OAR 407-014-0030
Client Privacy Rights
(1)
Rights of clients to access their information. Clients may access, inspect, and obtain a copy of information on their own cases in Department files or records, consistent with federal and state law.(a)
A client may request access by completing the Access to Records Request form, or by providing sufficient information to accomplish this request.(b)
Clients may request access to their own information that is kept by the Department by using a personal identifier such as the client’s name or Department case number.(c)
If the Department maintains information in a record that includes information about other people, the client may see information only about himself or herself.(d)
If a person identified in the file is a minor child of the client, and the client is authorized under Oregon law to have access to the minor’s information or to act on behalf of the minor for making decisions about the minor’s care, the client may obtain information about the minor.(e)
If the requestor of information is recognized under Oregon law as a the client’s guardian or custodian and is authorized under Oregon law to have access to the client’s information or to act on behalf of the client for making decisions about the client’s services or care, the Department shall release information to the requestor.(f)
For individuals with disabilities or mental illnesses, the named system in ORS 192.517 (Access to records of individual with disability or individual with mental illness), to protect and advocate the rights of individuals with developmental disabilities under Part C of the Developmental Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041 et seq.) and the rights of individuals with mental illness under the Protection and Advocacy for Individuals with Mental Illness Act (42 U.S.C. 10801 et seq.), shall have access to all records defined in ORS 192.515 (Definitions for ORS 192.515 and 192.517).(g)
The Department may deny a client’s access to their own PHI if federal law prohibits the disclosure. Clients may access, inspect, and obtain a copy of health information on their own case in Department files or records except for the following:(A)
Psychotherapy notes;(B)
Information compiled in reasonable anticipation of, or for use in civil, criminal, or administrative proceedings;(C)
Information that is subject to the federal Clinical Labs Improvement Amendments of 1988, or exempt pursuant to 42 CFR 493.3(a)(2);(D)
Information that the Department believes, in good faith, can cause harm to the client, participant, or to any other person; and(E)
Documents protected by attorney work-product privilege.(h)
The Department may deny a client access to information that was obtained under a promise of confidentiality from a person other than a health care provider to the extent that access would reveal the source of the information.(i)
The Department may deny a client access to information, if the Department gives the client a right to have the denial reviewed when:(A)
A licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may endanger the life or physical safety of the client or another person;(B)
The information makes reference to another person, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may cause substantial harm to the client or to another person; or(C)
The request for access is made by the client’s personal representative, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that allowing the personal representative access to the information may cause substantial harm to the client or to another person.(j)
If the Department denies access under section (1)(i) of this rule, the client may have the decision reviewed by a licensed health care professional (for health information) or other designated staff (for other information) not directly involved in making the original denial decision.(A)
The Department must promptly refer a client’s request for review to the designated reviewer.(B)
The reviewer must determine, within the 30 or 60-day time limits stated in section (1)(k)(A) and (B) of this rule, whether to approve or deny the client’s request for access.(C)
Based on the reviewer’s decision, the Department shall:(i)
Promptly notify the client in writing of the reviewer’s determination; and(ii)
If approved, take action to carry out the reviewer’s determination.(k)
The Department must act on a client’s request for access no later than 30 days after receiving the request, except as provided in this section and in the case of written accounts under ORS 179.505 (Disclosure of written accounts by health care services provider), which must be disclosed within five days.(A)
In cases where the information is not maintained or accessible to the Department on-site, and does not fall under ORS 179.505 (Disclosure of written accounts by health care services provider), the Department must act on the client’s request no later than 60 days after receiving the request.(B)
If the Department is unable to act within the 30 or 60-day limits, the Department may extend this time period a maximum of 30 additional days, subject to the following:(i)
The Department must notify the client in writing of the reasons for the delay and the date by which the Department shall act on the request.(ii)
The Department shall use only one 30-day extension.(l)
If the Department grants the client’s request, in whole or in part, the Department must inform the client of the access decision and provide the requested access.(A)
