010

Prohibited Conduct

(1) Conduct that may result in restriction of access includes, but is not limited to the following:

(a) Causing or threatening to cause physical injury to Authority employees or visitors;

(b) Engaging in actions which compromise the safety or health of Authority employees or visitors;

(c) Causing or threatening to cause harm to the family or property of an employee or visitors through written, electronic, or verbal communication;

(d) Causing or threatening to cause damage to Authority premises;

(e) Bringing a deadly or dangerous weapon onto the Authority’s premises, unless authorized by ORS chapter 166 to carry a handgun;

(f) Displaying, attempting, or threatening to use any weapon, on or off Authority premises, that compromises the safety of Authority employees or visitors;

(g) Engaging in harassing conduct as defined in ORS 166.065.

(h) Engaging in telephonic harassment as defined in ORS 166.090.

(2) The conduct listed in section (1) is also prohibited if it occurs during employees’ off-work hours and off Authority premises and the prohibited conduct is related to the employee’s work with the Authority.

(3) Prior to issuing a restriction of access notice, the Authority shall make an individualized assessment as to whether the conduct listed in section (1) of this rule is a result of a disability of which the Authority has knowledge and whether the conduct is a “direct threat” to others as described in OAR 943-005-0000 through 943-005-0030. If the Authority determines the disabled individual’s conduct is not a direct threat, the Authority shall explore the possibility of a reasonable accommodation to mitigate the safety risk.

(4) The prohibitions on conduct in this rule do not apply to individuals who are residents of an Authority-operated residential facility.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-012-0015

Continuation of Eligible Services

(1) An individual whose access has been restricted by the Authority shall continue to be provided services for which the individual meets program eligibility requirements by an alternate and effective method of communication as determined by the Authority.

(2) Alternate methods may include telephone, electronic mail, written communication, meeting at a designated secure site, or through the individual’s representative.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-012-0020

Notification

(1) If the Authority determines that it is necessary to restrict access or the methods of communication because of prohibited conduct, the individual will be provided written notification, signed by the assistant director or deputy assistant director of the affected division, and sent by certified mail or other traceable means. The notice shall describe the following:

(a) Conduct giving rise to the restrictions;

(b) The specific premises or parts of premises from which the individual is excluded; or the forms of communication which are restricted;

(d) Contact information for services or appointment scheduling;

(e) The availability of the review process, including notification that individuals with disabilities are entitled to request modification;

(f) The potential criminal consequences for violating the notice of restriction of access; and

(g) The law enforcement agency being notified.

(2) The notice shall be effective upon issuance.

(3) Restrictions on access to Authority premises or methods of communication shall remain in place until the Authority determines the individual no longer poses a threat and issues an official notification of removal.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-012-0025

Authority Review

(1) The Authority shall establish an internal review process to ensure that a notice of restriction of access is warranted prior to issuing a written notice of restriction of access.

(2) Following the Authority’s issuance of a notice of restriction of access, the recipient of the notice may request review of the Authority’s determination. The request must be submitted to the office of the Director of the Authority. The request must be in writing and submitted, by mail or personal delivery, within 15 business days of the date of issuance of the notice of restriction of access. If the request is submitted by mail, it must be postmarked within 15 business days. No particular format is required for the request for review; however, the individual should include specific grounds for requesting the review.

(3) Upon receipt of a request for review, the Director or an assistant director shall review the request and issue a written decision. The review may include an informal conference. The decision shall be issued within ten days of receipt of the request for review.

(4) The Authority’s decision is final.

(5) If the Authority’s decision rules in favor of the individual, the restricted individual’s access restriction shall be immediately lifted. If the decision is unfavorable to the restricted individual, the restricted individual may seek further review after six months have lapsed since the date of issuance by following the process described in this rule.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042, 654.010

Hist.: OHA 7-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Privacy OARs setting forth general procedures governing the collection, use and disclosure of protected information.

Adm. Order No.: OHA 8-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-014-0000, 943-014-0010, 943-014-0015, 943-014-0020, 943-014-0030, 943-014-0040, 943-014-0050, 943-014-0060, 943-014-0070

Subject: These rules govern the collection, use, and disclosure of protected information by the Authority about individuals and to explain the rights and specific actions that individuals may take or request to be taken regarding the uses and disclosures of their protected information. These rules also set forth Authority requirements governing the use and disclosure of protected health information for purposes of HIPAA, 42 USC 1320-d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the implementing HIPAA privacy rules, 45 CFR parts 160 and 164.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-014-0000

Definitions

The following definitions apply to OAR 943-014-0000 to 943-014-0070:

(1) “Administrative Hearing” means an oral proceeding before an administrative law judge in a contested case hearing.

(2) “Authority” means the Oregon Health Authority.

(3) “Authority Workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Authority, is under the direction and control of the Authority, whether or not they are paid by the Authority.

(4) “Authorization” means permission from an individual or his or her personal representative giving the Authority , and others named on the form, authorization to obtain, release or use information about the individual from third parties for specified purposes or to disclose information to a third party specified by the individual.

(5) “Business Associate” means an individual or entity performing any function or activity on behalf of the Authority involving the use or disclosure of protected health information (PHI) and is not a member of the Authority’s workforce.

(a) “Function or activity” includes but is not limited to program administration, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services, and similar services for which the Authority may contract or obtain by interagency agreement, if access to PHI is involved.

(b) Business associates do not include licensees or providers unless the licensee or provider also performs some function or activity on behalf of the Authority.

(6) “Client” means an individual who requests or receives program benefits or direct services from the Authority, including but not limited to services requested in connection with the administration of the medical assistance program, and individuals who apply for or are admitted to a state hospital or who are committed to the custody of the Authority,

(7) “Client Information” means personal information relating to a client that the Authority may maintain in one or more locations and in various forms, reports, or documents, or stored or transmitted by electronic media.

(8) “Collect” or “Collection” means the assembling of personal information through interviews, forms, reports, or other information sources.

(9) “Contract” means a written agreement between the Authority and a person or entity setting forth the rights and obligations of the parties including but not limited to contracts, licenses, agreements, interagency agreements, and intergovernmental agreements.

(10) “Correctional Institution” means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by contract with the federal government, a state, or an Indian tribe for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. “Other persons held in lawful custody” include juvenile offenders, adjudicated delinquents, aliens detained awaiting deportation, witnesses, or others awaiting charges or trial.

(11) “Corrective Action” means an action that a business associate must take to remedy a breach or violation of the business associate’s obligations under the business associate’s contractual requirement, including but not limited to reasonable steps that must be taken to cure the breach or end the violation.

(12) “Covered Entity” means health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction that is subject to federal Health Insurance Portability and Accountability Act (HIPAA) requirements, as those terms are defined and used in the HIPAA regulations, 45 CFR parts 160 and 164.

(13) “De-identified Data” means client information from which the Authority or other entity has deleted, redacted, or blocked identifiers so the remaining information cannot reasonably be used to identify an individual.

(14) “Department” means the Department of Human Services.

(15) “Disclose” means the release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Authority.

(16) “Health Care” means care, services, or supplies related to the health of an individual. Health care includes but is not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, palliative care, counseling services, assessment, or procedures with respect to the physical or mental condition, or functional status of an individual, or that affects the structure or function of the body and the sale or dispensing of a drug, device, equipment, or other prescribed item.

(17) “Health Care Operations” means any activities of the Authority to the extent that the activities are related to health care, Medicaid, or any other health care related programs, services, or activities administered by the Authority and include:

(a) Conducting quality assessment and improvement activities, including income evaluation and development of clinical guidelines;

(b) Population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(c) Reviewing the competence of qualifications of health care professionals, evaluating practitioner, provider, and health plan performance; and conducting training programs in which students and trainees in areas of health care learn under supervision to practice or improve their skills, accreditation, certification, licensing, or credentialing activities;

(d) Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract for Medicaid or health care related services;

(e) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs, and disclosure to the Medicaid Fraud Unit pursuant to 43 CFR part 455.21;

(f) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the Authority, including administration, development, or improvement of methods of payments or health care coverage; and

(g) Business management and general administrative activities of the Authority, including but not limited to:

(A) Management activities relating to implementation of and compliance with the requirements of HIPAA;

(B) Customer service, including providing data analysis;

(C) Resolution of internal grievances, including administrative hearings and the resolution of disputes from patients or enrollees regarding the quality of care and eligibility for services; and

(D) Creating de-identified data or a limited data set.

(18) “Health Oversight Agency” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including employees or agents of the public agency or its contractors or grantees that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. When performing these functions, the Authority acts as a health oversight agency for the purposes of these rules.

(19) “HIPAA” means the Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq, and the federal regulations adopted to implement the Act.

(20) “Individual” means the person who is the subject of information collected, used, or disclosed by the Authority.

(21) “Individually Identifying Information” means any single item or compilation of information or data that indicates or reveals the identity of an individual, either specifically (such as the individual’s name or social security number), or from which the individual’s identity can be reasonably ascertained.

(22) “Information” means personal information relating to an individual, a participant, or an Authority client.

(23) “Inmate” means a person incarcerated in or otherwise confined in a correctional institution. An individual is no longer an inmate when released on parole, probation, supervised release, or is otherwise no longer in custody.

(24) “Institutional Review Board (IRB)” means a specially constituted review body established or designated by an entity in accordance with 45 CFR part 46 to protect the welfare of human subjects recruited to participate in biomedical or behavioral research. The IRB must be registered with the Office for Human Research Protection.

(25) “Law Enforcement Official” means an officer or employee of any agency or authority of the federal government, a state, territory, political subdivision of a state or territory, or Indian tribe who is empowered by law to:

(a) Investigate and conduct an official inquiry into a potential violation of law; or

(b) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

(26) “Licensee” means a person or entity that applies for or receives a license, certificate, registration, or similar authority from the Authority to perform or conduct a service, activity, or function.

(27) “Minimum Necessary” means the least amount of information, when using or disclosing confidential client information, that is needed to accomplish the intended purpose of the use, disclosure, or request.

(28) “Participant” means individual’s participating in Authority population-based services, programs, and activities that serve the general population, but who do not receive program benefits or direct services received by a client. Examples of participants include but are not limited to an individual whose birth certificate is recorded with Department of Vital Statistics, the subjects of public health studies, immunization or cancer registries, newborn screening, and other public health services, and individuals who contact Authority hotlines or the ombudsman for general public information services.

(29) “Payment” means any activities undertaken by the Authority related to a client to whom health care is provided in order to:

(a) Obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the Medicaid program or other publicly funded health care services; and

(b) Obtain or provide reimbursement for the provision of health care.

(30) Payment activities mean:

(a) Determinations of eligibility or coverage, including coordination of benefits or the determination of cost sharing amounts, and adjudication of health benefit or health care claims;

(b) Risk adjusting amounts due which are based on enrollee health status and demographic characteristics;

(c) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing;

(d) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(e) Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and

(f) Disclosure to consumer reporting agencies relating to collection of premiums or reimbursement including name and address, date of birth, payment history, account number, and name and address of the health care provider or health plan.

(31) “Personal Representative” means a person who has authority to act on behalf of an individual in making decisions related to health care.

(32) “Protected Health Information (PHI)” means any individually identifiable health information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Any data transmitted or maintained in any other form or medium by covered entities, including paper records, fax documents, all oral communications, or any other form, such as screen prints of eligibility information, printed e-mails containing identified individual’s health information, claim or billing information, or hard copy birth or death certificates. PHI does not include school records that are subject to the Family Educational Rights and Privacy Act and employment records held in the Authority’s role as an employer.

(33) “Protected Information” means any participant or client information that the Authority may have in its records or files that must be safeguarded pursuant to Authority policy. This includes but is not limited to individually identifying information.

(34) “Provider” means a person or entity that may seek reimbursement from the Authority as a provider of services to Authority clients pursuant to a contract. For purposes of these rules, reimbursement may be requested on the basis of claims or encounters or other means of requesting payment.

(35) “Psychotherapy Notes” mean notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversations during a private counseling session, or group, joint, or family counseling session, when the notes are separated from the rest of the individual’s record. Psychotherapy notes do not include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date.

(36) “Public Health Agency” means a public agency, including the Authority, or a person or entity acting under a grant of authority from or by contract with the Authority or public agency that performs or conducts one or more of the following essential functions that characterize public health programs, services, or activities:

(a) Monitor health status to identify community health problems;

(b) Diagnose and investigate health problems and health hazards in the community;

(A) Inform, educate, and empower people about health issues;

(B) Mobilize community partnerships to identify and solve health problems;

(D) Enforce laws and regulations that protect health and ensure safety;

(E) Direct individuals to needed personal health services and assure the provision of health care when otherwise unavailable;

(F) Ensure a competent public health and personal health care workforce;

(G) Evaluate the effectiveness, accessibility, and quality of personal and population-based health services; and

(H) Perform research for new insights and innovative solutions to health problems.

(37) “Public Health Authority” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including the employees or agents of the public agency, or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. When performing functions as a public health agency, the Authority acts as a public health authority for purposes of these rules.

(38) “Re-disclosure” means the disclosure of information to a person, an Authority program, an Authority subcontracted entity, or other entity or person other than what was originally authorized.

(39) “Research” means systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalized knowledge.

(40) “Required by Law” means a duty or responsibility that federal or state law specifies that a person or entity must perform or exercise. Required by law includes but is not limited to court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or rules that require the production of information, including statutes or rules that require such information if payment is sought under a government program providing public benefits.

(41) “Treatment” means the provision, coordination, or management of heath care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

(42) “Use” means the sharing of individual information within an Authority program or the sharing of individual information between program staff and administrative staff that support or oversee the program.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0010

Purpose

(1) The purpose of these rules (OAR 943-014-000 to 943-014-0070) is to govern the collection, use, and disclosure of protected information by the Authority about individuals and to explain the rights and specific actions that individuals may take or request to be taken regarding the uses and disclosures of their protected information. These rules also set forth the Authority’s requirements governing the use and disclosure of PHI for purposes of HIPAA, 42 USC 1320-d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the implementing HIPAA privacy rules, 45 CFR parts 160 and 164, applicable to the Authority’s health care components.

(2) Except as provided in section (1) of this rule, state and federal statutes, rules, and policies that govern the administration of Authority programs, services, and activities continue to govern the use and disclosure of protected information in those Authority programs, services, and activities.

(3) In the event that it is not possible to comply with the requirements of both sections (1) and (2) of this rule, the Authority shall act in accordance with whichever federal or state law imposes a stricter requirement regarding the privacy or safeguarding of information and which provides the greater protection or access to the individual who is the subject of the information, unless one of the following applies:

(a) Public health. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, birth, or death; public health surveillance; or public health investigation or intervention.

(b) Child abuse. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of child abuse.

(c) State regulatory reporting. Nothing in these rules shall be construed to limit the ability of the State of Oregon or the Authority to require a health plan to report, or to provide access to information for management audits, financial audits, program monitoring, facility licensure or certification, or individual licensure or certification.

(4) The Authority may collect, maintain, use, transmit, share, and disclose information about any individual to the extent authorized by law to administer Authority programs, services, and activities.

(5) The Authority may use and disclose information about licensees or providers consistent with federal and state laws and regulations. Information regarding the qualifications of licensees and providers are public records.

(a) When the Authority obtains information about individuals that relates to determining payment responsibility when a provider submits a request for payment to the Authority, the Authority shall safeguard the information consistent with federal and state laws and regulations and Authority policies.

(b) The Authority may review the performance of licensees and providers in the conduct of its health oversight activities and shall safeguard information obtained about individuals obtained during those activities in accordance with federal and state laws and regulations and Authority policies.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0015

Covered Entity Status for Purposes of the HIPAA Privacy Rules

(1) These rules address information that, among other things, may be Protected Health Information that is protected by the HIPAA Privacy Rules. For purposes of HIPAA Privacy Rules, the Authority is a hybrid entity because the Authority performs functions that are covered by HIPAA (“health care components”) and functions that are not covered by HIPAA. The Authority’s health care components consist of the functions that are included in the definition of a covered entity, as follows:

(a) The Authority in its capacity as the state Medicaid agency for the administration of funds from Titles XIX and XXI of the Social Security Act and the medical assistance program as described in ORS chapter 414;

(b) The Health Care for All Oregon Children program;

(d) Any medical assistance or premium assistance programs reimbursed with Medicaid or the Children’s Health Insurance Program funds operated by the Authority;

(e) The Oregon State Hospital and Blue Mountain Recovery Center;

(f) The Medicaid Management Information system and information technology systems associated with the administration and management of the health care components listed above; and

(g) The ombudsman and other administrative and health care operations functions associated with the administration and management of the health care components listed above.

(2) The Authority administers many aspects of the medical assistance program with the assistance of the Department, including but not limited to eligibility determinations for the medical assistance program and supervising the long-term and community-based services for seniors and people with disabilities. The Department also provides certain health care operations services for the Authority. In doing so, the Department is a business associate of the Authority. As a business associate of the Authority, the Department is authorized to use and disclose protected health information to perform or assist the Authority in the performance of its covered functions.

