The Oregon Administrative Rules contain OARs filed through November 15, 2014
 

OREGON HEALTH AUTHORITY

 

DIVISION 14

PRIVACY AND CONFIDENTIALITY

Privacy of Protected Information

943-014-0000

Definitions

The following definitions apply to OAR 943-014-0000 to 943-014-0070:

(1) “Administrative Hearing” means an oral proceeding before an administrative law judge in a contested case hearing.

(2) “Authority” means the Oregon Health Authority.

(3) “Authority Workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Authority, is under the direction and control of the Authority, whether or not they are paid by the Authority.

(4) “Authorization” means permission from an individual or his or her personal representative giving the Authority, and others named on the form, authorization to obtain, release or use information about the individual from third parties for specified purposes or to disclose information to a third party specified by the individual.

(5) “Business Associate” means an individual or entity performing any function or activity on behalf of the Authority involving the use or disclosure of protected health information (PHI) and is not a member of the Authority’s workforce.

(a) “Function or activity” includes but is not limited to program administration, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services, and similar services for which the Authority may contract or obtain by interagency agreement, if access to PHI is involved.

(b) Business associates do not include licensees or providers unless the licensee or provider also performs some function or activity on behalf of the Authority.

(6) “Client” means an individual who requests or receives program benefits or direct services from the Authority, including but not limited to services requested in connection with the administration of the medical assistance program, and individuals who apply for or are admitted to a state hospital or who are committed to the custody of the Authority.

(7) “Client Information” means personal information relating to a client that the Authority may maintain in one or more locations and in various forms, reports, or documents, or stored or transmitted by electronic media.

(8) “Collect” or “Collection” means the assembling of personal information through interviews, forms, reports, or other information sources.

(9) “Contract” means a written agreement between the Authority and a person or entity setting forth the rights and obligations of the parties including but not limited to contracts, licenses, agreements, interagency agreements, and intergovernmental agreements.

(10) “Correctional Institution” means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by contract with the federal government, a state, or an Indian tribe for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. “Other persons held in lawful custody” include juvenile offenders, adjudicated delinquents, aliens detained awaiting deportation, witnesses, or others awaiting charges or trial.

(11) “Corrective Action” means an action that a business associate must take to remedy a breach or violation of the business associate’s obligations under the business associate’s contractual requirement, including but not limited to reasonable steps that must be taken to cure the breach or end the violation.

(12) “Covered Entity” means health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction that is subject to federal Health Insurance Portability and Accountability Act (HIPAA) requirements, as those terms are defined and used in the HIPAA regulations, 45 CFR parts 160 and 164.

(13) “De-identified Data” means client information from which the Authority or other entity has deleted, redacted, or blocked identifiers so the remaining information cannot reasonably be used to identify an individual.

(14) “Department” means the Department of Human Services.

(15) “Disclose” means the release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Authority.

(16) “Health Care” means care, services, or supplies related to the health of an individual. Health care includes but is not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, palliative care, counseling services, assessment, or procedures with respect to the physical or mental condition, or functional status of an individual, or that affects the structure or function of the body and the sale or dispensing of a drug, device, equipment, or other prescribed item.

(17) “Health Care Operations” means any activities of the Authority to the extent that the activities are related to health care, Medicaid, or any other health care related programs, services, or activities administered by the Authority and include:

(a) Conducting quality assessment and improvement activities, including outcome evaluation and development of clinical guidelines;

(b) Population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

(c) Reviewing the competence or qualifications of health care professionals; evaluating practitioner, provider, and health plan performance; conducting training programs in which students and trainees in areas of health care learn under supervision to practice or improve their skills; and accreditation, certification, licensing, or credentialing activities;

(d) Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract for Medicaid or health care related services;

(e) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs, and disclosure to the Medicaid Fraud Unit pursuant to 42 CFR 455.21;

(f) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the Authority, including administration, development, or improvement of methods of payments or health care coverage; and

(g) Business management and general administrative activities of the Authority, including but not limited to:

(A) Management activities relating to implementation of and compliance with the requirements of HIPAA;

(B) Customer service, including providing data analysis;

(C) Resolution of internal grievances, including administrative hearings and the resolution of disputes from patients or enrollees regarding the quality of care and eligibility for services; and

(D) Creating de-identified data or a limited data set.

(18) “Health Oversight Agency” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including employees or agents of the public agency or its contractors or grantees that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. When performing these functions, the Authority acts as a health oversight agency for the purposes of these rules.

(19) “HIPAA” means the Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq, and the federal regulations adopted to implement the Act.

(20) “Individual” means the person who is the subject of information collected, used, or disclosed by the Authority.

(21) “Individually Identifying Information” means any single item or compilation of information or data that indicates or reveals the identity of an individual, either specifically (such as the individual’s name or social security number), or from which the individual’s identity can be reasonably ascertained.

(22) “Information” means personal information relating to an individual, a participant, or an Authority client.

(23) “Inmate” means a person incarcerated in or otherwise confined in a correctional institution. An individual is no longer an inmate when released on parole, probation, supervised release, or is otherwise no longer in custody.

(24) “Institutional Review Board (IRB)” means a specially constituted review body established or designated by an entity in accordance with 45 CFR part 46 to protect the welfare of human subjects recruited to participate in biomedical or behavioral research. The IRB must be registered with the Office for Human Research Protection.

(25) “Law Enforcement Official” means an officer or employee of any agency or authority of the federal government, a state, territory, political subdivision of a state or territory, or Indian tribe who is empowered by law to:

(a) Investigate and conduct an official inquiry into a potential violation of law; or

(b) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

(26) “Licensee” means a person or entity that applies for or receives a license, certificate, registration, or similar authority from the Authority to perform or conduct a service, activity, or function.

(27) “Minimum Necessary” means the least amount of information, when using or disclosing confidential client information, that is needed to accomplish the intended purpose of the use, disclosure, or request.

(28) “Participant” means individuals participating in Authority population-based services, programs, and activities that serve the general population, but who do not receive the program benefits or direct services received by a client. Examples of participants include but are not limited to an individual whose birth certificate is recorded with the Department of Vital Statistics, the subjects of public health studies, immunization or cancer registries, newborn screening, and other public health services, and individuals who contact Authority hotlines or the ombudsman for general public information services.

(29) “Payment” means any activities undertaken by the Authority related to a client to whom health care is provided in order to:

(a) Obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the Medicaid program or other publicly funded health care services; and

(b) Obtain or provide reimbursement for the provision of health care.

(30) “Payment Activities” means:

(a) Determinations of eligibility or coverage, including coordination of benefits or the determination of cost sharing amounts, and adjudication of health benefit or health care claims;

(b) Risk adjusting amounts due which are based on enrollee health status and demographic characteristics;

(c) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing;

(d) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;

(e) Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and

(f) Disclosure to consumer reporting agencies relating to collection of premiums or reimbursement including name and address, date of birth, payment history, account number, and name and address of the health care provider or health plan.

(31) “Personal Representative” means a person who has authority to act on behalf of an individual in making decisions related to health care.

(32) “Protected Health Information (PHI)” means any individually identifiable health information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. PHI also includes any such data transmitted or maintained in any other form or medium by covered entities, including paper records, fax documents, all oral communications, or any other form, such as screen prints of eligibility information, printed e-mails containing an identified individual’s health information, claim or billing information, or hard copy birth or death certificates. PHI does not include school records that are subject to the Family Educational Rights and Privacy Act or employment records held in the Authority’s role as an employer.

(33) “Protected Information” means any participant or client information that the Authority may have in its records or files that must be safeguarded pursuant to Authority policy. This includes but is not limited to individually identifying information.

(34) “Provider” means a person or entity that may seek reimbursement from the Authority as a provider of services to Authority clients pursuant to a contract. For purposes of these rules, reimbursement may be requested on the basis of claims or encounters or other means of requesting payment.

(35) “Psychotherapy Notes” means notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversations during a private counseling session, or group, joint, or family counseling session, when the notes are separated from the rest of the individual’s record. Psychotherapy notes do not include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date.

(36) “Public Health Agency” means a public agency, including the Authority, or a person or entity acting under a grant of authority from or by contract with the Authority or public agency that performs or conducts one or more of the following essential functions that characterize public health programs, services, or activities:

(a) Monitor health status to identify community health problems;

(b) Diagnose and investigate health problems and health hazards in the community;

(c) Inform, educate, and empower people about health issues;

(d) Mobilize community partnerships to identify and solve health problems;

(e) Develop policies and plans that support individual and community health efforts;

(f) Enforce laws and regulations that protect health and ensure safety;

(g) Direct individuals to needed personal health services and assure the provision of health care when otherwise unavailable;

(h) Ensure a competent public health and personal health care workforce;

(i) Evaluate the effectiveness, accessibility, and quality of personal and population-based health services; and

(j) Perform research for new insights and innovative solutions to health problems.

(37) “Public Health Authority” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including the employees or agents of the public agency, or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. When performing functions as a public health agency, the Authority acts as a public health authority for purposes of these rules.

(38) “Re-disclosure” means the disclosure of information to a person, an Authority program, an Authority subcontracted entity, or other entity or person other than what was originally authorized.

(39) “Research” means systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalized knowledge.

(40) “Required by Law” means a duty or responsibility that federal or state law specifies that a person or entity must perform or exercise. Required by law includes but is not limited to court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or rules that require the production of information, including statutes or rules that require such information if payment is sought under a government program providing public benefits.

(41) “Treatment” means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.

(42) “Use” means the sharing of individual information within an Authority program or the sharing of individual information between program staff and administrative staff that support or oversee the program.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065
Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0010

Purpose

(1) The purpose of these rules (OAR 943-014-0000 to 943-014-0070) is to govern the collection, use, and disclosure of protected information by the Authority about individuals and to explain the rights and specific actions that individuals may take or request to be taken regarding the uses and disclosures of their protected information. These rules also set forth the Authority’s requirements governing the use and disclosure of PHI for purposes of HIPAA, 42 USC 1320d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the implementing HIPAA privacy rules, 45 CFR parts 160 and 164, applicable to the Authority’s health care components.

