OAR 943-014-0040
Minimum Necessary Standards


The Authority shall limit the use and disclosure of protected information to that which is reasonably necessary to accomplish the intended purpose of the use or disclosure which is referred to in these rules as the minimum necessary standard.


This minimum necessary standard is not intended to impede the essential Authority activities of treatment, payment, health care operations, or service delivery.


The minimum necessary standard applies:


When using protected information within the Authority;


When disclosing protected information to a third party in response to a request; or


When requesting protected information from another covered entity.


The minimum necessary standard does not apply to:


Disclosures to or requests by a health care provider for treatment;


Disclosures made to the individual, including disclosures made in response to a request for access or an accounting;


Disclosures made with a valid authorization;


Disclosures made to DHHS for the purposes of compliance and enforcement of federal regulations under 45 CFR part 160 and required for compliance with 45 CFR part 164; or


Uses and disclosures required by law;


When requesting protected information about an individual from another entity, the Authority shall limit requests to those that are reasonably necessary to accomplish the purposes for which the request is made. The Authority shall not request a person’s entire medical record unless the Authority can specifically justify the need for the entire medical record.

Source: Rule 943-014-0040 — Minimum Necessary Standards, https://secure.­sos.­state.­or.­us/oard/view.­action?ruleNumber=943-014-0040.

Last Updated

Jun. 8, 2021

Rule 943-014-0040’s source at or​.us