OAR 943-014-0030
Client Privacy Rights


(1)

Rights of clients to access their information. Clients may access, inspect, and obtain a copy of information on their own cases in Authority files or records, consistent with federal and state law.

(a)

A client may request access by completing the Access to Records Request form, or by providing sufficient information to accomplish this request.

(b)

Clients may request access to their own information that is kept by the Authority by using a personal identifier such as the client’s name or Authority case number.

(c)

If the Authority maintains information in a record that includes information about other people, the client may see information only about himself or herself.

(d)

If a person identified in the file is a minor child of the client, and the client is authorized under Oregon law to have access to the minor’s information or to act on behalf of the minor for making decisions about the minor’s care, the client may obtain information about the minor.

(e)

If the requestor of information is recognized under Oregon law as a the client’s guardian or custodian and is authorized under Oregon law to have access to the client’s information or to act on behalf of the client for making decisions about the client’s services or care, the Authority shall release information to the requestor.

(f)

For individuals with disabilities or mental illnesses, the named system in ORS 192.517 (Access to records of individual with disability or individual with mental illness), to protect and advocate the rights of individuals with developmental disabilities under Part C of the Developmental Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041 et seq.) and the rights of individuals with mental illness under the Protection and Advocacy for Individuals with Mental Illness Act (42 U.S.C. 10801 et seq.), shall have access to all records defined in ORS 192.515 (Definitions for ORS 192.515 and 192.517).

(g)

The Authority may deny a client’s access to their own PHI if federal law prohibits the disclosure. Clients may access, inspect, and obtain a copy of health information on their own case in Authority files or records except for the following:

(A)

Psychotherapy notes;

(B)

Information compiled in reasonable anticipation of, or for use in civil, criminal, or administrative proceedings;

(C)

Information that is subject to the federal Clinical Labs Improvement Amendments of 1988, or exempt pursuant to 42 CFR 493.3(a)(2);

(D)

Information that the Authority believes, in good faith, can cause harm to the client, participant, or to any other person; and

(E)

Documents protected by attorney work-product privilege.

(h)

The Authority may deny a client access to information that was obtained under a promise of confidentiality from a person other than a health care provider to the extent that access would reveal the source of the information.

(i)

The Authority may deny a client access to information, if the Authority gives the client a right to have the denial reviewed when:

(A)

A licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may endanger the life or physical safety of the client or another person;

(B)

The information makes reference to another person, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that the information requested may cause substantial harm to the client or to another person; or

(C)

The request for access is made by the client’s personal representative, and a licensed health care professional (for health information) or other designated staff (for other information) has determined, in the exercise of professional judgment, that allowing the personal representative access to the information may cause substantial harm to the client or to another person.

(j)

If the Authority denies access under section (1)(i) of this rule, the client may have the decision reviewed by a licensed health care professional (for health information) or other designated staff (for other information) not directly involved in making the original denial decision.

(A)

The Authority must promptly refer a client’s request for review to the designated reviewer.

(B)

The reviewer must determine, within the 30 or 60-day time limits stated in section (1)(k)(A) and (B) of this rule, whether to approve or deny the client’s request for access.

(C)

Based on the reviewer’s decision, the Authority shall:
(i)
Promptly notify the client in writing of the reviewer’s determination; and
(ii)
If approved, take action to carry out the reviewer’s determination.

(k)

The Authority must act on a client’s request for access no later than 30 days after receiving the request, except as provided in this section and in the case of written accounts under ORS 179.505 (Disclosure of written accounts by health care services provider), which must be disclosed within five days.

(A)

In cases where the information is not maintained or accessible to the Authority on-site, and does not fall under ORS 179.505 (Disclosure of written accounts by health care services provider), the Authority must act on the client’s request no later than 60 days after receiving the request.

(B)

If the Authority is unable to act within the 30 or 60-day limits, the Authority may extend this time period a maximum of 30 additional days, subject to the following:
(i)
The Authority must notify the client in writing of the reasons for the delay and the date by which the Authority shall act on the request.
(ii)
The Authority shall use only one 30-day extension.

(l)

If the Authority grants the client’s request, in whole or in part, the Authority must inform the client of the access decision and provide the requested access.

