OAR 943-014-0010
Purpose
(1)
The purpose of these rules (OAR 943-014-000 to 943-014-0070 (De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements)) is to govern the collection, use, and disclosure of protected information by the Authority about individuals and to explain the rights and specific actions that individuals may take or request to be taken regarding the uses and disclosures of their protected information. These rules also set forth the Authority’s requirements governing the use and disclosure of PHI for purposes of HIPAA, 42 USC 1320-d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the implementing HIPAA privacy rules, 45 CFR parts 160 and 164, applicable to the Authority’s health care components.(2)
Except as provided in section (1) of this rule, state and federal statutes, rules, and policies that govern the administration of Authority programs, services, and activities continue to govern the use and disclosure of protected information in those Authority programs, services, and activities.(3)
In the event that it is not possible to comply with the requirements of both sections (1) and (2) of this rule, the Authority shall act in accordance with whichever federal or state law imposes a stricter requirement regarding the privacy or safeguarding of information and which provides the greater protection or access to the individual who is the subject of the information, unless one of the following applies:(a)
Public health. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, birth, or death; public health surveillance; or public health investigation or intervention.(b)
Child abuse. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of child abuse.(c)
State regulatory reporting. Nothing in these rules shall be construed to limit the ability of the State of Oregon or the Authority to require a health plan to report, or to provide access to information for management audits, financial audits, program monitoring, facility licensure or certification, or individual licensure or certification.(4)
The Authority may collect, maintain, use, transmit, share, and disclose information about any individual to the extent authorized by law to administer Authority programs, services, and activities.(5)
The Authority may use and disclose information about licensees or providers consistent with federal and state laws and regulations. Information regarding the qualifications of licensees and providers are public records.(a)
When the Authority obtains information about individuals that relates to determining payment responsibility when a provider submits a request for payment to the Authority, the Authority shall safeguard the information consistent with federal and state laws and regulations and Authority policies.(b)
The Authority may review the performance of licensees and providers in the conduct of its health oversight activities and shall safeguard information obtained about individuals obtained during those activities in accordance with federal and state laws and regulations and Authority policies.
Source:
Rule 943-014-0010 — Purpose, https://secure.sos.state.or.us/oard/view.action?ruleNumber=943-014-0010.