Oregon Bulletin

October 1, 2013

Oregon Health Authority, Chapter 943

Rule Caption: Outlines conditions for contractor compliance with the business associate requirements of the HIPAA omnibus rule

Adm. Order No.: OHA 1-2013(Temp)

Filed with Sec. of State: 8-23-2013

Certified to be Effective: 8-23-13 thru 2-18-14

Notice Publication Date:

Rules Adopted: 943-014-0400, 943-014-0410, 943-014-0415, 943-014-0420, 943-014-0430, 943-014-0435, 943-014-0440, 943-014-0445, 943-014-0450, 943-014-0455, 943-014-0460, 943-014-0465

Subject: These rules set forth the requirements for the security and disclosure of protected health information by contractors who are business associates of the health care components of the Authority. These rules comply with the business associate provisions of HIPAA, the implementing Privacy and Security Rules, and the HITECH Act.

Rules Coordinator: Evonne Alderete—(503) 932-9663

943-014-0400

Purpose

The purpose of these rules is to set forth the requirements that a contractor who is a business associate of the health care component of the Oregon Health Authority (Authority) must comply with in accordance with the business associate provisions of HIPAA and the implementing Privacy Rule and Security Rule and of the HITECH Act. The Privacy Rule and Security Rule, as amended by the HITECH Act, require a covered entity to obtain certain written assurances from a business associate, as that term is defined in the Privacy Rule and Security Rule, that the business associate must comply with the requirements set forth in 45 CFR 164.502(e) and 164.504(e). The Privacy Rule requires that a covered entity obtain certain written assurances before the business associate may create, receive, maintain or transmit protected health information.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0410

Definitions

For purposes of these rules OAR 943-014-0400 through 943-014-0465, the following definitions apply. Terms not defined here shall have the same meaning given those terms in the Privacy Rule and the Security Rule and the HITECH Act, including, but not limited to, 42 USC Section 17938 and 45 CFR Section 160.103.

(1) “Authority” means the Oregon Health Authority.

(2) “Business Associate” has the meaning given that term in 45 CFR 160.103.

(3) “Contract” means the written agreement between the Authority and a Contractor setting forth the rights and obligations of the parties.

(4) “Covered Entity” has the meaning given that term in 45 CFR 160.103.

(5) “Electronic Media” means:

(a) Electronic storage media; and

(b) Transmission media used to exchange information already in electronic storage media.

(6) “Electronic Protected Health Information” (EPHI) has the meaning given that term in 45 CFR 160.103.

(7) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d - 1320d-8, Public Law 104-191, sec. 262 and sec. 264.

(8) “HITECH Act” means the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Title XIII of division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (“ARRA”), Public Law 111-5, including any implementing regulations.

(9) “Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

(10) “Protected Health Information”(PHI) has the meaning given that term in 45 CFR 160.103.

(11) “Required by law” has the meaning given that term in 45 CFR section 164.103.

(12) “Secretary” means the Secretary of Health and Human Services (HHS) or designee.

(13) “Security Rule” means the security standards for electronic protected health information found at 45 CFR Parts 160, 162, and 164.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0415

General Business Associate Requirements

A Contractor who is a business associate of the Authority must:

(1) Not use or disclose protected health information or electronic protected health information other than as permitted or required by these rules and the contract, or as required by law.

(2) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to EPHI, to prevent use or disclosure of the PHI other than as provided for by these rules and the contract.

(3) Mitigate, to the extent practicable, any harmful effect that is known to business associate of a use or disclosure of protected health information or electronic protected health information by business associate in violation of the requirements of these rules and the contract.

(4) Report to the Authority, as promptly as possible, any use or disclosure of the protected health information or electronic protected health information not provided for by these rules and the contract of which it becomes aware.

(5) Ensure that any agent, including a subcontractor, to whom it provides protected health information or electronic protected health information created, received, maintained or transmitted by it on behalf of the Authority agrees to the same restrictions and conditions that apply through these rules and the contract to business associate with respect to such information.

(6) Provide access, at the request of the Authority, and in the time and manner designated by the Authority, to protected health information or electronic protected health information in a designated record set, to the Authority or, as directed by the Authority, to an individual in order to meet the requirements under 45 CFR 164.524.

(7) Make any amendment to protected health information or electronic protected health information in a designated record set that the Authority directs or agrees to pursuant to 45 CFR 164.526 at the request of the Authority or an individual, and in the time and manner designated by the Authority.

(8) Make available internal practices, books, and records, including policies and procedures relating to the use and disclosure of protected health information and electronic protected health information created, received, maintained or transmitted by business associate on behalf of the Authority. Such items must be available to the Authority and to the Secretary, in a time and manner designated by the Authority or the Secretary, for purposes of the Secretary determining the Authority’s compliance with the Privacy Rule or Security Rule.

