Medical Assistance

ORS 414.607
Use and disclosure of member information

  • access by member to personal health information


The Oregon Health Authority shall ensure the appropriate use of member information by coordinated care organizations, including the use of electronic health information and administrative data that is available when and where the data is needed to improve health and health care through a secure, confidential health information exchange.


A member of a coordinated care organization must have access to the member’s personal health information in the manner provided in 45 C.F.R. 164.524 so the member can share the information with others involved in the member’s care and make better health care and lifestyle choices.


Notwithstanding ORS 179.505 (Disclosure of written accounts by health care services provider), a coordinated care organization, its provider network and programs administered by the Department of Human Services for seniors and persons with disabilities shall use and disclose member information for purposes of service and care delivery, coordination, service planning, transitional services and reimbursement, in order to improve the safety and quality of care, lower the cost of care and improve the health and well-being of the organization’s members.


A coordinated care organization and its provider network shall use and disclose sensitive diagnosis information including blood-borne infections and other health and mental health diagnoses, within the coordinated care organization for the purpose of providing whole-person care. Individually identifiable health information must be treated as confidential and privileged information subject to ORS 192.553 (Policy for protected health information) to 192.581 (Allowed retention or disclosure of genetic information) and applicable federal privacy requirements. Redisclosure of individually identifiable information outside of the coordinated care organization and the organization’s providers for purposes unrelated to this section or the requirements of ORS 413.032 (Establishment of Oregon Health Authority), 414.572 (Coordinated care organizations), 414.598 (Alternative payment methodologies), 414.605 (Consumer and provider protections), 414.632 (Services to individuals who are dually eligible for Medicare and Medicaid), 414.638 (Metrics and scoring subcommittee) or 414.655 (Utilization of patient centered primary care homes and behavioral health homes by coordinated care organizations) remains subject to any applicable federal or state privacy requirements.


This section does not prohibit the disclosure of information between a coordinated care organization and the organization’s provider network, and the Oregon Health Authority and the Department of Human Services for the purpose of administering the laws of Oregon.


The Health Information Technology Oversight Council shall develop readily available informational materials that can be used by coordinated care organizations and providers to inform all participants in the health care workforce about the appropriate uses and limitations on disclosure of electronic health records, including need-based access and privacy mandates. [Formerly 414.679]


Last accessed
Jun. 26, 2021