OAR 943-014-0420
Uses and Disclosures of Protected Health Information by Business Associate
(1)
Except as otherwise limited or prohibited by the contract or these rules, a contractor who is a business associate of the Authority may:(a)
Use or disclose protected health information and electronic protected health information to perform functions, activities, or services as specified in the contract and these rules on behalf of the Authority.(b)
Use protected health information and electronic protected health information for the proper management and administration of the business associate contract or to carry out the business associate’s legal responsibilities.(c)
Disclose protected health information and electronic protected health information for the proper management and administration of the business associate, provided disclosures are required by law.(d)
Disclose protected health information and electronic protected health information to a subcontractor if the business associate and subcontractor enter into a business associate agreement that complies with this rule.(e)
Use or disclose protected health information and electronic protected health information to report violations of law to appropriate federal and state authorities, consistent with 45 CFR 164.502(j)(1).(2)
All other use or disclosure of protected health information and electronic protected health information are prohibited.(3)
A contractor who is a business associate of the Authority may not aggregate or compile the Authority’s protected health information or electronic protected health information with the protected health information or electronic protected health information of other covered entities unless the contract permits data aggregation services.(a)
If the contract permits a business associate to provide data aggregation services, a business associate may use protected health information to provide data aggregation services requested by the Authority as permitted by 45 CFR 164.504(e)(2)(i)(B) and subject to any limitations contained in these rules.(b)
If the Authority requests data aggregation services, a business associate may aggregate the Authority’s protected health information with protected heath information of other covered entities that the business associate has in its possession through its capacity as a business associate to other covered entities.(c)
The business associate may only aggregate data for the purpose of providing the Authority with analysis relating to the Authority’s health care operations.(4)
Business associates may not disclose the Authority’s protected health information to another covered entity without the Authority’s express authorization.(5)
Use or disclosure of protected health information or electronic protected health information in accordance with any section of this rule may not violate the Privacy Rule, Security Rule, the HITECH Act, or other applicable federal or state laws or regulations or the minimum necessary policies and procedures of the Authority.
Source:
Rule 943-014-0420 — Uses and Disclosures of Protected Health Information by Business Associate, https://secure.sos.state.or.us/oard/view.action?ruleNumber=943-014-0420.