
Confidentiality and Mediation Communications


Published: 2015

The Oregon Administrative Rules contain OARs filed through November 15, 2015


DEPARTMENT OF HUMAN SERVICES, ADMINISTRATIVE SERVICES DIVISION AND DIRECTOR'S OFFICE

DIVISION 14
PRIVACY AND CONFIDENTIALITY
Privacy of Protected Information
Privacy of Protected Information
407-014-0000
Definitions
The following definitions apply to OAR 407-014-0000 to 407-014-0070:
(1) “Administrative hearing” means an oral proceeding before an administrative law judge in a contested case hearing.
(2) “Authority” means the Oregon Health Authority.
(3) “Authorization” means permission from an individual or his or her personal representative giving the Department of Human Services (Department) authorization to obtain, release or use information about the individual from third parties for specified purposes or to disclose information to a third party specified by the individual.
(4) “Business associate” means an individual or entity performing any function or activity on behalf of the Authority, including the Department, involving the use or disclosure of protected health information (PHI) and is not a member of the Authority’s workforce.
(a) For purposes of the definition of “business associate,” “function or activity” includes but is not limited to program administration, claims processing or administration, data analysis, utilization review, quality assurance, billing, legal, actuarial, accounting, consulting, data processing, management, administrative, accreditation, financial services, and similar services for which the Authority may contract or obtain by interagency agreement, if access to PHI is involved.
(b) Business associates do not include licensees or providers unless the licensee or provider also performs some function or activity on behalf of the Authority.
(5) “Client” means an individual who requests or receives services from the Department. This includes but is not limited to applicants for or recipients of public assistance, minors and adults receiving protective services, individuals who are committed to the custody of the Department, children in the custody of the Department receiving services on a voluntary basis, and children committed to the custody of the Department.
(6) “Client information” means personal information relating to a client that the Department may maintain in one or more locations and in various forms, reports, or documents, or stored or transmitted by electronic media.
(7) “Collect” or “Collection” means the assembling of personal information through interviews, forms, reports, or other information sources.
(8) “Contract” means a written agreement between the Department and a person or entity setting forth the rights and obligations of the parties including but not limited to contracts, licenses, agreements, interagency agreements, and intergovernmental agreements.
(9) “Correctional institution” means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by contract with the federal government, a state, or an Indian tribe for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. “Other persons held in lawful custody” include juvenile offenders, adjudicated delinquents, aliens detained awaiting deportation, witnesses, or others awaiting charges or trial.
(10) “Corrective action” means an action that a business associate must take to remedy a breach or violation of the business associate’s obligations under the business associate’s contractual requirement, including but not limited to reasonable steps that must be taken to cure the breach or end the violation.
(11) “Covered entity” means health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction that is subject to federal Health Insurance Portability and Accountability Act (HIPAA) requirements, as those terms are defined and used in the HIPAA regulations, 45 CFR parts 160 and 164.
(12) “De-identified data” means client information from which the Department or other entity has deleted, redacted, or blocked identifiers so the remaining information cannot reasonably be used to identify an individual.
(13) “Department” means the Department of Human Services.
(14) “Department workforce” means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Department, is under the direction and control of the Department, whether or not they are paid by the Department.
(15) “Disclose” means the release, transfer, relay, provision of access to, or conveying of client information to any individual or entity outside the Department.
(16) “Health care” means care, services, or supplies related to the health of an individual. Health care includes but is not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, palliative care, counseling services, assessment, or procedures with respect to the physical or mental condition, or functional status of an individual, or that affects the structure or function of the body and the sale or dispensing of a drug, device, equipment, or other prescribed item.
(17) “Health care operations” means any activities of a covered entity to the extent that the activities are related to health care, Medicaid, or any other health care related programs, services, or activities administered by the covered entity and includes:
(a) Conducting quality assessment and improvement activities, including income evaluation and development of clinical guidelines;
(b) Population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives, and related functions that do not include treatment;
(c) Reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance; and conducting training programs in which students and trainees in areas of health care learn under supervision to practice or improve their skills, accreditation, certification, licensing, or credentialing activities;
(d) Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract for Medicaid or health care related services;
(e) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs, and disclosure to the Medicaid Fraud Unit pursuant to 43 CFR part 455.21;
(f) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the covered entity, including administration, development, or improvement of methods of payments or health care coverage; and
(g) Business management and general administrative activities of the covered entity, including but not limited to:
(A) Management activities relating to implementation of and compliance with the requirements of HIPAA;
(B) Customer service, including providing data analysis;
(C) Resolution of internal grievances, including administrative hearings and the resolution of disputes from patients or enrollees regarding the quality of care and eligibility for services; and
(D) Creating de-identified data or a limited data set.
(18) “Health oversight agency” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including employees or agents of the public agency or its contractors or grantees that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. When performing these functions, the Department acts as a health oversight agency for the purposes of these rules.
(19) “HIPAA” means the Title II, Subtitle F of the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq, and the federal regulations adopted to implement the Act.
(20) “Individual” means the person who is the subject of information collected, used, or disclosed by the Department.
(21) “Individually identifying information” means any single item or compilation of information or data that indicates or reveals the identity of an individual, either specifically (such as the individual’s name or social security number), or from which the individual’s identity can be reasonably ascertained.
(22) “Information” means personal information relating to an individual, a participant, or a Department client.
(23) “Inmate” means a person incarcerated in or otherwise confined in a correctional institution. An individual is no longer an inmate when released on parole, probation, supervised release, or is otherwise no longer in custody.
(24) “Institutional Review Board (IRB)” means a specially constituted review body established or designated by an entity in accordance with 45 CFR part 46 to protect the welfare of human subjects recruited to participate in biomedical or behavioral research. The IRB must be registered with the Office for Human Research Protection.
(25) “Law enforcement official” means an officer or employee of any agency or authority of the federal government, a state, territory, political subdivision of a state or territory, or Indian tribe who is empowered by law to:
(a) Investigate and conduct an official inquiry into a potential violation of law; or
(b) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.
(26) “Licensee” means a person or entity that applies for or receives a license, certificate, registration, or similar authority from the Department to perform or conduct a service, activity, or function.
(27) “Minimum necessary” means the least amount of information, when using or disclosing confidential client information, that is needed to accomplish the intended purpose of the use, disclosure, or request.
(28) “Participant” means individuals participating in Department population-based services, programs, and activities that serve the general population, but who do not receive program benefits or direct services received by a client. Examples of participants include individuals who contact Department hotlines or the ombudsman for general public information services.
(29) “Payment” means any activities undertaken by a covered entity related to a client to whom health care is provided in order to:
(a) Obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the Medicaid program or other publicly funded health care services; and
(b) Obtain or provide reimbursement for the provision of health care.
(30) “Payment activities” means:
(a) Determinations of eligibility or coverage, including coordination of benefits or the determination of cost sharing amounts, and adjudication of health benefit or health care claims;
(b) Risk adjusting amounts due which are based on enrollee health status and demographic characteristics;
(c) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance, and related health care data processing;
(d) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
(e) Utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services; and
(f) Disclosure to consumer reporting agencies related to collection of premiums or reimbursement including name and address, date of birth, payment history, account number, and name and address of the health care provider or health plan.
(31) “Personal representative” means a person who has authority to act on behalf of an individual in making decisions related to health care.
(32) “Protected Health Information (PHI)” means any individually identifiable health information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. PHI also includes any data transmitted or maintained in any other form or medium by covered entities, including paper records, fax documents, all oral communications, or any other form, such as screen prints of eligibility information, printed e-mails containing an identified individual’s health information, claim or billing information, or hard copy birth or death certificates. PHI does not include school records that are subject to the Family Educational Rights and Privacy Act and employment records held in the Department’s role as an employer.
(33) “Protected information” means any participant or client information that the Department may have in its records or files that must be safeguarded pursuant to federal or state law. This includes but is not limited to individually identifying information.
(34) “Provider” means a person or entity that may seek reimbursement from the Department as a provider of services to Department clients pursuant to a contract. For purposes of these rules, reimbursement may be requested on the basis of claims or encounters or other means of requesting payment.
(35) “Psychotherapy notes” means notes recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversations during a private counseling session, or group, joint, or family counseling session, when the notes are separated from the rest of the individual’s record. Psychotherapy notes do not include medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date.
(36) “Public health agency” means a public agency or a person or entity acting under a grant of authority from or by contract with the public agency that performs or conducts one or more of the following essential functions that characterize public health programs, services, or activities:
(a) Monitor health status to identify community health problems;
(b) Diagnose and investigate health problems and health hazards in the community;
(A) Inform, educate, and empower people about health issues;
(B) Mobilize community partnerships to identify and solve health problems;
(C) Develop policies and plans that support individual and community health efforts;
(D) Enforce laws and regulations that protect health and ensure safety;
(E) Direct individuals to needed personal health services and assure the provision of health care when otherwise unavailable;
(F) Ensure a competent public health and personal health care workforce;
(G) Evaluate the effectiveness, accessibility, and quality of personal and population-based health services; and
(H) Perform research for new insights and innovative solutions to health problems.
(37) “Public health authority” means an agency or authority of the federal government, a state, territory, political subdivision of a state or territory, Indian tribe, or a person or entity acting under a grant of authority from or by contract with the public agency, including the employees or agents of the public agency, or its contractors, persons, or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
(38) “Re-disclosure” means the disclosure of information to a person, a Department program, a Department subcontracted entity, or other entity or person other than what was originally authorized.
(39) “Research” means systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalized knowledge.
(40) “Required by law” means a duty or responsibility that federal or state law specifies that a person or entity must perform or exercise. Required by law includes but is not limited to court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or rules that require the production of information, including statutes or rules that require such information if payment is sought under a government program providing public benefits.
(41) “Treatment” means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another.
(42) “Use” means the sharing of individual information within a Department program or the sharing of individual information between program staff and administrative staff that support or oversee the program.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010

