OAR 407-014-0050
Business Associate


The Department is a business associate of the Authority. The Authority is the single state Medicaid agency, but the Department performs or assists in the performance of key components of the medical assistance program under the supervision of the Authority including but not limited to eligibility determinations for the medical assistance program and supervising the long-term and community-based services for seniors and people with disabilities. The Department also provides certain health care operations services for the Authority. In doing so, the Department is a business associate of the Authority. As a business associate of the Authority, the Department is authorized to use and disclose protected health information to perform or assist the Authority in the performance of its covered functions. However, as a business associate, the Department is subject to the privacy requirements described in these rules.


As a business associate of the Authority implementing the requirements of the medical assistance program, the Department may disclose an individual’s PHI to its contractors or providers, and may allow its contractors or providers to create or receive an individual’s PHI on behalf of the Department if the contract or agreement that complies with applicable federal and state law. In some limited circumstances, the Department may determine that the Department is a business associate of a covered entity. A business associate relationship with the Department requires additional contractual disclosure and privacy provisions that must be incorporated into the contract pursuant to 45 CFR part 164-504(e)(1).


A contract with a business associate must comply with OAR 125-055-0100 (Purpose — HIPAA Privacy and Security Rule Implementation; HITECH Act Implementation.) to 125-055-0130 (Standards in Individual Contracts) and the qualified service organization requirements in 42 CFR part 2.11.
Last Updated

Jun. 8, 2021

Rule 407-014-0050’s source at or​.us