(3) When these rules of the Authority apply to PHI that is subject to the HIPAA Privacy and Security rules, a reference to the Authority may also include the actions of the Department acting as the Authority’s business associate.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0020

Uses and Disclosures of Client or Participant Protected Information

(1) Uses and disclosures with individual authorization. The Authority must obtain a completed and signed authorization for release of information from the individual, or the individual’s personal representative, before obtaining or using protected information about an individual from a third party or disclosing protected information about the individual to a third party.

(a) Uses and disclosures must be consistent with what the individual has approved on the signed authorization form approved by the Authority.

(b) An individual may revoke an authorization at any time. The revocation must be in writing and signed by the individual, except that substance abuse treatment patients may orally revoke an authorization to disclose information obtained from substance abuse treatment programs. No revocation shall apply to information already released while the authorization was valid and in effect.

(2) Uses and disclosures without authorization. The Authority may use and disclose information without written authorization in the following circumstances:

(a) The Authority may disclose information to individuals who have requested disclosure to themselves of their information, if the individual has the right to access the information under OAR 943-014-0030(6).

(b) If the law requires or permits the disclosure, and the use and disclosure complies with, and is limited to, the relevant requirements of the relevant law.

(A) Activities involving the current treatment of an individual, for the Authority or health care provider;

(B) Payment activities, for the Authority, covered entity, or health care provider;

(D) Substance abuse treatment information, if the recipient has a Qualified Service Organization Agreement with the Authority.

(d) Psychotherapy notes. The Authority may only use and disclose psychotherapy notes in the following circumstances:

(A) In the Authority’s supervised counseling training programs;

(B) In connection with oversight of the originator of the psychotherapy notes; or

(e) Public health activities.

(A) The Authority may disclose an individual’s protected information to appropriate entities or persons for governmental public health activities and for other purposes including but not limited to:

(i) A governmental public health authority that is authorized by law to collect or receive protected information for the purpose of preventing or controlling disease, injury, or disability. This includes but is not limited to reporting disease, injury, and vital events such as birth or death; and the conducting of public health surveillance, investigations, and interventions;

(ii) An official of a foreign government agency that is acting in collaboration with a governmental public health authority;

(iii) A governmental public health authority, or other government authority that is authorized by law to receive reports of child abuse or neglect;

(iv) A person subject to the jurisdiction of the federal Food and Drug Administration (FDA), regarding an FDA-regulated product or activity for which that person is responsible for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity; or

(v) A person who may have been exposed to a communicable disease, or may be at risk of contracting or spreading a disease or condition, if the Authority or other public health authority is authorized to notify the person as necessary in conducting a public health intervention or investigation.

(B) Where state or federal law prohibits or restricts use and disclosure of information obtained or maintained for public health purposes, the Authority shall deny the use and disclosure.

(f) Child abuse reporting and investigation. If the Authority has reasonable cause to believe that a child is a victim of abuse or neglect, the Authority may disclose protected information to appropriate governmental authorities authorized by law to receive reports of child abuse or neglect.

(g) Adult abuse reporting and investigation. If the Authority has reasonable cause to believe that a vulnerable adult is a victim of abuse or neglect, the Authority may disclose information, as required by law, to a government authority or regulatory agency authorized by law to receive reports of abuse or neglect including but not limited to a social service or protective services agency authorized by law to receive such reports. Vulnerable adults are adults age 65 or older and persons with disabilities.

(h) Health oversight activities. The Authority may disclose information without authorization for health oversight activities, including audits; civil, criminal, or administrative investigations, prosecutions, licensing or disciplinary actions; Medicaid fraud; or other necessary oversight activities.

(i) Administrative and court hearings, grievances, investigations, and appeals.

(A) The Authority may use or disclose information for an investigation, administrative or court hearing, grievance, or appeal about an individual’s eligibility or right to receive Authority benefits or services.

(B) If the Authority has obtained information in performing its duties as a health oversight agency, public health authority, or public benefit program, the Authority may use or disclose that information in an administrative or court hearing consistent with the other privacy requirements applicable to that program, service, or activity.

(j) Court orders. The Authority may disclose information for judicial or administrative proceedings in response to a court order, subpoena, discovery request, or other legal process. If a court orders the Authority to conduct a mental examination pursuant to ORS 161.315, 161.365, 161.370, or orders the Authority to provide any other report or evaluation to the court, the examination, report, or evaluation shall be deemed to be required by law for purposes of HIPAA.

(k) Law enforcement purposes. For limited law enforcement purposes, the Authority may report certain injuries or wounds; provide information to identify or locate a suspect, victim, or witness; alert law enforcement of a death as a result of criminal conduct; and provide information which constitutes evidence of criminal conduct on Authority premises.

(A) The Authority may provide client information to a law enforcement officer in any of the following situations:

(i) The law enforcement officer is involved in carrying out any investigation, criminal, or civil proceedings connected with administering the program from which the information is sought;

(ii) An Authority employee may disclose information from personal knowledge that does not come from the client’s interaction with the Authority;

(iii) The disclosure is authorized by statute or administrative rule;

(iv) The information informs law enforcement of a death as a result of criminal conduct;

(v) The information constitutes evidence of criminal conduct on Authority premises; or

(vi) The disclosure is necessary to protect the client or others, and the client poses a threat to his or her safety or to the safety of others.

(B) Except as provided in section (2)(k)(C) of this rule, the Authority may give a client’s current address, Social Security number, and photo to a law enforcement officer if the law enforcement officer makes the request in the course of official duty, supplies the client’s name, and states that the client:

(i) Is a fugitive felon or is violating parole, probation, or post-prison supervision;

(ii) For all public assistance programs, has information that is necessary for the officer to conduct official duties, and the location or apprehension of the client is within the officer’s official duties; or

(C) If domestic violence has been identified in the household, the Authority may not release information about a victim of domestic violence unless a member of the household is either wanted as a fugitive felon or is violating parole, probation, or post-prison supervision.

(D) For purposes of this subsection, a fugitive felon is a person fleeing to avoid prosecution or custody for a crime, or an attempt to commit a crime, that would be classified as a felony.

(E) For purposes of this section, a law enforcement officer is an employee of the Oregon State Police, a county sheriff’s department, or a municipal police department, whose official duties include arrest authority.

(l) Use and disclosure of information about deceased individuals.

(A) The Authority may disclose individual information to a coroner or medical examiner for the purpose of identifying a deceased individual, determining cause of death, or other duties authorized by law.

(B) The Authority may disclose individual information to funeral directors as needed to carry out their duties regarding the decedent. The Authority may also disclose individual information prior to, and in anticipation of, the death.

(m) Organ or tissue donation. The Authority may disclose individual information to organ procurement organizations or other entities engaged in procuring, banking, or transplanting cadaver organs, eyes, or tissue for the purpose of facilitating transplantation.

(n) Research. The Authority may disclose individual information without authorization for research purposes, as specified in OAR 943-014-0060.

(o) Threat to health or safety. To avert a serious threat to health or safety the Authority may disclose individual information if:

(A) The Authority believes in good faith that the information is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

(B) The report is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

(p) National security and intelligence. The Authority may disclose information to authorized federal officials for lawful intelligence, counterintelligence, and other national security activities.

(q) Correctional institutions and law enforcement custody situations. The Authority may disclose information to a correctional institution or a law enforcement official having lawful custody of an inmate or other person, for the limited purpose of providing health care or ensuring the health or safety of the person or other inmates.

(r) Emergency treatment. In case of an emergency, the Authority may disclose individual information to the extent needed to provide emergency treatment.

(s) Government entities providing public benefits. The Authority may disclose eligibility and other information to governmental entities administering a government program providing public benefits.

(3) Authorization not required if opportunity to object given. The Authority may use and disclose an individual’s information without authorization if the Authority informs the individual in advance and gives the individual an opportunity to either agree or refuse or restrict the use and disclosure.

(a) These disclosures are limited to disclosure of information to a family member, other relative, close personal friend of the individual, or any other person named by the individual, subject to the following limitations:

(A) The Authority may disclose only the protected information that directly relates to the person’s involvement with the individual’s care or payment for care.

(B) The Authority may use and disclose protected information for notifying, identifying, or locating a family member, personal representative, or other person responsible for care of the individual, regarding the individual’s location, general condition, or death. For individuals who had resided at one time at the state training center, OAR 411-320-0090(6) addresses family reconnection.

(C) If the individual is present for, or available prior to, a use and disclosure, the Authority may disclose the protected information if the Authority:

(i) Obtains the individual’s agreement;

(ii) Provides the individual an opportunity to object to the disclosure, and the individual does not object; or

(iii) Reasonably infers from the circumstances that the individual does not object to the disclosure.

(D) If the individual is not present, or the opportunity to object to the use and disclosure cannot practicably be provided due to the individual’s incapacity or an emergency situation, the Authority may disclose the information if, using professional judgment, the Authority determines that the use and disclosure is in the individual’s best interests.

(b) Exception. For individuals referred to or receiving substance abuse treatment, mental health, or vocational rehabilitation services, the Authority shall not use or disclose information without written authorization, unless disclosure is otherwise permitted under 42 CFR part 2, 34 CFR 361.38, or ORS 179.505.

(c) Personal representative. The Authority must treat a personal representative as the individual for purposes of these rules, except that:

(A) A personal representative must be authorized under state law to act on behalf of the individual with respect to use and disclosure of information. The Authority may require a personal representative to provide a copy of the documentation authorizing the person to act on behalf of the individual.

(B) The Authority may elect not to treat a person as a personal representative of an individual if:

(i) The Authority has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by the person;

(ii) The Authority, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.

(4) Redisclosure. The Authority must inform the individual that information held by the Authority and authorized by the individual for disclosure may be subject to redisclosure and no longer protected by these rules.

(5) Specific written authorization. If the use or disclosure of information requires an authorization, the authorization must specify that the Authority may use or disclose vocational rehabilitation records, alcohol and drug records, HIV/AIDS records, genetics information, and mental health or developmental disability records held by publicly funded providers.

(a) Pursuant to federal regulations at 42 CFR part 2 and 34 CFR 361.38, the Authority may not make further disclosure of vocational rehabilitation and alcohol and drug rehabilitation information without the specific written authorization of the individual to whom it pertains.

(b) Pursuant to ORS 433.045 and OAR 333-012-0270, the Authority may not make further disclosure of individual information pertaining to HIV/AIDS.

(6) Verification of person or entity requesting information. The Authority may not disclose information about an individual without first verifying the identity of the person or entity requesting the information, unless the Authority workforce member fulfilling the request already knows the person or has already verified identity.

(7) Whistleblowers. The Authority may disclose an individual’s protected health information under the HIPAA privacy rules under the following circumstances:

(a) The Authority workforce member or business associate believes in good faith that the Authority has engaged in conduct that is unlawful or that otherwise violates professional standards or Authority policy, or that the care, services, or conditions provided by the Authority could endanger Authority staff, individuals in Authority care, or the public; and

(b) The disclosure is to a government oversight agency or public health authority, or an attorney of an Authority workforce member or business associate retained for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct alleged under section (7)(a) above; and

(c) Nothing in this rule is intended to interfere with ORS 659A.200 to 659A.224 describing the circumstances applicable to disclosures by Authority workforce or business associates.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0030

Client Privacy Rights

(1) Rights of clients to access their information. Clients may access, inspect, and obtain a copy of information on their own cases in Authority files or records, consistent with federal and state law.

(a) A client may request access by completing the Access to Records Request form, or by providing sufficient information to accomplish this request.

(b) Clients may request access to their own information that is kept by the Authority by using a personal identifier such as the client’s name or Authority case number.

(c) If the Authority maintains information in a record that includes information about other people, the client may see information only about himself or herself.

(d) If a person identified in the file is a minor child of the client, and the client is authorized under Oregon law to have access to the minor’s information or to act on behalf of the minor for making decisions about the minor’s care, the client may obtain information about the minor.

(e) If the requestor of information is recognized under Oregon law as a the client’s guardian or custodian and is authorized under Oregon law to have access to the client’s information or to act on behalf of the client for making decisions about the client’s services or care, the Authority shall release information to the requestor.

(f) For individuals with disabilities or mental illnesses, the named system in ORS 192.517, to protect and advocate the rights of individuals with developmental disabilities under Part C of the Developmental Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041 et seq.) and the rights of individuals with mental illness under the Protection and Advocacy for Individuals with Mental Illness Act (42 U.S.C. 10801 et seq.), shall have access to all records defined in ORS 192.515.

(g) The Authority may deny a client’s access to their own PHI if federal law prohibits the disclosure. Clients may access, inspect, and obtain a copy of health information on their own case in Authority files or records except for the following:

(A) Psychotherapy notes;

(B) Information compiled in reasonable anticipation of, or for use in civil, criminal, or administrative proceedings;

(C) Information that is subject to the federal Clinical Labs Improvement Amendments of 1988, or exempt pursuant to 42 CFR 493.3(a)(2);

(D) Information that the Authority believes, in good faith, can cause harm to the client, participant, or to any other person; and

(E) Documents protected by attorney work-product privilege.

(h) The Authority may deny a client access to information that was obtained under a promise of confidentiality from a person other than a health care provider to the extent that access would reveal the source of the information.

(i) The Authority may deny a client access to information, if the Authority gives the client a right to have the denial reviewed when:

(A) A licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may endanger the life or physical safety of the client or another person;

(B) The information makes reference to another person, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may cause substantial harm to the client or to another person; or

(C) The request for access is made by the client’s personal representative, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that allowing the personal representative access to the information may cause substantial harm to the client or to another person.

(j) If the Authority denies access under section (1)(i) of this rule, the client may have the decision reviewed by a licensed health care professional (for health information) or other designated staff (for other information) not directly involved in making the original denial decision.

(A) The Authority must promptly refer a client’s request for review to the designated reviewer.

(B) The reviewer must determine, within the 30 or 60-day time limits stated in section (1)(k)(A) and (B) of this rule, whether to approve or deny the client’s request for access.

(i) Promptly notify the client in writing of the reviewer’s determination; and

(ii) If approved, take action to carry out the reviewer’s determination.

(k) The Authority must act on a client’s request for access no later than 30 days after receiving the request, except as provided in this section and in the case of written accounts under ORS 179.505, which must be disclosed within five days.

(A) In cases where the information is not maintained or accessible to the Authority on-site, and does not fall under ORS 179.505, the Authority must act on the client’s request no later than 60 days after receiving the request.

(B) If the Authority is unable to act within the 30 or 60-day limits, the Authority may extend this time period a maximum of 30 additional days, subject to the following:

(i) The Authority must notify the client in writing of the reasons for the delay and the date by which the Authority shall act on the request.

(ii) The Authority shall use only one 30-day extension.

(l) If the Authority grants the client’s request, in whole or in part, the Authority must inform the client of the access decision and provide the requested access.

(A) If the Authority maintains the same information in more than one format or at more than one location, the Authority may provide the requested information once.

(B) The Authority must provide the requested information in a form or format requested by the client, if readily producible in that form or format. If not readily producible, the Authority shall provide the information in a readable hard-copy format or other format as agreed to by the Authority and the client.

(C) The Authority may provide the client with a summary of the requested information, in lieu of providing access, or may provide an explanation of the information if access has been provided, if:

(i) The client agrees in advance; and

(ii) The client agrees in advance to pay any fees the Authority may impose, under section (1)(L)(E) of this rule.

(D) The Authority shall arrange with the client for providing the requested access in a time, place, and manner convenient for the client and the Authority.

(E) If a client, or legal guardian or custodian, requests a copy, written summary, or explanation of the requested information, the Authority may impose a reasonable cost-based fee, limited to the following:

(i) Copying the requested information, including the costs of supplies and the labor of copying;

(ii) Postage; and

(iii) Staff time for preparing an explanation or summary of the requested information.

(m) If the Authority denies access, in whole or in part, to the requested information, the Authority must:

(A) Give the client access to any other requested client information, after excluding the information to which access is denied; and

(B) Provide the client with a timely written denial. The denial must:

(i) Be provided within the time limits specified in section (1)(k)(A) and (B) of this rule;

(ii) State the basis of the denial in plain language;

(iii) If the Authority denies access under section (1)(i) of this rule, explain the client’s review rights as specified in section (1)(j) of this rule, including an explanation of how the client may exercise these rights; and

(iv) Provide a description of how the client may file a complaint with the Authority, and if the information is PHI, with the United States Department of Health and Human Services (DHHS), Office for Civil Rights, pursuant to section (7) of this rule.

(n) If the Authority does not maintain the requested information, in whole or in part, and knows where the information is maintained (such as by a medical provider, insurer, other public agency, private business, or other non-Authority entity), the Authority must inform the client where to direct the request for access.

(2) Authority Notice of Privacy Practices. The Authority shall send clients notice about the Authority’s privacy practices as follows:

(a) The Authority shall make available to each client a notice of Authority privacy practices that describes the duty of the Authority to maintain the privacy of PHI and include a description that clearly informs the client of the types of uses and disclosures the Authority is permitted or required to make;

(b) The Authority shall provide all clients in direct care settings a notice of Authority privacy practices and shall request the client’s signature on an acknowledgement of receipt form;

(c) If the Authority revises its privacy practices, the Authority shall make the revised notice available to all clients;

(d) The Authority shall post a copy of the Authority’s Notice of Privacy Practices for public viewing at each Authority worksite and on the Authority website; and

(e) The Authority shall give a paper copy of the Authority’s Notice of Privacy Practices to any individual upon request.