(2) Except as provided in section (1) of this rule, state and federal statutes, rules, and policies that govern the administration of Authority programs, services, and activities continue to govern the use and disclosure of protected information in those Authority programs, services, and activities.

(3) In the event that it is not possible to comply with the requirements of both sections (1) and (2) of this rule, the Authority shall act in accordance with whichever federal or state law imposes a stricter requirement regarding the privacy or safeguarding of information and which provides the greater protection or access to the individual who is the subject of the information, unless one of the following applies:

(a) Public health. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, birth, or death; public health surveillance; or public health investigation or intervention.

(b) Child abuse. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of child abuse.

(c) State regulatory reporting. Nothing in these rules shall be construed to limit the ability of the State of Oregon or the Authority to require a health plan to report, or to provide access to information for management audits, financial audits, program monitoring, facility licensure or certification, or individual licensure or certification.

(4) The Authority may collect, maintain, use, transmit, share, and disclose information about any individual to the extent authorized by law to administer Authority programs, services, and activities.

(5) The Authority may use and disclose information about licensees or providers consistent with federal and state laws and regulations. Information regarding the qualifications of licensees and providers is a public record.

(a) When the Authority obtains information about individuals that relates to determining payment responsibility when a provider submits a request for payment to the Authority, the Authority shall safeguard the information consistent with federal and state laws and regulations and Authority policies.

(b) The Authority may review the performance of licensees and providers in the conduct of its health oversight activities and shall safeguard information about individuals obtained during those activities in accordance with federal and state laws and regulations and Authority policies.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065
Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0015

Covered Entity Status for Purposes of the HIPAA Privacy Rules

(1) These rules address information that, among other things, may be Protected Health Information that is protected by the HIPAA Privacy Rules. For purposes of HIPAA Privacy Rules, the Authority is a hybrid entity because the Authority performs functions that are covered by HIPAA (“health care components”) and functions that are not covered by HIPAA. The Authority’s health care components consist of the functions that are included in the definition of a covered entity, as follows:

(a) The Authority in its capacity as the state Medicaid agency for the administration of the Medicaid program under Title XIX of the Social Security Act and the Children’s Health Insurance Program under Title XXI of the Act and the medical assistance program as described in ORS chapter 414;

(b) The Health Care for All Oregon Children program;

(c) The Family Health Insurance Assistance Program established in ORS 414.841 to 414.864;

(d) Any medical assistance or premium assistance programs reimbursed with Medicaid or the Children’s Health Insurance Program funds operated by the Authority;

(e) The Oregon State Hospital and Blue Mountain Recovery Center;

(f) The high risk pools administered by the Oregon Medical Insurance Pool Board and the Office of Private Health Partnerships;

(g) The Breast and Cervical Cancer Program and the Wise Woman Program;

(h) The Public Health Laboratory;

(i) The Medicaid Management Information system and information technology systems associated with the administration and management of the health care components listed above; and

(j) The ombudsman and other administrative and health care operations functions associated with the administration and management of the health care components listed above.

(2) The Authority administers many aspects of the medical assistance program with the assistance of the Department, including but not limited to eligibility determinations for the medical assistance program and supervising the long-term and community-based services for seniors and people with disabilities. The Department also provides certain health care operations services for the Authority. In doing so, the Department is a business associate of the Authority. As a business associate of the Authority, the Department is authorized to use and disclose protected health information to perform or assist the Authority in the performance of its covered functions.

(3) When these rules of the Authority apply to PHI that is subject to the HIPAA Privacy and Security rules, a reference to the Authority may also include the actions of the Department acting as the Authority’s business associate.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065
Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0020

Uses and Disclosures of Client or Participant Protected Information

(1) Uses and disclosures with individual authorization. The Authority must obtain a completed and signed authorization for release of information from the individual, or the individual’s personal representative, before obtaining or using protected information about an individual from a third party or disclosing protected information about the individual to a third party.

(a) Uses and disclosures must be consistent with what the individual has approved on the signed authorization form approved by the Authority.

(b) An individual may revoke an authorization at any time. The revocation must be in writing and signed by the individual, except that substance abuse treatment patients may orally revoke an authorization to disclose information obtained from substance abuse treatment programs. No revocation shall apply to information already released while the authorization was valid and in effect.

(2) Uses and disclosures without authorization. The Authority may use and disclose information without written authorization in the following circumstances:

(a) The Authority may disclose information to individuals who have requested disclosure to themselves of their information, if the individual has the right to access the information under OAR 943-014-0030(6).

(b) If the law requires or permits the disclosure, and the use and disclosure complies with, and is limited to, the relevant requirements of the relevant law.

(c) For treatment, payment, and health care operations the Authority may disclose the following information:

(A) Activities involving the current treatment of an individual, for the Authority or health care provider;

(B) Payment activities, for the Authority, covered entity, or health care provider;

(C) Protected health information for the purpose of health care operations; and

(D) Substance abuse treatment information, if the recipient has a Qualified Service Organization Agreement with the Authority.

(d) Psychotherapy notes. The Authority may only use and disclose psychotherapy notes in the following circumstances:

(A) In the Authority’s supervised counseling training programs;

(B) In connection with oversight of the originator of the psychotherapy notes; or

(C) To defend the Authority in a legal action or other proceeding brought by the individual.

(e) Public health activities.

(A) The Authority may disclose an individual’s protected information to appropriate entities or persons for governmental public health activities and for other purposes including but not limited to:

(i) A governmental public health authority that is authorized by law to collect or receive protected information for the purpose of preventing or controlling disease, injury, or disability. This includes but is not limited to reporting disease, injury, and vital events such as birth or death; and the conducting of public health surveillance, investigations, and interventions;

(ii) An official of a foreign government agency that is acting in collaboration with a governmental public health authority;

(iii) A governmental public health authority, or other government authority that is authorized by law to receive reports of child abuse or neglect;

(iv) A person subject to the jurisdiction of the federal Food and Drug Administration (FDA), regarding an FDA-regulated product or activity for which that person is responsible for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity; or

(v) A person who may have been exposed to a communicable disease, or may be at risk of contracting or spreading a disease or condition, if the Authority or other public health authority is authorized to notify the person as necessary in conducting a public health intervention or investigation.

(B) Where state or federal law prohibits or restricts use and disclosure of information obtained or maintained for public health purposes, the Authority shall deny the use and disclosure.

(f) Child abuse reporting and investigation. If the Authority has reasonable cause to believe that a child is a victim of abuse or neglect, the Authority may disclose protected information to appropriate governmental authorities authorized by law to receive reports of child abuse or neglect.

(g) Adult abuse reporting and investigation. If the Authority has reasonable cause to believe that a vulnerable adult is a victim of abuse or neglect, the Authority may disclose information, as required by law, to a government authority or regulatory agency authorized by law to receive reports of abuse or neglect including but not limited to a social service or protective services agency authorized by law to receive such reports. Vulnerable adults are adults age 65 or older and persons with disabilities.

(h) Health oversight activities. The Authority may disclose information without authorization for health oversight activities, including audits; civil, criminal, or administrative investigations, prosecutions, licensing or disciplinary actions; Medicaid fraud; or other necessary oversight activities.

(i) Administrative and court hearings, grievances, investigations, and appeals.

(A) The Authority may use or disclose information for an investigation, administrative or court hearing, grievance, or appeal about an individual’s eligibility or right to receive Authority benefits or services.

(B) If the Authority has obtained information in performing its duties as a health oversight agency, public health authority, or public benefit program, the Authority may use or disclose that information in an administrative or court hearing consistent with the other privacy requirements applicable to that program, service, or activity.

(j) Court orders. The Authority may disclose information for judicial or administrative proceedings in response to a court order, subpoena, discovery request, or other legal process. If a court orders the Authority to conduct a mental examination pursuant to ORS 161.315, 161.365, 161.370, or orders the Authority to provide any other report or evaluation to the court, the examination, report, or evaluation shall be deemed to be required by law for purposes of HIPAA.

(k) Law enforcement purposes. For limited law enforcement purposes, the Authority may report certain injuries or wounds; provide information to identify or locate a suspect, victim, or witness; alert law enforcement of a death as a result of criminal conduct; and provide information which constitutes evidence of criminal conduct on Authority premises.

(A) The Authority may provide client information to a law enforcement officer in any of the following situations:

(i) The law enforcement officer is involved in carrying out any investigation, criminal, or civil proceedings connected with administering the program from which the information is sought;

(ii) An Authority employee may disclose information from personal knowledge that does not come from the client’s interaction with the Authority;

(iii) The disclosure is authorized by statute or administrative rule;

(iv) The information informs law enforcement of a death as a result of criminal conduct;

(v) The information constitutes evidence of criminal conduct on Authority premises; or

(vi) The disclosure is necessary to protect the client or others, and the client poses a threat to his or her safety or to the safety of others.

(B) Except as provided in section (2)(k)(C) of this rule, the Authority may give a client’s current address, Social Security number, and photo to a law enforcement officer if the law enforcement officer makes the request in the course of official duty, supplies the client’s name, and states that the client:

(i) Is a fugitive felon or is violating parole, probation, or post-prison supervision;

(ii) For all public assistance programs, has information that is necessary for the officer to conduct official duties, and the location or apprehension of the client is within the officer’s official duties; or

(C) If domestic violence has been identified in the household, the Authority may not release information about a victim of domestic violence unless a member of the household is either wanted as a fugitive felon or is violating parole, probation, or post-prison supervision.

(D) For purposes of this subsection, a fugitive felon is a person fleeing to avoid prosecution or custody for a crime, or an attempt to commit a crime, that would be classified as a felony.

(E) For purposes of this section, a law enforcement officer is an employee of the Oregon State Police, a county sheriff’s department, or a municipal police department, whose official duties include arrest authority.