(9) Document disclosures of protected health information and electronic protected health information and information related to such disclosures as may be required for the Authority to respond to a request by an individual for an accounting of disclosures in accordance with 45 CFR 164.528.

(10) Provide the Authority or an individual, in a time and manner as designated by the Authority, information collected in accordance with OAR 943-014-0415(9) to permit the Authority to respond to an individual’s request for an accounting of disclosures in accordance with 45 CFR 164.528.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0420

Uses and Disclosures of Protected Health Information by Business Associate

(1) Except as otherwise limited or prohibited by the contract or these rules, a contractor who is a business associate of the Authority may:

(a) Use or disclose protected health information and electronic protected health information to perform functions, activities, or services as specified in the contract and these rules on behalf of the Authority. Such use or disclosure may not violate the Privacy Rule, Security Rule, the HITECH Act, or other applicable federal or state laws or regulations or the minimum necessary policies and procedures of the Authority. All other uses of protected health information and electronic protected health information are prohibited.

(b) Use protected health information and electronic protected health information for the proper management and administration of the business associate contract or to carry out the legal responsibilities of the business associate.

(c) Disclose protected health information and electronic protected health information for the proper management and administration of the business associate, provided disclosures are required by law.

(d) Disclose protected health information and electronic protected health information to a subcontractor if the business associate enters into a business associate agreement with a subcontractor that complies with this rule.

(e) Use protected health information and electronic protected health information to report violations of law to appropriate federal and state authorities, consistent with 45 CFR 164.502(j)(1).

(2) A contractor who is a business associate of the Authority may not aggregate or compile the Authority’s protected health information or electronic protected health information with the protected health information or electronic protected health information of other covered entities unless the contract permits data aggregation services. If the contract permits business associate to provide data aggregation services, business associate may use protected health information to provide data aggregation services requested by the Authority as permitted by 45 CFR 164.504(e)(2)(i)(B) and subject to any limitations contained in these rules. If the Authority requests data aggregation services, business associate may aggregate the Authority’s protected health information with protected health information of other covered entities that the business associate has in its possession through its capacity as a business associate to other covered entities. This may only be done if the purpose of the aggregation is to provide the Authority with data analysis relating to the Authority’s health care operations. Business associates may not disclose the Authority’s protected health information to another covered entity without the Authority’s express authorization.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0430

Authority Obligations

(1) The Authority must notify business associate of any:

(a) Limitations in its notice of privacy practices in accordance with 45 CFR 164.520, to the extent that such limitation may affect business associate’s use or disclosure of protected health information and electronic protected health information. The Authority may satisfy this obligation by providing business associate with the Authority’s most current Notices of Privacy Practices.

(b) Changes in, or revocation of, permission by an individual to use or disclose protected health information or electronic protected health information, to the extent that such changes may affect business associate’s use or disclosure of protected health information and electronic protected health information.

(c) Restriction to the use or disclosure of protected health information or electronic protected health information that the Authority has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect business associate’s use or disclosure of protected health information or electronic protected health information.

(2) The Authority may not request business associate to use or disclose protected health information or electronic protected health information in any manner that may not be permissible under the Privacy Rule or Security Rule if done by Agency, except as permitted by OAR 943-014-0420.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0435

Security Requirements

Contractors must comply with the Security Rule’s business associate requirements for electronic protected health information and must comply with both the Privacy Rule and the Security Rule requirements applicable to a business associate. In addition the contractor must:

(1) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Authority, and develop and enforce related policies, procedures, and documentation standards (including designation of a security official).

(2) Enter into a business associate agreement with any agent or subcontractor to whom it provides electronic protected health information to ensure the agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect the information.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0440

Breach

(1) For purposes of this rule, the terms “breach” and “unsecured protected health information” have the meaning set forth in 45 CFR 164.402. A breach must be considered as “discovered” in accordance with 45 CFR 164.404(a)(2) and 45 CFR 164.410(2).

(2) In the event of discovery of a breach of unsecured protected health information a contractor must:

(a) Notify the Authority of the breach. The notification must be made as soon as possible and business associate shall confer with the Authority as soon as practicable thereafter. In no event shall notification to the Authority be later than 30 calendar days after the discovery of breach. Notification shall include identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed during the breach and any other information as may be reasonably required by the Authority for the Authority to meet its obligations;

(b) Confer with the Authority as to the preparation and issuance of an appropriate notice to each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired or disclosed as a result of such breach;

(c) Confer with the Authority when the breach involves more than 500 individuals about the preparation and issuance of appropriate notice to prominent media outlets within the State or local jurisdictions;

(d) Make the appropriate notification to individuals affected by the breach and to media outlets as necessary; and

(e) Confer with the Authority about the preparation and issuance of notice to the Secretary of unsecured protected health information acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals, the notice to the Secretary must be provided immediately. Any breach involving less than 500 individuals shall be documented in a log and the log provided to the Secretary annually.