(3) Right to request restrictions on uses or disclosures. Clients may request restrictions on the use or disclosure of their information.

(a) The Authority may deny the client’s request or limit its agreement to a request.

(A) The Authority may not agree to restrict uses or disclosures of information if the restriction would adversely affect the quality of the client’s care or services.

(B) The Authority may not agree to restrict uses or disclosures of information that would limit or prevent the Authority from making or obtaining payment for services.

(b) The Authority may not deny a client’s request to restrict the sharing of records of alcohol and drug treatment or records relating to vocational rehabilitation services with another Authority program.

(c) The Authority shall document the client’s request, and the reasons for granting or denying the request, in the client’s Authority case file.

(d) If the client needs emergency treatment and the restricted protected information is needed to provide the treatment, the Authority may use or disclose the restricted protected information to a provider, for the limited purpose of providing treatment. However, once the emergency situation subsides the Authority shall ask the provider not to redisclose the information.

(e) The Authority may terminate its agreement to a restriction if:

(A) The client agrees to or requests the termination in writing;

(B) The client orally requests or agrees to the termination, and the Authority documents the oral request or agreement in the client’s Authority case file; or

(C) With or without the client’s agreement, the Authority informs the client that the Authority is terminating its agreement to the restriction. Information created or received while the restriction was in place shall remain subject to the restriction.

(4) Rights of clients to request to receive information from the Authority by alternative means or at alternative locations. The Authority must accommodate reasonable requests by clients to receive communications from the Authority by alternative means, such as by mail, e-mail, fax, or telephone, and at an alternative location.

(a) The client must specify the preferred alternative means or location.

(b) The client may submit the request for alternative means or locations either orally or in writing.

(A) If the client makes a request in-person, the Authority shall document the request and ask for the client’s signature.

(B) If the client makes a request by telephone or electronically, the Authority shall document the request and verify the identity of the client.

(A) The client agrees to or requests termination of the alternative location or method of communication in writing or orally. The Authority shall document the oral agreement or request in the client’s Authority case file; or

(B) The Authority informs the client that the Authority is terminating its agreement to the alternative location or method of communication because the alternative location or method of communication is not effective. The Authority may terminate its agreement to communicate at the alternative location or by the alternate method if:

(i) The Authority is unable to contact the client at the location or by the method requested; or

(ii) The client fails to respond to payment requests, if applicable.

(5) Right of clients to request amendment of their information. Clients may request that the Authority amend information about themselves in Authority files.

(a) For all amendment requests, the Authority shall have the client complete the approved Authority form.

(b) The Authority may deny the request or limit its agreement to amend.

(c) The Authority must act on the client’s request no later than 60 days after receiving the request. If the Authority is unable to act within 60 days, the Authority may extend this time limit by a maximum of 30 additional days, subject to the following:

(A) The Authority must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Authority shall act on the request; and

(B) The Authority shall use only one 30-day extension.

(d) The program’s medical director, a licensed health care professional designated by the program administrator, or an Authority staff person involved in the client’s case must review the request and any related documentation prior to making a decision to amend a health or medical record.

(e) A staff person designated by the Authority shall review the request and any related documentation prior to making a decision to amend any information that is not a health or medical record.

(f) If the Authority grants the request, in whole or in part, the Authority shall:

(A) Make the appropriate amendment to the information or records, and document the amendment in the client’s Authority file or record;

(B) Provide notice to the client that the amendment has been granted, pursuant to the time limits under section (5)(c) of this rule;

(C) Obtain the client’s agreement to notify other relevant persons or entities with whom the Authority has shared or needs to share the amended information; and

(D) Inform and provide the amendment within a reasonable time to:

(i) Persons named by the client who have received the information and who need the amendment; and

(ii) Persons, including business associates of the Authority, that the Authority knows have the information that is the subject of the amendment and who may have relied, or could foreseeably rely, on the information to the client’s detriment.

(g) The Authority may deny the client’s request for amendment if:

(A) The Authority finds the information to be accurate and complete;

(B) The information was not created by the Authority;

(D) The information would not be available for inspection or access by the client, pursuant to section (1)(g) and (h) of this rule.

(h) If the Authority denies the amendment request, in whole or in part, the Authority must provide the client with a written denial. The denial must:

(A) Be sent within the time limits specified in section (5)(c) of this rule;

(B) State the basis for the denial, in plain language; and

(C) Explain the client’s right to submit a written statement disagreeing with the denial and how to file the statement. If the client files a statement:

(i) The Authority shall enter the written statement into the client’s Authority case file;

(ii) The Authority may also enter an Authority written rebuttal of the client’s written statement into the client’s Authority case file. The Authority shall send a copy of any written rebuttal to the client;

(iii) The Authority shall include a copy of the statement and any Authority written rebuttal with any future disclosures of the relevant information;

(iv) If a client does not submit a written statement of disagreement, the client may ask that if the Authority makes any further disclosures of the relevant information that the Authority shall also include a copy of the client’s original request for amendment and a copy of the Authority written denial; and

(v) The Authority shall provide information on how the client may file a complaint with the Authority and, if the information is PHI, with DHHS, Office for Civil Rights.

(6) Rights of clients to request an accounting of disclosures of PHI. Clients may receive an accounting of disclosures of PHI that the Authority has made for any period of time, not to exceed six years, preceding the request date for the accounting.

(a) For all requests for an accounting of disclosures, the client may complete the authorized Authority form “Request for Accounting of Disclosures of Health Records”, or provide sufficient information to accomplish this request.

(b) The right to an accounting of disclosures does not apply when the request is:

(A) Authorized by the client;

(B) Made prior to April 14, 2003;

(C) Made to carry out treatment, payment, or health care operations, unless these disclosures are made from an electronic health record;

(D) Made to the client;

(E) Made to persons involved in the client’s care;

(F) Made as part of a limited data set in accordance with OAR 943-014-0070;

(G) Made for national security or intelligence purposes; or

(H) Made to correctional institutions or law enforcement officials having lawful custody of an inmate.

(A) The date of the disclosure;

(B) The name and address, if known, of the person or entit, who received the disclosed information;

(D) A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or, in lieu of a statement, a copy of the client’s written request for a disclosure, if any.

(d) If, during the time period covered by the accounting, the Authority has made multiple disclosures to the same person or entity for the same purpose, the Authority may provide the required information for only the first disclosure. The Authority need not list the same identical information for each subsequent disclosure to the same person or entity if the Authority adds the following information:

(A) The frequency or number of disclosures made to the same person or entity; and

(B) The date of the most recent disclosure during the time period for which the accounting is requested.

(e) The Authority must act on the client’s request for an accounting no later than 60 days after receiving the request. If the Authority is unable to act within 60 days, the Authority may extend this time limit by a maximum of 30 additional days, subject to the following:

(A) The Authority must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Authority shall act on the request; and

(B) The Authority shall use only one 30-day extension.

(f) The Authority shall provide the first requested accounting in any 12-month period without charge. The Authority may charge the client a reasonable cost-based fee for each additional accounting requested by the client within the 12-month period following the first request, if the Authority:

(A) Informs the client of the fee before proceeding with any additional request; and

(B) Allows the client an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

(g) The Authority shall document the information required to be included in an accounting of disclosures, as specified in section (6)(c) of this rule, and retain a copy of the written accounting provided to the client.

(h) The Authority shall temporarily suspend a client’s right to receive an accounting of disclosures that the Authority has made to a health oversight agency or to a law enforcement official, for a length of time specified by the agency or official, if the agency or official provides a written or oral statement to the Authority that the accounting would be reasonably likely to impede their activities. If the agency or official makes an oral request, the Authority shall:

(A) Document the oral request, including the identity of the agency or official making the request.

(B) Temporarily suspend the client’s request to an accounting of disclosures; and

(C) Limit the temporary suspension to no longer than 30 days from the date of the oral request, unless the agency or official submits a written request specifying a longer time period.

(7) Filing a complaint. Clients may file a complaint with the Authority or, if the information is PHI, with DHHS, Office for Civil Rights.

(a) Upon request, the Authority shall give clients the name and address of the specific person or office of where to submit complaints to DHHS.

(b) The Authority may not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any individual filing a complaint or inquiring about how to file a complaint.

(c) The Authority may not require clients to waive their rights to file a complaint as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.

(d) The Authority shall designate staff to review and determine action on complaints filed with the Authority.

(e) The Authority shall document, in the client’s Authority case file all complaints, the findings from reviewing each complaint, and the Authority’s actions resulting from the complaint. For each complaint the documentation shall include a description of corrective action that the Authority has taken, if any are necessary, or why corrective action is not needed.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0040

Minimum Necessary Standards

(1) The Authority shall limit the use and disclosure of protected information to that which is reasonably necessary to accomplish the intended purpose of the use or disclosure which is referred to in these rules as the minimum necessary standard.

(2) This minimum necessary standard is not intended to impede the essential Authority activities of treatment, payment, health care operations, or service delivery.

(3) The minimum necessary standard applies:

(a) When using protected information within the Authority;

(b) When disclosing protected information to a third party in response to a request; or

(4) The minimum necessary standard does not apply to:

(a) Disclosures to or requests by a health care provider for treatment;

(b) Disclosures made to the individual, including disclosures made in response to a request for access or an accounting;

(d) Disclosures made to DHHS for the purposes of compliance and enforcement of federal regulations under 45 CFR part 160 and required for compliance with 45 CFR part 164.; or

(e) Uses and disclosures required by law;

(5) When requesting protected information about an individual from another entity, the Authority shall limit requests to those that are reasonably necessary to accomplish the purposes for which the request is made. The Authority shall not request a person’s entire medical record unless the Authority can specifically justify the need for the entire medical record.

Stat. Auth.: ORS 413.042

Stats. Implemented: 413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0050

Business Associate

(1) The Authority may disclose an individual’s PHI to a business associate, and may allow a business associate to create or receive an individual’s PHI on behalf of the Authority if the Authority and the business associate first enter into a contract that complies with applicable federal and state law. In some limited circumstances, the Authority may determine that the Authority is a business associate of a covered entity. A business associate relationship with the Authority requires additional contractual disclosure and privacy provisions that must be incorporated into the contract pursuant to 45 CFR part 164-504 (e)(1)

(2) A contract with a business associate must comply with OAR 125-055-0100 to 125-055-0130 and the qualified service organization requirements in 42 CFR part 2.11.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0060

Uses and Disclosures of Protected Information for Research Purposes

The Authority may use and disclose an individual’s information for research purposes as specified in this rule.

(1) All research disclosures are subject to applicable requirements of federal and state laws and rules including but not limited to 45 CFR part 46 and 21 CFR part 50.0 to 50.56, relating to the protection of human research subjects.

(2) The Authority may use and disclose de-identified information or a limited data set for research purposes, pursuant to OAR 943-014-0070.

(3) The Authority may use and disclose information regarding an individual for research purposes with the specific written authorization of the individual. The authorization must meet all requirements in OAR 943-014-0030, and may indicate an expiration date with terms such as “end of research study” or similar language. An authorization for use and disclosure for a research study may be combined with other types of written authorization for the same research study. If research includes treatment, the researcher may require an authorization for use and disclosure for the research as a provision of providing research related treatment.

(4) Notwithstanding section (3) of this rule, the Authority may use and disclose an individual’s information for research purposes without the individual’s written authorization, regardless of the source of funding for the research, provided that:

(a) The Authority obtains documentation that a waiver of an individual’s authorization for release of information requirements has been approved by an IRB registered with the Office for Human Research Protection. Documentation required of an IRB when granting approval of a waiver of an individual’s authorization for release of information must include all criteria specified in 45 CFR part 164.512(i)(2).

(b) A researcher may request access to individual information maintained by the Authority in preparation for research or to facilitate the development of a research protocol in anticipation of research. The Authority may determine whether to permit such use or disclosure, without individual authorization or use of an IRB, pursuant to 45 CFR part 164.512(i)(1)(ii).

(c) A researcher may request access to individual information maintained by the Authority about deceased individuals. The Authority may determine whether to permit such use or disclosure of information about decedents, without individual authorization or use of an IRB, pursuant to 45 CFR part 164.512(i)(1)(iii).

(5) The Authority, as a public health authority, may obtain and use individual information without authorization for the purpose of preventing injury or controlling disease and for the conduct of public health surveillance, investigations, and interventions. The Authority may also collect, use, or disclose information, without individual authorization, to the extent that the collection, use, or disclosure is required by law. When the Authority uses information to conduct studies as a public health authority, no additional individual authorization is required nor does this rule require an IRB or privacy board waiver of authorization based on the HIPAA privacy rules.

(6) The Authority may use and disclose information without individual authorization for studies and data analysis conducted for the Authority’s own quality assurance purposes or to comply with reporting requirements applicable to federal or state funding requirements in accordance with the definition of “Health Care Operations” in 45 CFR part 164.501.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0070

De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements

(1) The Authority may use and disclose information as appropriate for the work of the Authority, without further restriction, if the Authority or another entity has taken steps to de-identify the information pursuant to 45 CFR part 164.514(a) and (b).

(2) The Authority may assign a code or other means of record identification to allow the Authority to re-identify the de-identified information provided that:

(a) The code or other means of record identification is not derived from or related to information about the individual and cannot otherwise be translated to identify the individual; and,

(b) The Authority does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

(3) The Authority may use and disclose a limited data set if the Authority enters into a data use agreement with an entity requesting or providing the Authority with a limited data set subject to the requirements of 45 CFR part 164.514(e).

(a) The Authority may use and disclose a limited data set only for the purposes of research, public health, or health care operations. The Authority may use limited data set for its own activities or operations if the Authority has obtained a limited data set that is subject to a data use agreement.

(b) If the Authority knows of a pattern of activity or practice of a limited data set recipient that constitutes a material breach or violation of a data use agreement, the Authority shall take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the Authority shall discontinue disclosure of information to the recipient and report the problem to the Secretary of DHHS.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 413.042

Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Confidentiality and Inadmissibility of Mediation and Workplace Interpersonal Dispute Mediation and Communication.

Adm. Order No.: OHA 9-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-014-0200, 943-014-0205

Subject: HB 2009 (2009) created the Oregon Health Authority (Authority) and transferred to the Authority the Department of Human Services’ (Department) Divisions with respect to health and health care. Effective July 1, 2011 the Authority is adopting its own operational and programmatic rules as a part of the operational transfer from functions previously performed by the Department as a result of HB 2009(2009). These rule adoptions duplicate the rules in the Department’s chapter 407 and provide legal authority for the Authority to conduct business. These rules set forth the requirements, responsibilities, and duties of the Authority related to the disclosure of communications received as a result of mediations and workplace interpersonal dispute mediations. Those same requirements, responsibilities, and duties remain in the Department of Human Services OAR chapter 407 regarding disclosure of communications received as a result of mediation.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-014-0200

Confidentiality and Inadmissibility of Mediation Communications

(1) The words and phrases used in this rule have the same meaning as given to them in ORS 36.110 and 36.234.

(2) Nothing in this rule affects any confidentiality created by other law. Nothing in this rule relieves a public body from complying with the Public Meetings Law, ORS 192.610 to 192.690. Whether or not they are confidential under this or other rules of the agency, mediation communications are exempt from disclosure under the Public Records Law to the extent provided in ORS 192.410 to 192.505.

(3) This rule applies only to mediations in which the agency is a party or is mediating a dispute as to which the agency has regulatory authority. This rule does not apply when the agency is acting as the “mediator” in a matter in which the agency also is a party as defined in ORS 36.234.

(4) To the extent mediation communications would otherwise be compromise negotiations under ORS 40.190 (OEC Rule 408), those mediation communications are not admissible as provided in ORS 40.190 (OEC Rule 408), notwithstanding any provisions to the contrary in section (9) of this rule.

(5) Mediations Excluded. Sections (6)-(10) of this rule do not apply to:

(a) Mediation of workplace interpersonal disputes involving the interpersonal relationships between this agency’s employees, officials or employees and officials, unless a formal grievance under a labor contract, a tort claim notice or a lawsuit has been filed; or

(b) Mediation in which the person acting as the mediator will also act as the hearings officer in a contested case involving some or all of the same matters;

(d) Mediation involving two or more public bodies and a private party if the laws, rule or policies governing mediation confidentiality for at least one of the public bodies provide that mediation communications in the mediation are not confidential;

(e) Mediation involving 15 or more parties if the agency has designated that another mediation confidentiality rule adopted by the agency may apply to that mediation.