Hist.: OMAP 26-2003, f. 3-31-03 cert. ef. 4-1-03; Renumbered from 410-014-0000 by DHSD 5-2009, f. & cert. ef. 7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011, f. & cert. ef. 12-16-11
407-014-0010
Purpose
(1) The purpose of these rules (OAR 407-014-0000 to 407-014-0070) is to govern the collection, use, and disclosure of protected information by the Department about individuals and to explain the rights and specific actions that individuals may take or request to be taken regarding the uses and disclosures of their protected information. These rules also set forth Department requirements governing the use and disclosure of PHI for purposes of HIPAA, 42 USC 1320-d through 1320d-8, Pub L 104-191, sec. 262 and 264, and the implementing HIPAA privacy rules, 45 CFR parts 160 and 164.
(2) Except as provided in section (1) of this rule, state and federal statutes, rules, and policies that govern the administration of Department programs, services, and activities continue to govern the use and disclosure of protected information in those Department programs, services, and activities.
(3) In the event that it is not possible to comply with the requirements of both sections (1) and (2) of this rule, the Department shall act in accordance with whichever federal or state law imposes a stricter requirement regarding the privacy or safeguarding of information and which provides the greater protection or access to the individual who is the subject of the information, unless one of the following applies:
(a) Public health. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, birth, or death; public health surveillance; or public health investigation or intervention.
(b) Child abuse. Nothing in these rules shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of child abuse.
(c) State regulatory reporting. Nothing in these rules shall be construed to limit the ability of the State of Oregon or the Department to require a health plan to report, or to provide access to information for management audits, financial audits, program monitoring, facility licensure or certification, or individual licensure or certification.
(4) The Department may collect, maintain, use, transmit, share, and disclose information about any individual to the extent authorized by law to administer Department programs, services, and activities.
(5) The Department may use and disclose information about licensees or providers consistent with federal and state laws and regulations. Information regarding the qualifications of licensees and providers is a public record.
(a) When the Department obtains information about individuals that relates to determining payment responsibility when a provider submits a request for payment to the Department, the Department shall safeguard the information consistent with federal and state laws and regulations and Department policies.
(b) The Department may review the performance of licensees and providers in the conduct of their health oversight activities and shall safeguard information about individuals obtained during those activities in accordance with federal and state laws and regulations and Department policies.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010

Hist.: OMAP 26-2003, f. 3-31-03 cert. ef. 4-1-03; Renumbered from 410-014-0010 by DHSD 5-2009, f. & cert. ef. 7-1-09
407-014-0015
Information Governed by the HIPAA Privacy Rules
(1) These rules address information that, among other things, may be PHI that is protected by the HIPAA Privacy Rules. For purposes of HIPAA Privacy Rules, the Authority is a covered entity, primarily because of its role as the state Medicaid and Children’s Health Insurance Program.
(2) The Authority administers many aspects of the medical assistance program with the assistance of the Department, including but not limited to eligibility determinations for the medical assistance program and supervising the long-term and community-based services for seniors and people with disabilities. The Department also provides certain health care operations services for the Authority. In doing so, the Department is a business associate of the Authority. As a business associate of the Authority, the Department is authorized to use and disclose protected health information to perform or assist the Authority in the performance of its covered functions, in a manner consistent with these rules.
(3) These rules only apply to information maintained by the Department as a business associate of the Authority.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010