(A)

If the Authority maintains the same information in more than one format or at more than one location, the Authority may provide the requested information once.

(B)

The Authority must provide the requested information in a form or format requested by the client, if readily producible in that form or format. If not readily producible, the Authority shall provide the information in a readable hard-copy format or other format as agreed to by the Authority and the client.

(C)

The Authority may provide the client with a summary of the requested information, in lieu of providing access, or may provide an explanation of the information if access has been provided, if:
(i)
The client agrees in advance; and
(ii)
The client agrees in advance to pay any fees the Authority may impose, under section (1)(L)(E) of this rule.

(D)

The Authority shall arrange with the client for providing the requested access in a time, place, and manner convenient for the client and the Authority.

(E)

If a client, or legal guardian or custodian, requests a copy, written summary, or explanation of the requested information, the Authority may impose a reasonable cost-based fee, limited to the following:
(i)
Copying the requested information, including the costs of supplies and the labor of copying;
(ii)
Postage; and
(iii)
Staff time for preparing an explanation or summary of the requested information.

(m)

If the Authority denies access, in whole or in part, to the requested information, the Authority must:

(A)

Give the client access to any other requested client information, after excluding the information to which access is denied; and

(B)

Provide the client with a timely written denial. The denial must:
(i)
Be provided within the time limits specified in section (1)(k)(A) and (B) of this rule;
(ii)
State the basis of the denial in plain language;
(iii)
If the Authority denies access under section (1)(i) of this rule, explain the client’s review rights as specified in section (1)(j) of this rule, including an explanation of how the client may exercise these rights; and
(iv)
Provide a description of how the client may file a complaint with the Authority, and if the information is PHI, with the United States Department of Health and Human Services (DHHS), Office for Civil Rights, pursuant to section (7) of this rule.

(n)

If the Authority does not maintain the requested information, in whole or in part, and knows where the information is maintained (such as by a medical provider, insurer, other public agency, private business, or other non-Authority entity), the Authority must inform the client where to direct the request for access.

(2)

Authority Notice of Privacy Practices. The Authority shall send clients notice about the Authority’s privacy practices as follows:

(a)

The Authority shall make available to each client a notice of Authority privacy practices that describes the duty of the Authority to maintain the privacy of PHI and include a description that clearly informs the client of the types of uses and disclosures the Authority is permitted or required to make;

(b)

The Authority shall provide all clients in direct care settings a notice of Authority privacy practices and shall request the client’s signature on an acknowledgement of receipt form;

(c)

If the Authority revises its privacy practices, the Authority shall make the revised notice available to all clients;

(d)

The Authority shall post a copy of the Authority’s Notice of Privacy Practices for public viewing at each Authority worksite and on the Authority website; and

(e)

The Authority shall give a paper copy of the Authority’s Notice of Privacy Practices to any individual upon request.

(3)

Right to request restrictions on uses or disclosures. Clients may request restrictions on the use or disclosure of their information.

(a)

The Authority may deny the client’s request or limit its agreement to a request.

(A)

The Authority may not agree to restrict uses or disclosures of information if the restriction would adversely affect the quality of the client’s care or services.

(B)

The Authority may not agree to restrict uses or disclosures of information that would limit or prevent the Authority from making or obtaining payment for services.

(b)

The Authority may not deny a client’s request to restrict the sharing of records of alcohol and drug treatment or records relating to vocational rehabilitation services with another Authority program.

(c)

The Authority shall document the client’s request, and the reasons for granting or denying the request, in the client’s Authority case file.

(d)

If the client needs emergency treatment and the restricted protected information is needed to provide the treatment, the Authority may use or disclose the restricted protected information to a provider, for the limited purpose of providing treatment. However, once the emergency situation subsides the Authority shall ask the provider not to redisclose the information.

(e)

The Authority may terminate its agreement to a restriction if:

(A)

The client agrees to or requests the termination in writing;

(B)

The client orally requests or agrees to the termination, and the Authority documents the oral request or agreement in the client’s Authority case file; or

(C)

With or without the client’s agreement, the Authority informs the client that the Authority is terminating its agreement to the restriction. Information created or received while the restriction was in place shall remain subject to the restriction.

