OAR 407-014-0010
Purpose


(1) The purpose of these rules (OAR 407-014-000 to 407-014-0070 (De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements)) is to govern the collection, use, and disclosure of protected information by the Department about individuals and to explain the rights and specific actions that individuals may take or request to be taken regarding the uses and disclosures of their protected information. These rules also set forth Department requirements governing the use and disclosure of PHI for purposes of HIPAA, 42 USC 1320-d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the implementing HIPAA privacy rules, 45 CFR parts 160 and 164.

(2) Except as provided in section (1) of this rule, state and federal statutes, rules, and policies that govern the administration of Department programs, services, and activities continue to govern the use and disclosure of protected information in those Department programs, services, and activities.

(3) In the event that it is not possible to comply with the requirements of both sections (1) and (2) of this rule, the Department shall act in accordance with whichever federal or state law imposes a stricter requirement regarding the privacy or safeguarding of information and which provides the greater protection or access to the individual who is the subject of the information, unless one of the following applies:

(a) Public health. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, birth, or death; public health surveillance; or public health investigation or intervention.

(b) Child abuse. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of child abuse.

(c) State regulatory reporting. Nothing in these rules shall be construed to limit the ability of the State of Oregon or the Department to require a health plan to report, or to provide access to information for management audits, financial audits, program monitoring, facility licensure or certification, or individual licensure or certification.

(4) The Department may collect, maintain, use, transmit, share, and disclose information about any individual to the extent authorized by law to administer Department programs, services, and activities.

(5) The Department may use and disclose information about licensees or providers consistent with federal and state laws and regulations. Information regarding the qualifications of licensees and providers are public records.

(a) When the Department obtains information about individuals that relates to determining payment responsibility when a provider submits a request for payment to the Department, the Department shall safeguard the information consistent with federal and state laws and regulations and Department policies.

(b) The Department may review the performance of licensees and providers in the conduct of their health oversight activities and shall safeguard information obtained about individuals obtained during those activities in accordance with federal and state laws and regulations and Department policies.

Last Updated: Jun. 8, 2021

Rule 407-014-0010’s source at or.us