(l) Use and disclosure of information about deceased individuals.

(A) The Authority may disclose individual information to a coroner or medical examiner for the purpose of identifying a deceased individual, determining cause of death, or other duties authorized by law.

(B) The Authority may disclose individual information to funeral directors as needed to carry out their duties regarding the decedent. The Authority may also disclose individual information prior to, and in anticipation of, the death.

(m) Organ or tissue donation. The Authority may disclose individual information to organ procurement organizations or other entities engaged in procuring, banking, or transplanting cadaver organs, eyes, or tissue for the purpose of facilitating transplantation.

(n) Research. The Authority may disclose individual information without authorization for research purposes, as specified in OAR 943-014-0060.

(o) Threat to health or safety. To avert a serious threat to health or safety the Authority may disclose individual information if:

(A) The Authority believes in good faith that the information is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

(B) The report is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

(p) National security and intelligence. The Authority may disclose information to authorized federal officials for lawful intelligence, counterintelligence, and other national security activities.

(q) Correctional institutions and law enforcement custody situations. The Authority may disclose information to a correctional institution or a law enforcement official having lawful custody of an inmate or other person, for the limited purpose of providing health care or ensuring the health or safety of the person or other inmates.

(r) Emergency treatment. In case of an emergency, the Authority may disclose individual information to the extent needed to provide emergency treatment.

(s) Government entities providing public benefits. The Authority may disclose eligibility and other information to governmental entities administering a government program providing public benefits.

(3) Authorization not required if opportunity to object given. The Authority may use and disclose an individual’s information without authorization if the Authority informs the individual in advance and gives the individual an opportunity to either agree or refuse or restrict the use and disclosure.

(a) These disclosures are limited to disclosure of information to a family member, other relative, close personal friend of the individual, or any other person named by the individual, subject to the following limitations:

(A) The Authority may disclose only the protected information that directly relates to the person’s involvement with the individual’s care or payment for care.

(B) The Authority may use and disclose protected information for notifying, identifying, or locating a family member, personal representative, or other person responsible for care of the individual, regarding the individual’s location, general condition, or death. For individuals who had resided at one time at the state training center, OAR 411-320-0090(6) addresses family reconnection.

(C) If the individual is present for, or available prior to, a use and disclosure, the Authority may disclose the protected information if the Authority:

(i) Obtains the individual’s agreement;

(ii) Provides the individual an opportunity to object to the disclosure, and the individual does not object; or

(iii) Reasonably infers from the circumstances that the individual does not object to the disclosure.

(D) If the individual is not present, or the opportunity to object to the use and disclosure cannot practicably be provided due to the individual’s incapacity or an emergency situation, the Authority may disclose the information if, using professional judgment, the Authority determines that the use and disclosure is in the individual’s best interests.

(b) Exception. For individuals referred to or receiving substance abuse treatment, mental health, or vocational rehabilitation services, the Authority shall not use or disclose information without written authorization, unless disclosure is otherwise permitted under 42 CFR part 2, 34 CFR 361.38, or ORS 179.505.

(c) Personal representative. The Authority must treat a personal representative as the individual for purposes of these rules, except that:

(A) A personal representative must be authorized under state law to act on behalf of the individual with respect to use and disclosure of information. The Authority may require a personal representative to provide a copy of the documentation authorizing the person to act on behalf of the individual.

(B) The Authority may elect not to treat a person as a personal representative of an individual if:

(i) The Authority has a reasonable belief that the individual has been or may be subjected to domestic violence, abuse, or neglect by the person;

(ii) The Authority, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.

(4) Redisclosure. The Authority must inform the individual that information held by the Authority and authorized by the individual for disclosure may be subject to redisclosure and no longer protected by these rules.

(5) Specific written authorization. If the use or disclosure of information requires an authorization, the authorization must specify that the Authority may use or disclose vocational rehabilitation records, alcohol and drug records, HIV/AIDS records, genetics information, and mental health or developmental disability records held by publicly funded providers.

(a) Pursuant to federal regulations at 42 CFR part 2 and 34 CFR 361.38, the Authority may not make further disclosure of vocational rehabilitation and alcohol and drug rehabilitation information without the specific written authorization of the individual to whom it pertains.

(b) Pursuant to ORS 433.045 and OAR 333-012-0270, the Authority may not make further disclosure of individual information pertaining to HIV/AIDS.

(c) Pursuant to ORS 192.531 to 192.549, the Authority may not make further disclosure pertaining to genetic information.

(6) Verification of person or entity requesting information. The Authority may not disclose information about an individual without first verifying the identity of the person or entity requesting the information, unless the Authority workforce member fulfilling the request already knows the person or has already verified identity.

(7) Whistleblowers. The Authority may disclose an individual’s protected health information under the HIPAA privacy rules under the following circumstances:

(a) The Authority workforce member or business associate believes in good faith that the Authority has engaged in conduct that is unlawful or that otherwise violates professional standards or Authority policy, or that the care, services, or conditions provided by the Authority could endanger Authority staff, individuals in Authority care, or the public; and

(b) The disclosure is to a government oversight agency or public health authority, or an attorney of an Authority workforce member or business associate retained for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct alleged under section (7)(a) above; and

(c) Nothing in this rule is intended to interfere with ORS 659A.200 to 659A.224 describing the circumstances applicable to disclosures by Authority workforce or business associates.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065
Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0030

Client Privacy Rights

(1) Rights of clients to access their information. Clients may access, inspect, and obtain a copy of information on their own cases in Authority files or records, consistent with federal and state law.

(a) A client may request access by completing the Access to Records Request form, or by providing sufficient information to accomplish this request.

(b) Clients may request access to their own information that is kept by the Authority by using a personal identifier such as the client’s name or Authority case number.

(c) If the Authority maintains information in a record that includes information about other people, the client may see information only about himself or herself.

(d) If a person identified in the file is a minor child of the client, and the client is authorized under Oregon law to have access to the minor’s information or to act on behalf of the minor for making decisions about the minor’s care, the client may obtain information about the minor.

(e) If the requestor of information is recognized under Oregon law as the client’s guardian or custodian and is authorized under Oregon law to have access to the client’s information or to act on behalf of the client for making decisions about the client’s services or care, the Authority shall release information to the requestor.

(f) For individuals with disabilities or mental illnesses, the named system in ORS 192.517, to protect and advocate the rights of individuals with developmental disabilities under Part C of the Developmental Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041 et seq.) and the rights of individuals with mental illness under the Protection and Advocacy for Individuals with Mental Illness Act (42 U.S.C. 10801 et seq.), shall have access to all records defined in ORS 192.515.

(g) The Authority may deny a client’s access to their own PHI if federal law prohibits the disclosure. Clients may access, inspect, and obtain a copy of health information on their own case in Authority files or records except for the following:

(A) Psychotherapy notes;

(B) Information compiled in reasonable anticipation of, or for use in civil, criminal, or administrative proceedings;

(C) Information that is subject to the federal Clinical Labs Improvement Amendments of 1988, or exempt pursuant to 42 CFR 493.3(a)(2);

(D) Information that the Authority believes, in good faith, can cause harm to the client, participant, or to any other person; and

(E) Documents protected by attorney work-product privilege.

(h) The Authority may deny a client access to information that was obtained under a promise of confidentiality from a person other than a health care provider to the extent that access would reveal the source of the information.

(i) The Authority may deny a client access to information, if the Authority gives the client a right to have the denial reviewed when:

(A) A licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may endanger the life or physical safety of the client or another person;

(B) The information makes reference to another person, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may cause substantial harm to the client or to another person; or

(C) The request for access is made by the client’s personal representative, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that allowing the personal representative access to the information may cause substantial harm to the client or to another person.

(j) If the Authority denies access under section (1)(i) of this rule, the client may have the decision reviewed by a licensed health care professional (for health information) or other designated staff (for other information) not directly involved in making the original denial decision.

(A) The Authority must promptly refer a client’s request for review to the designated reviewer.

(B) The reviewer must determine, within the 30 or 60-day time limits stated in section (1)(k)(A) and (B) of this rule, whether to approve or deny the client’s request for access.

(C) Based on the reviewer’s decision, the Authority shall:

(i) Promptly notify the client in writing of the reviewer’s determination; and

(ii) If approved, take action to carry out the reviewer’s determination.

(k) The Authority must act on a client’s request for access no later than 30 days after receiving the request, except as provided in this section and in the case of written accounts under ORS 179.505, which must be disclosed within five days.

(A) In cases where the information is not maintained or accessible to the Authority on-site, and does not fall under ORS 179.505, the Authority must act on the client’s request no later than 60 days after receiving the request.

(B) If the Authority is unable to act within the 30 or 60-day limits, the Authority may extend this time period a maximum of 30 additional days, subject to the following:

(i) The Authority must notify the client in writing of the reasons for the delay and the date by which the Authority shall act on the request.

(ii) The Authority shall use only one 30-day extension.

(l) If the Authority grants the client’s request, in whole or in part, the Authority must inform the client of the access decision and provide the requested access.

(A) If the Authority maintains the same information in more than one format or at more than one location, the Authority may provide the requested information once.

(B) The Authority must provide the requested information in a form or format requested by the client, if readily producible in that form or format. If not readily producible, the Authority shall provide the information in a readable hard-copy format or other format as agreed to by the Authority and the client.

(C) The Authority may provide the client with a summary of the requested information, in lieu of providing access, or may provide an explanation of the information if access has been provided, if:

(i) The client agrees in advance; and

(ii) The client agrees in advance to pay any fees the Authority may impose, under section (1)(L)(E) of this rule.

(D) The Authority shall arrange with the client for providing the requested access in a time, place, and manner convenient for the client and the Authority.

(E) If a client, or legal guardian or custodian, requests a copy, written summary, or explanation of the requested information, the Authority may impose a reasonable cost-based fee, limited to the following:

(i) Copying the requested information, including the costs of supplies and the labor of copying;

(ii) Postage; and

(iii) Staff time for preparing an explanation or summary of the requested information.