(4)

Rights of clients to request to receive information from the Authority by alternative means or at alternative locations. The Authority must accommodate reasonable requests by clients to receive communications from the Authority by alternative means, such as by mail, e-mail, fax, or telephone, and at an alternative location.

(a)

The client must specify the preferred alternative means or location.

(b)

The client may submit the request for alternative means or locations either orally or in writing.

(A)

If the client makes a request in-person, the Authority shall document the request and ask for the client’s signature.

(B)

If the client makes a request by telephone or electronically, the Authority shall document the request and verify the identity of the client.

(c)

The Authority may terminate its agreement to an alternative location or method of communication if:

(A)

The client agrees to or requests termination of the alternative location or method of communication in writing or orally. The Authority shall document the oral agreement or request in the client’s Authority case file; or

(B)

The Authority informs the client that the Authority is terminating its agreement to the alternative location or method of communication because the alternative location or method of communication is not effective. The Authority may terminate its agreement to communicate at the alternative location or by the alternate method if:
(i)
The Authority is unable to contact the client at the location or by the method requested; or
(ii)
The client fails to respond to payment requests, if applicable.

(5)

Right of clients to request amendment of their information. Clients may request that the Authority amend information about themselves in Authority files.

(a)

For all amendment requests, the Authority shall have the client complete the approved Authority form.

(b)

The Authority may deny the request or limit its agreement to amend.

(c)

The Authority must act on the client’s request no later than 60 days after receiving the request. If the Authority is unable to act within 60 days, the Authority may extend this time limit by a maximum of 30 additional days, subject to the following:

(A)

The Authority must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Authority shall act on the request; and

(B)

The Authority shall use only one 30-day extension.

(d)

The program’s medical director, a licensed health care professional designated by the program administrator, or an Authority staff person involved in the client’s case must review the request and any related documentation prior to making a decision to amend a health or medical record.

(e)

A staff person designated by the Authority shall review the request and any related documentation prior to making a decision to amend any information that is not a health or medical record.

(f)

If the Authority grants the request, in whole or in part, the Authority shall:

(A)

Make the appropriate amendment to the information or records, and document the amendment in the client’s Authority file or record;

(B)

Provide notice to the client that the amendment has been granted, pursuant to the time limits under section (5)(c) of this rule;

(C)

Obtain the client’s agreement to notify other relevant persons or entities with whom the Authority has shared or needs to share the amended information; and

(D)

Inform and provide the amendment within a reasonable time to:
(i)
Persons named by the client who have received the information and who need the amendment; and
(ii)
Persons, including business associates of the Authority, that the Authority knows have the information that is the subject of the amendment and who may have relied, or could foreseeably rely, on the information to the client’s detriment.

(g)

The Authority may deny the client’s request for amendment if:

(A)

The Authority finds the information to be accurate and complete;

(B)

The information was not created by the Authority;

(C)

The information is not part of Authority records; or

(D)

The information would not be available for inspection or access by the client, pursuant to section (1)(g) and (h) of this rule.

(h)

If the Authority denies the amendment request, in whole or in part, the Authority must provide the client with a written denial. The denial must:

(A)

Be sent within the time limits specified in section (5)(c) of this rule;

(B)

State the basis for the denial, in plain language; and

(C)

Explain the client’s right to submit a written statement disagreeing with the denial and how to file the statement. If the client files a statement:
(i)
The Authority shall enter the written statement into the client’s Authority case file;
(ii)
The Authority may also enter an Authority written rebuttal of the client’s written statement into the client’s Authority case file. The Authority shall send a copy of any written rebuttal to the client;
(iii)
The Authority shall include a copy of the statement and any Authority written rebuttal with any future disclosures of the relevant information;
(iv)
If a client does not submit a written statement of disagreement, the client may ask that if the Authority makes any further disclosures of the relevant information that the Authority shall also include a copy of the client’s original request for amendment and a copy of the Authority written denial; and
(v)
The Authority shall provide information on how the client may file a complaint with the Authority and, if the information is PHI, with DHHS, Office for Civil Rights.