(6) Disclosures by Mediator. A mediator may not disclose or be compelled to disclose mediation communications in a mediation and, if disclosed, such communications may not be introduced into evidence in any subsequent administrative, judicial or arbitration proceeding unless:

(a) All the parties to the mediation and the mediator agree in writing to the disclosure; or

(b) The mediation communication may be disclosed or introduced into evidence in a subsequent proceeding as provided in subsections (c)-(d), (j)-(l) or (o)-(p) of section (9) of this rule; or

(c) The mediation communication includes information related to the health or safety of any child, then the mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child.

(d) The mediation communication includes information relating to suffering by or commission of abuse upon certain persons and that information would otherwise be required to be reported by a public or private official under the provisions of ORS 124.060 (person 65 years of age or older), 430.765 (1) and (2) (person who is mentally ill or developmentally disabled who is 18 years of age or older and receives services from a community program or facility) or 441.640 (person who is a resident in a long-term care facility), in which case that portion of the mediation communication may be disclosed as required by statute.

(7) Confidentiality and Inadmissibility of Mediation Communications. Except as provided in sections (8)-(9) of this rule, mediation communications are confidential and may not be disclosed to any other person, are not admissible in any subsequent administrative, judicial or arbitration proceeding and may not be disclosed during testimony in, or during any discovery conducted as part of a subsequent proceeding, or introduced as evidence by the parties or the mediator in any subsequent proceeding.

(8) Written Agreement. Section (7) of this rule does not apply to a mediation unless the parties to the mediation agree in writing, as provided in this section, that the mediation communications in the mediation will be confidential and/or nondiscoverable and inadmissible. If the mediator is the employee of and acting on behalf of a state agency, the mediator or an authorized agency representative must also sign the agreement. The parties’ agreement to participate in a confidential mediation must be in substantially the following form. This form may be used separately or incorporated into an “agreement to mediate.” [Form not included. See ED. NOTE.]

(9) Exceptions to confidentiality and inadmissibility.

(a) Any statements, memoranda, work products, documents and other materials, otherwise subject to discovery that were not prepared specifically for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding.

(b) Any mediation communications that are public records, as defined in ORS 192.410(4), and were not specifically prepared for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential or privileged under state or federal law.

(c) A mediation communication is not confidential and may be disclosed by any person receiving the communication to the extent that person reasonably believes that disclosing the communication is necessary to prevent the commission of a crime that is likely to result in death or bodily injury to any person. A mediation communication is not confidential and may be disclosed in a subsequent proceeding to the extent its disclosure may further the investigation or prosecution of a felony crime involving physical violence to a person.

(d) Any mediation communication related to the conduct of a licensed professional that is made to or in the presence of a person who, as a condition of his or her professional license, is obligated to report such communication by law or court rule is not confidential and may be disclosed to the extent necessary to make such a report.

(e) The parties to the mediation may agree in writing that all or part of the mediation communications are not confidential or that all or part of the mediation communications may be disclosed and may be introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential, privileged or otherwise prohibited from disclosure under state or federal law.

(f) A party to the mediation may disclose confidential mediation communications to a person if the party’s communication with that person is privileged under ORS chapter 40 or other provision of law. A party to the mediation may disclose confidential mediation communications to a person for the purpose of obtaining advice concerning the subject matter of the mediation, if all the parties agree.

(g) An employee of the agency may disclose confidential mediation communications to another agency employee so long as the disclosure is necessary to conduct authorized activities of the agency. An employee receiving a confidential mediation communication under this subsection is bound by the same confidentiality requirements as apply to the parties to the mediation.

(h) A written mediation communication may be disclosed or introduced as evidence in a subsequent proceeding at the discretion of the party who prepared the communication so long as the communication is not otherwise confidential under state or federal law and does not contain confidential information from the mediator or another party who does not agree to the disclosure.

(i) In any proceeding to enforce, modify or set aside a mediation agreement, a party to the mediation may disclose mediation communications and such communications may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of mediation communications or agreements to persons other than the parties to the agreement.

(j) In an action for damages or other relief between a party to the mediation and a mediator or mediation program, mediation communications are not confidential and may be disclosed and may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of the mediation communications or agreements.

(k) When a mediation is conducted as part of the negotiation of a collective bargaining agreement, the following mediation communications are not confidential and such communications may be introduced into evidence in a subsequent administrative, judicial or arbitration proceeding:

(A) A request for mediation; or

(B) A communication from the Employment Relations Board Conciliation Service establishing the time and place of mediation; or

(D) A strike notice submitted to the Employment Relations Board.

(l) To the extent a mediation communication contains information the substance of which is required to be disclosed by Oregon statute, other than ORS 192.410 to 192.505, that portion of the communication may be disclosed as required by statute.

(m) Written mediation communications prepared by or for the agency or its attorney are not confidential and may be disclosed and may be introduced as evidence in any subsequent administrative, judicial or arbitration proceeding to the extent the communication does not contain confidential information from the mediator or another party, except for those written mediation communications that are:

(A) Attorney-client privileged communications so long as they have been disclosed to no one other than the mediator in the course of the mediation or to persons as to whom disclosure of the communication would not waive the privilege; or

(B) Attorney work product prepared in anticipation of litigation or for trial; or

(C) Prepared exclusively for the mediator or in a caucus session and not given to another party in the mediation other than a state agency; or

(D) Prepared in response to the written request of the mediator for specific documents or information and given to another party in the mediation; or

(E) Settlement concepts or proposals, shared with the mediator or other parties.

(n) A mediation communication made to the agency may be disclosed and may be admitted into evidence to the extent the Agency Director, or designee determines that disclosure of the communication is necessary to prevent or mitigate a serious danger to the public’s health or safety, and the communication is not otherwise confidential or privileged under state or federal law.

(o) The terms of any mediation agreement are not confidential and may be introduced as evidence in a subsequent proceeding, except to the extent the terms of the agreement are exempt from disclosure under ORS 192.410 to 192.505, a court has ordered the terms to be confidential under ORS 17.095 or state or federal law requires the terms to be confidential.

(p) The mediator may report the disposition of a mediation to the agency at the conclusion of the mediation so long as the report does not disclose specific confidential mediation communications. The agency or the mediator may use or disclose confidential mediation communications for research, training or educational purposes, subject to the provisions of ORS 36.232(4).

(q) The mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child or person 65 years of age or older, person who is mentally ill or developmentally disabled and receives services from a community program or facility as defined in ORS 430.735 or person who is a resident of a long-term care facility.

(10) When a mediation is subject to section (7) of this rule, the agency will provide to all parties to the mediation and the mediator a copy of this rule or a citation to the rule and an explanation of where a copy of the rule may be obtained. Violation of this provision does not waive confidentiality or inadmissibility.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 36.224, 36.228, 36.230, 36.232 & 36.234

Hist.: OHA 9-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-014-0205

Confidentiality and Inadmissibility of Workplace Interpersonal Dispute Mediation Communications

(1) This rule applies to workplace interpersonal disputes, which are disputes involving the interpersonal relationships between this agency’s employees, officials or employees and officials. This rule does not apply to disputes involving the negotiation of labor contracts or matters about which a formal grievance under a labor contract, a tort claim notice or a lawsuit has been filed.

(2) The words and phrases used in this rule have the same meaning as given to them in ORS 36.110 and 36.234.

(3) Nothing in this rule affects any confidentiality created by other law.

(5) Disclosures by Mediator. A mediator may not disclose or be compelled to disclose mediation communications in a mediation and, if disclosed, such communications may not be introduced into evidence in any subsequent administrative, judicial or arbitration proceeding unless:

(a) All the parties to the mediation and the mediator agree in writing to the disclosure; or

(b) The mediation communication may be disclosed or introduced into evidence in a subsequent proceeding as provided in subsections (c) or (h)-(j) of section (7) of this rule; or

(6) Confidentiality and Inadmissibility of Mediation Communications. Except as provided in section (7) of this rule, mediation communications in mediations involving workplace interpersonal disputes are confidential and may not be disclosed to any other person, are not admissible in any subsequent administrative, judicial or arbitration proceeding and may not be disclosed during testimony in, or during any discovery conducted as part of a subsequent proceeding, or introduced into evidence by the parties or the mediator in any subsequent proceeding so long as:

(a) The parties to the mediation and the agency have agreed in writing to the confidentiality of the mediation; and

(b) The person agreeing to the confidentiality of the mediation on behalf of the agency:

(A) Is neither a party to the dispute nor the mediator; and

(B) Is designated by the agency to authorize confidentiality for the mediation; and

(C) Is at the same or higher level in the agency than any of the parties to the mediation or who is a person with responsibility for human resources or personnel matters in the agency, unless the agency head or member of the governing board is one of the persons involved in the interpersonal dispute, in which case the Governor or the Governor’s designee.

(7) Exceptions to confidentiality and inadmissibility.

(d) The parties to the mediation may agree in writing that all or part of the mediation communications are not confidential or that all or part of the mediation communications may be disclosed and may be introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential, privileged or otherwise prohibited from disclosure under state or federal law.

(e) A party to the mediation may disclose confidential mediation communications to a person if the party’s communication with that person is privileged under ORS chapter 40 or other provision of law. A party to the mediation may disclose confidential mediation communications to a person for the purpose of obtaining advice concerning the subject matter of the mediation, if all the parties agree.

(f) A written mediation communication may be disclosed or introduced as evidence in a subsequent proceeding at the discretion of the party who prepared the communication so long as the communication is not otherwise confidential under state or federal law and does not contain confidential information from the mediator or another party who does not agree to the disclosure.

(g) In any proceeding to enforce, modify or set aside a mediation agreement, a party to the mediation may disclose mediation communications and such communications may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of mediation communications or agreements to persons other than the parties to the agreement.

(h) In an action for damages or other relief between a party to the mediation and a mediator or mediation program, mediation communications are not confidential and may be disclosed and may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of the mediation communications or agreements.

(i) To the extent a mediation communication contains information the substance of which is required to be disclosed by Oregon statute, other than ORS 192.410 to 192.505, that portion of the communication may be disclosed as required by statute.

(j) The mediator may report the disposition of a mediation to the agency at the conclusion of the mediation so long as the report does not disclose specific confidential mediation communications. The agency or the mediator may use or disclose confidential mediation communications for research, training or educational purposes, subject to the provisions of ORS 36.232(4).

(k) The mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child or person 65 years of age or older, person who is mentally ill or developmentally disabled and receives services from a community program or facility as defined in ORS 430.735 or person who is a resident of a long-term care facility.

(7) The terms of any agreement arising out of the mediation of a workplace interpersonal dispute are confidential so long as the parties and the agency so agree in writing. Any term of an agreement that requires an expenditure of public funds, other than expenditures of $1,000 or less for employee training, employee counseling or purchases of equipment that remain the property of the agency, may not be made confidential.

(8) When a mediation is subject to section (6) of this rule, the agency will provide to all parties to the mediation and to the mediator a copy of this rule or an explanation of where a copy may be obtained. Violation of this provision does not waive confidentiality or inadmissibility.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 36.224, 36.228, 36.230, 36.232 & 36.234

Hist.: OHA 9-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Review Process When Self-Defense Asserted to a “Substantiated” physical at State Hospitals and State Operated Programs.

Adm. Order No.: OHA 10-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-045-0000

Subject: This rule adopts and incorporates by reference the Department of Human Services’ Review of Substantiated Physical Abuse When Self-Defense is Asserted at State Hospitals and State Operated Residential 24-hour Programs rules: chapter 407-0000 through 0110.

HB 2009 (2009) created the Oregon Health Authority and transferred to the Authority the Department of Human Services’ (Department) Divisions with respect to health and health care. Effective July 1, 2011 the Authority needs to adopt and incorporate by reference the Department’s rules which provide the Authority with the legal authority to conduct abuse investigations with respect to individuals residing in state hospitals and state operated 24-hour programs. These rules set forth the review process when self defense is asserted by individuals in response to “substantiated” determination.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-045-0000

Review of Substantiated Physical Abuse When Self-Defense is Asserted at State Hospitals

Protective service investigations and review of findings of alleged abuse in state hospitals are handled by the Office of Investigations and Training (OIT) State hospitals are administered by the Oregon Health Authority (Authority).

(1) The Authority adopts and incorporates by reference OAR 407-045-0000 to 407-045-0110 (Review of Substantiated Physical Abuse When Self-Defense is Asserted at State Hospitals.

(2) Any reference to any rule from OAR 407-045-0000 to 407-045-0110 in rules or contracts of the Authority are deemed to be references to the requirements of this rule, and shall be construed to apply to employees, volunteers, providers, or contractors that work at those locations that are administered by the Authority.

(3) References in OAR 407-045-0000 to 407-045-0110 to the Department of Human Services (Department) or to the Authority shall be construed to be references to either or both agencies.

(4) The Authority authorizes the Department to act on its behalf in carrying out protective service investigations and review of findings of alleged abuse at those locations that are administered by the Authority.

(5) Appeals will be handled by the Authority under the procedures set out in OAR 407-045-0000 to 407-045-0110, however, references to agency actions or decisions that qualify as orders under ORS 183.310(6) that are issued by “the Department” or by “the Director” are hereby incorporated as references to “the Oregon Health Authority” and “the Authority Director.”

(6) References in OAR 407-045-0000 to 407-045-0110 to the Human Services Abuse Review Committee (HSARC), the OIT Substantiation Review Committee (OSRC) or “Office of Developmental Disability Services Review Committee” (ODDSRC) shall be construed to be references to committees for either the Department or the Authority.

Stat. Auth.: ORS 179.040 & 413.042

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.755 - 430.768

Hist.: Hist.: OHA 10-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Abuse Reporting and Protective Services in Community Programs and Community Facilities.

Adm. Order No.: OHA 11-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-045-0250, 943-045-0260, 943-045-0280, 943-045-0290, 943-045-0300, 943-045-0310, 943-045-0320, 943-045-0330, 943-045-0340, 943-045-0350, 943-045-0360, 943-045-0370

With the creation of a new agency, the community programs and community facilities serving adults with mental illness moved to the Authority. Community programs and facilities serving adults with developmental disabilities will continue to be governed by the Department of Human Services’ rule found at OAR 407-045-0250 to 0370. These rules are needed to reflect the separation of the Department of Human Services and Oregon Health Authority.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-045-0250

Purpose

These rules, OAR 943-045-0250 to 943-045-0370, prescribe standards and procedures for the investigation of, assessment for, and provision of protective services in community programs and community facilities, and the nature and content of the abuse investigation and protective services report.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0260

Definitions

As used in OAR 943-045-0250 to 943-045-0370, the following definitions apply:

(1) “Abuse of an adult with developmental disabilities” means:

(a) “Abandonment” including desertion or willful forsaking by a person who has assumed responsibility for providing care, when that desertion or forsaking results in harm or places the adult at risk of serious harm.

(b) Death of an adult caused by other than accidental or natural means or occurring in unusual circumstances.

(A) Wrongfully taking the assets, funds, or property belonging to or intended for the use of an adult.

(B) Alarming an adult by conveying a threat to wrongfully take or appropriate money or property of the adult if the adult would reasonably believe that the threat conveyed would be carried out.

(C) Misappropriating, misusing, or transferring without authorization any money from any account held jointly or singly by an adult.

(D) Failing to use the income or assets of an adult effectively for the support and maintenance of the adult. “Effectively” means use of income or assets for the benefit of the adult.

(d) “Involuntary seclusion” means the involuntary seclusion of an adult for the convenience of a caregiver or to discipline the adult. Involuntary seclusion may include placing restrictions on an adult’s freedom of movement by restriction to his or her room or a specific area, or restriction from access to ordinarily accessible areas of the facility, residence, or program, unless agreed to by the Individual Support Plan (ISP) team included in an approved Behavior Support Plan (BSP) or included in a brokerage plan’s specialized support. Restriction may be permitted on an emergency or short term basis when an adult’s presence would pose a risk to health or safety.

(e) “Neglect” including:

(A) Active or passive failure to provide the care, supervision, or services necessary to maintain the physical and mental health of an adult that creates a significant risk of harm or results in actual harm to an adult. Services include but are not limited to the provision of food, clothing, medicine, housing, medical services, assistance with bathing or personal hygiene, or any other services essential to the well-being of the adult

(B) Failure of a caregiver to make a reasonable effort to protect an adult from abuse.

(f) “Physical abuse” means:

(A) Any physical injury by other than accidental means or that appears to be at variance with the explanation given for the injury.

(B) Willful infliction of physical pain or injury.

(C) Physical abuse is presumed to cause physical injury, including pain, to adults otherwise incapable of expressing pain.

(g) “Sexual abuse” including:

(A) Sexual contact with a nonconsenting adult or with an adult considered incapable of consenting to a sexual act under ORS 163.315.

(B) Sexual harassment, sexual exploitation, or inappropriate exposure to sexually explicit material or language including requests for sexual favors. Sexual harassment or exploitation includes but is not limited to any sexual contact or failure to discourage sexual contact between an employee of a community facility or community program, provider, or other caregiver and an adult. For situations other than those involving an employee, provider, or other caregiver and an adult, sexual harassment or exploitation means unwelcome physical sexual contact and other physical conduct directed toward an adult.

(C) Any sexual contact between an employee of a facility or paid caregiver and an adult served by the facility or caregiver. Sexual abuse does not mean consensual sexual contact between an adult and a paid caregiver who is the spouse or partner of the adult.

