OAR 407-014-0000
Definitions
(1)
“Administrative hearing” means an oral proceeding before an administrative law judge in a contested case hearing.(2)
“Authority” means the Oregon Health Authority.(3)
“Authorization” means permission from an individual or his or her personal representative giving the Department of Human Services (Department) authorization to obtain, release or use information about the individual from third parties for specified purposes or to disclose information to a third party specified by the individual.(4)
“Business associate” means an individual or entity performing any function or activity on behalf of the Authority, including the Department, involving the use or disclosure of protected health information (PHI) and is not a member of the Authority’s workforce.(a)
For purposes of the definition of “business associate,” “function or activity” includes but is not limited to program administration, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services, and similar services for which the Authority may contract or obtain by interagency agreement, if access to PHI is involved.(b)
Business associates do not include licensees or providers unless the licensee or provider also performs some function or activity on behalf of the Authority.(5)
“Client” means an individual who requests or receives services from the Department. This includes but is not limited to applicants for or recipients of public assistance, minors and adults receiving protective services, individuals who are committed to the custody of the Department, children in the custody of the Department receiving services on a voluntary basis, and children committed to the custody of the Department.(6)
“Client information” means personal information relating to a client that the Department may maintain in one or more locations and in various forms, reports, or documents, or stored or transmitted by electronic media.(7)
“Collect” or “Collection” means the assembling of personal information through interviews, forms, reports, or other information sources.(8)
“Contract” means a written agreement between the Department and a person or entity setting forth the rights and obligations of the parties including but not limited to contracts, licenses, agreements, interagency agreements, and intergovernmental agreements.(9)
“Correctional institution” means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by contract with the federal government, a state, or an Indian tribe for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. “Other persons held in lawful custody” include juvenile offenders, adjudicated delinquents, aliens detained awaiting deportation, witnesses, or others awaiting charges or trial.(10)
“Corrective action” means an action that a business associate must take to remedy a breach or violation of the business associate’s obligations under the business associate’s contractual requirement, including but not limited to reasonable steps that must be taken to cure the breach or end the violation.(11)
“Covered entity” means health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction that is subject to federal Health Insurance Portability and Accountability Act (HIPAA) requirements, as those terms are defined and used in the HIPAA regulations, 45 CFR parts 160 and 164.(12)
“De-identified data” means client information from which the Department or other entity has deleted, redacted, or blocked identifiers so the remaining information cannot reasonably be used to identify an individual.(13)
“Department” means the Department of Human Services.(14)
“Department workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Department, is under the direction and control of the Department, whether or not they are paid by the Department.(15)
“Disclose” means the release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Department.(16)
“Health care” means care, services, or supplies related to the health of an individual. Health care includes but is not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, palliative care, counseling services, assessment, or procedures with respect to the physical or mental condition, or functional status of an individual, or that affects the structure or function of the body and the sale or dispensing of a drug, device, equipment, or other prescribed item.(17)
“Health care operations” means any activities of a covered entity to the extent that the activities are related to health care, Medicaid, or any other health care related programs, services, or activities administered by the covered entity and includes:(a)
Conducting quality assessment and improvement activities, including income evaluation and development of clinical guidelines;(b)
Population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives, and related functions that do not include treatment;(c)
Reviewing the competence of qualifications of health care professionals, evaluating practitioner, provider, and health plan performance; and conducting training programs in which students and trainees in areas of health care learn under supervision to practice or improve their skills, accreditation, certification, licensing, or credentialing activities;(d)
Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract for Medicaid or health care related services;(e)
Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs, and disclosure to the Medicaid Fraud Unit pursuant to 43 CFR part 455.21;(f)
Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the covered entity, including administration, development, or improvement of methods of payments or health care coverage; and(g)
Business management and general administrative activities of the covered entity, including but not limited to:(A)
Management activities relating to implementation of and compliance with the requirements of HIPAA;(B)
Customer service, including providing data analysis;(C)
Resolution of internal grievances, including administrative hearings and the resolution of disputes from patients or enrollees regarding the quality of care and eligibility for services; and(D)
Creating de-identified data or a limited data set.(18)
“Health oversight agency” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including employees or agents of the public agency or its contractors or grantees that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. When performing these functions, the Department acts as a health oversight agency for the purposes of these rules.(19)
“HIPAA” means the Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq, and the federal regulations adopted to implement the Act.(20)
“Individual” means the person who is the subject of information collected, used, or disclosed by the Department.(21)
“Individually identifying information” means any single item or compilation of information or data that indicates or reveals the identity of an individual, either specifically (such as the individual’s name or social security number), or from which the individual’s identity can be reasonably ascertained.(22)