(m) If the Authority denies access, in whole or in part, to the requested information, the Authority must:

(A) Give the client access to any other requested client information, after excluding the information to which access is denied; and

(B) Provide the client with a timely written denial. The denial must:

(i) Be provided within the time limits specified in section (1)(k)(A) and (B) of this rule;

(ii) State the basis of the denial in plain language;

(iii) If the Authority denies access under section (1)(i) of this rule, explain the client’s review rights as specified in section (1)(j) of this rule, including an explanation of how the client may exercise these rights; and

(iv) Provide a description of how the client may file a complaint with the Authority, and if the information is PHI, with the United States Department of Health and Human Services (DHHS), Office for Civil Rights, pursuant to section (7) of this rule.

(n) If the Authority does not maintain the requested information, in whole or in part, and knows where the information is maintained (such as by a medical provider, insurer, other public agency, private business, or other non-Authority entity), the Authority must inform the client where to direct the request for access.

(2) Authority Notice of Privacy Practices. The Authority shall send clients notice about the Authority’s privacy practices as follows:

(a) The Authority shall make available to each client a notice of Authority privacy practices that describes the duty of the Authority to maintain the privacy of PHI and include a description that clearly informs the client of the types of uses and disclosures the Authority is permitted or required to make;

(b) The Authority shall provide all clients in direct care settings a notice of Authority privacy practices and shall request the client’s signature on an acknowledgement of receipt form;

(c) If the Authority revises its privacy practices, the Authority shall make the revised notice available to all clients;

(d) The Authority shall post a copy of the Authority’s Notice of Privacy Practices for public viewing at each Authority worksite and on the Authority website; and

(e) The Authority shall give a paper copy of the Authority’s Notice of Privacy Practices to any individual upon request.

(3) Right to request restrictions on uses or disclosures. Clients may request restrictions on the use or disclosure of their information.

(a) The Authority may deny the client’s request or limit its agreement to a request.

(A) The Authority may not agree to restrict uses or disclosures of information if the restriction would adversely affect the quality of the client’s care or services.

(B) The Authority may not agree to restrict uses or disclosures of information that would limit or prevent the Authority from making or obtaining payment for services.

(b) The Authority may not deny a client’s request to restrict the sharing of records of alcohol and drug treatment or records relating to vocational rehabilitation services with another Authority program.

(c) The Authority shall document the client’s request, and the reasons for granting or denying the request, in the client’s Authority case file.

(d) If the client needs emergency treatment and the restricted protected information is needed to provide the treatment, the Authority may use or disclose the restricted protected information to a provider, for the limited purpose of providing treatment. However, once the emergency situation subsides the Authority shall ask the provider not to redisclose the information.

(e) The Authority may terminate its agreement to a restriction if:

(A) The client agrees to or requests the termination in writing;

(B) The client orally requests or agrees to the termination, and the Authority documents the oral request or agreement in the client’s Authority case file; or

(C) With or without the client’s agreement, the Authority informs the client that the Authority is terminating its agreement to the restriction. Information created or received while the restriction was in place shall remain subject to the restriction.

(4) Rights of clients to request to receive information from the Authority by alternative means or at alternative locations. The Authority must accommodate reasonable requests by clients to receive communications from the Authority by alternative means, such as by mail, e-mail, fax, or telephone, and at an alternative location.

(a) The client must specify the preferred alternative means or location.

(b) The client may submit the request for alternative means or locations either orally or in writing.

(A) If the client makes a request in-person, the Authority shall document the request and ask for the client’s signature.

(B) If the client makes a request by telephone or electronically, the Authority shall document the request and verify the identity of the client.

(c) The Authority may terminate its agreement to an alternative location or method of communication if:

(A) The client agrees to or requests termination of the alternative location or method of communication in writing or orally. The Authority shall document the oral agreement or request in the client’s Authority case file; or

(B) The Authority informs the client that the Authority is terminating its agreement to the alternative location or method of communication because the alternative location or method of communication is not effective. The Authority may terminate its agreement to communicate at the alternative location or by the alternate method if:

(i) The Authority is unable to contact the client at the location or by the method requested; or

(ii) The client fails to respond to payment requests, if applicable.

(5) Right of clients to request amendment of their information. Clients may request that the Authority amend information about themselves in Authority files.

(a) For all amendment requests, the Authority shall have the client complete the approved Authority form.

(b) The Authority may deny the request or limit its agreement to amend.

(c) The Authority must act on the client’s request no later than 60 days after receiving the request. If the Authority is unable to act within 60 days, the Authority may extend this time limit by a maximum of 30 additional days, subject to the following:

(A) The Authority must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Authority shall act on the request; and

(B) The Authority shall use only one 30-day extension.

(d) The program’s medical director, a licensed health care professional designated by the program administrator, or an Authority staff person involved in the client’s case must review the request and any related documentation prior to making a decision to amend a health or medical record.

(e) A staff person designated by the Authority shall review the request and any related documentation prior to making a decision to amend any information that is not a health or medical record.

(f) If the Authority grants the request, in whole or in part, the Authority shall:

(A) Make the appropriate amendment to the information or records, and document the amendment in the client’s Authority file or record;

(B) Provide notice to the client that the amendment has been granted, pursuant to the time limits under section (5)(c) of this rule;

(C) Obtain the client’s agreement to notify other relevant persons or entities with whom the Authority has shared or needs to share the amended information; and

(D) Inform and provide the amendment within a reasonable time to:

(i) Persons named by the client who have received the information and who need the amendment; and

(ii) Persons, including business associates of the Authority, that the Authority knows have the information that is the subject of the amendment and who may have relied, or could foreseeably rely, on the information to the client’s detriment.

(g) The Authority may deny the client’s request for amendment if:

(A) The Authority finds the information to be accurate and complete;

(B) The information was not created by the Authority;

(C) The information is not part of Authority records; or

(D) The information would not be available for inspection or access by the client, pursuant to section (1)(g) and (h) of this rule.

(h) If the Authority denies the amendment request, in whole or in part, the Authority must provide the client with a written denial. The denial must:

(A) Be sent within the time limits specified in section (5)(c) of this rule;

(B) State the basis for the denial, in plain language; and

(C) Explain the client’s right to submit a written statement disagreeing with the denial and how to file the statement. If the client files a statement:

(i) The Authority shall enter the written statement into the client’s Authority case file;

(ii) The Authority may also enter an Authority written rebuttal of the client’s written statement into the client’s Authority case file. The Authority shall send a copy of any written rebuttal to the client;

(iii) The Authority shall include a copy of the statement and any Authority written rebuttal with any future disclosures of the relevant information;

(iv) If a client does not submit a written statement of disagreement, the client may ask that, if the Authority makes any further disclosures of the relevant information, the Authority also include a copy of the client’s original request for amendment and a copy of the Authority written denial; and

(v) The Authority shall provide information on how the client may file a complaint with the Authority and, if the information is PHI, with DHHS, Office for Civil Rights.

(6) Rights of clients to request an accounting of disclosures of PHI. Clients may receive an accounting of disclosures of PHI that the Authority has made for any period of time, not to exceed six years, preceding the request date for the accounting.

(a) For all requests for an accounting of disclosures, the client may complete the authorized Authority form “Request for Accounting of Disclosures of Health Records”, or provide sufficient information to accomplish this request.

(b) The right to an accounting of disclosures does not apply when the request is:

(A) Authorized by the client;

(B) Made prior to April 14, 2003;

(C) Made to carry out treatment, payment, or health care operations, unless these disclosures are made from an electronic health record;

(D) Made to the client;

(E) Made to persons involved in the client’s care;

(F) Made as part of a limited data set in accordance with OAR 943-014-0070;

(G) Made for national security or intelligence purposes; or

(H) Made to correctional institutions or law enforcement officials having lawful custody of an inmate.

(c) For each disclosure, the accounting must include:

(A) The date of the disclosure;

(B) The name and address, if known, of the person or entity who received the disclosed information;

(C) A brief description of the information disclosed; and

(D) A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or, in lieu of a statement, a copy of the client’s written request for a disclosure, if any.

(d) If, during the time period covered by the accounting, the Authority has made multiple disclosures to the same person or entity for the same purpose, the Authority may provide the required information for only the first disclosure. The Authority need not list the same identical information for each subsequent disclosure to the same person or entity if the Authority adds the following information:

(A) The frequency or number of disclosures made to the same person or entity; and

(B) The date of the most recent disclosure during the time period for which the accounting is requested.

(e) The Authority must act on the client’s request for an accounting no later than 60 days after receiving the request. If the Authority is unable to act within 60 days, the Authority may extend this time limit by a maximum of 30 additional days, subject to the following:

(A) The Authority must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Authority shall act on the request; and

(B) The Authority shall use only one 30-day extension.

(f) The Authority shall provide the first requested accounting in any 12-month period without charge. The Authority may charge the client a reasonable cost-based fee for each additional accounting requested by the client within the 12-month period following the first request, if the Authority:

(A) Informs the client of the fee before proceeding with any additional request; and

(B) Allows the client an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

(g) The Authority shall document the information required to be included in an accounting of disclosures, as specified in section (6)(c) of this rule, and retain a copy of the written accounting provided to the client.

(h) The Authority shall temporarily suspend a client’s right to receive an accounting of disclosures that the Authority has made to a health oversight agency or to a law enforcement official, for a length of time specified by the agency or official, if the agency or official provides a written or oral statement to the Authority that the accounting would be reasonably likely to impede their activities. If the agency or official makes an oral request, the Authority shall:

(A) Document the oral request, including the identity of the agency or official making the request;

(B) Temporarily suspend the client’s request to an accounting of disclosures; and

(C) Limit the temporary suspension to no longer than 30 days from the date of the oral request, unless the agency or official submits a written request specifying a longer time period.