(D) Any sexual contact that is achieved through force, trickery, threat, or coercion.

(E) Any sexual contact between an adult with a developmental disability and a relative of the person with a developmental disability other than a spouse or partner. “Relative” means a parent, grandparent, children, brother, sister, uncle, aunt, niece, nephew, half brother, half sister, stepparent, or stepchild.

(F) As defined in ORS 163.305, “sexual contact” means any touching of the sexual or other intimate parts of a person or causing such person to touch the sexual or other intimate parts of the actor for the purpose of arousing or gratifying the sexual desire of either party.

(h) “Wrongful restraint” means:

(A) A wrongful use of a physical or chemical restraint, excluding an act of restraint prescribed by a licensed physician, by any adult support team approved plan, or in connection with a court order.

(B) “Wrongful restraint” does not include physical emergency restraint to prevent immediate injury to an adult who is in danger of physically harming himself or herself or others, provided only that the degree of force reasonably necessary for protection is used for the least amount of time necessary.

(i) “Verbal abuse” includes threatening significant physical harm or causing emotional harm to an adult through the use of:

(A) Derogatory or inappropriate names, insults, verbal assaults, profanity, or ridicule.

(B) Harassment, coercion, punishment, deprivation, threats, implied threats, intimidation, humiliation, mental cruelty, or inappropriate sexual comments.

(C) A threat to withhold services or supports, including an implied or direct threat of termination of services. “Services” include but are not limited to the provision of food, clothing, medicine, housing, medical services, assistance with bathing or personal hygiene, or any other services essential to the well-being of an adult.

(D) For purposes of this section, verbal conduct includes but is not limited to the use of oral, written, or gestured communication that is directed to an adult or within their hearing distance, or sight if gestured, regardless of their ability to comprehend. In this circumstance the assessment of the conduct is based on a reasonable person standard.

(E) The emotional harm that can result from verbal abuse may include but is not limited to anguish, distress, or fear.

(j) An adult who in good faith is voluntarily under treatment solely by spiritual means through prayer in accordance with the tenets and practices of a recognized church or religious denomination by a duly accredited practitioner shall for this reason alone not be considered subjected to abuse.

(2) “Abuse of an adult with mental illness” means:

(a) Death of an adult caused by other than accidental or natural means or occurring in unusual circumstances.

(b) “Neglect” including:

(A) Active or passive failure to provide the care, supervision, or services necessary to maintain the physical and mental health of an adult that results in actual harm or significant mental injury to an adult. “Services” include but are not limited to the provision of food, clothing, medicine, housing, medical services, assistance with bathing or personal hygiene, or any other services essential to the well-being of the adult.

(B) Failure of a caregiver to make a reasonable effort to protect an adult from abuse.

(A) Any physical injury by other than accidental means or that appears to be at variance with the explanation given for the injury.

(B) Willful infliction of physical pain or injury.

(C) Physical abuse is presumed to cause physical injury, including pain, to adults otherwise incapable of expressing pain.

(d) “Sexual abuse” including:

(A) Sexual contact with a nonconsenting adult or with an adult considered incapable of consenting to a sexual act under ORS 163.315.

(B) Sexual harassment, sexual exploitation, or inappropriate exposure to sexually explicit material or language including requests for sexual favors. Sexual harassment or exploitation includes but is not limited to any sexual contact or failure to discourage sexual contact between an employee of a community facility or community program, provider, or other caregiver and an adult. For situations other than those involving an employee, provider, or other caregiver and an adult, sexual harassment or exploitation means unwelcome physical sexual contact including requests for sexual favors and other physical conduct directed toward an adult.

(D) Any sexual contact that is achieved through force, trickery, threat, or coercion.

(E) As defined in ORS 163.305, “sexual contact” means any touching of sexual or other intimate parts of a person or causing such person to touch sexual or other intimate parts of the actor for the purpose of arousing or gratifying the sexual desire of either party.

(e) For the purpose of section (2) of this rule, the following definitions apply:

(A) “Employee” means an individual who provides a program service or who takes part in a program service and who receives wages, a salary, or is otherwise paid by the program for providing the service.

(B) “Program staff” means an employee or individual who, by contract with the program, provides a service and who has the applicable competencies, qualifications, and certification, required by the Integrated Services and Supports Rule (ISSR) (OAR 309-032-1500 to 309-032-1565) to provide the service.

(C) “Provider” means a qualified individual or an organizational entity operated by or contractually affiliated with a community mental health program, or contracted directly with the Authority’s Addictions and Mental Health Division (Division ) for the direct delivery of mental health services and supports.

(D) “Volunteer” means an individual who provides a program service or who takes part in a program service and who is not an employee of the program and is not paid for services. The services must be non-clinical unless the individual has the required credentials to provide a clinical service.

(E) In addition to the definitions of abuse in section (2)(a) through (d), abuse also has the following meanings for employees, program staff, providers, and volunteers:

(i) “Abandonment” including desertion or willful forsaking by an individual who has assumed responsibility for providing care when the desertion or forsaking results in harm or places the adult at a risk of serious harm.

(ii) “Financial exploitation” including:

(I) Wrongfully taking the assets, funds, or property belonging to or intended for the use of an adult.

(II) Alarming an adult by conveying a threat to wrongfully take or appropriate money or property of the adult if the adult would reasonably believe that the threat conveyed would be carried out.

(III) Misappropriating, misusing, or transferring without authorization any money from any account held jointly or singly by an adult.

(IV) Failing to use the income or assets of an adult effectively for the support and maintenance of the adult. “Effectively” means use of income or assets for the benefit of the adult.

(iii) “Involuntary Seclusion” means the involuntary seclusion of an adult for the convenience of a caregiver or to discipline the adult. Involuntary seclusion may include placing restrictions on an adult’s freedom of movement by restriction to his or her room or a specific area or restriction from access to ordinarily accessible areas of the facility, residence, or program unless agreed to by the treatment plan. Restriction may be permitted on an emergency or short term basis when an adult’s presence would pose a risk to health or safety.

(iv) “Neglect” including active or passive failure to provide the care, supervision, or services necessary to maintain the physical and mental health of an adult that creates a significant risk of harm to an adult or results in actual harm or significant mental injury to an adult. Services include but are not limited to the provision of food, clothing, medicine, housing, medical services, assistance with bathing or personal hygiene, or any other services essential to the well-being of the adult.

(v) “Verbal abuse” includes threatening significant physical harm or causing emotional harm to an adult through the use of:

(I) Derogatory or inappropriate names, insults, verbal assaults, profanity, or ridicule.

(II) Harassment, coercion, punishment, deprivation, threats, implied threats, intimidation, humiliation, mental cruelty, or inappropriate sexual comments.

(III) A threat to withhold services or supports, including an implied or direct threat of termination of services. “Services” include but are not limited to the provision of food, clothing, medicine, housing, medical services, assistance with bathing or personal hygiene, or any other services essential to the well-being of an adult.

(IV) For purposes of this section, verbal conduct includes but is not limited to the use of oral, written, or gestured communication that is directed to an adult or within their hearing distance or sight, regardless of their ability to comprehend. In this circumstance the assessment of the conduct is based on a reasonable person standard.

(V) The emotional harm that can result from verbal abuse may include but is not limited to anguish, distress, or fear.

(vi) “Wrongful restraint” means:

(I) A wrongful use of a physical or chemical restraint excluding an act of restraint prescribed by a licensed physician pursuant to OAR 309-033-0730.

(II) Abuse does not include physical emergency restraint to prevent immediate injury to an adult who is in danger of physically harming himself or herself or others, provided that only the degree of force reasonably necessary for protection is used for the least amount of time necessary.

(F) An adult who in good faith is voluntarily under treatment solely by spiritual means through prayer in accordance with the tenets and practices of a recognized church or religious denomination by a duly accredited practitioner shall for this reason alone not be considered subjected to abuse.

(3) “Abuse Investigation and Protective Services Report” means a completed report.

(4) “Adult” means an adult who is 18 years of age or older who:

(a) Has a developmental disability and is currently receiving services from a community program or facility or was previously determined eligible for services as an adult by a community program or facility; or

(b) Has a mental illness and is receiving services from a community program or facility.

(c) Receives services from a community program or facility or care provider which is licensed or certified by or contracts with the Authority or Department; and

(d) Is the alleged abuse victim.

(5) “Adult protective services” means the necessary actions taken to prevent abuse or exploitation of an adult, to prevent self-destructive acts, and to safeguard an allegedly abused adult’s person, property, or funds.

(6) “Authority” means the Oregon Health Authority.

(7) “Brokerage” or “Support service brokerage” means an entity, or distinct operating unit within an existing entity, that performs the functions listed in OAR 411-340-0120(1)(a) to (g) associated with planning for and implementation of support services for an adult with developmental disabilities.

(8) “Caregiver” means an individual or facility that has assumed responsibility for all or a portion of the care of an adult as a result of a contract or agreement.

(9) “Community facility” means a community residential treatment home or facility, community residential facility, adult foster home, community residential training home or facility, or a facility approved by AMH for acute care services or crisis respite.

(10) “Community program” means the community mental health or developmental disabilities program as established in ORS 430.610 to 430.695.

(11) “Designee” means the community program.

(12) “Department” means the Department of Human Services.

(13) “Inconclusive” means there is insufficient evidence to conclude the alleged abuse occurred or did not occur by a preponderance of the evidence. The inconclusive determination may be used only in the following circumstances:

(a) After diligent efforts have been made, the protective services investigator is unable to locate the person alleged to have committed the abuse, or cannot locate the alleged victim or another individual who might have information critical to the investigation; or

(b) Relevant records or documents are unavailable, or there is conflicting or inconsistent information from witnesses, documents, or records with the result that after the investigation is complete, there is insufficient evidence to support a substantiated or not substantiated conclusion.

(14) “Law enforcement agency” means any city or municipal police department, county sheriff’s office, the Oregon State Police, or any district attorney.

(15) “Mandatory reporter” means any public or private official who, while acting in an official capacity, comes in contact with and has reasonable cause to believe that an adult has suffered abuse, or that any individual with whom the official comes in contact while acting in an official capacity has abused an adult. Pursuant to ORS 430.765(2), psychiatrists, psychologists, clergy, and attorneys are not mandatory reporters with regard to information received through communications that are privileged under ORS 40.225 to 20.295.

(16) “Not substantiated” means the preponderance of evidence establishes the alleged abuse did not occur.

(17) “OIT” means the Department’s Office of Investigations and Training.

(18) “Provider agency” means an entity licensed or certified to provide services, or which is responsible for the management of services to clients.

(19) “Public or private official” means:

(a) Physician, naturopathic physician, osteopathic physician, psychologist, chiropractor, or podiatrist, including any intern or resident;

(b) Licensed practical nurse, registered nurse, nurse’s aide, home health aide, or employee of an in-home health services organization;

(c) Employee of the Authority, Department, county health department, community mental health or developmental disabilities program, or private agency contracting with a public body to provide any community services;

(d) Peace officer;

(e) Member of the clergy;

(f) Licensed clinical social worker;

(g) Physical, speech, or occupational therapist;

(h) Information and referral, outreach, or crisis worker;

(i) Attorney;

(j) Firefighter or emergency medical technician; or

(k) Any public official who comes in contact with adults in the performance of the official’s duties.

(20) “Substantiated” means that the preponderance of evidence establishes the abuse occurred.

(21) “Unbiased investigation” means an investigation that is conducted by a community program that does not have an actual or potential conflict of interest with the outcome of the investigation.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0280

Training for Adults Investigating Reports of Alleged Abuse

(1) The Authority shall provide sufficient and timely training and consultation to community programs to ensure that the community program is able to conduct a thorough and unbiased investigation and reach a conclusion about the abuse. Training shall include initial and continuing education of any individual designated to conduct protective services investigations.

(2) The training shall address the cultural and social diversity of the State of Oregon.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: Hist.: OHA 10-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0290

General Duties of the Community Program and Initial Action on Report of Alleged Abuse

(1) For the purpose of carrying out these rules, community programs are Authority designees.

(2) If mandatory reporters have reasonable cause to believe abuse has occurred, the reporter must report the abuse to the community program and to a local law enforcement agency when the reporter believes a crime may have been committed.

(3) Each community program shall designate at least one employee to conduct protective services investigations. Community programs shall require their designated protective services investigators to participate in training and to demonstrate an understanding of investigative core competencies.

(4) If the Authority or community program has reasonable cause to believe abuse occurred, it must immediately notify the appropriate public licensing or certifying agency and provide a copy of the abuse investigation and completed protective services report.

(5) If the Authority or community program has reasonable cause to believe that an individual licensed or certified by any state agency to provide care has committed abuse, it must immediately notify the appropriate state licensing or certifying agency and provide that agency with a copy of the abuse investigation and completed protective services report.

(6) The Authority or community program may share information prior to the completion of the abuse investigation and protective services report if the information is necessary for:

(a) The provision of protective services; or

(b) The function of licensing and certifying agencies or law enforcement agencies.

(7) Each community program must establish an after hours reporting system.

(8) Upon receipt of any report of alleged abuse or upon receipt of a report of a death that may have been caused by other than accidental or natural means, the community program must begin:

(a) Investigation into the nature and cause of the alleged abuse within one working day of receipt of the report to determine if abuse occurred or whether a death was caused by abuse;

(b) Assessment of the need for protective services; and

(9) The community program receiving a report alleging abuse must document the information required by ORS 430.743(1) and any additional reported information. The community program must attempt to elicit the following information from the individual making a report:

(a) The name, age, and present location of the adult;

(b) The names and addresses of the adult’s programs or facilities responsible for the adult’s care;

(c) The nature and extent of the alleged abuse, including any evidence of previous abuse of the adult or evidence of previous abuse by the person alleged to have committed the abuse;

(d) Any information that led the individual making the report to suspect abuse had occurred;

(e) Any information that the individual believes might be helpful in establishing the cause of the abuse and the identity of the person alleged to have committed the abuse; and

(f) The date of the incident.

(10) The community program shall maintain all reports of abuse in a confidential location.

(11) If there is reason to believe a crime has been committed, the community program must contact the law enforcement agency with jurisdiction in the county where the report is made.

(12) If there is reasonable cause to believe that abuse has occurred, the community program must determine if the adult is in danger or in need of immediate protective services and shall provide those services immediately. Under these circumstances, the community program must also advise the provider agency, brokerage, or guardian about the allegation, and must include any information appropriate or necessary for the health, safety, and best interests of the adult in need of protection.

(13) The community program shall immediately, but no later than one working day, notify the Authority it has received a report of abuse, in the format provided by the Authority.

(14) If the community program determines from the report that there is no reasonable cause to believe abuse occurred, the community program shall notify the provider agency or brokerage within five working days that a protective services investigation shall not commence and explain the reasons for that decision. The community program shall document the notice and maintain a record of all notices.

(15) If the community program determines that a report will be assigned for investigation, the community program must notify the provider agency, brokerage, guardian, and any other individual with responsibility for providing services and protection, unless doing so would compromise the safety, health, or best interests of the adult in need of protection, or would compromise the integrity of the abuse investigation or a criminal investigation. The notice shall include information that the case shall be assigned for investigation, identify the investigator, and provide information regarding how the assigned investigator may be contacted. The notice must be provided within five working days from the date the report was received.

(16) The community program or law enforcement agency shall notify the appropriate medical examiner in cases where the community program or law enforcement agency finds reasonable cause to believe that an adult has died as a result of abuse or where the death occurred under suspicious or unknown circumstances.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0300

Investigation of Alleged Abuse

(1) Investigation of abuse shall be thorough and unbiased. Community programs may not investigate allegations of abuse made against employees of the community program. Investigations of community program staff shall be conducted by the Authority or other community programs not subject to an actual or potential conflict of interest.

(2) In conducting an abuse investigation, the investigator must:

(a) Make in-person contact with the adult;

(b) Interview the adult, witnesses, the person alleged to have committed the abuse, and other individuals who may have knowledge of the facts of the abuse allegation or related circumstances. Interviews must be conducted in-person where practicable. The investigator must attempt to elicit the date of birth for each individual interviewed and shall obtain the date of birth of any person alleged to have committed the alleged abuse;

(d) Photograph the adult consistent with forensic guidelines, or arrange for the adult to be photographed, to preserve evidence of the alleged abuse and of the adult’s physical condition at the time of investigation, unless the adult knowingly refuses.

(3) All records necessary for the investigation shall be available to the community program for inspection and copying. A community facility shall provide community programs access to employees, the adult, and the premises for investigation purposes.

(4) When a law enforcement agency is conducting a criminal investigation of the alleged abuse, the community program shall also perform its own investigation as long as it does not interfere with the law enforcement agency investigation under the following circumstances:

(a) There is potential for action by a licensing or certifying agency;

(b) Timely investigation by law enforcement is not probable; or

(5) When a law enforcement agency is conducting an investigation of the alleged abuse, the community program must communicate and cooperate with the law enforcement agency.