Hist.: DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011, f. & cert. ef. 12-16-11
407-014-0020
Uses and Disclosures of Client or Participant Protected Information
(1) Uses and disclosures with individual authorization. The Department must obtain a completed and signed authorization for release of information from the individual, or the individual’s personal representative, before obtaining or using protected information about an individual from a third party or disclosing protected information about the individual to a third party.
(a) Uses and disclosures must be consistent with what the individual has approved on the signed authorization form approved by the Department.
(b) An individual may revoke an authorization at any time. The revocation must be in writing and signed by the individual, except that substance abuse treatment patients may orally revoke an authorization to disclose information obtained from substance abuse treatment programs. No revocation shall apply to information already released while the authorization was valid and in effect.
(2) Uses and disclosures without authorization. The Department may use and disclose information without written authorization in the following circumstances:
(a) The Department may disclose information to individuals who have requested disclosure to themselves of their information, if the individual has the right to access the information under OAR 407-014-0030(6).
(b) If the law requires or permits the disclosure, and the use and disclosure complies with, and is limited to, the relevant requirements of the relevant law.
(c) For treatment, payment, and health care operations, the Department may disclose the following information:
(A) Activities involving the current treatment of an individual, for the Department or health care provider;
(B) Payment activities, for the Department, covered entity, or health care provider;
(C) Protected health information for the purpose of health care operations; and
(D) Substance abuse treatment information, if the recipient has a Qualified Service Organization Agreement with the Department.
(d) Psychotherapy notes. The Department may only use and disclose psychotherapy notes in the following circumstances:
(A) In the Department’s supervised counseling training programs;
(B) In connection with oversight of the originator of the psychotherapy notes; or
(C) To defend the Department in a legal action or other proceeding brought by the individual.
(e) Public health activities.
(A) The Department may disclose an individual’s protected information to appropriate entities or persons for governmental public health activities and for other purposes including but not limited to:
(i) A governmental public health authority that is authorized by law to collect or receive protected information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to reporting disease, injury, and vital events such as birth or death, and conducting public health surveillance, investigations, and interventions;
(ii) An official of a foreign government agency that is acting in collaboration with a governmental public health authority;
(iii) A governmental public health authority, or other government authority that is authorized by law to receive reports of child abuse or neglect;
(iv) A person subject to the jurisdiction of the federal Food and Drug Administration (FDA), regarding an FDA-regulated product or activity for which that person is responsible for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity; or
(v) A person who may have been exposed to a communicable disease, or may be at risk of contracting or spreading a disease or condition.
(B) Where state or federal law prohibits or restricts use and disclosure of information obtained or maintained for public health purposes, the Department shall deny the use and disclosure.
(f) Child abuse reporting and investigation. If the Department has reasonable cause to believe that a child is a victim of abuse or neglect, the Department may disclose protected information to appropriate governmental authorities authorized by law to receive reports of child abuse or neglect (including reporting to the Department protective services staff if appropriate). If the Department receives information as the child protective services agency, the Department may use and disclose the information consistent with its legal authority and in compliance with any applicable state and federal regulations.
(g) Adult abuse reporting and investigation. If the Department has reasonable cause to believe that a vulnerable adult is a victim of abuse or neglect, the Department may disclose information, as required by law, to a government authority or regulatory agency authorized by law to receive reports of abuse or neglect including but not limited to a social service or protective services agency (which may include the Department) authorized by law to receive such reports. Vulnerable adults are adults age 65 or older and persons with disabilities. If the Department receives information as the social services or protective services agency, the Department may use and disclose the information.
(h) Health oversight activities. The Department may disclose information without authorization for health oversight activities including audits; civil, criminal, or administrative investigations, prosecutions, licensing or disciplinary actions; Medicaid fraud; or other necessary oversight activities.
(i) Administrative and court hearings, grievances, investigations, and appeals.
(A) The Department may use or disclose information for an investigation, administrative or court hearing, grievance, or appeal about an individual’s eligibility or right to receive Department benefits or services.
(B) If the Department has obtained information in performing its duties as a health oversight agency, protective service entity, or public benefit program, the Department may use or disclose that information in an administrative or court hearing consistent with the other privacy requirements applicable to that program, service, or activity.
(j) Court orders. The Department may disclose information for judicial or administrative proceedings in response to a court order, subpoena, discovery request, or other legal process. If a court orders the Department to conduct a mental examination pursuant to ORS 161.315, 161.365, 161.370, or 419B.352, or orders the Department to provide any other report or evaluation to the court, the examination, report, or evaluation shall be deemed to be required by law for purposes of HIPAA.
(k) Law enforcement purposes. For limited law enforcement purposes, the Department may report certain injuries or wounds; provide information to identify or locate a suspect, victim, or witness; alert law enforcement of a death as a result of criminal conduct; and provide information which constitutes evidence of criminal conduct on Department premises.
(A) The Department may provide client information to a law enforcement officer in any of the following situations:
(i) The law enforcement officer is involved in carrying out any investigation, criminal, or civil proceedings connected with administering the program from which the information is sought;
(ii) A Department employee may disclose information from personal knowledge that does not come from the client’s interaction with the Department;
(iii) The disclosure is authorized by statute or administrative rule;
(iv) The information informs law enforcement of a death as a result of criminal conduct;
(v) The information constitutes evidence of criminal conduct on Department premises; or
(vi) The disclosure is necessary to protect the client or others, and the client poses a threat to his or her safety or to the safety of others.
(B) Except as provided in section (2)(k)(C) of this rule, the Department may give a client’s current address, Social Security number, and photo to a law enforcement officer if the law enforcement officer makes the request in the course of official duty, supplies the client’s name, and states that the client:
(i) Is a fugitive felon or is violating parole, probation, or post-prison supervision;
(ii) For all public assistance programs, has information that is necessary for the officer to conduct official duties, and the location or apprehension of the client is within the officer’s official duties; or
(iii) For clients only in the SNAP program, has information that is necessary to conduct an official investigation of a fugitive felon or person violating parole, probation, or post-prison supervision.
(C) If domestic violence has been identified in the household, the Department may not release information about a victim of domestic violence unless a member of the household is either wanted as a fugitive felon or is violating parole, probation, or post-prison supervision.
(D) For purposes of this subsection, a fugitive felon is a person fleeing to avoid prosecution or custody for a crime, or an attempt to commit a crime, that would be classified as a felony.
(E) For purposes of this section, a law enforcement officer is an employee of the Oregon State Police, a county sheriff’s department, or a municipal police department, whose official duties include arrest authority.
(l) Use and disclosure of information
about deceased individuals.
(A) The Department may disclose
individual information to a coroner or medical examiner for the purpose of identifying
a deceased individual, determining cause of death, or other duties authorized by
law.
(B) The Department may disclose
individual information to funeral directors as needed to carry out their duties
regarding the decedent. The Department may also disclose individual information
prior to, and in anticipation of, the death.
(m) Organ or tissue donation.
The Department may disclose individual information to organ procurement organizations
or other entities engaged in procuring, banking, or transplanting cadaver organs,
eyes, or tissue for the purpose of facilitating transplantation.
(n) Research. The Department
may disclose individual information without authorization for research purposes,
as specified in OAR 407-014-0060.
(o) Threat to health or safety.
To avert a serious threat to health or safety the Department may disclose individual
information if:
(A) The Department believes
in good faith that the information is necessary to prevent or lessen a serious and
imminent threat to the health or safety of a person or the public; and
(B) The report is to a person or
persons reasonably able to prevent or lessen the threat, including the target of
the threat.
(p) National security and intelligence.
The Department may disclose information to authorized federal officials for lawful
intelligence, counterintelligence, and other national security activities.
(q) Correctional institutions
and law enforcement custody situations. The Department may disclose information
to a correctional institution or a law enforcement official having lawful custody
of an inmate or other person, for the limited purpose of providing health care or
ensuring the health or safety of the person or other inmates.
(r) Emergency treatment. In
case of an emergency, the Department may disclose individual information to the
extent needed to provide emergency treatment.
(s) Government entities providing
public benefits. The Department may disclose eligibility and other information to
governmental entities administering a government program providing public benefits.
(3) Authorization not required
if opportunity to object given. The Department may use and disclose an individual’s
information without authorization if the Department informs the individual in advance
and gives the individual an opportunity to either agree or refuse or restrict the
use and disclosure.
(a) These disclosures are limited
to disclosure of information to a family member, other relative, close personal
friend of the individual, or any other person named by the individual, subject to
the following limitations:
(A) The Department may disclose
only the protected information that directly relates to the person’s involvement
with the individual’s care or payment for care.
(B) The Department may use and
disclose protected information for notifying, identifying, or locating a family
member, personal representative, or other person responsible for care of the individual,
regarding the individual’s location, general condition, or death. For individuals
who had resided at one time at the state training center, OAR 411-320-0090(6) addresses
family reconnection.
(C) If the individual is present
for, or available prior to, a use and disclosure, the Department may disclose the
protected information if the Department:
(i) Obtains the individual’s
agreement;
(ii) Provides the individual
an opportunity to object to the disclosure, and the individual does not object;
or
(iii) Reasonably infers from
the circumstances that the individual does not object to the disclosure.
(D) If the individual is not
present, or the opportunity to object to the use and disclosure cannot practicably
be provided due to the individual’s incapacity or an emergency situation,
the Department may disclose the information if, using professional judgment, the
Department determines that the use and disclosure is in the individual’s best
interests.
(b) Exception. For individuals
referred to or receiving substance abuse treatment, mental health, or vocational
rehabilitation services, the Department shall not use or disclose information without
written authorization, unless disclosure is otherwise permitted under 42 CFR part
2, 34 CFR 361.38, or ORS 179.505.
(c) Personal representative.
The Department must treat a personal representative as the individual for purposes
of these rules, except that:
(A) A personal representative
must be authorized under state law to act on behalf of the individual with respect
to use and disclosure of information. The Department may require a personal representative
to provide a copy of the documentation authorizing the person to act on behalf of
the individual.
(B) The Department may elect
not to treat a person as a personal representative of an individual if:
(i) The Department has a reasonable
belief that the individual has been or may be subjected to domestic violence, abuse,
or neglect by the person;
(ii) The Department, in the
exercise of professional judgment, decides that it is not in the best interest of
the individual to treat the person as the individual’s personal representative.
(4) Redisclosure. The Department
must inform the individual that information held by the Department and authorized
by the individual for disclosure may be subject to redisclosure and no longer protected
by these rules.
(5) Specific written authorization.
If the use or disclosure of information requires an authorization, the authorization
must specify that the Department may use or disclose vocational rehabilitation records,
alcohol and drug records, HIV/AIDS records, genetics information, and mental health
or developmental disability records held by publicly funded providers.
(a) Pursuant to federal regulations
at 42 CFR part 2 and 34 CFR 361.38, the Department may not make further disclosure
of vocational rehabilitation and alcohol and drug rehabilitation information without
the specific written authorization of the individual to whom it pertains.
(b) Pursuant to ORS 433.045
and OAR 333-012-0270, the Department may not make further disclosure of individual
information pertaining to HIV/AIDS.
(c) Pursuant to ORS 192.531
to 192.549, the Department may not make further disclosure pertaining to genetic
information.
(6) Verification of person or
entity requesting information. The Department may not disclose information about
an individual without first verifying the identity of the person or entity requesting
the information, unless the Department workforce member fulfilling the request already
knows the person or has already verified identity.
(7) Whistleblowers. The Department
may disclose an individual’s protected health information under the HIPAA
privacy rules under the following circumstances:
(a) The Department workforce
member believes in good faith that the Department has engaged in conduct that is
unlawful or that otherwise violates professional standards or Department policy,
or that the care, services, or conditions provided by the Department could endanger
Department staff, individuals in Department care, or the public; and
(b) The disclosure is to a government
oversight agency or public health authority, or an attorney of a Department workforce
member retained for the purpose of determining the legal options of the workforce
member with regard to the conduct alleged under section (7)(a) above; and
(c) Nothing in this rule is
intended to interfere with ORS 659A.200 to 659A.224 describing the circumstances
applicable to disclosures by the Department's workforce.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010
& 433.045

Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0020 by DHSD 5-2009, f. & cert. ef.
7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011,
f. & cert. ef. 12-16-11
407-014-0030
Client Privacy Rights
(1) Rights of clients to access
their information. Clients may access, inspect, and obtain a copy of information
on their own cases in Department files or records, consistent with federal and state
law.
(a) A client may request access
by completing the Access to Records Request form, or by providing sufficient information
to accomplish this request.
(b) Clients may request access
to their own information that is kept by the Department by using a personal identifier
such as the client’s name or Department case number.
(c) If the Department maintains
information in a record that includes information about other people, the client
may see information only about himself or herself.
(d) If a person identified in
the file is a minor child of the client, and the client is authorized under Oregon
law to have access to the minor’s information or to act on behalf of the minor
for making decisions about the minor’s care, the client may obtain information
about the minor.
(e) If the requestor of information
is recognized under Oregon law as the client’s guardian or custodian and
is authorized under Oregon law to have access to the client’s information
or to act on behalf of the client for making decisions about the client’s
services or care, the Department shall release information to the requestor.
(f) For individuals with disabilities
or mental illnesses, the named system in ORS 192.517, to protect and advocate the
rights of individuals with developmental disabilities under Part C of the Developmental
Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041 et seq.) and the
rights of individuals with mental illness under the Protection and Advocacy for
Individuals with Mental Illness Act (42 U.S.C. 10801 et seq.), shall have access
to all records defined in ORS 192.515.
(g) The Department may deny a client’s
access to their own PHI if federal law prohibits the disclosure. Clients may access,
inspect, and obtain a copy of health information on their own case in Department
files or records except for the following:
(A) Psychotherapy notes;
(B) Information compiled in
reasonable anticipation of, or for use in civil, criminal, or administrative proceedings;
(C) Information that is subject
to the federal Clinical Labs Improvement Amendments of 1988, or exempt pursuant
to 42 CFR 493.3(a)(2);
(D) Information that the Department
believes, in good faith, can cause harm to the client, participant, or to any other
person; and
(E) Documents protected by attorney
work-product privilege.
(h) The Department may deny
a client access to information that was obtained under a promise of confidentiality
from a person other than a health care provider to the extent that access would
reveal the source of the information.
(i) The Department may deny
a client access to information, if the Department gives the client a right to have
the denial reviewed when:
(A) A licensed health care professional
(for health information) or other designated staff (for other information) has determined,
in the exercise of professional judgment, that the information requested may endanger
the life or physical safety of the client or another person;
(B) The information makes reference
to another person, and a licensed health care professional (for health information)
or other designated staff (for other information) has determined, in the exercise
of professional judgment, that the information requested may cause substantial harm
to the client or to another person; or
(C) The request for access is
made by the client’s personal representative, and a licensed health care professional
(for health information) or other designated staff (for other information) has determined,
in the exercise of professional judgment, that allowing the personal representative
access to the information may cause substantial harm to the client or to another
person.
(j) If the Department denies
access under section (1)(i) of this rule, the client may have the decision reviewed
by a licensed health care professional (for health information) or other designated
staff (for other information) not directly involved in making the original denial
decision.
(A) The Department must promptly
refer a client’s request for review to the designated reviewer.
(B) The reviewer must determine,
within the 30 or 60-day time limits stated in section (1)(k)(A) and (B) of this
rule, whether to approve or deny the client’s request for access.
(C) Based on the reviewer’s
decision, the Department shall:
(i) Promptly notify the client
in writing of the reviewer’s determination; and
(ii) If approved, take action
to carry out the reviewer’s determination.
(k) The Department must act
on a client’s request for access no later than 30 days after receiving the
request, except as provided in this section and in the case of written accounts
under ORS 179.505, which must be disclosed within five days.
(A) In cases where the information
is not maintained or accessible to the Department on-site, and does not fall under
ORS 179.505, the Department must act on the client’s request no later than
60 days after receiving the request.
(B) If the Department is unable
to act within the 30 or 60-day limits, the Department may extend this time period
a maximum of 30 additional days, subject to the following:
(i) The Department must notify
the client in writing of the reasons for the delay and the date by which the Department
shall act on the request.
(ii) The Department shall use
only one 30-day extension.
(l) If the Department grants
the client’s request, in whole or in part, the Department must inform the
client of the access decision and provide the requested access.
(A) If the Department maintains
the same information in more than one format or at more than one location, the Department
may provide the requested information once.
(B) The Department must provide
the requested information in a form or format requested by the client, if readily
producible in that form or format. If not readily producible, the Department shall
provide the information in a readable hard-copy format or other format as agreed
to by the Department and the client.
(C) The Department may provide
the client with a summary of the requested information, in lieu of providing access,
or may provide an explanation of the information if access has been provided, if:
(i) The client agrees in advance;
and
(ii) The client agrees in advance
to pay any fees the Department may impose, under section (1)(L)(E) of this rule.
(D) The Department shall arrange
with the client for providing the requested access in a time, place, and manner
convenient for the client and the Department.
(E) If a client, or legal guardian
or custodian, requests a copy, written summary, or explanation of the requested
information, the Department may impose a reasonable cost-based fee, limited to the
following:
(i) Copying the requested information,
including the costs of supplies and the labor of copying;
(ii) Postage; and
(iii) Staff time for preparing
an explanation or summary of the requested information.
(m) If the Department denies
access, in whole or in part, to the requested information, the Department must:
(A) Give the client access to
any other requested client information, after excluding the information to which
access is denied; and
(B) Provide the client with
a timely written denial. The denial must:
(i) Be provided within the time
limits specified in section (1)(k)(A) and (B) of this rule;
(ii) State the basis of the
denial in plain language;
(iii) If the Department denies
access under section (1)(i) of this rule, explain the client’s review rights
as specified in section (1)(j) of this rule, including an explanation of how the
client may exercise these rights; and
(iv) Provide a description of
how the client may file a complaint with the Department, and if the information
is PHI, with the United States Department of Health and Human Services (DHHS), Office
for Civil Rights, pursuant to section (7) of this rule.
(n) If the Department does not
maintain the requested information, in whole or in part, and knows where the information
is maintained (such as by a medical provider, insurer, other public agency, private
business, or other non-Department entity), the Department must inform the client
where to direct the request for access.
(2) Department Notice of Privacy
Practices. The Department shall send clients notice about the Department’s
privacy practices as follows:
(a) The Department shall make
available to each client a notice of Department privacy practices that describes
the duty of the Department to maintain the privacy of PHI and include a description
that clearly informs the client of the types of uses and disclosures the Department
is permitted or required to make;
(b) The Department shall provide
all clients in direct care settings a notice of Department privacy practices and
shall request the client’s signature on an acknowledgement of receipt form;
(c) If the Department revises
its privacy practices, the Department shall make the revised notice available to
all clients;
(d) The Department shall post a
copy of the Department’s Notice of Privacy Practices for public viewing at
each Department worksite and on the Department website; and
(e) The Department shall give a paper copy
of the Department’s Notice of Privacy Practices to any individual upon request.
(3) Right to request restrictions
on uses or disclosures. Clients may request restrictions on the use or disclosure
of their information.
(a) The Department must comply
with the restriction if:
(A) Except as otherwise required
by law, the disclosure is to a health plan for purposes of carrying out payment
or health care operations (and is not for purposes of carrying out treatment); and
(B) The protected health information
pertains solely to a health care item or service for which the health care provider
involved has been paid out of pocket in full.
(b) The Department is not required
to agree to a restriction if the disclosure is:
(A) Required by law; or
(B) Not to a health plan for
purposes of carrying out payment or health care operations.
(c) The Department may not deny
a client’s request to restrict the sharing of records of alcohol and drug
treatment or records relating to vocational rehabilitation services with another
Department program.
(d) The Department shall document
the client’s request, and the reasons for granting or denying the request,
in the client’s Department case file.
(e) If the client needs emergency
treatment and the restricted protected information is needed to provide the treatment,
the Department may use or disclose the restricted protected information to a provider,
for the limited purpose of providing treatment. However, once the emergency situation
subsides, the Department shall ask the provider not to redisclose the information.
(f) The Department may terminate
its agreement to a restriction if:
(A) The client agrees to or
requests the termination in writing;
(B) The client orally requests
or agrees to the termination, and the Department documents the oral request or agreement
in the client’s Department case file; or
(C) With or without the client’s
agreement, the Department informs the client that the Department is terminating
its agreement to the restriction. Information created or received while the restriction
was in place shall remain subject to the restriction.
(4) Rights of clients to request
to receive information from the Department by alternative means or at alternative
locations. The Department must accommodate reasonable requests by clients to receive
communications from the Department by alternative means, such as by mail, e-mail,
fax, or telephone, and at an alternative location.
(a) The client must specify
the preferred alternative means or location.
(b) The client may submit the
request for alternative means or locations either orally or in writing.
(A) If the client makes a request
in-person, the Department shall document the request and ask for the client’s
signature.
(B) If the client makes a request
by telephone or electronically, the Department shall document the request and verify
the identity of the client.
(c) The Department may terminate
its agreement to an alternative location or method of communication if:
(A) The client agrees to or
requests termination of the alternative location or method of communication in writing
or orally. The Department shall document the oral agreement or request in the client’s
Department case file; or
(B) The Department informs the
client that the Department is terminating its agreement to the alternative location
or method of communication because the alternative location or method of communication
is not effective. The Department may terminate its agreement to communicate at the
alternative location or by the alternate method if:
(i) The Department is unable
to contact the client at the location or by the method requested; or
(ii) The client fails to respond
to payment requests, if applicable.
(5) Right of clients to request
amendment of their information. Clients may request that the Department amend information
about themselves in Department files.
(a) For all amendment requests,
the Department shall have the client complete the approved Department form.
(b) The Department may deny
the request or limit its agreement to amend.
(c) The Department must act
on the client’s request no later than 60 days after receiving the request.
If the Department is unable to act within 60 days, the Department may extend this
time limit by a maximum of 30 additional days, subject to the following:
(A) The Department must notify
the client in writing, within 60 days of receiving the request, of the reasons for
the delay and the date by which the Department shall act on the request; and
(B) The Department shall use
only one 30-day extension.
(d) The program’s medical
director, a licensed health care professional designated by the program administrator,
or a Department staff person involved in the client’s case must review the
request and any related documentation prior to making a decision to amend a health
or medical record.
(e) A staff person designated
by the Department shall review the request and any related documentation prior to
making a decision to amend any information that is not a health or medical record.
(f) If the Department grants
the request, in whole or in part, the Department shall:
(A) Make the appropriate amendment
to the information or records, and document the amendment in the client’s
Department file or record;
(B) Provide notice to the client
that the amendment has been granted, pursuant to the time limits under section (5)(c)
of this rule;
(C) Obtain the client’s
agreement to notify other relevant persons or entities with whom the Department
has shared or needs to share the amended information; and
(D) Inform and provide the amendment
within a reasonable time to:
(i) Persons named by the client
who have received the information and who need the amendment; and
(ii) Persons that the Department
knows have the information that is the subject of the amendment and who may have
relied, or could foreseeably rely, on the information to the client’s detriment.
(g) The Department may deny
the client’s request for amendment if:
(A) The Department finds the
information to be accurate and complete;
(B) The information was not
created by the Department;
(C) The information is not part
of Department records; or
(D) The information would not
be available for inspection or access by the client, pursuant to section (1)(g)
and (h) of this rule.
(h) If the Department denies
the amendment request, in whole or in part, the Department must provide the client
with a written denial. The denial must:
(A) Be sent within the time
limits specified in section (5)(c) of this rule;
(B) State the basis for the
denial, in plain language; and
(C) Explain the client’s
right to submit a written statement disagreeing with the denial and how to file
the statement. If the client files a statement:
(i) The Department shall enter
the written statement into the client’s Department case file;
(ii) The Department may also
enter a Department-written rebuttal of the client’s written statement into
the client’s Department case file. The Department shall send a copy of any
written rebuttal to the client;
(iii) The Department shall include
a copy of the statement and any Department-written rebuttal with any future disclosures
of the relevant information;
(iv) If a client does not submit
a written statement of disagreement, the client may ask that, if the Department makes
any further disclosures of the relevant information, the Department also include a copy of the client’s
original request for amendment and a copy of the Department written denial; and
(v) The Department shall provide information
on how the client may file a complaint with the Department and, if the information
is PHI, with DHHS, Office for Civil Rights.
(6) Rights of clients to request
an accounting of disclosures of PHI. Clients may receive an accounting of disclosures
of PHI that the Department has made for any period of time, not to exceed six years,
preceding the request date for the accounting.
(a) For all requests for an
accounting of disclosures, the client may complete the authorized Department form
“Request for Accounting of Disclosures of Health Records,” or provide
sufficient information to accomplish this request.
(b) The right to an accounting
of disclosures does not apply when the request is:
(A) Authorized by the client;
(B) Made prior to April 14,
2003;
(C) Made to carry out treatment,
payment, or health care operations, unless these disclosures are made from an electronic
health record;
(D) Made to the client;
(E) Made to persons involved
in the client’s care;
(F) Made as part of a limited
data set in accordance with OAR 407-014-0070;
(G) Made for national security
or intelligence purposes; or
(H) Made to correctional institutions
or law enforcement officials having lawful custody of an inmate.
(c) For each disclosure, the
accounting must include:
(A) The date of the disclosure;
(B) The name and address, if
known, of the person or entity who received the disclosed information;
(C) A brief description of the
information disclosed; and
(D) A brief statement of the
purpose of the disclosure that reasonably informs the client of the basis for the
disclosure, or, in lieu of a statement, a copy of the client’s written request
for a disclosure, if any.
(d) If, during the time period
covered by the accounting, the Department has made multiple disclosures to the same
person or entity for the same purpose, the Department may provide the required information
for only the first disclosure. The Department need not list the same identical information
for each subsequent disclosure to the same person or entity if the Department adds
the following information:
(A) The frequency or number
of disclosures made to the same person or entity; and
(B) The date of the most recent
disclosure during the time period for which the accounting is requested.
(e) The Department must act
on the client’s request for an accounting no later than 60 days after receiving
the request. If the Department is unable to act within 60 days, the Department may
extend this time limit by a maximum of 30 additional days, subject to the following:
(A) The Department must notify
the client in writing, within 60 days of receiving the request, of the reasons for
the delay and the date by which the Department shall act on the request; and
(B) The Department shall use
only one 30-day extension.
(f) The Department shall provide
the first requested accounting in any 12-month period without charge. The Department
may charge the client a reasonable cost-based fee for each additional accounting
requested by the client within the 12-month period following the first request,
if the Department:
(A) Informs the client of the
fee before proceeding with any additional request; and
(B) Allows the client an opportunity
to withdraw or modify the request in order to avoid or reduce the fee.
(g) The Department shall document
the information required to be included in an accounting of disclosures, as specified
in section (6)(c) of this rule, and retain a copy of the written accounting provided
to the client.
(h) The Department shall temporarily
suspend a client’s right to receive an accounting of disclosures that the
Department has made to a health oversight agency or to a law enforcement official,
for a length of time specified by the agency or official, if the agency or official
provides a written or oral statement to the Department that the accounting would
be reasonably likely to impede their activities. If the agency or official makes
an oral request, the Department shall:
(A) Document the oral request,
including the identity of the agency or official making the request;
(B) Temporarily suspend the
client’s right to an accounting of disclosures; and
(C) Limit the temporary suspension
to no longer than 30 days from the date of the oral request, unless the agency or
official submits a written request specifying a longer time period.
(7) Filing a complaint. Clients
may file a complaint with the Department or, if the complaint concerns a violation
of the HIPAA Privacy or Security Rule, with DHHS, Office for Civil Rights.
(a) Upon request, the Department
shall give clients the name and address of the specific person or office where
complaints to DHHS may be submitted.
(b) The Department may not intimidate,
threaten, coerce, discriminate against, or take any other form of retaliatory action
against any individual filing a complaint or inquiring about how to file a complaint.
(c) The Department may not require
clients to waive their rights to file a complaint as a condition of providing treatment,
payment, enrollment in a health plan, or eligibility for benefits.
(d) The Department shall designate
staff to review and determine action on complaints filed with the Department.
(e) The Department shall document,
in the client’s Department case file, all complaints, the findings from reviewing
each complaint, and the Department’s actions resulting from the complaint.
For each complaint, the documentation shall include a description of corrective
action that the Department has taken, if any are necessary, or why corrective action
is not needed.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010

Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0030 by DHSD 5-2009, f. & cert. ef.
7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011,
f. & cert. ef. 12-16-11
407-014-0040
Minimum Necessary Standards
(1) The Department shall limit
the use and disclosure of protected information to that which is reasonably necessary
to accomplish the intended purpose of the use or disclosure, which is referred to
in these rules as the minimum necessary standard.
(2) This minimum necessary standard
is not intended to impede essential Department activities.
(3) The minimum necessary standard
applies:
(a) When using protected information
within the Department;
(b) When disclosing protected
information to a third party in response to a request; or
(c) When requesting protected
information from another covered entity.
(4) The minimum necessary standard
does not apply to:
(a) Disclosures to or requests
by a health care provider for treatment;
(b) Disclosures made to the
individual, including disclosures made in response to a request for access or an
accounting;
(c) Disclosures made with a
valid authorization;
(d) Disclosures made to DHHS
for the purposes of compliance and enforcement of federal regulations under 45 CFR
part 160 and required for compliance with 45 CFR part 164; or
(e) Uses and disclosures required
by law.
(5) When requesting protected
information about an individual from another entity, the Department shall limit
requests to those that are reasonably necessary to accomplish the purposes for which
the request is made. The Department shall not request a person’s entire medical
record unless the Department can specifically justify the need for the entire medical
record.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010

Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0040 by DHSD 5-2009, f. & cert. ef.
7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011,
f. & cert. ef. 12-16-11
407-014-0050
Business Associate
(1) The Department is a business
associate of the Authority. The Authority is the single state Medicaid agency, but
the Department performs or assists in the performance of key components of the medical
assistance program under the supervision of the Authority including but not limited
to eligibility determinations for the medical assistance program and supervising
the long-term and community-based services for seniors and people with disabilities.
The Department also provides certain health care operations services for the Authority.
In doing so, the Department is a business associate of the Authority. As a business
associate of the Authority, the Department is authorized to use and disclose protected
health information to perform or assist the Authority in the performance of its
covered functions. However, as a business associate, the Department is subject to
the privacy requirements described in these rules.
(2) As a business associate
of the Authority implementing the requirements of the medical assistance program,
the Department may disclose an individual’s PHI to its contractors or providers,
and may allow its contractors or providers to create or receive an individual’s
PHI on behalf of the Department under a contract or agreement that complies with
applicable federal and state law. In some limited circumstances, the Department
may determine that the Department is a business associate of a covered entity. A
business associate relationship with the Department requires additional contractual
disclosure and privacy provisions that must be incorporated into the contract pursuant
to 45 CFR part 164.504(e)(1).
(3) A contract with a business
associate must comply with OAR 125-055-0100 to 125-055-0130 and the qualified service
organization requirements in 42 CFR part 2.11.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010

Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0050 by DHSD 5-2009, f. & cert. ef.
7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011,
f. & cert. ef. 12-16-11
407-014-0060
Uses and Disclosures
of Protected Information for Research Purposes
The Department may use and disclose
an individual’s information for research purposes as specified in this rule.
(1) All research disclosures
are subject to applicable requirements of federal and state laws and rules including
but not limited to 45 CFR part 46 and 21 CFR part 50.0 to 50.56, relating to the
protection of human research subjects.
(2) The Department may use and
disclose de-identified information or a limited data set for research purposes,
pursuant to OAR 407-014-0070.
(3) The Department may use and
disclose information regarding an individual for research purposes with the specific
written authorization of the individual. The authorization must meet all requirements
in OAR 407-014-0030, and may indicate an expiration date with terms such as “end
of research study” or similar language. An authorization for use and disclosure
for a research study may be combined with other types of written authorization for
the same research study. If research includes treatment, the researcher may require
an authorization for use and disclosure for the research as a provision of providing
research related treatment.
(4) Notwithstanding section
(3) of this rule, the Department may use and disclose an individual’s information
for research purposes without the individual’s written authorization, regardless
of the source of funding for the research, provided that:
(a) The Department obtains documentation
that a waiver of an individual’s authorization for release of information
requirements has been approved by an IRB registered with the Office for Human Research
Protection. Documentation required of an IRB when granting approval of a waiver
of an individual’s authorization for release of information must include all
criteria specified in 45 CFR part 164.512(i)(2).
(b) A researcher may request
access to individual information maintained by the Department in preparation for
research or to facilitate the development of a research protocol in anticipation
of research. The Department may determine whether to permit such use or disclosure,
without individual authorization or use of an IRB, pursuant to 45 CFR part 164.512(i)(1)(ii).
(c) A researcher may request
access to individual information maintained by the Department about deceased individuals.
The Department may determine whether to permit such use or disclosure of information
about decedents, without individual authorization or use of an IRB, pursuant to
45 CFR part 164.512(i)(1)(iii).
(5) The Department may collect,
use, or disclose information, without individual authorization, to the extent that
the collection, use, or disclosure is required by law. When the Department uses
information to conduct studies as required by law, no additional individual authorization
is required nor does this rule require an IRB or privacy board waiver of authorization
based on the HIPAA privacy rules.
(6) The Department may use and
disclose information without individual authorization for studies and data analysis
conducted for the Department’s own quality assurance purposes or to comply
with reporting requirements applicable to federal or state funding requirements
in accordance with the definition of “health care operations” in 45
CFR part 164.501.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010

Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0060 by DHSD 5-2009, f. & cert. ef.
7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011,
f. & cert. ef. 12-16-11
407-014-0070
De-identification of
Client Information and Use of Limited Data Sets under Data Use Agreements
(1) The Department may use and
disclose information as appropriate for the work of the Department, without further
restriction, if the Department or another entity has taken steps to de-identify
the information pursuant to 45 CFR part 164.514(a) and (b).
(2) The Department may assign
a code or other means of record identification to allow the Department to re-identify
the de-identified information provided that:
(a) The code or other means
of record identification is not derived from or related to information about the
individual and cannot otherwise be translated to identify the individual; and
(b) The Department does not
use or disclose the code or other means of record identification for any other purpose,
and does not disclose the mechanism for re-identification.
(3) The Department may use and
disclose a limited data set if the Department enters into a data use agreement with
an entity requesting or providing the Department with a limited data set subject
to the requirements of 45 CFR part 164.514(e).
(a) The Department may use and
disclose a limited data set for the purposes of research. The Department may use
a limited data set for its own activities or operations if the Department has obtained
a limited data set that is subject to a data use agreement.
(b) If the Department knows
of a pattern of activity or practice of a limited data set recipient that constitutes
a material breach or violation of a data use agreement, the Department shall take
reasonable steps to cure the breach or end the violation. If such steps are unsuccessful,
the Department shall discontinue disclosure of information to the recipient and
report the problem to the appropriate authority.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 409.010

Hist.: OMAP 26-2003, f. 3-31-03
cert. ef. 4-1-03; Renumbered from 410-014-0070 by DHSD 5-2009, f. & cert. ef.
7-1-09; DHSD 2-2011(Temp), f. & cert. ef. 7-1-11 thru 12-27-11; DHSD 11-2011,
f. & cert. ef. 12-16-11
Confidentiality and Mediation Communications

407-014-0200
Confidentiality and Inadmissibility of Mediation Communications
(1) The words and phrases used in this rule have the same meaning as given to them in ORS 36.110 and 36.234.
(2) Nothing in this rule affects any confidentiality created by other law. Nothing in this rule relieves a public body from complying with the Public Meetings Law, ORS 192.610 to 192.690. Whether or not they are confidential under this or other rules of the agency, mediation communications are exempt from disclosure under the Public Records Law to the extent provided in ORS 192.410 to 192.505.
(3) This rule applies only to mediations in which the agency is a party or is mediating a dispute as to which the agency has regulatory authority. This rule does not apply when the agency is acting as the "mediator" in a matter in which the agency also is a party as defined in ORS 36.234.
(4) To the extent mediation communications would otherwise be compromise negotiations under ORS 40.190 (OEC Rule 408), those mediation communications are not admissible as provided in ORS 40.190 (OEC Rule 408), notwithstanding any provisions to the contrary in section (9) of this rule.
(5) Mediations Excluded. Sections (6)-(10) of this rule do not apply to:
(a) Mediation of workplace interpersonal disputes involving the interpersonal relationships between this agency's employees, officials or employees and officials, unless a formal grievance under a labor contract, a tort claim notice or a lawsuit has been filed; or
(b) Mediation in which the person acting as the mediator will also act as the hearings officer in a contested case involving some or all of the same matters;
(c) Mediation in which the only parties are public bodies;
(d) Mediation involving two or more public bodies and a private party if the laws, rules or policies governing mediation confidentiality for at least one of the public bodies provide that mediation communications in the mediation are not confidential;
(e) Mediation involving 15 or more parties if the agency has designated that another mediation confidentiality rule adopted by the agency may apply to that mediation.
(6) Disclosures by Mediator. A mediator may not disclose or be compelled to disclose mediation communications in a mediation and, if disclosed, such communications may not be introduced into evidence in any subsequent administrative, judicial or arbitration proceeding unless:
(a) All the parties to the mediation and the mediator agree in writing to the disclosure; or
(b) The mediation communication may be disclosed or introduced into evidence in a subsequent proceeding as provided in subsections (c)-(d), (j)-(l) or (o)-(p) of section (9) of this rule; or
(c) The mediation communication includes information related to the health or safety of any child, then the mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child.
(d) The mediation communication includes information relating to suffering by or commission of abuse upon certain persons and that information would otherwise be required to be reported by a public or private official under the provisions of ORS 124.060 (person 65 years of age or older), 430.765 (1) and (2) (person who is mentally ill or developmentally disabled who is 18 years of age or older and receives services from a community program or facility) or 441.640 (person who is a resident in a long-term care facility), in which case that portion of the mediation communication may be disclosed as required by statute.
(7) Confidentiality and Inadmissibility of Mediation Communications. Except as provided in sections (8)-(9) of this rule, mediation communications are confidential and may not be disclosed to any other person, are not admissible in any subsequent administrative, judicial or arbitration proceeding and may not be disclosed during testimony in, or during any discovery conducted as part of a subsequent proceeding, or introduced as evidence by the parties or the mediator in any subsequent proceeding.
(8) Written Agreement. Section (7) of this rule does not apply to a mediation unless the parties to the mediation agree in writing, as provided in this section, that the mediation communications in the mediation will be confidential and/or nondiscoverable and inadmissible. If the mediator is the employee of and acting on behalf of a state agency, the mediator or an authorized agency representative must also sign the agreement. The parties' agreement to participate in a confidential mediation must be in substantially the following form. This form may be used separately or incorporated into an "agreement to mediate." [Form not included. See ED. NOTE.]
(9) Exceptions to confidentiality and inadmissibility.
(a) Any statements, memoranda, work products, documents and other materials, otherwise subject to discovery that were not prepared specifically for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding.
(b) Any mediation communications that are public records, as defined in ORS 192.410(4), and were not specifically prepared for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential or privileged under state or federal law.
(c) A mediation communication is not confidential and may be disclosed by any person receiving the communication to the extent that person reasonably believes that disclosing the communication is necessary to prevent the commission of a crime that is likely to result in death or bodily injury to any person. A mediation communication is not confidential and may be disclosed in a subsequent proceeding to the extent its disclosure may further the investigation or prosecution of a felony crime involving physical violence to a person.
(d) Any mediation communication related to the conduct of a licensed professional that is made to or in the presence of a person who, as a condition of his or her professional license, is obligated to report such communication by law or court rule is not confidential and may be disclosed to the extent necessary to make such a report.
(e) The parties to the mediation may agree in writing that all or part of the mediation communications are not confidential or that all or part of the mediation communications may be disclosed and may be introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential, privileged or otherwise prohibited from disclosure under state or federal law.
(f) A party to the mediation may disclose confidential mediation communications to a person if the party's communication with that person is privileged under ORS chapter 40 or other provision of law. A party to the mediation may disclose confidential mediation communications to a person for the purpose of obtaining advice concerning the subject matter of the mediation, if all the parties agree.
(g) An employee of the agency may disclose confidential mediation communications to another agency employee so long as the disclosure is necessary to conduct authorized activities of the agency. An employee receiving a confidential mediation communication under this subsection is bound by the same confidentiality requirements as apply to the parties to the mediation.
(h) A written mediation communication may be disclosed or introduced as evidence in a subsequent proceeding at the discretion of the party who prepared the communication so long as the communication is not otherwise confidential under state or federal law and does not contain confidential information from the mediator or another party who does not agree to the disclosure.
(i) In any proceeding to enforce, modify or set aside a mediation agreement, a party to the mediation may disclose mediation communications and such communications may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of mediation communications or agreements to persons other than the parties to the agreement.
(j) In an action for damages or other relief between a party to the mediation and a mediator or mediation program, mediation communications are not confidential and may be disclosed and may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of the mediation communications or agreements.
(k) When a mediation is conducted as part of the negotiation of a collective bargaining agreement, the following mediation communications are not confidential and such communications may be introduced into evidence in a subsequent administrative, judicial or arbitration proceeding:
(A) A request for mediation; or
(B) A communication from the Employment Relations Board Conciliation Service establishing the time and place of mediation; or
(C) A final offer submitted by the parties to the mediator pursuant to ORS 243.712; or
(D) A strike notice submitted to the Employment Relations Board.
(l) To the extent a mediation communication contains information the substance of which is required to be disclosed by Oregon statute, other than ORS 192.410 to 192.505, that portion of the communication may be disclosed as required by statute.
(m) Written mediation communications prepared by or for the agency or its attorney are not confidential and may be disclosed and may be introduced as evidence in any subsequent administrative, judicial or arbitration proceeding to the extent the communication does not contain confidential information from the mediator or another party, except for those written mediation communications that are:
(A) Attorney-client privileged communications so long as they have been disclosed to no one other than the mediator in the course of the mediation or to persons as to whom disclosure of the communication would not waive the privilege; or
(B) Attorney work product prepared in anticipation of litigation or for trial; or
(C) Prepared exclusively for the mediator or in a caucus session and not given to another party in the mediation other than a state agency; or
(D) Prepared in response to the written request of the mediator for specific documents or information and given to another party in the mediation; or
(E) Settlement concepts or proposals, shared with the mediator or other parties.
(n) A mediation communication made to the agency may be disclosed and may be admitted into evidence to the extent the Agency Director, Division Administrator or designee determines that disclosure of the communication is necessary to prevent or mitigate a serious danger to the public's health or safety, and the communication is not otherwise confidential or privileged under state or federal law.
(o) The terms of any mediation agreement are not confidential and may be introduced as evidence in a subsequent proceeding, except to the extent the terms of the agreement are exempt from disclosure under ORS 192.410 to 192.505, a court has ordered the terms to be confidential under ORS 17.095 or state or federal law requires the terms to be confidential.
(p) The mediator may report the disposition of a mediation to the agency at the conclusion of the mediation so long as the report does not disclose specific confidential mediation communications. The agency or the mediator may use or disclose confidential mediation communications for research, training or educational purposes, subject to the provisions of ORS 36.232(4).
(q) The mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child or person 65 years of age or older, person who is mentally ill or developmentally disabled and receives services from a community program or facility as defined in ORS 430.735 or person who is a resident of a long-term care facility.
(10) When a mediation is subject to section (7) of this rule, the agency will provide to all parties to the mediation and the mediator a copy of this rule or a citation to the rule and an explanation of where a copy of the rule may be obtained. Violation of this provision does not waive confidentiality or inadmissibility.
[ED. NOTE: Forms referenced are available from the agency.]
Stat. Authority: ORS 409.050

