OAR 943-014-0430
Authority Obligations
(1)
To the extent that a business associate’s use or disclosure of protected health information and electronic protected health information may be affected, the Authority shall notify business associate of:(a)
Limitations in its notice of privacy practices in accordance with 45 CFR 164.520. The Authority may satisfy this obligation by providing business associate with the Authority’s most current Notices of Privacy Practices.(b)
Changes in, or revocation of, permission by an individual to use or disclose protected health information or electronic protected health information.(c)
Restrictions to the use or disclosure of protected health information or electronic protected health information that the Authority has agreed to in accordance with 45 CFR 164.522.(2)
The Authority may not request that a business associate use or disclose protected health information or electronic protected health information in any manner that is not permissible under the Privacy Rule or Security Rule if done by the Authority, except as permitted by OAR 943-014-0420 (Uses and Disclosures of Protected Health Information by Business Associate).
Source:
Rule 943-014-0430 — Authority Obligations, https://secure.sos.state.or.us/oard/view.action?ruleNumber=943-014-0430
.