(7) Filing a complaint. Clients may file a complaint with the Authority or, if the information is PHI, with DHHS, Office for Civil Rights.

(a) Upon request, the Authority shall give clients the name and address of the specific person or office to which complaints to DHHS should be submitted.

(b) The Authority may not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any individual filing a complaint or inquiring about how to file a complaint.

(c) The Authority may not require clients to waive their rights to file a complaint as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.

(d) The Authority shall designate staff to review and determine action on complaints filed with the Authority.

(e) The Authority shall document, in the client’s Authority case file, all complaints, the findings from reviewing each complaint, and the Authority’s actions resulting from the complaint. For each complaint the documentation shall include a description of corrective action that the Authority has taken, if any is necessary, or why corrective action is not needed.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065
Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0040

Minimum Necessary Standards

(1) The Authority shall limit the use and disclosure of protected information to that which is reasonably necessary to accomplish the intended purpose of the use or disclosure, which is referred to in these rules as the minimum necessary standard.

(2) This minimum necessary standard is not intended to impede the essential Authority activities of treatment, payment, health care operations, or service delivery.

(3) The minimum necessary standard applies:

(a) When using protected information within the Authority;

(b) When disclosing protected information to a third party in response to a request; or

(c) When requesting protected information from another covered entity.

(4) The minimum necessary standard does not apply to:

(a) Disclosures to or requests by a health care provider for treatment;

(b) Disclosures made to the individual, including disclosures made in response to a request for access or an accounting;

(c) Disclosures made with a valid authorization;

(d) Disclosures made to DHHS for the purposes of compliance and enforcement of federal regulations under 45 CFR part 160 and required for compliance with 45 CFR part 164; or

(e) Uses and disclosures required by law.

(5) When requesting protected information about an individual from another entity, the Authority shall limit requests to those that are reasonably necessary to accomplish the purposes for which the request is made. The Authority shall not request a person’s entire medical record unless the Authority can specifically justify the need for the entire medical record.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065
Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0060

Uses and Disclosures of Protected Information for Research Purposes

The Authority may use and disclose an individual’s information for research purposes as specified in this rule.

(1) All research disclosures are subject to applicable requirements of federal and state laws and rules including but not limited to 45 CFR part 46 and 21 CFR part 50.0 to 50.56, relating to the protection of human research subjects.

(2) The Authority may use and disclose de-identified information or a limited data set for research purposes, pursuant to OAR 943-014-0070.

(3) The Authority may use and disclose information regarding an individual for research purposes with the specific written authorization of the individual. The authorization must meet all requirements in OAR 943-014-0030, and may indicate an expiration date with terms such as “end of research study” or similar language. An authorization for use and disclosure for a research study may be combined with other types of written authorization for the same research study. If research includes treatment, the researcher may require an authorization for use and disclosure for the research as a provision of providing research related treatment.

(4) Notwithstanding section (3) of this rule, the Authority may use and disclose an individual’s information for research purposes without the individual’s written authorization, regardless of the source of funding for the research, provided that:

(a) The Authority obtains documentation that a waiver of an individual’s authorization for release of information requirements has been approved by an IRB registered with the Office for Human Research Protection. Documentation required of an IRB when granting approval of a waiver of an individual’s authorization for release of information must include all criteria specified in 45 CFR part 164.512(i)(2).

(b) A researcher may request access to individual information maintained by the Authority in preparation for research or to facilitate the development of a research protocol in anticipation of research. The Authority may determine whether to permit such use or disclosure, without individual authorization or use of an IRB, pursuant to 45 CFR part 164.512(i)(1)(ii).

(c) A researcher may request access to individual information maintained by the Authority about deceased individuals. The Authority may determine whether to permit such use or disclosure of information about decedents, without individual authorization or use of an IRB, pursuant to 45 CFR part 164.512(i)(1)(iii).

(5) The Authority, as a public health authority, may obtain and use individual information without authorization for the purpose of preventing injury or controlling disease and for the conduct of public health surveillance, investigations, and interventions. The Authority may also collect, use, or disclose information, without individual authorization, to the extent that the collection, use, or disclosure is required by law. When the Authority uses information to conduct studies as a public health authority, no additional individual authorization is required nor does this rule require an IRB or privacy board waiver of authorization based on the HIPAA privacy rules.

(6) The Authority may use and disclose information without individual authorization for studies and data analysis conducted for the Authority’s own quality assurance purposes or to comply with reporting requirements applicable to federal or state funding requirements in accordance with the definition of “Health Care Operations” in 45 CFR part 164.501.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065
Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

943-014-0070

De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements

(1) The Authority may use and disclose information as appropriate for the work of the Authority, without further restriction, if the Authority or another entity has taken steps to de-identify the information pursuant to 45 CFR part 164.514(a) and (b).

(2) The Authority may assign a code or other means of record identification to allow the Authority to re-identify the de-identified information provided that:

(a) The code or other means of record identification is not derived from or related to information about the individual and cannot otherwise be translated to identify the individual; and

(b) The Authority does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

(3) The Authority may use and disclose a limited data set if the Authority enters into a data use agreement with an entity requesting or providing the Authority with a limited data set subject to the requirements of 45 CFR part 164.514(e).

(a) The Authority may use and disclose a limited data set only for the purposes of research, public health, or health care operations. The Authority may use a limited data set for its own activities or operations if the Authority has obtained a limited data set that is subject to a data use agreement.

(b) If the Authority knows of a pattern of activity or practice of a limited data set recipient that constitutes a material breach or violation of a data use agreement, the Authority shall take reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the Authority shall discontinue disclosure of information to the recipient and report the problem to the Secretary of DHHS.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.518 – 192.529, 411.010, 413.032 & 414.065
Hist.: OHA 8-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 22-2011, f. & cert. ef. 9-2-11

Confidentiality and Mediation Communications

943-014-0200

Confidentiality and Inadmissibility of Mediation Communications

(1) The words and phrases used in this rule have the same meaning as given to them in ORS 36.110 and 36.234.

(2) Nothing in this rule affects any confidentiality created by other law. Nothing in this rule relieves a public body from complying with the Public Meetings Law, ORS 192.610 to 192.690. Whether or not they are confidential under this or other rules of the agency, mediation communications are exempt from disclosure under the Public Records Law to the extent provided in 192.410 to 192.505.

(3) This rule applies only to mediations in which the agency is a party or is mediating a dispute as to which the agency has regulatory authority. This rule does not apply when the agency is acting as the "mediator" in a matter in which the agency also is a party as defined in ORS 36.234.

(4) To the extent mediation communications would otherwise be compromise negotiations under ORS 40.190 (OEC Rule 408), those mediation communications are not admissible as provided in ORS 40.190 (OEC Rule 408), notwithstanding any provisions to the contrary in section (9) of this rule.

(5) Mediations Excluded. Sections (6)–(10) of this rule do not apply to:

(a) Mediation of workplace interpersonal disputes involving the interpersonal relationships between this agency's employees, officials or employees and officials, unless a formal grievance under a labor contract, a tort claim notice or a lawsuit has been filed; or

(b) Mediation in which the person acting as the mediator will also act as the hearings officer in a contested case involving some or all of the same matters;

(c) Mediation in which the only parties are public bodies;

(d) Mediation involving two or more public bodies and a private party if the laws, rule or policies governing mediation confidentiality for at least one of the public bodies provide that mediation communications in the mediation are not confidential;

(e) Mediation involving 15 or more parties if the agency has designated that another mediation confidentiality rule adopted by the agency may apply to that mediation.

(6) Disclosures by Mediator. A mediator may not disclose or be compelled to disclose mediation communications in a mediation and, if disclosed, such communications may not be introduced into evidence in any subsequent administrative, judicial or arbitration proceeding unless:

(a) All the parties to the mediation and the mediator agree in writing to the disclosure; or

(b) The mediation communication may be disclosed or introduced into evidence in a subsequent proceeding as provided in subsections (c)–(d), (j)–(l) or (o)–(p) of section (9) of this rule; or

(c) The mediation communication includes information related to the health or safety of any child, then the mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child.

(d) The mediation communication includes information relating to suffering by or commission of abuse upon certain persons and that information would otherwise be required to be reported by a public or private official under the provisions of ORS 124.060 (person 65 years of age or older), 430.765(1) and (2) (person who is mentally ill or developmentally disabled who is 18 years of age or older and receives services from a community program or facility) or 441.640 (person who is a resident in a long-term care facility), in which case that portion of the mediation communication may be disclosed as required by statute.

(7) Confidentiality and Inadmissibility of Mediation Communications. Except as provided in sections (8)–(9) of this rule, mediation communications are confidential and may not be disclosed to any other person, are not admissible in any subsequent administrative, judicial or arbitration proceeding and may not be disclosed during testimony in, or during any discovery conducted as part of a subsequent proceeding, or introduced as evidence by the parties or the mediator in any subsequent proceeding.

(8) Written Agreement. Section (7) of this rule does not apply to a mediation unless the parties to the mediation agree in writing, as provided in this section, that the mediation communications in the mediation will be confidential and/or nondiscoverable and inadmissible. If the mediator is the employee of and acting on behalf of a state agency, the mediator or an authorized agency representative must also sign the agreement. The parties' agreement to participate in a confidential mediation must be in substantially the following form. This form may be used separately or incorporated into an "agreement to mediate." [Form not included. See ED. NOTE.]

(9) Exceptions to confidentiality and inadmissibility.

(a) Any statements, memoranda, work products, documents and other materials, otherwise subject to discovery that were not prepared specifically for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding.

(b) Any mediation communications that are public records, as defined in ORS 192.410(4), and were not specifically prepared for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential or privileged under state or federal law.

(c) A mediation communication is not confidential and may be disclosed by any person receiving the communication to the extent that person reasonably believes that disclosing the communication is necessary to prevent the commission of a crime that is likely to result in death or bodily injury to any person. A mediation communication is not confidential and may be disclosed in a subsequent proceeding to the extent its disclosure may further the investigation or prosecution of a felony crime involving physical violence to a person.