Stats. Implemented: ORS 36.224, 36.228, 36.230, 36.232 & 36.234

Hist.: OMAP 8-1999, f. & cert. ef. 3-1-99; Renumbered from 410-006-0011, DHSD 6-2007, f. 6-29-07, cert. ef. 7-1-07
407-014-0205
Confidentiality and Inadmissibility of Workplace Interpersonal Dispute Mediation Communications
(1) This rule applies to workplace interpersonal disputes, which are disputes involving the interpersonal relationships between this agency's employees, officials or employees and officials. This rule does not apply to disputes involving the negotiation of labor contracts or matters about which a formal grievance under a labor contract, a tort claim notice or a lawsuit has been filed.
(2) The words and phrases used in this rule have the same meaning as given to them in ORS 36.110 and 36.234.
(3) Nothing in this rule affects any confidentiality created by other law.
(4) To the extent mediation communications would otherwise be compromise negotiations under ORS 40.190 (OEC Rule 408), those mediation communications are not admissible as provided in ORS 40.190 (OEC Rule 408), notwithstanding any provisions to the contrary in section (9) of this rule.
(5) Disclosures by Mediator. A mediator may not disclose or be compelled to disclose mediation communications in a mediation and, if disclosed, such communications may not be introduced into evidence in any subsequent administrative, judicial or arbitration proceeding unless:
(a) All the parties to the mediation and the mediator agree in writing to the disclosure; or
(b) The mediation communication may be disclosed or introduced into evidence in a subsequent proceeding as provided in subsections (c) or (h)-(j) of section (7) of this rule; or
(c) The mediation communication includes information related to the health or safety of any child, then the mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child.
(d) The mediation communication includes information relating to suffering by or commission of abuse upon certain persons and that information would otherwise be required to be reported by a public or private official under the provisions of ORS 124.060 (person 65 years of age or older), 430.765 (1) and (2) (person who is mentally ill or developmentally disabled who is 18 years of age or older and receives services from a community program or facility) or 441.640 (person who is a resident in a long-term care facility), in which case that portion of the mediation communication may be disclosed as required by statute.
(6) Confidentiality and Inadmissibility of Mediation Communications. Except as provided in section (7) of this rule, mediation communications in mediations involving workplace interpersonal disputes are confidential and may not be disclosed to any other person, are not admissible in any subsequent administrative, judicial or arbitration proceeding and may not be disclosed during testimony in, or during any discovery conducted as part of a subsequent proceeding, or introduced into evidence by the parties or the mediator in any subsequent proceeding so long as:
(a) The parties to the mediation and the agency have agreed in writing to the confidentiality of the mediation; and
(b) The person agreeing to the confidentiality of the mediation on behalf of the agency:
(A) Is neither a party to the dispute nor the mediator; and
(B) Is designated by the agency to authorize confidentiality for the mediation; and
(C) Is at the same or higher level in the agency than any of the parties to the mediation or who is a person with responsibility for human resources or personnel matters in the agency, unless the agency head or member of the governing board is one of the persons involved in the interpersonal dispute, in which case the Governor or the Governor's designee.
(7) Exceptions to confidentiality and inadmissibility.
(a) Any statements, memoranda, work products, documents and other materials, otherwise subject to discovery that were not prepared specifically for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding.
(b) Any mediation communications that are public records, as defined in ORS 192.410(4), and were not specifically prepared for use in the mediation are not confidential and may be disclosed or introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential or privileged under state or federal law.
(c) A mediation communication is not confidential and may be disclosed by any person receiving the communication to the extent that person reasonably believes that disclosing the communication is necessary to prevent the commission of a crime that is likely to result in death or bodily injury to any person. A mediation communication is not confidential and may be disclosed in a subsequent proceeding to the extent its disclosure may further the investigation or prosecution of a felony crime involving physical violence to a person.
(d) The parties to the mediation may agree in writing that all or part of the mediation communications are not confidential or that all or part of the mediation communications may be disclosed and may be introduced into evidence in a subsequent proceeding unless the substance of the communication is confidential, privileged or otherwise prohibited from disclosure under state or federal law.
(e) A party to the mediation may disclose confidential mediation communications to a person if the party's communication with that person is privileged under ORS chapter 40 or other provision of law. A party to the mediation may disclose confidential mediation communications to a person for the purpose of obtaining advice concerning the subject matter of the mediation, if all the parties agree.
(f) A written mediation communication may be disclosed or introduced as evidence in a subsequent proceeding at the discretion of the party who prepared the communication so long as the communication is not otherwise confidential under state or federal law and does not contain confidential information from the mediator or another party who does not agree to the disclosure.
(g) In any proceeding to enforce, modify or set aside a mediation agreement, a party to the mediation may disclose mediation communications and such communications may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of mediation communications or agreements to persons other than the parties to the agreement.
(h) In an action for damages or other relief between a party to the mediation and a mediator or mediation program, mediation communications are not confidential and may be disclosed and may be introduced as evidence to the extent necessary to prosecute or defend the matter. At the request of a party, the court may seal any part of the record of the proceeding to prevent further disclosure of the mediation communications or agreements.
(i) To the extent a mediation communication contains information the substance of which is required to be disclosed by Oregon statute, other than ORS 192.410 to 192.505, that portion of the communication may be disclosed as required by statute.
(j) The mediator may report the disposition of a mediation to the agency at the conclusion of the mediation so long as the report does not disclose specific confidential mediation communications. The agency or the mediator may use or disclose confidential mediation communications for research, training or educational purposes, subject to the provisions of ORS 36.232(4).
(k) The mediation communication may be disclosed and may be admitted into evidence in a subsequent proceeding to the extent the disclosure is necessary to prevent or mitigate a threat or danger to the health or safety of any child or person 65 years of age or older, person who is mentally ill or developmentally disabled and receives services from a community program or facility as defined in ORS 430.735 or person who is a resident of a long-term care facility.
(8) The terms of any agreement arising out of the mediation of a workplace interpersonal dispute are confidential so long as the parties and the agency so agree in writing. Any term of an agreement that requires an expenditure of public funds, other than expenditures of $1,000 or less for employee training, employee counseling or purchases of equipment that remain the property of the agency, may not be made confidential.
(9) When a mediation is subject to section (6) of this rule, the agency will provide to all parties to the mediation and to the mediator a copy of this rule or an explanation of where a copy may be obtained. Violation of this provision does not waive confidentiality or inadmissibility.
Stat. Authority: ORS 409.050