If the Department maintains the same information in more than one format or at more than one location, the Department may provide the requested information once.(B)
The Department must provide the requested information in a form or format requested by the client, if readily producible in that form or format. If not readily producible, the Department shall provide the information in a readable hard-copy format or other format as agreed to by the Department and the client.(C)
The Department may provide the client with a summary of the requested information, in lieu of providing access, or may provide an explanation of the information if access has been provided, if:(i)
The client agrees in advance; and(ii)
The client agrees in advance to pay any fees the Department may impose, under section (1)(L)(E) of this rule.(D)
The Department shall arrange with the client for providing the requested access in a time, place, and manner convenient for the client and the Department.(E)
If a client, or legal guardian or custodian, requests a copy, written summary, or explanation of the requested information, the Department may impose a reasonable cost-based fee, limited to the following:(i)
Copying the requested information, including the costs of supplies and the labor of copying;(ii)
Postage; and(iii)
Staff time for preparing an explanation or summary of the requested information.(m)
If the Department denies access, in whole or in part, to the requested information, the Department must:(A)
Give the client access to any other requested client information, after excluding the information to which access is denied; and(B)
Provide the client with a timely written denial. The denial must:(i)
Be provided within the time limits specified in section (1)(k)(A) and (B) of this rule;(ii)
State the basis of the denial in plain language;(iii)
If the Department denies access under section (1)(i) of this rule, explain the client’s review rights as specified in section (1)(j) of this rule, including an explanation of how the client may exercise these rights; and(iv)
Provide a description of how the client may file a complaint with the Department, and if the information is PHI, with the United States Department of Health and Human Services (DHHS), Office for Civil Rights, pursuant to section (7) of this rule.(n)
If the Department does not maintain the requested information, in whole or in part, and knows where the information is maintained (such as by a medical provider, insurer, other public agency, private business, or other non-Department entity), the Department must inform the client where to direct the request for access.(2)
Department Notice of Privacy Practices. The Department shall send clients notice about the Department’s privacy practices as follows:(a)
The Department shall make available to each client a notice of Department privacy practices that describes the duty of the Department to maintain the privacy of PHI and include a description that clearly informs the client of the types of uses and disclosures the Department is permitted or required to make;(b)
The Department shall provide all clients in direct care settings a notice of Department privacy practices and shall request the client’s signature on an acknowledgement of receipt form;(c)
If the Department revises its privacy practices, the Department shall make the revised notice available to all clients;(d)
The Department shall post a copy of the Department’s Notice of Privacy Practices for public viewing at each Department worksite and on the Department website; and(e)
The Department shall give a paper copy of the Department’s Notice of Privacy Practices to any individual upon request.(3)
Right to request restrictions on uses or disclosures. Clients may request restrictions on the use or disclosure of their information.(a)
The Department must comply with the restriction if:(A)
Except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and(B)
The protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.(b)
The Department is not required to agree to a restriction if the disclosure is:(A)
Required by law; or(B)
Not to a health plan for purposes of carrying out payment or health care operations.(c)
The Department may not deny a client’s request to restrict the sharing of records of alcohol and drug treatment or records relating to vocational rehabilitation services with another Department program.(d)
The Department shall document the client’s request, and the reasons for granting or denying the request, in the client’s Department case file.(e)
If the client needs emergency treatment and the restricted protected information is needed to provide the treatment, the Department may use or disclose the restricted protected information to a provider, for the limited purpose of providing treatment. However, once the emergency situation subsides, the Department shall ask the provider not to redisclose the information.(f)
The Department may terminate its agreement to a restriction if:(A)
The client agrees to or requests the termination in writing;(B)
The client orally requests or agrees to the termination, and the Department documents the oral request or agreement in the client’s Department case file; or(C)
With or without the client’s agreement, the Department informs the client that the Department is terminating its agreement to the restriction. Information created or received while the restriction was in place shall remain subject to the restriction.(4)
