OAR 943-014-0440
Breach

(1)

For the purposes of this rule a breach is considered “discovered” in accordance with 45 CFR 164.404(a)(2) and 45 CFR 164.410(2).

(2)

In the event a breach of unsecured protected health information is discovered, a contractor must:

(a)

Notify the Authority of the breach.

(A)

The notification must be made as soon as possible and business associate shall confer with the Authority as soon as practicable thereafter.

(B)

The notification must be made to the Authority no later than 30 calendar days after the discovery of breach.

(C)

Notification shall include identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed during the breach.

(D)

Notification shall include steps taken to mitigate harm, steps taken to reasonably ensure a like breach will not occur in the future, and any other information that may be reasonably required by the Authority for the Authority to meet its obligations.

(b)

Confer with the Authority regarding preparing and issuing an appropriate notice to each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed as a result of a breach.

(c)

Confer with the Authority regarding preparing and issuing an appropriate notice to prominent media outlets within the state or local jurisdictions when the breach involves more than 500 individuals.

(d)

Make the appropriate notification to media outlets and individuals affected by the breach as necessary.

(e)

Confer with the Authority regarding preparing and issuing notice of the breach to the Secretary.

(A)

If the breach involves 500 or more individuals, the notice to the Secretary must be provided immediately.

(B)

Any breach involving less than 500 individuals shall be documented in a log and the log provided to the Secretary annually, no later than 60 calendar days after December 31 of each year.

(3)

Except as set forth in section (5) of this rule, notifications required by this rule must be made without unreasonable delay and no later than 60 calendar days after the discovery of a breach.

(4)

Notice must be provided in the manner and content required by 45 CFR 164.404 through 164.410.

(5)

Any notification required by this rule may be delayed by a law enforcement official in accordance with the 45 CFR 164.412.

Source: Rule 943-014-0440 — Breach, https://secure.sos.state.or.us/oard/view.action?ruleNumber=943-014-0440.

943‑014‑0000
Definitions 943‑014‑0010
Purpose 943‑014‑0015
Covered Entity Status for Purposes of the HIPAA Privacy Rules 943‑014‑0020
Uses and Disclosures of Client or Participant Protected Information 943‑014‑0030
Client Privacy Rights 943‑014‑0040
Minimum Necessary Standards 943‑014‑0060
Uses and Disclosures of Protected Information for Research Purposes 943‑014‑0070
De-identification of Client Information and Use of Limited Data Sets under Data Use Agreements 943‑014‑0200
Confidentiality and Inadmissibility of Mediation Communications 943‑014‑0205
Confidentiality and Inadmissibility of Workplace Interpersonal Dispute Mediation Communications 943‑014‑0300
Scope 943‑014‑0305
Definitions 943‑014‑0310
Information Access 943‑014‑0315
Security Information Assets 943‑014‑0320
User Responsibility 943‑014‑0400
Purpose 943‑014‑0410
Definitions 943‑014‑0415
General Business Associate Requirements 943‑014‑0420
Uses and Disclosures of Protected Health Information by Business Associate 943‑014‑0430
Authority Obligations 943‑014‑0435
Contractor Security Requirements 943‑014‑0440
Breach 943‑014‑0445
Violations 943‑014‑0450
Termination of Contract 943‑014‑0455
Order of Precedence 943‑014‑0460
Authority Compliance Methods 943‑014‑0465
Standards in Individual Contracts

California:	Codes
Colorado:	C.R.S.
Nevada:	NRS
New York:	Laws
Oregon:	OAR, ORS
Texas:	Statutes
World:	Rome Statute, International Dictionary

OAR 943-014-0440 Breach

(1)

(2)

(a)

(A)

(B)

(C)

(D)

(b)

(c)

(d)

(e)

(A)

(B)

(3)

(4)

(5)

OAR 943-014-0440
Breach