OAR 407-014-0050
Business Associate

(1)

The Department is a business associate of the Authority. The Authority is the single state Medicaid agency, but the Department performs or assists in the performance of key components of the medical assistance program under the supervision of the Authority including but not limited to eligibility determinations for the medical assistance program and supervising the long-term and community-based services for seniors and people with disabilities. The Department also provides certain health care operations services for the Authority. In doing so, the Department is a business associate of the Authority. As a business associate of the Authority, the Department is authorized to use and disclose protected health information to perform or assist the Authority in the performance of its covered functions. However, as a business associate, the Department is subject to the privacy requirements described in these rules.

(2)

As a business associate of the Authority implementing the requirements of the medical assistance program, the Department may disclose an individual’s PHI to its contractors or providers, and may allow its contractors or providers to create or receive an individual’s PHI on behalf of the Department if the contract or agreement that complies with applicable federal and state law. In some limited circumstances, the Department may determine that the Department is a business associate of a covered entity. A business associate relationship with the Department requires additional contractual disclosure and privacy provisions that must be incorporated into the contract pursuant to 45 CFR part 164-504(e)(1).

(3)

A contract with a business associate must comply with OAR 125-055-0100 (Purpose — HIPAA Privacy and Security Rule Implementation; HITECH Act Implementation.) to 125-055-0130 (Standards in Individual Contracts) and the qualified service organization requirements in 42 CFR part 2.11.

Source: Rule 407-014-0050 — Business Associate, https://secure.sos.state.or.us/oard/view.action?ruleNumber=407-014-0050.

407–014–0000
Definitions 407–014–0010
Purpose 407–014–0015
Information Governed by the HIPAA Privacy Rules 407–014–0020
Uses and Disclosures of Client or Participant Protected Information 407–014–0030
Client Privacy Rights 407–014–0040
Minimum Necessary Standards 407–014–0050
Business Associate 407–014–0060
Uses and Disclosures of Protected Information for Research Purposes 407–014–0070
De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements 407–014–0200
Confidentiality and Inadmissibility of Mediation Communications 407–014–0205
Confidentiality and Inadmissibility of Workplace Interpersonal Dispute Mediation Communications 407–014–0300
Scope 407–014–0305
Definitions 407–014–0310
Information Access 407–014–0315
Security Information Assets 407–014–0320
User Responsibility

Last Updated

Jun. 8, 2021

Rule 407-014-0050’s source at or.us

Stay Connected

Join thousands of people who receive monthly site updates.

Get Legal Help

The Oregon State Bar runs a service for finding an attorney in good standing. Initial consultations are usually free or discounted: Lawyer Referral Service

Committed to Public Service

We will always provide free access to the current law. In addition, we provide special support for non-profit, educational, and government users. Through social entrepreneurship, we’re lowering the cost of legal services and increasing citizen access.

Navigate

California:	Codes
Colorado:	C.R.S.
Nevada:	NRS
New York:	Laws
Oregon:	OAR, ORS
Texas:	Statutes
World:	Rome Statute, International Dictionary

Location: https://oregon.public.law/rules/oar_407-014-0050

Original Source: Rule 407-014-0050 — Business Associate, https://secure.sos.state.or.us/oard/view.action?ruleNumber=407-014-0050 (last accessed Jun. 8, 2021).

OAR 407-014-0050 Business Associate

(1)

(2)

(3)

OAR 407-014-0050
Business Associate