(d) Any mediation communication related to the conduct of a licensed professional that is made to or in the presence of a person who, as a condition of his or her professional license, is obligated to report such communication by law or court rule is not confidential and may be disclosed to the extent necessary to make such a report.

(e) The parties to the mediation may agree in writing that all or part of the mediation communications are not confidential or that all or part of the mediation communications may be disclosed and may be introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential, privileged or otherwise prohibited from disclosure under state or federal law.

(f) A party to the mediation may disclose confidential mediation communications to a person if the party's communication with that person is privileged under ORS Chapter 40 or other provision of law. A party to the mediation may disclose confidential mediation communications to a person for the purpose of obtaining advice concerning the subject matter of the mediation, if all the parties agree.

(g) An employee of the agency may disclose confidential mediation communications to another agency employee so long as the disclosure is necessary to conduct authorized activities of the agency. An employee receiving a confidential mediation communication under this subsection is bound by the same confidentiality requirements as apply to the parties to the mediation.

(h) A written mediation communication may be disclosed or introduced as evidence in a subsequent proceeding at the discretion of the party who prepared the communication so long as the communication is not otherwise confidential under state or federal law and does not contain confidential information from the mediator or another party who does not agree to the disclosure.

(i) In any proceeding to enforce, modify or set aside a mediation agreement, a party to the mediation may disclose mediation communications and such communications may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of mediation communications or agreements to persons other than the parties to the agreement.

(j) In an action for damages or other relief between a party to the mediation and a mediator or mediation program, mediation communications are not confidential and may be disclosed and may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of the mediation communications or agreements.

(k) When a mediation is conducted as part of the negotiation of a collective bargaining agreement, the following mediation communications are not confidential and such communications may be introduced into evidence in a subsequent administrative, judicial or arbitration proceeding:

(A) A request for mediation; or

(B) A communication from the Employment Relations Board Conciliation Service establishing the time and place of mediation; or

(C) A final offer submitted by the parties to the mediator pursuant to ORS 243.712; or

(D) A strike notice submitted to the Employment Relations Board.

(l) To the extent a mediation communication contains information the substance of which is required to be disclosed by Oregon statute, other than ORS 192.410 to 192.505, that portion of the communication may be disclosed as required by statute.

(m) Written mediation communications prepared by or for the agency or its attorney are not confidential and may be disclosed and may be introduced as evidence in any subsequent administrative, judicial or arbitration proceeding to the extent the communication does not contain confidential information from the mediator or another party, except for those written mediation communications that are:

(A) Attorney-client privileged communications so long as they have been disclosed to no one other than the mediator in the course of the mediation or to persons as to whom disclosure of the communication would not waive the privilege; or

(B) Attorney work product prepared in anticipation of litigation or for trial; or

(C) Prepared exclusively for the mediator or in a caucus session and not given to another party in the mediation other than a state agency; or

(D) Prepared in response to the written request of the mediator for specific documents or information and given to another party in the mediation; or

(E) Settlement concepts or proposals, shared with the mediator or other parties.

(n) A mediation communication made to the agency may be disclosed and may be admitted into evidence to the extent the Agency Director or designee determines that disclosure of the communication is necessary to prevent or mitigate a serious danger to the public's health or safety, and the communication is not otherwise confidential or privileged under state or federal law.

(o) The terms of any mediation agreement are not confidential and may be introduced as evidence in a subsequent proceeding, except to the extent the terms of the agreement are exempt from disclosure under ORS 192.410 to 192.505, a court has ordered the terms to be confidential under ORS 17.095 or state or federal law requires the terms to be confidential.

(p) The mediator may report the disposition of a mediation to the agency at the conclusion of the mediation so long as the report does not disclose specific confidential mediation communications. The agency or the mediator may use or disclose confidential mediation communications for research, training or educational purposes, subject to the provisions of ORS 36.232(4).

(q) The mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child or person 65 years of age or older, person who is mentally ill or developmentally disabled and receives services from a community program or facility as defined in ORS 430.735 or person who is a resident of a long-term care facility.

(10) When a mediation is subject to section (7) of this rule, the agency will provide to all parties to the mediation and the mediator a copy of this rule or a citation to the rule and an explanation of where a copy of the rule may be obtained. Violation of this provision does not waive confidentiality or inadmissibility.

[ED. NOTE: Forms referenced are available from the agency.]

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 36.224, 36.228, 36.230, 36.232 & 36.234
Hist.: OHA 9-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 25-2011, f. 10-31-11, cert. ef. 11-1-11

943-014-0205

Confidentiality and Inadmissibility of Workplace Interpersonal Dispute Mediation Communications

(1) This rule applies to workplace interpersonal disputes, which are disputes involving the interpersonal relationships between this agency's employees, officials or employees and officials. This rule does not apply to disputes involving the negotiation of labor contracts or matters about which a formal grievance under a labor contract, a tort claim notice or a lawsuit has been filed.

(2) The words and phrases used in this rule have the same meaning as given to them in ORS 36.110 and 36.234.

(3) Nothing in this rule affects any confidentiality created by other law.

(4) To the extent mediation communications would otherwise be compromise negotiations under ORS 40.190 (OEC Rule 408), those mediation communications are not admissible as provided in ORS 40.190 (OEC Rule 408), notwithstanding any provisions to the contrary in section (9) of this rule.

(5) Disclosures by Mediator. A mediator may not disclose or be compelled to disclose mediation communications in a mediation and, if disclosed, such communications may not be introduced into evidence in any subsequent administrative, judicial or arbitration proceeding unless:

(a) All the parties to the mediation and the mediator agree in writing to the disclosure; or

(b) The mediation communication may be disclosed or introduced into evidence in a subsequent proceeding as provided in subsections (c) or (h)–(j) of section (7) of this rule; or

(c) The mediation communication includes information related to the health or safety of any child, then the mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child.

(d) The mediation communication includes information relating to suffering by or commission of abuse upon certain persons and that information would otherwise be required to be reported by a public or private official under the provisions of ORS 124.060 (person 65 years of age or older), 430.765(1) and (2) (person who is mentally ill or developmentally disabled who is 18 years of age or older and receives services from a community program or facility) or 441.640 (person who is a resident in a long-term care facility), in which case that portion of the mediation communication may be disclosed as required by statute.

(6) Confidentiality and Inadmissibility of Mediation Communications. Except as provided in section (7) of this rule, mediation communications in mediations involving workplace interpersonal disputes are confidential and may not be disclosed to any other person, are not admissible in any subsequent administrative, judicial or arbitration proceeding and may not be disclosed during testimony in, or during any discovery conducted as part of a subsequent proceeding, or introduced into evidence by the parties or the mediator in any subsequent proceeding so long as:

(a) The parties to the mediation and the agency have agreed in writing to the confidentiality of the mediation; and

(b) The person agreeing to the confidentiality of the mediation on behalf of the agency:

(A) Is neither a party to the dispute nor the mediator; and

(B) Is designated by the agency to authorize confidentiality for the mediation; and

(C) Is at the same or higher level in the agency than any of the parties to the mediation or who is a person with responsibility for human resources or personnel matters in the agency, unless the agency head or member of the governing board is one of the persons involved in the interpersonal dispute, in which case the Governor or the Governor's designee.

(7) Exceptions to confidentiality and inadmissibility.

(a) Any statements, memoranda, work products, documents and other materials, otherwise subject to discovery that were not prepared specifically for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding.

(b) Any mediation communications that are public records, as defined in ORS 192.410(4), and were not specifically prepared for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential or privileged under state or federal law.

(c) A mediation communication is not confidential and may be disclosed by any person receiving the communication to the extent that person reasonably believes that disclosing the communication is necessary to prevent the commission of a crime that is likely to result in death or bodily injury to any person. A mediation communication is not confidential and may be disclosed in a subsequent proceeding to the extent its disclosure may further the investigation or prosecution of a felony crime involving physical violence to a person.

(d) The parties to the mediation may agree in writing that all or part of the mediation communications are not confidential or that all or part of the mediation communications may be disclosed and may be introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential, privileged or otherwise prohibited from disclosure under state or federal law.

(e) A party to the mediation may disclose confidential mediation communications to a person if the party's communication with that person is privileged under ORS chapter 40 or other provision of law. A party to the mediation may disclose confidential mediation communications to a person for the purpose of obtaining advice concerning the subject matter of the mediation, if all the parties agree.

(f) A written mediation communication may be disclosed or introduced as evidence in a subsequent proceeding at the discretion of the party who prepared the communication so long as the communication is not otherwise confidential under state or federal law and does not contain confidential information from the mediator or another party who does not agree to the disclosure.

(g) In any proceeding to enforce, modify or set aside a mediation agreement, a party to the mediation may disclose mediation communications and such communications may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of mediation communications or agreements to persons other than the parties to the agreement.

(h) In an action for damages or other relief between a party to the mediation and a mediator or mediation program, mediation communications are not confidential and may be disclosed and may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of the mediation communications or agreements.

(i) To the extent a mediation communication contains information the substance of which is required to be disclosed by Oregon statute, other than ORS 192.410 to 192.505, that portion of the communication may be disclosed as required by statute.

(j) The mediator may report the disposition of a mediation to the agency at the conclusion of the mediation so long as the report does not disclose specific confidential mediation communications. The agency or the mediator may use or disclose confidential mediation communications for research, training or educational purposes, subject to the provisions of ORS 36.232(4).

(k) The mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child or person 65 years of age or older, person who is mentally ill or developmentally disabled and receives services from a community program or facility as defined in ORS 430.735 or person who is a resident of a long-term care facility.

(8) The terms of any agreement arising out of the mediation of a workplace interpersonal dispute are confidential so long as the parties and the agency so agree in writing. Any term of an agreement that requires an expenditure of public funds, other than expenditures of $1,000 or less for employee training, employee counseling or purchases of equipment that remain the property of the agency, may not be made confidential.

