OAR 407-120-0170
Confidentiality and Security
(1) Individually Identifiable Health Information. All providers, PHPs, and allied agencies are responsible for ensuring the confidentiality of individually identifiable health information, consistent with the requirements of the privacy statutes and regulations, and shall take reasonable action to prevent any unauthorized disclosure of confidential information by a provider, PHP, allied agency, or other agent. A provider, web portal submitter, trading partner, EDI submitter, or other agent must comply with any and all applicable privacy statutes and regulations relating to confidential information.
(2) General Requirements for Electronic Submitters. A provider (web portal submitter), trading partner (EDI submitter), or other agent must maintain adequate security procedures to prevent unauthorized access to data, data transmissions, security access codes, or the Department’s information system, and must immediately notify the Department of all unauthorized attempts by any individual or entity to obtain access to or otherwise tamper with the data, data transmissions, security access codes, or the Department’s information system.
(3) Notice of Unauthorized Disclosures. All providers, PHPs, and allied agencies must promptly notify the Department of all unlawful or unauthorized disclosures of confidential information that come to its agents’ attention, and shall cooperate with the Department if corrective action is required by the Department. The Department will promptly notify a provider, PHP, or allied agency of all unlawful or unauthorized disclosures of confidential information in relation to a provider, PHP, or allied agency that come to the Department’s or its agents’ attention, and will cooperate with a provider, PHP, or allied agency if corrective action is required.
(4) Wrongful use of the web portal, EDI systems, or the Department’s network and information system, or wrongful use or disclosure of confidential information by a provider, allied agency, electronic submitters, or their agents may result in the immediate suspension or revocation of any access granted under these rules or other Department rules, at the sole discretion of the Department.
(5) A provider, allied agency, PHP, or electronic submitter must report to the Department’s Information Security Office at dhsinfo.security@state.or.us and to the Department program contact individual, any privacy or security incidents that compromise, damage, or cause a loss of protection to confidential information, information assets, or the Department’s network and security system. Reports must be made in the following manner:
(a) No later than five business days from the date on which a provider, allied agency, PHP, or electronic submitter becomes aware of the incident; and
(b) Provide the results of the incident assessment findings and resolution strategies no later than 30 business days after the report is due under section (4)(a).
(6) A provider, allied agency, PHP, or electronic submitter must comply with the Department’s requests for corrective action concerning a privacy or security incident and with applicable laws requiring mitigation of harm caused by the unauthorized use or disclosure of confidential information.
Source: Rule 407-120-0170 — Confidentiality and Security, https://secure.sos.state.or.us/oard/view.action?ruleNumber=407-120-0170