(6)

Rights of clients to request an accounting of disclosures of PHI. Clients may receive an accounting of disclosures of PHI that the Authority has made for any period of time, not to exceed six years, preceding the request date for the accounting.

(a)

For all requests for an accounting of disclosures, the client may complete the authorized Authority form “Request for Accounting of Disclosures of Health Records”, or provide sufficient information to accomplish this request.

(b)

The right to an accounting of disclosures does not apply when the request is:

(A)

Authorized by the client;

(B)

Made prior to April 14, 2003;

(C)

Made to carry out treatment, payment, or health care operations, unless these disclosures are made from an electronic health record;

(D)

Made to the client;

(E)

Made to persons involved in the client’s care;

(F)

Made as part of a limited data set in accordance with OAR 943-014-0070 (De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements);

(G)

Made for national security or intelligence purposes; or

(H)

Made to correctional institutions or law enforcement officials having lawful custody of an inmate.

(c)

For each disclosure, the accounting must include:

(A)

The date of the disclosure;

(B)

The name and address, if known, of the person or entit, who received the disclosed information;

(C)

A brief description of the information disclosed; and

(D)

A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or, in lieu of a statement, a copy of the client’s written request for a disclosure, if any.

(d)

If, during the time period covered by the accounting, the Authority has made multiple disclosures to the same person or entity for the same purpose, the Authority may provide the required information for only the first disclosure. The Authority need not list the same identical information for each subsequent disclosure to the same person or entity if the Authority adds the following information:

(A)

The frequency or number of disclosures made to the same person or entity; and

(B)

The date of the most recent disclosure during the time period for which the accounting is requested.

(e)

The Authority must act on the client’s request for an accounting no later than 60 days after receiving the request. If the Authority is unable to act within 60 days, the Authority may extend this time limit by a maximum of 30 additional days, subject to the following:

(A)

The Authority must notify the client in writing, within 60 days of receiving the request, of the reasons for the delay and the date by which the Authority shall act on the request; and

(B)

The Authority shall use only one 30-day extension.

(f)

The Authority shall provide the first requested accounting in any 12-month period without charge. The Authority may charge the client a reasonable cost-based fee for each additional accounting requested by the client within the 12-month period following the first request, if the Authority:

(A)

Informs the client of the fee before proceeding with any additional request; and

(B)

Allows the client an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

(g)

The Authority shall document the information required to be included in an accounting of disclosures, as specified in section (6)(c) of this rule, and retain a copy of the written accounting provided to the client.

(h)

The Authority shall temporarily suspend a client’s right to receive an accounting of disclosures that the Authority has made to a health oversight agency or to a law enforcement official, for a length of time specified by the agency or official, if the agency or official provides a written or oral statement to the Authority that the accounting would be reasonably likely to impede their activities. If the agency or official makes an oral request, the Authority shall:

(A)

Document the oral request, including the identity of the agency or official making the request.

(B)

Temporarily suspend the client’s request to an accounting of disclosures; and

(C)

Limit the temporary suspension to no longer than 30 days from the date of the oral request, unless the agency or official submits a written request specifying a longer time period.

(7)

Filing a complaint. Clients may file a complaint with the Authority or, if the information is PHI, with DHHS, Office for Civil Rights.

(a)

Upon request, the Authority shall give clients the name and address of the specific person or office of where to submit complaints to DHHS.

(b)

The Authority may not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any individual filing a complaint or inquiring about how to file a complaint.

(c)

The Authority may not require clients to waive their rights to file a complaint as a condition of providing treatment, payment, enrollment in a health plan, or eligibility for benefits.

(d)

The Authority shall designate staff to review and determine action on complaints filed with the Authority.

(e)

The Authority shall document, in the client’s Authority case file all complaints, the findings from reviewing each complaint, and the Authority’s actions resulting from the complaint. For each complaint the documentation shall include a description of corrective action that the Authority has taken, if any are necessary, or why corrective action is not needed.

Source: Rule 943-014-0030 — Client Privacy Rights, https://secure.­sos.­state.­or.­us/oard/view.­action?ruleNumber=943-014-0030.

Last Updated

Jun. 8, 2021

Rule 943-014-0030’s source at or​.us