(9) When a mediation is subject to section (6) of this rule, the agency will provide to all parties to the mediation and to the mediator a copy of this rule or an explanation of where a copy may be obtained. Violation of this provision does not waive confidentiality or inadmissibility.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 36.224, 36.228, 36.230, 36.232 & 36.234
Hist.: OHA 9-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; OHA 25-2011, f. 10-31-11, cert. ef. 11-1-11

Information Assets Access Control

943-014-0300

Scope

These rules (OAR 943-014-0300 through 943-014-0320) apply to an organization or individual seeking or receiving access to Authority information assets or network and information systems for the purpose of carrying out a business transaction between the Authority and the user.

(1) These rules are intended to complement, and not supersede, access control or security requirements in the Authority's Electronic Data Transmission rules, OAR 943-120-0100 to 943-120-0200, and whichever rule is more specific shall control.

(2) The confidentiality of specific information and the conditions for use and disclosure of specific information are governed by other laws and rules, including but not limited to the Authority's rules for the privacy of protected information, OAR 943-014-0000 to 943-014-0070.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 182.122
Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. & cert. ef. 12-1-11

943-014-0305

Definitions

For purposes of these rules, the following terms have the definitions set forth below. All other terms not defined in this section shall have the meaning used in the Health Insurance Portability and Accountability Act (HIPAA) security rules found at 45 CFR § 164.304:

(1) "Access" means the ability or the means necessary to read, communicate, or otherwise use any Authority information asset.

(2) "Access Control Process" means Authority forms and processes used to authorize a user, identify their job assignment, and determine the required access.

(3) "Authority" means the Oregon Health Authority.

(4) "Client Records" means any client, applicant, or participant information regardless of the media or source, provided by the Authority to the user, or exchanged between the Authority and the user.

(5) "Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of any network and information system or Authority information asset including, but not limited to, unauthorized disclosure of information; failure to protect a user's identification (ID) provided by the Authority; or theft of computer equipment that uses or stores any Authority information asset.

(6) "Information Asset" means any information, also known as data, provided through the Authority, regardless of the source or media, which requires measures for security and privacy of the information.

(7) "Network and Information System" means the State of Oregon's computer infrastructure, which provides personal communications, client records and other sensitive information assets, regional, wide area and local area networks, and the internetworking of various types of networks on behalf of the Authority.

(8) "User" means any individual authorized by the Authority to access a network and information system or information asset.

(9) "Organization" means any entity authorized by the Authority to access a network and information system or information asset.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 182.122
Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. & cert. ef. 12-1-11

943-014-0310

Information Access

The organization or user shall utilize the Authority access control process for all requested and approved access. The Authority shall notify the user of each approval or denial. When approved, the Authority shall provide the user with a unique login identifier to access the network and information system or information asset. The Authority may authorize the use of a generic login identifier.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 182.122
Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. & cert. ef. 12-1-11

943-014-0315

Security Information Assets

(1) No organization or user shall access an information asset for any purpose other than that specifically authorized by the Authority access control process.

(2) Except as specified or approved by the Authority, no organization or user shall alter, delete, or destroy any information asset.

(3) The organization shall prohibit unauthorized access by their staff, contractors, agents, or others to the network and information systems, or Authority information assets, and shall implement safeguards to prevent unauthorized access in accordance with section (4) of this rule.

(4) The organization shall develop a security risk management plan. The organization shall ensure that the plan includes, but is not limited to the following:

(a) Administrative, technical, and physical safeguards commonly found in the International Organization for Standardization ISO/IEC 27002:2005 security standard or the National Institute of Standards and Technology (NIST) 800 Series;

(b) Standards established in accordance with HIPAA Security Rules, 45 CFR Parts 160 and 164, applicable to an organization or user regarding the security and privacy of a client record, any information asset, or network and information system;

(c) The organization’s privacy and security policies;

(d) Controls and safeguards that address the security of equipment and storage of any information asset accessed to prevent inadvertent destruction, disclosure, or loss;

(e) Controls and safeguards that ensure the security of an information asset, regardless of the media, as identified below:

(A) The user keeps Authority-assigned access control requirements, such as identification of authorized users and access control information (passwords and personal identification numbers (PINs)), in a secure location until access is terminated;

(B) Upon request of the Authority, the organization makes available all information about the user’s use or application of the access controlled network and information system or information asset; and

(C) The organization or user ensures the proper handling, storage, and disposal of any information asset obtained or reproduced, and, when the authorized use of that information ends, is consistent with any applicable record retention requirements.

(f) Existing security plans developed to address other regulatory requirements, such as the Sarbanes-Oxley Act of 2002 (PL 107-204), Title V of the Gramm-Leach-Bliley Act of 1999, or Statement on Auditing Standards (SAS) number 70, will be deemed acceptable as long as they address the above requirements.

(5) The Authority may request additional information related to the organization’s security measures.

(6) The organization or user must immediately notify the Authority when access is no longer required, and immediately cease access to or use of all information assets or network and information systems.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 182.122
Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. & cert. ef. 12-1-11

943-014-0320

User Responsibility

The organization or user shall not make any root level changes to any Authority or State of Oregon network and information system. The Authority recognizes that some application users have root level access to certain functions to allow the user to diagnose problems (such as startup or shutdown operations, disk layouts, user additions, deletions or modifications, or other operation) that require root privileges. This access does not give the user the right to make any changes normally restricted to root without explicit written permission from the Authority.

(1) Use and disclosure of any Authority information asset is strictly limited to the minimum information necessary to perform the requested and authorized service.

(2) The organization shall have established privacy and security measures that meet or exceed the standards set forth in the Authority privacy and information security policies, available from the Authority, regarding the disclosure of an information asset.

(3) The organization or user shall comply with all security and privacy federal and state laws, rules, and regulations applicable to the access granted.

(4) The organization shall make the security risk plan available to the Authority for review upon request.

(5) The organization or user shall report to the Authority all privacy or security incidents by the user that compromise, damage, or cause a loss of protection to the Authority information assets or the network and information systems. The incident report shall be made no later than five business days from the date on which the user becomes aware of such incident. The user shall provide the Authority a written report which must include the results of the incident assessment findings and resolution strategies.

(6) Wrongful use of a network and information system, or wrongful use or disclosure of an Authority information asset by the organization or user may cause the immediate suspension or revocation of any access granted, at the sole discretion of the Authority without advance notice.

(7) The organization or user shall comply with the Authority's request for corrective action concerning a privacy or security incident and with laws requiring mitigation of harm caused by the unauthorized use or disclosure of confidential information, if any.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 182.122
Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; OHA 27-2011, f. & cert. ef. 12-1-11

Business Associates

943-014-0400

Purpose

These rules set requirements for contractors who are business associates of the health care component of the Oregon Health Authority (Authority) as described in OAR 943-014-0015. Business associates must comply with these rules, the business associate provisions of the Health Insurance Portability and Accountability Act (HIPAA) and HIPAA’s implementing regulations. HIPAA requires covered entities to comply with the requirements set forth in 45 CFR 164.502(e) and 164.504(e) by obtaining certain written assurances from the business associates.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0410

Definitions

As used in OAR 943-014-0400 through 943-014-0465 the following definitions apply. Terms not defined here shall have the same meaning given those terms in the Privacy Rule and the Security Rule, 45 CFR 160 and 164.

(1) “Authority” means the Oregon Health Authority.

(2) “Breach” has the meaning given that term in 45 CFR 164.402.

(3) "Business associate" has the meaning given that term in 45 CFR 160.103.

(4) "Contract" means the written agreement between the Authority and a contractor describing the rights and obligations of the parties.

(5) "Covered entity" has the meaning given that term in 45 CFR 160.103.

(6) “Electronic media” means:

(a) Data stored in electronic format; and

(b) Transmission media used to exchange information already stored in electronic format.

(7) “Electronic protected health information” (EPHI) has the meaning given that term in 45 CFR 160.103.

(8) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d - 1320d-8, Public Law 104-191, sec. 262 and sec. 264.

(9) “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act, Title XIII of division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, including any implementing regulations.

(10) "Privacy rule" means the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E.

(11) “Protected health information” (PHI) has the meaning given that term in 45 CFR 160.103.

(12) “Required by law” has the meaning given that term in 45 CFR 164.103.

(13) “Secretary” means the Secretary of Health and Human Services (HHS) or designee.

(14) “Security rule” means the security standards for electronic protected health information found at 45 CFR Parts 160, and 164.

(15) “Unsecured protected health information” has the meaning given that term in 45 CFR 164.402.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0415

General Business Associate Requirements

A contractor who is a business associate of the Authority shall:

(1) Not use or disclose protected health information or electronic protected health information except as permitted or required by these rules and the contract, or as required by law.

(2) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of protected health information other than as provided for by these rules and the contract.

(3) Mitigate, to the extent practicable, any known harmful effect of a use or disclosure of protected health information or electronic protected health information by the business associate in violation of the requirements of these rules and the contract.

(4) Report to the Authority any use or disclosure of protected health information or electronic protected health information not provided for by these rules and the contract as soon as possible after the contractor becomes aware of the use or disclosure.

(5) Ensure that any agent or subcontractor that creates, receives, maintains or transmits protected health information on behalf of the contractor, agrees to the same restrictions and conditions that apply to the business associate through these rules and the contract with respect to the information created, received, maintained or transmitted on behalf of the contractor.

(6) Provide access, as directed by the Authority and in the time and manner designated by the Authority, to protected health information or electronic protected health information in a designated record set to the Authority or to an individual in compliance with the requirements of 45 CFR 164.524.

(7) Make any amendment to protected health information or electronic protected health information in a designated record set that the Authority directs or agrees to pursuant to 45 CFR 164.526. These amendments will be made in the manner designated by the Authority within 10 business days of receiving direction from the Authority.