Stat. Auth.: ORS 179.040 & 413.042

Stats. Implemented: ORS 430.735–430.765, 443.400–443.460, 443.705–443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0310

Assessment for and Provision of Protective Services to the Adult

The community program shall ensure that appropriate and necessary protective services are provided to the adult to prevent further abuse and must be undertaken in a manner that is least intrusive to the adult and provide for the greatest degree of independence available within existing resources. Assessment for the provision of protective services may include:

(1) Arranging for the immediate protection of the adult;

(2) Contacting the adult to assess his or her ability to protect his or her own interest or give informed consent;

(3) Determining the ability of the adult to understand the nature of the protective service and his or her willingness to accept services;

(4) Coordinating evaluations to determine or verify the adult’s physical and mental status, if necessary;

(5) Assisting in and arranging for appropriate services and alternative living arrangements;

(6) Assisting in or arranging the medical, legal, financial, or other necessary services to prevent further abuse;

(7) Providing advocacy to assure the adult’s rights and entitlements are protected; and

(8) Consulting with the community facility, program, brokerage, or others as appropriate in developing recommendations or requirements to prevent further abuse.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0320

Abuse Investigation and Protective Services Report

(1) The Authority shall provide abuse investigation and protective services report formats.

(2) Upon completion of the investigation and within 45 calendar days of the date the community program determines a report alleging abuse shall be assigned for investigation, the community programs shall prepare an abuse investigation and protective services report. This 45-day time period does not include an additional five-working day period allowing OIT to review and approve the report. The protective services report shall include:

(a) A statement of the allegations being investigated, including the date, location, and time;

(b) A list of protective services provided to the adult;

(c) An outline of steps taken in the investigation, a list of all witnesses interviewed, and a summary of the information provided by each witness;

(d) A summary of findings and conclusion concerning the allegation of abuse;

(e) A specific finding of “substantiated,” “inconclusive,” or “not substantiated”;

(f) A plan of action necessary to prevent further abuse of the adult;

(g) Any additional corrective action required by the community program and deadlines for completing these actions;

(h) A list of any notices made to licensing or certifying agencies;

(i) The name and title of the individual completing the report; and

(j) The date the report is written.

(3) In cases where, for good cause shown, the protective services investigator cannot complete the report within 45 days, the investigator shall submit a request for time extension to OIT.

(a) An extension may be granted for good cause shown which includes but is not limited to:

(A) When law enforcement is conducting an investigation;

(B) A material party or witness is temporarily unavailable;

(D) The investigation is complex (e.g. large numbers of witnesses need to be interviewed taking into account scheduling difficulties and limitations, consultation with experts, or a detailed review of records over an extended period of time is required); or

(E) For some other mitigating reason.

(b) When granting an extension, OIT shall consult with the program about the need for an extension and determine the length of the extension as necessary.

(c) The community program shall notify the provider agency, brokerage, and guardian when an extension is granted and advise them of the new report due date.

(4) A copy of the final abuse investigation and protective services report shall be provided to the Authority or Department within five working days of the report’s completion and approval by OIT.

(5) The community program must provide notice of the outcome of the investigation, or assure that notice is provided to the alleged victim, guardian, provider agency and brokerage, accused person, and to any law enforcement agency which previously received notice of the initial report. Notice of outcome shall be provided to a reporter upon the reporter’s request. Notice of outcome must be made within five working days after the date the case is completed and approved by OIT. The community program must document how the notice was provided.

(6) A centralized record of all abuse investigation and protective services reports shall be maintained by community programs for all abuse investigations conducted in their county, and by the Authority or Department for all abuse investigations in the state.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0330

Disclosure of the Abuse Investigation and Protective Services Report and Related Documents

(1) Portions of the abuse investigation and protective services report and underlying investigatory documents are confidential and are not available for public inspection. Pursuant to ORS 430.763, names of abuse reporters, witnesses, and the alleged abuse victim are confidential and shall not be available for public inspection. Investigatory documents, including portions of the abuse investigation and protective services report that contains “individually identifiable health information,” as that term is defined under ORS 192.519 and 45 CFR160.103, are confidential under federal Health Insurance Portability and Accountability Act (HIPAA) privacy rules, 45 CFR Parts 160 and 164, and ORS 192.520 and 179.505-179.509.

(2) Notwithstanding section (1) of this rule, the Authority shall make confidential information available, including any photographs if appropriate, to any law enforcement agency, public agency that licenses or certifies facilities or licenses or certifies the individuals practicing therein, and any public agency providing protective services for the adult. The Authority shall make the protective services report and underlying investigatory materials available to any private agency providing protective services for the adult and to the protection and advocacy system designated pursuant to ORS 192.517(1).

(3) Individuals or entities receiving confidential information pursuant to this rule shall maintain the confidentiality of the information and shall not redisclose the confidential information to unauthorized individuals or entities, as required by state or federal law.

(4) The community program shall prepare a redacted version of the final completed abuse investigation report within 10 days after the date of the final report. The redacted report shall not contain any confidential information which is prohibited from disclosure pursuant to state or federal law. The redacted report shall be submitted to the provider agency and brokerage.

(5) The community program shall provide a redacted version of the written report to the public for inspection upon written request.

(6) When the abuse investigation and protective services report is conducted by a community program as the Authority’s designee, the protective services investigation may be disclosed pursuant to this rule either by the community program or the Authority.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0340

Prohibition Against Retaliation

(1) A community facility, community program, or individual shall not retaliate against any individual who reports suspected abuse in good faith, including the adult.

(2) Any community facility, community program, or individual that retaliates against any individual because of a report of suspected abuse shall be liable, according to ORS 430.755, in a private action to that individual for actual damages and, in addition, a civil penalty up to $1,000, notwithstanding any other remedy provided by law.

(3) Any adverse action creates a presumption of retaliation if taken within 90 days of a report of abuse. For purposes of this sub-section, “adverse action” means any action taken by a community facility, community program, or individual involved in a report against the individual making the report or against the adult because of the report and includes but is not limited to:

(a) Discharge or transfer from the community facility, except for clinical reasons;

(b) Termination of employment;

(d) Restriction or prohibition of access to the community facility or its residents.

(4) Adverse action may also be evidence of retaliation after 90 days even though the presumption no longer applies.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0350

Immunity of Individuals Making Reports in Good Faith

(1) Any individual who makes a good faith report and who had reasonable grounds for making the report shall have immunity from civil liability with respect to having made the report.

(2) The reporter shall have the same immunity in any judicial proceeding resulting from the report as may be available in that proceeding.

(3) An individual who has personal knowledge that an employee or former employee of the adult was found to have committed abuse is immune from civil liability for the disclosure to a prospective employer of the employee of known facts concerning the abuse.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0360

Authority Investigation of Alleged Abuse

(1) If determined necessary or appropriate, the Authority may conduct an investigation rather than allow the community program to investigate the alleged abuse or in addition to the investigation by the community program. Under such circumstances, the community program must receive authorization from the Authority before conducting any separate investigation.

(2) The community program shall make all records necessary for the investigation available to the Authority for inspection and copying. The community facilities and community programs must provide the Authority access to employees, the adult, and the premises for investigation purposes.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0370

County Multidisciplinary Teams

(1) The community program must participate in its county Multidisciplinary Team (MDT) to coordinate and collaborate on protective services for the abuse of adults with developmental disabilities or mental illness or both.

(2) All confidential information protected by state and federal law that is shared or obtained by MDT members in the exercise of their duties on the MDT is confidential and may not be further disclosed except as permitted by law.

(3) The community program or OIT shall provide an annual report to the MDT reporting the number of investigated and substantiated allegations of abuse of adults and the number referred to law enforcement in the county.

Stat. Auth.: ORS 179.040 & 413.042, 430.731, 414.715

Other Auth.: HB 2009, OL Ch. 595, sce. 19-25

Stats. Implemented: ORS 413.032, 430.735 - 430.765, 443.400 - 443.460, 443.705 - 443.825

Hist.: OHA 11-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Abuse Reporting and Protective Services for Individuals in State Hospitals.

Adm. Order No.: OHA 12-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-045-0400, 943-045-0410, 943-045-0420, 943-045-0430, 943-045-0440, 943-045-0450, 943-045-0460, 943-045-0470, 943-045-0480, 943-045-0490, 943-045-0500, 943-045-0510, 943-045-0520

With the creation of a new agency, the state hospitals serving individuals with mental illness moved to the Authority. These rules are needed to reflect the separation of the Department of Human Services and Oregon Health Authority.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-045-0400

Purpose

The purpose of these rules is to establish a policy prohibiting abuse and to define procedures for reporting, investigating, and resolving alleged incidents of abuse of individuals in state hospitals.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0410

Definitions

(1) “Abuse” means any act or absence of action by a staff or visitor inconsistent with prescribed treatment and care that violates the well-being or dignity of the individual.

(2) “Authority” means the Oregon Health Authority.

(3) “Derogatory” means an expression of a low opinion or a disparaging remark.

(4) “Director” means the Director of the Oregon Health Authority’s Addictions and Mental Health Division or their designee.

(5) “Disrespectful” means lacking regard or concern; or to treat as unworthy or lacking value as a human being.

(6) “Division” means the Oregon Health Authority’s Addictions and Mental Health Division.

(7) “Employee” means an individual employed by the state and subject to rules for employee conduct.

(8) “Inconclusive” means there is insufficient evidence to conclude the alleged abuse occurred or did not occur by a preponderance of the evidence.

(9) “Individual” means a person who is receiving services at a state hospital for people with mental illness.

(10) “Not Substantiated” means the preponderance of evidence establishes the alleged abuse did not occur.

(11) “Office of Investigations and Training (OIT)”means the Department of Human Services’ office responsible for the investigation of allegations of abuse made at state hospitals on behalf of the Authority.

(12) “Staff” means employees, contractors and their employees, and volunteers.

(13) “Substantiated” means that the preponderance of evidence establishes the abuse occurred.

(14) “Superintendent” refers to the chief executive officer of a state hospital who serves as the designee of the Director to receive allegations of abuse concerning individuals and his or her designee.

(15) “Visitor” means all others persons not included as staff who visit the facility for business purposes or to visit individuals or staff.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0420

General Policy

(1) The Authority believes every individual is deserving of safe, respectful and dignified treatment provided in a caring environment. To that end, all employees, volunteers, contractors and their employees, as well as visitors shall conduct themselves in such a manner that individuals are free from abuse.

(2) In these rules, the term “abuse” is given a broad definition because of the unique vulnerability of individuals served by the Authority. While some examples are listed later in these rules (including specific conduct listed in ORS 430.735(1)), it must be clearly understood that all possible situations cannot be anticipated and each case must be evaluated based on the particular facts available.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0430

Policy Regarding Abuse

(1) All forms of Abuse Prohibited. Staff, visitors, volunteers, contractors and their employees must continually be aware of the potential for abuse in interactions with individuals.

(2) Listed below are examples of the type of conduct which constitutes abuse. This list of examples is by no means exhaustive and represents general categories of prohibited conduct. Conduct of a like or similar nature is also obviously prohibited. Examples include, but are not limited to:

(a) Physical Abuse: Examples include hitting, kicking, scratching, pinching, choking, spanking, pushing, slapping, twisting of head, arms, or legs, tripping, the use of physical force which is unnecessary or excessive or other physical contact with an individual inconsistent with prescribed treatment or care;

(b) Verbal Abuse: Verbal conduct may be abusive because of either the manner of communicating with or the content of the communication with individuals. Examples include yelling, ridicule, harassment, coercion, threats, intimidation, cursing, foul language or other forms of communication which are derogatory or disrespectful of the individual, or remarks intended to provoke a negative response by the individual;

(c) Abuse by Failure to Act: This includes neglecting the care of the individual resulting in death (including suicide), physical or psychological harm, or a significant risk of harm to the individual either by failing to provide authorized and prescribed treatment or by failing to intervene when an individual needs assistance such as denying food or drink or leaving the individual unattended when staff presence is mandated;

(d) Sexual Abuse: Examples include:

(A) Contact of a sexual nature between staff and individuals;

(B) Failure to discourage sexual advances toward staff by individuals; and

(C) Permitting the sexual exploitation of individuals or use of individual sexual activity for staff entertainment or other improper purpose.

(e) Condoning Abuse: Permitting abusive conduct toward an individual by any other staff, individual, or person; and

(f) Statutory Terms of Abuse: As defined in ORS 430.735: any death caused by other than accidental or natural means; any physical injury caused by other than accidental means, or that appears to be at variance with the explanation given of the injury; willful infliction of physical pain or injury, sexual harassment or exploitation, including but not limited to any sexual contact between an employee of a facility or community program and an adult, and neglect that leads to physical harm or significant mental injury through withholding of services necessary to maintain health and well being.

(3) At times, persons may be required to utilize self-defense. This includes control procedures that are designed to minimize physical injury to the individual or other persons. Employees must use the least restrictive procedures necessary under the circumstances for dealing with an individual’s behaviors or defending against an individual’s attack. Abuse does not include acts of self-defense or defense of an individual or other person in response to the use or imminent use of physical force provided that only the degree of force reasonably necessary for protection is used. When excessively severe methods of control are used or when any conduct designed as self-defense is carried beyond what is necessary under the circumstances to protect the individual or other persons from further violence or assault, then that conduct then becomes abuse.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0440

Reporting Requirements

(1) Oregon law requires mandatory reports and investigations of allegations of abuse of individuals with disabilities. Therefore, any person who has reasonable cause to believe that an incident of abuse has occurred to an individual residing at a state hospital must immediately report the incident according to the procedures set forth in the applicable state hospital policy on abuse reporting.

(2) Any person participating in good faith in reporting alleged abuse and who has reasonable grounds for reporting has immunity from any civil liability that otherwise might be imposed or incurred based on the reporting or the content of the report under ORS 430.753(1).

(3) The identity of the person reporting alleged abuse is confidential. The Authority or OIT may reveal the names of abuse reporters to law enforcement agencies, public agencies who certify or license facilities or persons practicing therein, public agencies providing services to the individuals, private agencies providing protective services for the individuals, and the protection and advocacy system for individuals designated by federal law. The identity of the person reporting alleged abuse may also be disclosed in certain legal proceedings including, but not limited to, Human Resources or other administrative proceedings and criminal prosecution.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0450

Preliminary Procedures

(1) Once a report of alleged abuse is made, the following steps shall be taken to ensure both a proper investigation and appropriate action are taken to ensure that individuals are free from any threat of abuse:

(a) No later than two hours after receipt of the allegation except for circumstances with good cause the Superintendent shall notify OIT of the report of alleged abuse. OIT shall determine whether the allegation, if true, would fit within the definition of abuse. This determination shall be made in consultation with the Superintendent. The determination must be made by OIT within 24 hours of receipt of the report of abuse;

(b) If the allegation is determined not to fit the definition of abuse, the Superintendent may take other appropriate action, such as a referral to Human Resources for review as a performance issue, worksite training, or take other systemic measures to resolve problems identified;

(c) The Superintendent with OIT shall ensure that if the allegation meets the definition of child abuse under ORS 419B.005, or elder abuse under ORS 124.050 that the allegation has been reported to the appropriate agency.

(2) Immediately and no later than 24 hours after determining that the allegation falls within the definition of abuse under this policy or other applicable laws, the Superintendent shall:

(a) Provide appropriate protective services to the individual that may include arranging for immediate protection of the individual and the provision of appropriate services including medical, legal, or other services necessary to prevent further abuse;

(b) Determine with OIT if there is reason to believe that an investigation by an appropriate law enforcement agency is necessary, and if so, request that such agency determine whether there is reason to believe a crime has been committed;

(d) Promptly notify the legal guardian (of an adjudicated incapacitated individual) of the alleged incident and give an explanation of the procedures that will be used to investigate and resolve the matter; as well as the hospital’s responsibility and plan to provide appropriate protective services;

(e) Contact the Director if the individual has sustained serious injury.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0460

Investigation by the Office of Investigations and Training

(1) Investigation of allegations of abuse shall be thorough and unbiased. OIT shall conduct an investigation of the allegation.

(2) OIT shall conduct interviews with any party alleging an incident of abuse, the individual allegedly abused, and the person accused. OIT shall also include interviews with persons appearing to be involved in or having knowledge of the alleged abuse or surrounding circumstances.

(3) All records necessary for the investigation shall be available to OIT for inspection and copying. OIT shall collect information which has relevance to the alleged event. This may include, but is not limited to, individual or facility records, statements, diagrams, photographs, and videos.

(4) If the facts in the case are disputed and a law enforcement agency does not conduct a timely investigation or complete a criminal investigation, OIT shall determine the manner and methods of conducting the investigation.

(5) When a law enforcement agency is conducting a criminal investigation of the alleged abuse, OIT shall also perform its own investigation unless OIT is advised by the law enforcement agency that a concurrent OIT investigation would interfere with the criminal investigation.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0470

Abuse Investigation Report

(1) OIT shall complete the investigation and submit a draft report to the Superintendent within 30 calendar days after initiating an investigation. The investigation must be completed within 30 calendar days unless the Director grants an extension. The Director may grant an extension for good cause shown when law enforcement is conducting an investigation, when a key party is unavailable, new evidence is discovered, the investigation is complex (e.g. large numbers of witnesses need to be interviewed, taking into account scheduling difficulties and limitations, consultation with experts, or a detailed review of records over an extended period of time is required) or for some other mitigating reason. The Director shall determine the length of the extension.