Stats. Implemented: ORS 36.224, 36.228, 36.230, 36.232 & 36.234

Hist.: OMAP 8-1999, f. & cert. ef. 3-1-99; Renumbered from 410-006-0021, DHSD 6-2007, f. 6-29-07, cert. ef. 7-1-07

Access Control

407-014-0300
Scope
These rules (OAR 407-014-0300
to 407-014-0320) apply to an organization or individual seeking or receiving access
to Department information assets or network and information systems for the purpose
of carrying out a business transaction between the Department and the user.
(1) These rules are intended
to complement, and not supersede, access control or security requirements in the
Department’s Electronic Data Transmission rules, OAR 407-120-0100 to 407-120-0200,
and whichever rule is more specific shall control.
(2) The confidentiality of specific
information and the conditions for use and disclosure of specific information are
governed by other laws and rules, including but not limited to the Department’s
rules for the privacy of protected information, OAR 407-014-0000 to 407-014-0070.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 182.122

Hist.: DHSD 14-2007, f. 12-31-07,
cert. ef. 1-1-08; DHSD 6-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; DHSD
1-2012, f. & cert. ef. 2-1-12
407-014-0305
Definitions
For purpose of these rules,
the following terms have definitions set forth below. All other terms not defined
in this section shall have the meaning used in the Health Insurance Portability
and Accountability Act (HIPAA) security rules found at 45 CFR § 164.304:
(1) “Access” means
the ability or the means necessary to read, communicate, or otherwise use any Department
information asset.
(2) “Access control process”
means Department forms and processes used to authorize a user, identify their job
assignment, and determine the required access.
(3) “Client records”
means any client, applicant, or participant information regardless of the media
or source, provided by the Department to the user, or exchanged between the Department
and the user.
(4) “Department”
means the Department of Human Services.
(5) “Incident” means
the attempted or successful unauthorized access, use, disclosure, modification,
or destruction of any network and information system or Department information asset
including but not limited to unauthorized disclosure of information, failure to
protect user’s identification (ID) provided by the Department, or theft of
computer equipment that uses or stores any Department information asset.
(6) “Information asset”
means any information, also known as data, provided through the Department, regardless
of the source or media, which requires measures for security and privacy of the
information.
(7) “Network and information
system” means the State of Oregon’s computer infrastructure which provides
personal communications, client records and other sensitive information assets,
regional, wide area and local area networks, and the internetworking of various
types of networks on behalf of the Department.
(8) “Organization”
means any entity authorized by the Department to access a network and information
system or information asset.
(9) “User” means any
individual authorized by the Department to access a network and information system
or information asset.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 182.122

Hist.: DHSD 14-2007, f. 12-31-07,
cert. ef. 1-1-08; DHSD 6-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; DHSD
1-2012, f. & cert. ef. 2-1-12
407-014-0310
Information Access
The organization or user shall
utilize the Department access control process for all requested and approved access.
The Department shall notify the user of each approval or denial. When approved,
the Department shall provide the user with a unique login identifier to access the
network and information system or information asset. The Department may authorize
the use of a generic login identifier.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 182.122

Hist.: DHSD 14-2007, f. 12-31-07,
cert. ef. 1-1-08; DHSD 6-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; DHSD
1-2012, f. & cert. ef. 2-1-12
407-014-0315
Security of Information Assets
(1) No organization or user
shall access an information asset for any purpose other than that specifically authorized
by the Department access control process.
(2) Except as specified or approved
by the Department, no organization or user shall alter, delete, or destroy any information
asset.
(3) The organization shall prohibit
unauthorized access by their staff, contractors, agents, or others to the network
and information systems or Department information assets, and shall implement safeguards
to prevent unauthorized access in accordance with section (4) of this rule.
(4) The organization shall develop
a security risk management plan. The organization shall ensure that the plan includes
but is not limited to the following:
(a) Administrative, technical,
and physical safeguards commonly found in the International Standards Organization
27002: 2005 security standard or National Institute of Standards and Technology
(NIST) 800 Series.
(b) Standards established in
accordance with HIPAA security rules, 45 CFR Parts 160 and 164, applicable to an
organization or user regarding the security and privacy of a client record, any
information asset, or network and information system.
(c) The organization’s
privacy and security policies.
(d) Controls and safeguards
that address the security of equipment and storage of any information asset accessed
to prevent inadvertent destruction, disclosure, or loss.
(e) Controls and safeguards
that ensure the security of an information asset, regardless of the media, as identified
below:
(A) The user keeps Department-assigned
access control requirements such as identification of authorized users and access
control information (passwords and personal identification numbers (PINs)), in a
secure location until access is terminated;
(B) Upon request of the Department,
the organization makes available all information about the user’s use or application
of the access controlled network and information system or information asset; and
(C) The organization or user
ensures the proper handling, storage, and disposal of any information asset obtained
or reproduced and, when the authorized use of that information ends, is consistent
with any applicable record retention requirements.
(f) Existing security plans
developed to address other regulatory requirements, such as Sarbanes-Oxley Act of
2002 (PL 107-204), Title V of Gramm Leach Bliley Act of 1999, and Statement on Auditing
Standards (SAS) number 70, will be deemed acceptable as long as they address the
above requirements.
(5) The Department may request
additional information related to the organization’s security measures.
(6) The organization or user
must immediately notify the Department when access is no longer required and immediately
cease access to or use of all information assets or network and information systems.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 182.122

Hist.: DHSD 14-2007, f. 12-31-07,
cert. ef. 1-1-08; DHSD 6-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; DHSD
1-2012, f. & cert. ef. 2-1-12
407-014-0320
User Responsibility
The organization or user shall
not make any root level changes to any Department or State of Oregon network and
information system. The Department recognizes that some application users have root
level access to certain functions to allow the user to diagnose problems (such as
startup or shutdown operations, disk layouts, user additions, deletions or modifications,
or other operation) that require root privileges. This access does not give the
user the right to make any changes normally restricted to root without explicit,
written permission from the Department.
(1) Use and disclosure of any
Department information asset is strictly limited to the minimum information necessary
to perform the requested and authorized service.
(2) The organization shall have
established privacy and security measures that meet or exceed the standards set
forth in the Department’s privacy and information security policies, available
from the Department, regarding the disclosure of an information asset.
(3) The organization or user
shall comply with all security and privacy federal and state laws, rules, and regulations
applicable to the access granted.
(4) The organization shall make
the security risk plan available to the Department for review upon request.
(5) The organization or user
shall report to the Department all privacy or security incidents by the user that
compromise, damage, or cause a loss of protection to Department information assets
or network and information systems. The incident report shall be made no later than
five business days from the date on which the user becomes aware of such incident.
The user shall provide the Department a written report which must include the results
of the incident assessment findings and resolution strategies.
(6) Wrongful use of a network
and information system or wrongful use or disclosure of a Department information
asset by the organization or user may cause the immediate suspension or revocation
of any access granted at the sole discretion of the Department without advance notice.
(7) The organization or user
shall comply with the Department’s request for corrective action concerning
a privacy or security incident and with laws requiring mitigation of harm caused
by the unauthorized use or disclosure of confidential information, if any.
Stat. Auth.: ORS 409.050

Stats. Implemented: ORS 182.122

Hist.: DHSD 14-2007, f. 12-31-07,
cert. ef. 1-1-08; DHSD 6-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; DHSD
1-2012, f. & cert. ef. 2-1-12

The official copy of an Oregon Administrative Rule is
contained in the Administrative Order filed at the Archives Division,
800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the
published version are satisfied in favor of the Administrative Order.
The Oregon Administrative Rules and the Oregon Bulletin are
copyrighted by the Oregon Secretary of State.