Rights of clients to request to receive information from the Department by alternative means or at alternative locations. The Department must accommodate reasonable requests by clients to receive communications from the Department by alternative means, such as by mail, e-mail, fax, or telephone, and at an alternative location.(a)
The client must specify the preferred alternative means or location.(b)
The client may submit the request for alternative means or locations either orally or in writing.(A)
If the client makes a request in-person, the Department shall document the request and ask for the client’s signature.(B)
If the client makes a request by telephone or electronically, the Department shall document the request and verify the identity of the client.(c)
The Department may terminate its agreement to an alternative location or method of communication if:(A)
The client agrees to or requests termination of the alternative location or method of communication in writing or orally. The Department shall document the oral agreement or request in the client’s Department case file; or(B)
The Department informs the client that the Department is terminating its agreement to the alternative location or method of communication because the alternative location or method of communication is not effective. The Department may terminate its agreement to communicate at the alternative location or by the alternate method if:(i)
The Department is unable to contact the client at the location or by the method requested; or(ii)
The client fails to respond to payment requests, if applicable.(5)
Right of clients to request amendment of their information. Clients may request that the Department amend information about themselves in Department files.(a)
For all amendment requests, the Department shall have the client complete the approved Department form.(b)
The Department may deny the request or limit its agreement to amend.(c)
The Department must act on the client’s request no later than 60 days after receiving the request. If the Department is unable to act within 60 days, the Department may extend this time limit by a maximum of 30 additional days, subject to the following:(A)
The Department must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Department shall act on the request; and(B)
The Department shall use only one 30-day extension.(d)
The program’s medical director, a licensed health care professional designated by the program administrator, or a Department staff person involved in the client’s case must review the request and any related documentation prior to making a decision to amend a health or medical record.(e)
A staff person designated by the Department shall review the request and any related documentation prior to making a decision to amend any information that is not a health or medical record.(f)
If the Department grants the request, in whole or in part, the Department shall:(A)
Make the appropriate amendment to the information or records, and document the amendment in the client’s Department file or record;(B)
Provide notice to the client that the amendment has been granted, pursuant to the time limits under section (5)(c) of this rule;(C)
Obtain the client’s agreement to notify other relevant persons or entities with whom the Department has shared or needs to share the amended information; and(D)
Inform and provide the amendment within a reasonable time to:(i)
Persons named by the client who have received the information and who need the amendment; and(ii)
Persons, that the Department knows have the information that is the subject of the amendment and who may have relied, or could foreseeably rely, on the information to the client’s detriment.(g)
The Department may deny the client’s request for amendment if:(A)
The Department finds the information to be accurate and complete;(B)
The information was not created by the Department;(C)
The information is not part of Department records; or(D)
The information would not be available for inspection or access by the client, pursuant to section (1)(g) and (h) of this rule.(h)
If the Department denies the amendment request, in whole or in part, the Department must provide the client with a written denial. The denial must:(A)
Be sent within the time limits specified in section (5)(c) of this rule;(B)
State the basis for the denial, in plain language; and(C)
Explain the client’s right to submit a written statement disagreeing with the denial and how to file the statement. If the client files a statement:(i)
The Department shall enter the written statement into the client’s Department case file;(ii)
The Department may also enter a Department-written rebuttal of the client’s written statement into the client’s Department case file. The Department shall send a copy of any written rebuttal to the client;(iii)
The Department shall include a copy of the statement and any Department-written rebuttal with any future disclosures of the relevant information;(iv)
If a client does not submit a written statement of disagreement, the client may ask that if the Department makes any further disclosures of the relevant information, that the Department shall also include a copy of the client’s original request for amendment and a copy of the Department written denial; and(v)