(2) The Superintendent and OIT shall review the OIT or law enforcement investigation report. The Superintendent and OIT shall also review and discuss any other relevant reports or information.

(3) OIT shall determine whether the evidence substantiates the allegation of abuse. In some instances, OIT may determine that the evidence is inconclusive. The determination must be made within 15 calendar days from completion of the draft investigation report, unless a key party is unavailable, additional evidence is discovered, or the Director grants an extension for some other mitigating reason. Any determination not made within the 15-day period must be made as soon as reasonably possible thereafter.

(4) Once this review is complete, OIT shall prepare a final report, which shall include:

(a) A statement of the allegations being investigated, including the date, location and time;

(b) A list of protective services provided to the adult;

(c) An outline of steps taken in the investigation, a list of all witnesses interviewed and a summary of the information provided by each witness;

(d) A summary of evidence and conclusion concerning the allegation of abuse;

(e) A specific finding of substantiated, inconclusive, or not substantiated;

(f) A plan of action necessary to prevent further abuse of the individual;

(g) Any additional corrective action required by the hospital and deadlines for the completion of these actions;

(h) A list of any notices made to licensing or certifying agencies;

(i) The name and title of the person completing the report; and

(i) The date written.

(5) If the allegation of abuse is substantiated, the Superintendent shall direct that appropriate action be taken against the responsible person commensurate with the seriousness of the conduct and any aggravating or mitigating circumstances, including consideration of previous conduct of record. If Human Resources are involved, as necessary to comply with laws related to employee rights, additional investigation may be conducted.

(6) If the allegations are found to be inconclusive; the Superintendent may request a review by Human Resources to determine the need for any training or disciplinary action, as warranted by the facts and any follow-up investigative work.

(7) The Superintendent shall ensure that appropriate documentation exists as to the action taken as a result of an abuse investigation.

(8) The Superintendent shall ensure that a copy of the law enforcement investigation report is forwarded to OIT.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0480

Disclosure of Investigation Report and Related Documents

(1) Investigation reports prepared by OIT are subject to the following:

(a) Portions of the abuse investigation report and investigatory documents are confidential and not available for public inspection. Pursuant to ORS 430.763, names of persons who make reports of abuse, witnesses, and the alleged abuse victim are confidential and shall not be available for public inspection. Investigatory documents, including portions of the abuse investigation report that contains “Individually identifiable health information”, as that term is defined under ORS 192.519 and 45 CFR160.103, are confidential under HIPAA privacy rules, 45 CFR Part 160 and 164, and ORS 192.520 and 179.505 to 509.

(b) Notwithstanding subsection (a) of this rule, the Authority and OIT shall make the confidential information, including any photographs, available, if appropriate, to any law enforcement agency, to any public agency that licenses or certifies facilities or licenses or certifies the persons practicing therein, and to any public agency providing protective services for the adult. The Authority and OIT shall also make the protective services report and underlying investigatory materials available to any private agency providing protective services for the adult and to the protection and advocacy system designated pursuant to ORS 192.517(1).

(c) Persons or entities receiving confidential information pursuant to this rule must maintain the confidentiality of the information and may not redisclose the confidential information to unauthorized persons or entities, as required by state or federal law.

(d) When the report is completed, a redacted version of the abuse investigation report not containing any confidential information, the disclosure of which would be prohibited by state or federal law shall be available for public inspection.

(2) The OIT report shall be disclosed by OIT or the Superintendent to:

(a) The Director of the Division and

(b) Any person designated by the Superintendent for purposes related to the proper administration of the state hospital such as assessing patterns of abuse or to respond to personnel actions and may be disclosed in the Superintendent’s discretion;

(d) The guardian of an adjudicated incapacitated person; and

(e) The person who allegedly abused the individual.

(3) Copies of all reports shall be maintained by the Superintendent separate from employee personnel files. The chart of the individual allegedly abused must contain a reference to the report sufficient to enable authorized persons to retrieve and review the report.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0490

Consequences of Abuse

(1) All persons shall be subject to appropriate action if found responsible for:

(a) Abusing an individual;

(b) Failing to report an alleged incident of abuse; or

(2) Any discipline of an employee as a result of the above-described conduct must be in conformance with any applicable standards contained in state law or in a Collective Bargaining Agreement.

(3) Any employee dismissed for violating the abuse policy may not be rehired in any capacity, may not be permitted to visit or have any type of contact with individuals.

(4) Any volunteer found violating the abuse policy may be denied visitation or any other contact with individuals.

(5) The Authority may immediately terminate the contract of any contractor found violating the abuse policy. Any employee of the contractor found violating the abuse policy may be excluded from the grounds and may be subject to appropriate disciplinary action by the employer.

(6) Any visitor found in violation of the abuse policy may be excluded from the grounds and will be subject to other appropriate actions as determined by the Superintendent.

(7) Any employee, volunteer, contractor, contractor’s employee, or visitor may be subject to criminal prosecution depending on the outcome of any allegation referred to law enforcement for investigation.

(8) Any staff found to have violated the abuse policy shall be reported to any appropriate professional licensing or certification boards or associations.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0500

Notice of Abuse Policy

(1) Upon admission each individual, and guardian if any, and family must be informed orally and in writing of the rights, policies, abuse definitions and procedures concerning prohibition of abuse of individuals.

(2) A clear and simple statement of the title and number of this policy and how to seek advice about its content must be prominently displayed in areas frequented by individuals at the state hospital..

(3) All staff shall be provided a copy of this rule, either at the commencement of their employment, or duties, or, for current staff, within 90 days of the effective date of this rule and once a year thereafter. All staff must sign a form acknowledging receipt of this information on the date of receipt.

(4) A summary of this policy shall be posted in the state hospital in areas regularly frequented by visitors and in a manner designed to notify visitors of the policy. Copies of the complete policy shall be provided to visitors upon request.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0510

Retaliation

(1) No state hospital staff or other person shall retaliate against any person who reports in good faith suspected abuse or against the individual with respect to any report.

(2) Any state hospital staff or other person who retaliates against any person because of a report of suspected abuse or neglect shall be liable according to ORS 430.755, in a private action to that person for actual damages and, in addition, may be subject to a penalty of up to $1,000, notwithstanding any other remedy provided by law.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-045-0520

Quality Assurance Review

(1) The State Hospitals shall report on critical indicators, identified by the Authority; and on quality improvement activities undertaken to improve any identified issues.

(2) These reports must be provided to the Authority monthly.

(3) Representatives from the State Hospitals and OIT shall meet quarterly with the Authority’s Director or designee. They shall regularly review quality indicators and any other Authority generated information regarding the abuse and neglect system in the State Hospitals.

(4) The Authority must make the information part of any quality improvement activities of the Authority.

Stat. Auth.: ORS 179.040, 413.042

Stats. Implemented: ORS 179.390, 426.385, 427.031, 430.210, 430.735-430.768

Hist.: OHA 12-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

Rule Caption: Electronic Data Transmission (EDT) Rule.

Adm. Order No.: OHA 13-2011(Temp)

Filed with Sec. of State: 7-1-2011

Certified to be Effective: 7-1-11 thru 12-27-11

Notice Publication Date:

Rules Adopted: 943-120-0100, 943-120-0110, 943-120-0112, 943-120-0114, 943-120-0116, 943-120-0118, 943-120-0120, 943-120-0130, 943-120-0140, 943-120-0150, 943-120-0160, 943-120-0165, 943-120-0170, 943-120-0180, 943-120-0190, 943-120-0200

Subject: The Oregon Health Authority (Authority) needs to adopt these rules to ensure the Authority’s EDT rules compliment the functionality of the Oregon Replacement Medicaid Management Information System (MMIS) in conjunction with the Health Insurance Portability and Accountability Act (HIPAA) transactions and codes set standards for the exchange of electronic data.

Rules Coordinator: Kym Gasper—(503) 945-6302

943-120-0100

Definitions

The following definitions apply to OAR 943-120-0100 through 943-120-0200:

(1) “Access” means the ability or means necessary to read, write, modify, or communicate data or information or otherwise use any information system resource.

(2) “Agent” means a third party or organization that contracts with a provider, allied agency, or prepaid health plan (PHP) to perform designated services in order to facilitate a transaction or conduct other business functions on its behalf. Agents include billing agents, claims clearinghouses, vendors, billing services, service bureaus, and accounts receivable management firms. Agents may also be clinics, group practices, and facilities that submit billings on behalf of providers but the payment is made to a provider, including the following: an employer of a provider, if a provider is required as a condition of employment to turn over his fees to the employer; the facility in which the service is provided, if a provider has a contract under which the facility submits the claim; or a foundation, plan, or similar organization operating an organized health care delivery system, if a provider has a contract under which the organization submits the claim. Agents may also include electronic data transmission submitters.

(3) “Allied Agency” means local and regional allied agencies and includes local mental health authority, community mental health programs, Oregon Youth Authority, Department of Corrections, local health departments, schools, education service districts, developmental disability service programs, area agencies on aging, federally recognized American Indian tribes, and other governmental agencies or regional authorities that have a contract (including an interagency, intergovernmental, or grant agreement, or an agreement with an American Indian tribe pursuant to ORS 190.110) with the Oregon Health Authority to provide for the delivery of services to covered individuals and that request to conduct electronic data transactions in relation to the contract.

(4) “Authority” means the Oregon Health Authority.

(5) “Authority Network and Information Systems” means the Authority’s computer infrastructure that provides personal communications, confidential information, regional, wide area and local networks, and the internetworking of various types of networks on behalf of the Authority.

(6) “Clinic” means a group practice, facility, or organization that is an employer of a provider, if a provider is required as a condition of employment to turn over his fees to the employer; the facility in which the service is provided, if a provider has a contract under which the facility submits the claim; or a foundation, plan, or similar organization operating an organized health care delivery system, if a provider has a contract under which the organization submits the claim; and the group practice, facility, or organization is enrolled with the Authority, and payments are made to the group practice, facility, or organization. If the entity solely submits billings on behalf of providers and payments are made to each provider, then the entity is an agent.

(7) “Confidential Information” means information relating to covered individuals which is exchanged by and between the Authority, a provider, PHP, clinic, allied agency, or agents for various business purposes, but which is protected from disclosure to unauthorized individuals or entities by applicable state and federal statutes such as ORS 344.600, 410.150, 411.320, 418.130, or the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and its implementing regulations. These statutes and regulations are collectively referred to as “Privacy Statutes and Regulations.”

(8) “Contract” means a specific written agreement between the Authority and a provider, PHP, clinic, or allied agency that provides or manages the provision of services, goods, or supplies to covered individuals and where the Authority and a provider, PHP, clinic, or allied agency may exchange data. A contract specifically includes, without limitation, an Authority provider enrollment agreement, fully capitated heath plan managed care contract, dental care organization managed care contract, mental health organization managed care contract, chemical dependency organization managed care contract, physician care organization managed care contract, a county financial assistance agreement, or any other applicable written agreement, interagency agreement, intergovernmental agreement, or grant agreement between the Authority and a provider, PHP, clinic, or allied agency.

(9) “Covered Entity” means a health plan, health care clearing house, health care provider, or allied agency that transmits any health information in electronic form in connection with a transaction, including direct data entry (DDE), and who must comply with the National Provider Identifier (NPI) requirements of 45 CFR 162.402 through 162.414.

(10) “Covered Individual” means individuals who are eligible for payment of certain services or supplies provided to them or their eligible dependents by or through a provider, PHP, clinic, or allied agency under the terms of a contract applicable to a governmental program for which the Authority processes or administers data transmissions.

(11) “Data” means a formalized representation of specific facts or concepts suitable for communication, interpretation, or processing by individuals or by automatic means.

(12) “Data Transmission” means the transfer or exchange of data between the Authority and a web portal or electronic data interchange (EDI) submitter by means of an information system which is compatible for that purpose and includes without limitation, web portal, EDI, electronic remittance advice (ERA), or electronic media claims (EMC) transmissions.

(13) “Department” means the Department of Human Services.

(14) “Direct Data Entry (DDE)” means the process using dumb terminals or computer browser screens where data is directly keyed into a health plan’s computer by a provider or its agent, such as through the use of a web portal.

(15) “Electronic Data Interchange (EDI)” means the exchange of business documents from application to application in a federally mandated format or, if no federal standard has been promulgated, using bulk transmission processes and other formats as the Authority designates for EDI transactions. For purposes of these rules (OAR 943-120-0100 through 943-120-0200), EDI does not include electronic transmission by web portal.

(16) “Electronic Data Interchange Submitter” means an individual or entity authorized to establish the electronic media connection with the Authority to conduct an EDI transaction. An EDI submitter may be a trading partner or an agent of a trading partner.

(17) “Electronic Media” means electronic storage media including memory devices in computers or computer hard drives; any removable or transportable digital memory medium such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media includes but is not limited to the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media. Certain transmissions, including paper via facsimile and voice via telephone, are not considered transmissions by electronic media because the information being exchanged did not exist in electronic form before transmission.

(18) “Electronic Media Claims (EMC)” means an electronic media means of submitting claims or encounters for payment of services or supplies provided by a provider, PHP, clinic, or allied agency to a covered individual.

(19) “Electronic Remittance Advice (ERA)” means an electronic file in X12 format containing information pertaining to the disposition of a specific claim for payment of services or supplies rendered to covered individuals which are filed with the Authority on behalf of covered individuals by providers, clinics, or allied agencies. The documents include, without limitation, the provider name and address, individual name, date of service, amount billed, amount paid, whether the claim was approved or denied, and if denied, the specific reason for the denial. For PHPs, the remittance advice file contains information on the adjudication status of encounter claims submitted.

(20) “Electronic Data Transaction (EDT)” means a transaction governed by the Health Insurance Portability and Accountability Act (HIPAA) transaction rule, conducted by either web portal or EDI.

(21) “Envelope” means a control structure in a mutually agreed upon format for the electronic interchange of one or more encoded data transmissions either sent or received by an EDI submitter or the Authority.

(22) “HIPAA Transaction Rule” means the standards for electronic transactions at 45 CFR Part 160 and 162 (version in effect on January 1, 2008) adopted by the Department of Health and Human Services (DHHS) to implement the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et. seq.

(23) “Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of an information system or information asset including but not limited to unauthorized disclosure of information, failure to protect user IDs, and theft of computer equipment using or storing Authority information assets or confidential information.

(24) “Individual User Profile (IUP)” means Authority forms used to authorize a user, identify their job assignment, and the required access to the Authority’s network and information system. It generates a unique security access code used to access the Authority’s network and information system.

(25) “Information Asset” means all information, also known as data, provided through the Authority, regardless of the source, which requires measures for security and privacy of the information.

(26) “Information System” means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and trained personnel necessary for successful data transmission.

(27) “Lost or Indecipherable Transmission” means a data transmission which is never received by or cannot be processed to completion by the receiving party in the format or composition received because it is garbled or incomplete, regardless of how or why the message was rendered garbled or incomplete.

(28) “Mailbox” means the term used by the Authority to indicate trading partner-specific locations on the Authority’s secure file transfer protocol (SFTP) server to deposit and retrieve electronic data identified by a unique Authority assigned trading partner number.

(29) “Password” means the alpha-numeric codes assigned to an EDI submitter by the Authority for the purpose of allowing access to the Authority’s information system, including the web portal, for the purpose of successfully executing data transmissions or otherwise carrying out the express terms of a trading partner agreement or provider enrollment agreement and these rules.

(30) “Personal Identification Number (PIN)” means the alpha-numeric codes assigned to web portal submitters by the Authority for the purpose of allowing access to the Authority’s information system, including the web portal, for the purpose of successfully executing DDE, data transmissions, or otherwise carrying out the express terms of a trading partner agreement, provider enrollment agreement, and these rules.

(31) “Prepaid Health Plan (PHP) or Plan” means a managed health care, dental care, chemical dependency, physician care organization, or mental health care organization that contracts with the Authority on a case managed, prepaid, capitated basis under the Oregon Health Plan (OHP).

(32) “Provider” means an individual, facility, institution, corporate entity, or other organization which supplies or provides for the supply of services, goods or supplies to covered individuals pursuant to a contract, including but not limited to a provider enrollment agreement with the Authority. A provider does not include billing providers as used in the Division of Medical Assistance (DMAP) general rules. DMAP billing providers are defined in these rules as agents, except for DMAP billing providers that are clinics.

(33) “Provider Enrollment Agreement” means an agreement between the Authority and a provider for payment for the provision of covered services to covered individuals.

(34) “Registered Transaction” means each type of EDI transaction applicable to a trading partner that must be registered with the Authority before it can be tested or approved for EDI transmission.