(8) Make available internal practices, books, and records, including policies and procedures relating to the use and disclosure of protected health information and electronic protected health information created, received, maintained or transmitted by the business associate on behalf of the Authority. These items must be available to the Authority and to the Secretary, in a time and manner designated by the Authority or the Secretary, for purposes of the Secretary determining the Authority’s compliance with the Privacy Rule or Security Rule.

(9) Document disclosures of protected health information and electronic protected health information and information related to such disclosures as may be required for the Authority to respond to a request by an individual for an accounting of disclosures in accordance with 45 CFR 164.528.

(10) Provide the Authority or an individual, within 10 business days of receiving direction from the Authority in a manner designated by the Authority, information collected in accordance with OAR 943-014-0415(9) to permit the Authority to respond to an individual’s request for an accounting of disclosures in accordance with 45 CFR 164.528.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0420

Uses and Disclosures of Protected Health Information by Business Associate

(1) Except as otherwise limited or prohibited by the contract or these rules, a contractor who is a business associate of the Authority may:

(a) Use or disclose protected health information and electronic protected health information to perform functions, activities, or services as specified in the contract and these rules on behalf of the Authority.

(b) Use protected health information and electronic protected health information for the proper management and administration of the business associate contract or to carry out the business associate’s legal responsibilities.

(c) Disclose protected health information and electronic protected health information for the proper management and administration of the business associate, provided disclosures are required by law.

(d) Disclose protected health information and electronic protected health information to a subcontractor if the business associate and subcontractor enter into a business associate agreement that complies with this rule.

(e) Use or disclose protected health information and electronic protected health information to report violations of law to appropriate federal and state authorities, consistent with 45 CFR 164.502(j)(1).

(2) All other use or disclosure of protected health information and electronic protected health information is prohibited.

(3) A contractor who is a business associate of the Authority may not aggregate or compile the Authority's protected health information or electronic protected health information with the protected health information or electronic protected health information of other covered entities unless the contract permits data aggregation services.

(a) If the contract permits a business associate to provide data aggregation services, a business associate may use protected health information to provide data aggregation services requested by the Authority as permitted by 45 CFR 164.504(e)(2)(i)(B) and subject to any limitations contained in these rules.

(b) If the Authority requests data aggregation services, a business associate may aggregate the Authority’s protected health information with protected health information of other covered entities that the business associate has in its possession through its capacity as a business associate to other covered entities.

(c) The business associate may only aggregate data for the purpose of providing the Authority with analysis relating to the Authority’s health care operations.

(4) Business associates may not disclose the Authority’s protected health information to another covered entity without the Authority’s express authorization.

(5) Use or disclosure of protected health information or electronic protected health information in accordance with any section of this rule may not violate the Privacy Rule, Security Rule, the HITECH Act, or other applicable federal or state laws or regulations or the minimum necessary policies and procedures of the Authority.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0430

Authority Obligations

(1) To the extent that a business associate's use or disclosure of protected health information and electronic protected health information may be affected, the Authority shall notify business associate of:

(a) Limitations in its notice of privacy practices in accordance with 45 CFR 164.520. The Authority may satisfy this obligation by providing business associate with the Authority’s most current Notices of Privacy Practices.

(b) Changes in, or revocation of, permission by an individual to use or disclose protected health information or electronic protected health information.

(c) Restrictions to the use or disclosure of protected health information or electronic protected health information that the Authority has agreed to in accordance with 45 CFR 164.522.

(2) The Authority may not request that a business associate use or disclose protected health information or electronic protected health information in any manner that is not permissible under the Privacy Rule or Security Rule if done by the Authority, except as permitted by OAR 943-014-0420.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0435

Contractor Security Requirements

(1) Contractors must comply with the Security Rule’s business associate requirements for electronic protected health information and must comply with both the Privacy Rule and the Security Rule requirements applicable to a business associate.

(2) Contractors must:

(a) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the protected health information and electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Authority.

(b) Develop and enforce policies, procedures, and documentation standards (including designation of a security official) related to the administrative, physical, and technical safeguards that protect electronic protected health information.

(c) When required by OAR 943-014-0415(5), enter into a business associate agreement with any agent or subcontractor to ensure the agent or subcontractor agrees to implement reasonable and appropriate safeguards to protect electronic protected health information the contractor provides.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0440

Breach

(1) For the purposes of this rule a breach is considered “discovered” in accordance with 45 CFR 164.404(a)(2) and 45 CFR 164.410(2).

(2) In the event a breach of unsecured protected health information is discovered, a contractor must:

(a) Notify the Authority of the breach.

(A) The notification must be made as soon as possible and business associate shall confer with the Authority as soon as practicable thereafter.

(B) The notification must be made to the Authority no later than 30 calendar days after the discovery of breach.

(C) Notification shall include identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed during the breach.

(D) Notification shall include steps taken to mitigate harm, steps taken to reasonably ensure a like breach will not occur in the future, and any other information that may be reasonably required by the Authority for the Authority to meet its obligations.

(b) Confer with the Authority regarding preparing and issuing an appropriate notice to each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed as a result of a breach.

(c) Confer with the Authority regarding preparing and issuing an appropriate notice to prominent media outlets within the state or local jurisdictions when the breach involves more than 500 individuals.

(d) Make the appropriate notification to media outlets and individuals affected by the breach as necessary.

(e) Confer with the Authority regarding preparing and issuing notice of the breach to the Secretary.

(A) If the breach involves 500 or more individuals, the notice to the Secretary must be provided immediately.

(B) Any breach involving less than 500 individuals shall be documented in a log and the log provided to the Secretary annually, no later than 60 calendar days after December 31 of each year.

(3) Except as set forth in section (5) of this rule, notifications required by this rule must be made without unreasonable delay and no later than 60 calendar days after the discovery of a breach.

(4) Notice must be provided in the manner and content required by 45 CFR 164.404 through 164.410.

(5) Any notification required by this rule may be delayed by a law enforcement official in accordance with the 45 CFR 164.412.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0445

Violations

(1) When the Authority learns about a business associate’s failure to comply with these rules the Authority shall notify the business associate of the rule violation and provide a reasonable opportunity for the business associate to remedy or end the violation.

(2) The Authority may terminate the contract if business associate does not cure the breach or end the violation within the time specified by the Authority.

(3) The Authority shall immediately terminate the contract if business associate has violated these rules and remedy is not possible in the Authority’s reasonable judgment.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0450

Termination of Contract

(1) Except as provided in section (2) of this rule, upon termination of the contract for any reason, the business associate shall, at the request of the Authority, return or destroy all protected health information and electronic protected health information created, maintained or received by the business associate from the Authority or on the Authority’s behalf.

(a) This section shall apply to protected health information and electronic protected health information that is in the possession of subcontractors or agents of the business associate.

(b) Business associate may not retain copies of the protected health information and electronic protected health information.

(2) If the business associate determines that returning or destroying the protected health information or electronic protected health information is not feasible, the business associate shall provide the Authority notification of the conditions that make return or destruction not feasible.

(a) Upon the Authority's written acknowledgement that return or destruction of protected health information or electronic protected health information is not feasible, the business associate shall continue to provide the protections to the information required by these rules and the contract.

(b) Business associate shall limit further uses and disclosures of the information to those purposes that make the return or destruction not feasible, for as long as the business associate maintains the protected information.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0455

Order of Precedence

(1) These rules shall be interpreted as broadly as necessary to implement and comply with HIPAA, the Privacy Rule, the Security Rule, and the HITECH Act.

(2) Any ambiguity in these rules shall be resolved in favor of a meaning that complies and is consistent with HIPAA, the Privacy Rule, the Security Rule, and the HITECH Act.

(3) Any ambiguity in the contract shall be resolved to permit the Authority and business associate to implement and comply with HIPAA, the HITECH Act, the Privacy Rule and the Security Rule.

(4) If a conflict arises between these rules and the provisions of the contract, these rules shall control.

(5) If a conflict arises between the provisions of the contract and the Privacy Rule, the Security Rule, or the HITECH Act, the Privacy Rule, the Security Rule, and the HITECH Act shall control.

(6) If conflict arises between these rules and the Privacy Rule, Security Rule, or HITECH Act, the Privacy Rule, Security Rule, and the HITECH Act shall control.

(7) These rules shall not supersede any other federal or state law or regulation governing the legal relationship of the parties, or the confidentiality of records or information, except to the extent that HIPAA and the HITECH Act preempt those laws or regulations.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0460

Authority Compliance Methods

The Authority may comply with these rules:

(1) By incorporating the business associate requirements contained in this rule into its contracts with business associates or by referencing these rules.

(2) By entering into a memorandum of understanding that accomplishes the objectives of these rules and meets the business associate requirements of the Privacy Rule and Security Rule, if the business associate is a government entity.

(3) By executing an amendment or rider that contains the contract provisions required by these rules or references to these rules and that amends the Authority’s contract with the business associate.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

943-014-0465

Standards in Individual Contracts

(1) The Authority and a business associate may enter into a contract that contains more strict standards than those set forth in these rules as long as the standards do not violate the requirements of the Privacy Rule, Security Rule, or the HITECH Act, and the contract receives approval from the Oregon Department of Justice.

(2) If the Authority and a business associate enter into a contract containing more strict standards than those set forth in these rules, the business associate shall require subcontractors who are business associates to comply with the stricter standards.

Stat. Auth.: ORS 413.042
Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065
Hist.: OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14


The official copy of an Oregon Administrative Rule is contained in the Administrative Order filed at the Archives Division, 800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the published version are satisfied in favor of the Administrative Order. The Oregon Administrative Rules and the Oregon Bulletin are copyrighted by the Oregon Secretary of State.

Oregon Secretary of State • 136 State Capitol • Salem, OR 97310-0722
Phone: (503) 986-1523 • Fax: (503) 986-1616 • oregon.sos@state.or.us

© 2013 State of Oregon All Rights Reserved