The Department shall provide information on how the client may file a complaint with the Department and, if the information is PHI, with DHHS, Office for Civil Rights.(6)
Rights of clients to request an accounting of disclosures of PHI. Clients may receive an accounting of disclosures of PHI that the Department has made for any period of time, not to exceed six years, preceding the request date for the accounting.(a)
For all requests for an accounting of disclosures, the client may complete the authorized Department form “Request for Accounting of Disclosures of Health Records,” or provide sufficient information to accomplish this request.(b)
The right to an accounting of disclosures does not apply when the request is:(A)
Authorized by the client;(B)
Made prior to April 14, 2003;(C)
Made to carry out treatment, payment, or health care operations, unless these disclosures are made from an electronic health record;(D)
Made to the client;(E)
Made to persons involved in the client’s care;(F)
Made as part of a limited data set in accordance with OAR 407-014-0070 (De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements);(G)
Made for national security or intelligence purposes; or(H)
Made to correctional institutions or law enforcement officials having lawful custody of an inmate.(c)
For each disclosure, the accounting must include:(A)
The date of the disclosure;(B)
The name and address, if known, of the person or entity who received the disclosed information;(C)
A brief description of the information disclosed; and(D)
A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or, in lieu of a statement, a copy of the client’s written request for a disclosure, if any.(d)
If, during the time period covered by the accounting, the Department has made multiple disclosures to the same person or entity for the same purpose, the Department may provide the required information for only the first disclosure. The Department need not list the same identical information for each subsequent disclosure to the same person or entity if the Department adds the following information:(A)
The frequency or number of disclosures made to the same person or entity; and(B)
The date of the most recent disclosure during the time period for which the accounting is requested.(e)
The Department must act on the client’s request for an accounting no later than 60 days after receiving the request. If the Department is unable to act within 60 days, the Department may extend this time limit by a maximum of 30 additional days, subject to the following:(A)
The Department must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Department shall act on the request; and(B)
The Department shall use only one 30-day extension.(f)
The Department shall provide the first requested accounting in any 12-month period without charge. The Department may charge the client a reasonable cost-based fee for each additional accounting requested by the client within the 12-month period following the first request, if the Department:(A)
Informs the client of the fee before proceeding with any additional request; and(B)
Allows the client an opportunity to withdraw or modify the request in order to avoid or reduce the fee.(g)
The Department shall document the information required to be included in an accounting of disclosures, as specified in section (6)(c) of this rule, and retain a copy of the written accounting provided to the client.(h)
The Department shall temporarily suspend a client’s right to receive an accounting of disclosures that the Department has made to a health oversight agency or to a law enforcement official, for a length of time specified by the agency or official, if the agency or official provides a written or oral statement to the Department that the accounting would be reasonably likely to impede their activities. If the agency or official makes an oral request, the Department shall:(A)
Document the oral request, including the identity of the agency or official making the request.(B)
Temporarily suspend the client’s request to an accounting of disclosures; and(C)
Limit the temporary suspension to no longer than 30 days from the date of the oral request, unless the agency or official submits a written request specifying a longer time period.(7)
Filing a complaint. Clients may file a complaint with the Department or, if the complaint concerns a violation of the HIPAA Privacy or Security Rule, with DHHS, Office for Civil Rights.(a)
Upon request, the Department shall give clients the name and address of the specific person or office of where to submit complaints to DHHS.(b)
The Department may not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any individual filing a complaint or inquiring about how to file a complaint.(c)
The Department may not require clients to waive their rights to file a complaint as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.(d)
The Department shall designate staff to review and determine action on complaints filed with the Department.(e)
The Department shall document, in the client’s Department case file, all complaints, the findings from reviewing each complaint, and the Department’s actions resulting from the complaint. For each complaint, the documentation shall include a description of corrective action that the Department has taken, if any are necessary, or why corrective action is not needed.
Source:
Rule 407-014-0030 — Client Privacy Rights, https://secure.sos.state.or.us/oard/view.action?ruleNumber=407-014-0030.