(35) “Security Access Codes” means the alpha-numeric codes assigned by the Authority to the web portal submitter or EDI submitter for the purpose of allowing access to the Authority’s information system, including the web portal, to execute data transmissions or otherwise carry out the express terms of a trading partner agreement, provider enrollment agreement, and these rules. Security access codes may include passwords, PINs, or other codes.

(36) “Source Documents” means documents or electronic files containing underlying data which is or may be required as part of a data transmission with respect to a claim for payment of charges for medical services or supplies provided to a covered individual, or with respect to any other transaction. Examples of data contained within a specific source document include but are not limited to an individual’s name and identification number, claim number, diagnosis code for the services provided, dates of service, service procedure description, applicable charges for the services provided, and a provider’s, PHP’s, clinic’s, or allied agency’s name, identification number, and signature.

(37) “Standard” means a rule, condition, or requirement describing the following information for products, systems, or practices:

(a) Classification of components;

(b) Specification of materials, performance, or operations; or

(38) “Standards for Electronic Transactions” mean a transaction that complies with the applicable standard adopted by DHHS to implement standards for electronic transactions.

(39) “Submitter” means a provider, PHP, clinic, or allied agency that may or may not have entered into a Trading Partner Agreement depending upon whether the need is to exchange Electronic Data Transactions or access the Authority’s Web Portal.

(40) “Transaction” means the exchange of data between the Authority and a provider using web portal access or a trading partner using electronic media to carry out financial or administrative activities.

(41) “Trade Data Log” means the complete written summary of data and data transmissions exchanged between the Authority and an EDI submitter during the period of time a trading partner agreement is in effect and includes but is not limited to sender and receiver information, date and time of transmission, and the general nature of the transmission.

(42) “Trading Partner” means a provider, PHP, clinic, or allied agency that has entered into a trading partner agreement with the Authority in order to satisfy all or part of its obligations under a contract by means of EDI, ERA, or EMC, or any other mutually agreed means of electronic exchange or transfer of data.

(43) “Trading Partner Agreement (TPA)” means a specific written request by a provider, PHP, clinic, or allied agency to conduct EDI transactions that governs the terms and conditions for EDI transactions in the performance of obligations under a contract. A provider, PHP, clinic, or allied agency that has executed a TPA will be referred to as a trading partner in relation to those functions.

(44) “User” means any individual or entity authorized by the Authority to access network and information systems or information assets.

(45) “User Identification Security (UIS)” means a control method required by the Authority to ensure that only authorized users gain access to specified information assets. One method of control is the use of passwords and PINs with unique user identifications.

(46) “Web Portal” means a site on the World Wide Web that provides secure access with personalized capabilities to its visitors and a pathway to other content designed for use with the Authority specific DDE applications.

(47) “Web Portal Submitter” means an individual or entity authorized to establish an electronic media connection with the Authority to conduct a DDE transaction. A web portal submitter may be a provider or a provider’s agent.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0110

Purpose

(1) These rules establish requirements applicable to providers, PHPs, and allied agencies that want to conduct electronic data transactions with the Authority. These rules govern the conduct of all web portal or EDI transactions with the Authority. These rules only apply to services or items that are paid for by the Authority. If the service or item is paid for by a plan or an allied agency, these rules do not apply.

(2) These rules establish the Authority’s electronic data transaction requirements for purposes of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d–1320d-8, Public Law 104-191, sec. 262 and sec. 264, and the implementing standards for electronic transactions rules. Where a federal HIPAA standard has been adopted for an electronic data transaction, this rule implements and does not alter the federal standard.

(3) These rules establish procedures that must be followed by any provider, PHP, or allied agency in the event of a security or privacy incident, regardless of whether the incident is related to the use of an electronic data transaction.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0112

Scope and Sequence of Electronic Data Transmission Rules

(1) The Authority communicates with and receives communications from its providers, PHPs, and allied agencies using a variety of methods appropriate to the services being provided, the nature of the entity providing the services, and constantly changing technology. These rules describe some of the basic ways that the Authority will exchange data electronically. Additional details may be provided in the Authority’s access control rules, provider-specific rules, or the applicable contract documents.

(2) Access to eligibility information about covered individuals may occur using one or more of the following methods:

(a) Automated voice response, via a telephone;

(b) Web portal access;

(d) Point of sale (POS) for pharmacy providers.

(3) Claims for which the Authority is responsible for payment or encounter submissions made to the Authority may occur using one or more of the following methods:

(a) Paper, using the form specified in the provider specific rules and supplemental billing guidance. Providers may submit paper claims, except that pharmacy providers are required to use the POS process for claims submission and PHPs are required to use the 837 electronic formats;

(b) Web portal access;

(d) POS for pharmacy providers.

(4) Authority informational updates, provider record updates, depository for PHP reports, or EDT as specified by the Authority for contract compliance.

(5) Other Authority network and information system access is governed by specific program requirements, which may include but is not limited to IUP access. Affected providers, PHPs, and allied agencies will be separately instructed about the access and requirements. Incidents are subject to these rules.

(6) Providers and allied agencies that continue to use only paper formats for claims transactions are only subject to the confidentiality and security rule, OAR 943-120-0170.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0114

Provider Enrollment Agreement

(1) When a provider applies to enroll, the application form will include information about how to participate in the web portal for use of DDE and automated voice response (AVR) inquiries. The enrollment agreement will include a section describing the process that will permit the provider, once enrolled, to participate in DDE over the Internet using the secure Authority web portal. This does not include providers enrolled through the use of the DMAP 3108 Managed Care Plan and FFS Non Paid Provider Application.

(2) When the provider number is issued by the Authority, the provider will also receive two PINs: one that may be used to access the web portal and one that may be used for AVR.

(a) If the PINs are not activated within 60 days of issuance, the Authority will initiate a process to inactivate the PIN. If the provider wants to use PIN-based access to the web portal or AVR after deactivation, the provider must submit an update form to obtain another PIN.

(b) Activating the PIN will require Internet access and the provider must supply security data that will be associated with the use of the PIN.

(c) Providers using the PIN are responsible for protecting the confidentiality and security of the PIN pursuant to OAR 943-120-0170.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0116

Web Portal Submitter

(1) Any provider activating their web portal access for web portal submission may be a web portal submitter. The provider will be referred to as the web portal submitter when functioning in that capacity, and shall be required to comply with these rules governing web portal submitters.

(2) The authorized signer of the provider enrollment agreement shall be the individual who is responsible for the provider’s DDE claims submission process.

(a) If a provider submits their own claims directly, the provider will be referred to as the web portal submitter when functioning in that capacity and shall be required to comply with these rules governing web portal submitters.

(b) If a provider uses an agent or clinic to submit DDE claims using the Authority’s web portal, the agent or clinic will be referred to as the web portal submitter when functioning in that capacity and shall be required to comply with these rules governing web portal submitters.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0118

Conduct of Direct Data Entry Using Web Portal

(1) The web portal submitter is responsible for the conduct of the DDE transactions submitted on behalf of the provider, as follows:

(a) Accuracy of Web Portal Submissions. The web portal submitter must take reasonable care to ensure that data and DDE transmissions are timely, complete, accurate, and secure, and must take reasonable precautions to prevent unauthorized access to the information system or the DDE transmission. The Authority will not correct or modify an incorrect DDE transaction prior to processing. The transactions may be rejected and the web portal submitter will be notified of the rejection.

(b) Cost of Equipment. The web portal submitter and the Authority must bear their own information system costs. The web portal submitter must, at their own expense, obtain access to Internet service that is compatible with and has the capacity for secure access to the Authority’s web portal. Web portal submitters must pay their own costs for all charges, including but not limited to charges for equipment, software and services, Internet connection and use time, terminals, connections, telephones, and modems. The Authority is not responsible for providing technical assistance for access to or use of Internet web portal services or the processing of a DDE transaction.

(c) Format of DDE Transactions. The web portal submitter must send and receive all data transactions in the Authority’s approved format. Any attempt to modify or alter the DDE transaction format may result in denial of web portal access.

(d) Re-submissions. The web portal submitter must maintain source documents and back-up files or other means sufficient to re-create a data transmission in the event that re-creation becomes necessary for any purpose, within timeframes required by federal or state law, or by contractual agreement. Back ups, archives, or related files are subject to the terms of these rules to the same extent as the original data transmission.

(2) Security and Confidentiality. To protect security and confidentiality, web portal submitters must comply with the following:

(a) Refrain from copying, reverse engineering, disclosing, publishing, distributing, or altering any data or data transmissions, except as permitted by these rules or the contract, or use the same for any purpose other than that which the web portal submitter was specifically given access and authorization by the Authority or the provider.

(b) Refrain from obtaining access by any means to any data or the Authority’s network and information system for any purpose other than that which the web portal submitter has received express authorization to receive access. If the web portal submitter receives data or data transmissions from the Authority which are clearly not intended for the receipt of web portal submitter, the web portal submitter will immediately notify the Authority and make arrangements to return or re-transmit the data or data transmission to the Authority. After re-transmission, the web portal submitter must immediately delete the data contained in the data transmission from its information system.

(c) Install necessary security precautions to ensure the security of the DDE transmission or records relating to the information system of either the Authority or the web portal submitter when the information system is not in active use by the web portal submitter.

(d) Protect and maintain, at all times, the confidentiality of security access codes issued by the Authority. Security access codes are strictly confidential and specifically subject, without limitation, to all of the restrictions in OAR 943-120-0170. The Authority may change the designated security access codes at any time and in any manner as the Authority in its sole discretion considers necessary.

(e) Install, maintain, and use security measures for confidential information transmitted between a provider and the web portal submitter if a provider uses an agent or clinic as the web portal submitter.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0120

Registration Process — EDI Transactions

(1) The EDI transaction process is preferred by providers, PHPs, and allied agencies for conducting batch or real time transactions, rather than the individual data entry process used for DDE. EDI registration is an administrative process governed by these rules. The EDI registration process begins with the submission of a TPA by a provider, PHP, clinic, or allied agency, including all requirements and documentation required by these rules.

(2) Trading partners must be Authority providers, PHPs, clinics, or allied agencies with a current Authority contract. The Authority will not accept a TPA from individuals or entities who do not have a current contract with the Authority.

(a) The Authority may receive and hold the TPA for individuals or entities that have submitted a provider enrollment agreement or other pending contract, subject to the satisfactory execution of the pending document.

(b) Termination, revocation, suspension, or expiration of the contract will result in the concurrent termination, revocation, suspension, or expiration of the TPA without any additional notice; except that the TPA will remain in effect to the extent necessary for a trading partner or the Authority to complete obligations involving EDI under the contract for dates of service when the contract was in effect. Contracts that are periodically renewed or extended do not require renewal or extension of the TPA unless there is a lapse of time between contracts.

(c) Failure to identify a current Authority contract during the registration process will result in a rejection of the TPA. The Authority will verify that the contract numbers identified by a provider, PHP, clinic, or allied agency are current contracts.

(d) If contract number or contract status changes, the trading partner must provide the Authority with updated information within five business days of the change in contract status. If the Authority determines that a valid contract no longer exists, the Authority shall discontinue EDI transactions applicable for any time period in which the contract no longer exists; except that the TPA will remain in effect to the extent necessary for the trading partner or the Authority to complete obligations involving EDI under the contract for dates of service when the contract was in effect.

(3) Trading Partner Agreement. To register as a trading partner with the Authority, a provider, PHP, clinic, or allied agency must submit a signed TPA to the Authority.

(4) Application for Authorization. In addition to the requirements of section (3) of this rule, a trading partner must submit an application for authorization to the Authority. The application provides specific identification and legal authorization from the trading partner for an EDI submitter to conduct EDI transactions on behalf of a trading partner.

(5) Trading Partner Agents. A trading partner may use agents to facilitate the electronic transmission of data. If a trading partner will be using an agent as an EDI submitter, the application for authorization required under section (4) of this rule must identify and authorize an EDI submitter and must include the EDI certification signed by an EDI submitter before the Authority may accept electronic submission from or send electronic transmission to an EDI submitter.

(6) EDI Registration. In addition to the requirements of section (3) of this rule, a trading partner must also submit its EDI registration form. This form requires the trading partner or its authorized EDI submitter to register an EDI submitter and the name and type of EDI transaction they are prepared to conduct. Signature of the trading partner or authorized EDI submitter is required on the EDI registration form. The registration form will also permit the trading partner to identify the individuals or EDI submitters who are authorized to submit or receive EDI registered transactions.

(7) Review and Acceptance Process. The Authority will review the documentation provided to determine compliance with sections (1) through (6) of this rule. The information provided may be subject to verification by the Authority. When the Authority determines that the information complies with these rules, the Authority will notify the trading partner and EDI submitter by email about any testing or other requirements applicable to place the registered transaction into a production environment.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0130

Trading Partner as EDI Submitter — EDI Transactions

(1) A trading partner may be an EDI submitter. Registered trading partners that also qualify as an EDI submitter may submit their own EDI transactions directly to the Authority. A trading partner will be referred to as an EDI submitter when functioning in that capacity and will be required to comply with applicable EDI submitter rules, except as provided in section (3) of this rule.

(2) Authorization and Registration Designating Trading Partner as EDI Submitter. Before acting as an EDI submitter, a trading partner must designate in the application for application that they are an EDI submitter who is authorized to send and receive data transmissions in the performance of EDI transactions. A trading partner must complete the “Trading Partner Application for Authorization to Submit EDI Transactions” and the “EDI Submitter Information” required in the application. A trading partner must also submit the EDI registration form identifying them as an EDI submitter. A trading partner must notify the Authority of any material changes in the information no less than ten days prior to the effective date of the change.

(3) EDI Submitter Certification Conditions. Where a trading partner is acting as its own EDI submitter, the trading partner is not required to submit the EDI submitter certification conditions in the application for authorization applicable to agents.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0140

Trading Partner Agents as EDI Submitters — EDI Transactions

(1) Responsibility for Agents. If a trading partner uses the services of an agent, including but not limited to an EDI submitter in any capacity in order to receive, transmit, store, or otherwise process data or data transmissions or perform related activities, a trading partner shall be fully responsible to the Authority for the agent’s acts.

(2) Notices Regarding EDI Submitter. Prior to the commencement of an EDI submitter’s services, a trading partner must designate in the application for authorization the specific EDI submitters that are authorized to send and receive data transmissions in the performance of EDI transactions of a trading partner. A trading partner must complete the “Trading partner Authorization of EDI Submitter” and the “EDI Submitter Information” required in the application. A trading partner must also submit the EDI registration form identifying and providing information about an EDI submitter. A trading partner or authorized EDI submitter must notify the Authority of any material changes in the EDI submitter authorization or information no less than five days prior to the effective date of the changes.

(3) EDI Submitter Authority. A trading partner must authorize the actions that an EDI submitter may take on behalf of a trading partner. The application for authorization permits a trading partner to authorize which decisions may only be made by a trading partner and which decisions are authorized to be made by an EDI submitter. The EDI submitter information authorized in the application for authorization will be recorded by the Authority in an EDI submitter profile. The Authority may reject EDI transactions from an EDI submitter acting without authorization from a trading partner.

(4) EDI Submitter Certification Conditions. Each authorized EDI submitter acting as an agent of a trading partner must execute and comply with the EDI submitter certification conditions that are incorporated into the application for authorization. Failure to include the signed EDI submitter certification conditions with the application shall result in a denial of EDI submitter authorization by the Authority. Failure of an EDI submitter to comply with the EDI submitter certification conditions may result in termination of EDI submitter registration for EDI transactions with the Authority.

(5) EDI Submitters Responsibilities. In addition to the requirements of section (1) of this rule, a trading partner is responsible for ensuring that an EDI submitter makes no unauthorized changes in the data content of all data transmissions or the contents of an envelope, and that an EDI submitter will take all appropriate measures to maintain the timeliness, accuracy, truthfulness, confidentiality, security, and completeness of each data transmission. A trading partner is responsible for ensuring that its EDI submitters are specifically advised of, and will comply with, the terms of these rules and any TPA.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 414.065

Hist.: OHA 13-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11

943-120-0150

Testing — EDI Transactions

(1) When a trading partner or authorized EDI submitter registers an EDI transaction with the Authority, the Authority may require testing before authorizing the transaction. Testing may include third party and business-to-business testing. An EDI submitter must be able to demonstrate its capacity to send and receive each transaction type for which it has registered. The Authority will reject any EDI transaction if an EDI submitter either refuses or fails to comply with the Authority testing requirements.

(2) The Authority may require EDI submitters to complete compliance testing at an EDI submitter’s expense for each transaction type if either the Authority or an EDI submitter has experienced a change to hardware or software applications by entering into business-to-business testing.

(3) When third party and/or business-to-business testing is completed to the Authority’s satisfaction, the Authority will notify an EDI submitter that it will register and accept the transactions in the production environment. This notification authorizes an EDI submitter to submit the registered EDI transactions to the Authority for processing and response, as applicable. If there are any changes in the trading partner or EDI submitter authorization, profile data or EDI registration information on file with the Authority, updated information must be submitted to the Authority as required in OAR 943-120-0190.

(4) Testing will be conducted using secure electronic media communications methods.

(5) An EDI submitter may be required to re-test with th