“Information” means personal information relating to an individual, a participant, or a Department client.(23)
“Inmate” means a person incarcerated in or otherwise confined in a correctional institution. An individual is no longer an inmate when released on parole, probation, supervised release, or is otherwise no longer in custody.(24)
“Institutional Review Board (IRB)” means a specially constituted review body established or designated by an entity in accordance with 45 CFR part 46 to protect the welfare of human subjects recruited to participate in biomedical or behavioral research. The IRB must be registered with the Office for Human Research Protection.(25)
“Law enforcement official” means an officer or employee of any agency or authority of the federal government, a state, territory, political subdivision of a state or territory, or Indian tribe who is empowered by law to:(a)
Investigate and conduct an official inquiry into a potential violation of law; or(b)
Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.(26)
“Licensee” means a person or entity that applies for or receives a license, certificate, registration, or similar authority from the Department to perform or conduct a service, activity, or function.(27)
“Minimum necessary” means the least amount of information, when using or disclosing confidential client information that is needed to accomplish the intended purpose of the use, disclosure, or request.(28)
“Participant” means individuals participating in Department population-based services, programs, and activities that serve the general population, but who do not receive program benefits or direct services received by a client. Examples of participants include individuals who contact Department hotlines or the ombudsman for general public information services.(29)
“Payment” means any activities undertaken by a covered entity related to a client to whom health care is provided in order to:(a)
Obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the Medicaid program or other publicly funded health care services; and(b)
Obtain or provide reimbursement for the provision of health care.(30)
“Payment activities” means:(a)
Determinations of eligibility or coverage, including coordination of benefits or the determination of cost sharing amounts, and adjudication of health benefit or health care claims;(b)
Risk adjusting amounts due which are based on enrollee health status and demographic characteristics;(c)
Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing;(d)
Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;(e)
Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and(f)
Disclosure to consumer reporting agencies related to collection of premiums or reimbursement including name and address, date of birth, payment history, account number, and name and address of the health care provider or health plan.(31)
“Personal representative” means a person who has authority to act on behalf of an individual in making decisions related to health care.(32)
“Protected Health Information (PHI)” means any individually identifiable health information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Any data transmitted or maintained in any other form or medium by covered entities, including paper records, fax documents, all oral communications, or any other form, such as screen prints of eligibility information, printed e-mails containing identified individual’s health information, claim or billing information, or hard copy birth or death certificates. PHI does not include school records that are subject to the Family Educational Rights and Privacy Act and employment records held in the Department’s role as an employer.(33)
“Protected information” means any participant or client information that the Department may have in its records or files that must be safeguarded pursuant to federal or state law. This includes but is not limited to individually identifying information.(34)
“Provider” means a person or entity that may seek reimbursement from the Department as a provider of services to Department clients pursuant to a contract. For purposes of these rules, reimbursement may be requested on the basis of claims or encounters or other means of requesting payment.(35)
“Psychotherapy notes” means notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversations during a private counseling session, or group, joint, or family counseling session, when the notes are separated from the rest of the individual’s record. Psychotherapy notes do not include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date.(36)
“Public health Agency” means a public agency or a person or entity acting under a grant of authority from or by contract with the public agency that performs or conducts one or more of the following essential functions that characterize public health programs, services, or activities:(a)
Monitor health status to identify community health problems;(b)
Diagnose and investigate health problems and health hazards in the community;(A)
Inform, educate, and empower people about health issues;(B)
Mobilize community partnerships to identify and solve health problems;(C)
Develop policies and plans that support individual and community health efforts;(D)
Enforce laws and regulations that protect health and ensure safety;(E)
Direct individuals to needed personal health services and assure the provision of health care when otherwise unavailable;(F)
Ensure a competent public health and personal health care workforce;(G)
Evaluate the effectiveness, accessibility, and quality of personal and population-based health services; and(H)
Perform research for new insights and innovative solutions to health problems.(37)
“Public health authority” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including the employees or agents of the public agency, or its contractors, persons, or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.(38)
“Re-disclosure” means the disclosure of information to a person, a Department program, a Department subcontracted entity, or other entity or person other than what was originally authorized.(39)
“Research” means systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalized knowledge.(40)
“Required by law” means a duty or responsibility that federal or state law specifies that a person or entity must perform or exercise. Required by law includes but is not limited to court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or rules that require the production of information, including statutes or rules that require such information if payment is sought under a government program providing public benefits.(41)
“Treatment” means the provision, coordination, or management of heath care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.(42)
“Use” means the sharing of individual information within a Department program or the sharing of individual information between program staff and administrative staff that support or oversee the program.
Source:
Rule 407-014-0000 — Definitions, https://secure.sos.state.or.us/oard/view.action?ruleNumber=407-014-0000.