(3) Except as set forth in section (4) of this rule, notifications required by this rule must be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach. Any notice must be provided in the manner and content required by 45 CFR 164.404 through 164.410.

(4) Any notification required by this rule may be delayed by a law enforcement official in accordance with the HITECH Act, section 13402(g).

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0445

Violations

(1) When the Authority learns about a business associate’s material breach of the requirements of these rules the Authority shall:

(a) Notify business associate of the breach and specify a reasonable opportunity in the notice for business associate to cure the breach or end the violation. The Authority may terminate the contract if business associate does not cure the breach or end the violation within the time specified by the Authority;

(b) Immediately terminate the contract if business associate has breached a material term of these rules and cure is not possible in the Authority’s reasonable judgment; and

(c) Notify the Secretary of violations or terminations as required by HIPAA, the implementing Privacy and Security Rules or HITECH.

(2) The rights and remedies provided in these rules are in addition to the rights and remedies provided in the contract.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0450

Termination of Contract

(1) Except as provided in section (2) of this rule, upon termination of the contract for any reason, business associate shall, at the Authority’s option, return or destroy all protected health information and electronic protected health information received from the Authority, or created, maintained or received by business associate on the Authority’s behalf. This provision shall apply to protected health information and electronic protected health information that is in the possession of subcontractors or agents of business associate. Business associate may not retain copies of the protected health information and electronic protected health information.

(2) If the business associate determines that returning or destroying the protected health information or electronic protected health information is infeasible, business associate shall provide to the Authority notification of the conditions that make return or destruction infeasible. Upon the Authority’s written acknowledgement that return or destruction of protected health information or electronic protected health information is infeasible, business associate shall extend the protections to the information. Business associate shall limit further uses and disclosures of the information to those purposes that make the return or destruction infeasible, for as long as business associate maintains the protected information.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0455

Order of Precedence

(1) These rules shall be interpreted as broadly as necessary to implement and comply with HIPAA, the Privacy Rule and the Security Rule, and the HITECH Act. Any ambiguity in these rules shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the Privacy Rule and the Security Rule, and the HITECH Act.

(2) If a conflict between these rules and the provisions of the contract arises, these rules shall take precedence.

(3) If a conflict between the provisions of the contract and the Privacy Rule or the Security Rule or the HITECH Act arises, the Privacy Rule and the Security Rule and the HITECH Act shall take precedence.

(4) If there is conflict between these rules and the Privacy Rule or the Security Rule or the HITECH Act the Privacy Rule and the Security Rule and the HITECH Act shall control.

(5) The requirements set forth in this rule are in addition to any other provisions of law applicable to the contract. These rules shall not supersede any other federal or state law or regulation governing the legal relationship of the parties, or the confidentiality of records or information, except to the extent that HIPAA and the HITECH Act preempt those laws or regulations. Any ambiguity in the contract shall be resolved to permit the Authority and business associate to implement and comply with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0460

Methods of Compliance

In addition to incorporating the business associate requirements contained in this rule in its contracts with business associates, the Authority may comply with these rules in any of the following ways:

(1) Memorandum of Understanding. If the Authority and business associate are government entities, the parties may enter into a memorandum of understanding that accomplishes the objectives of these rules and meets the business associate requirements of the Privacy Rule and Security Rule.

(2) Amendment. The Authority may execute an amendment or rider that amends the Authority’s contract and that contains the contract provisions required by these rules.

(3) Required by Law. If a business associate is required by law to perform a function or activity on the Authority’s behalf or provide a service described in the definition of business associate to the Authority, the Authority may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of these rules. In those circumstances, the Authority shall attempt in good faith to obtain satisfactory assurances required by OAR 943-014-0453 45 CFR 164.502(e). If the attempt fails, document the attempt and the reasons that assurances cannot be obtained.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

943-014-0465

Standards in Individual Contracts

The Authority and business associate may enter into a contract that contains more stringent standards than those set forth in these rules as long as the standards do not violate the requirements of the Privacy Rule or the Security Rule or the HITECH Act, and the contract receives approval from the Oregon Department of Justice.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556-581, 413.032, 413.042 & 414.065 413.042

Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14

Notes
1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2012.
