The Director of the Department of Consumer and Business Services shall adopt rules implementing ORS 746.607 (Use and disclosure of personal information). In adopting rules under this section, the director shall consider the information privacy provisions of the federal Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and the federal Gramm-Leach-Bliley Act (P.L. 106-102).
The rules adopted under subsection (1) of this section shall include but are not limited to:
Permitted uses and disclosures of:
Personal financial information for business, professional or insurance purposes; and
Protected health information for treatment, payment and health care operations.
Requirements for notice of privacy practices for protected health information and notice of information practices for personal financial information. [2003 c.87 §4]