OAR 943-014-0015
Covered Entity Status for Purposes of the HIPAA Privacy Rules


(1) These rules address information that, among other things, may be Protected Health Information that is protected by the HIPAA Privacy Rules. For purposes of HIPAA Privacy Rules, the Authority is a hybrid entity because the Authority performs functions that are covered by HIPAA (“health care components”) and functions that are not covered by HIPAA. The Authority’s health care components consist of the functions that are included in the definition of a covered entity, as follows:

(a) The Authority in its capacity as the state Medicaid agency for the administration of the Medicaid program under Title XIX of the Social Security Act and the Children’s Health Insurance Program under Title XXI of the Act and the medical assistance program as described in ORS chapter 414.

(b) The Health Care for All Oregon Children program;

(c) The Family Health Insurance Assistance Program established in ORS 414.841 to 414.864;

(d) Any medical assistance or premium assistance programs reimbursed with Medicaid or the Children’s Health Insurance Program funds operated by the Authority;

(e) The Oregon State Hospital and Blue Mountain Recovery Center;

(f) The high risk pools administered by the Oregon Medical Insurance Pool Board and the Office of Private Health Partnerships;

(g) The Breast and Cervical Cancer Program and the Wise Woman Program;

(h) The Public Health Laboratory;

(i) The Medicaid Management Information system and information technology systems associated with the administration and management of the health care components listed above; and

(j) The ombudsman and other administrative and health care operations functions associated with the administration and management of the health care components listed above.

(2) The Authority administers many aspects of the medical assistance program with the assistance of the Department, including but not limited to eligibility determinations for the medical assistance program and supervising the long-term and community-based services for seniors and people with disabilities. The Department also provides certain health care operations services for the Authority. In doing so, the Department is a business associate of the Authority. As a business associate of the Authority, the Department is authorized to use and disclose protected health information to perform or assist the Authority in the performance of its covered functions.

(3) When these rules of the Authority apply to PHI that is subject to the HIPAA Privacy and Security rules, a reference to the Authority may also include the actions of the Department acting as the Authority’s business associate.

Source: Rule 943-014-0015 — Covered Entity Status for Purposes of the HIPAA Privacy Rules, https://secure.sos.state.or.us/oard/view.action?ruleNumber=943-014-0015.

Last Updated: Jun. 8, 2021
