Current through Register Vol. 63, No. 9, September 1, 2024
(1) This rule is intended to comply with
federal requirements of the Health Insurance Portability and Accountability Act
of 1996 (HIPAA) and the HIPAA Privacy Rules in 45 CFR Parts 160 and 164 to
protect the privacy of Protected Health Information. This rule should be
construed to implement and not to alter the requirements of
45 CFR § 164.512(e).
(2) For purposes of this rule, and consistent
with the terms in the HIPAA Privacy Rules in 45 CFR Parts 160 and 164:
(a) An "administrative tribunal" is an
administrative law judge who conducts a contested case hearing on behalf of the
department.
(b) A "covered entity" includes the following entities, as further defined in
the HIPAA Privacy Rules:
(A) A Health Insurer or the Medicaid program;
(B) A Health Care Clearinghouse; or
(C) A Health Care Provider that transmits any Individually Identifiable Health
Information using Electronic Transactions covered by HIPAA.
(c) "Protected health information" means individually identifiable health
information:
(A) Except as provided in
paragraphs (B) of this subsection, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(B) Protected health information excludes
individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy
Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered
entity in its role as employer; and
(iv) Regarding a person who has been deceased
for more than 50 years.
(d) A "qualified protective order (QPO)" is
an order of the administrative tribunal that:
(A) Prohibits the use or disclosure of
protected health information by the administrative law judge, the department or
a party for any purpose other than the contested case proceeding or judicial
review of the contested case proceeding;
(B) Requires that all copies of the protected
health information be returned to the covered entity or destroyed at the
conclusion of the contested case proceeding, or judicial review of the
contested case proceeding, whichever is later; and
(C) Includes such additional terms and
conditions as may be appropriate to comply with federal or state
confidentiality requirements that apply to the protected health
information.
(3) An administrative tribunal may issue a
QPO at the request of a party, a covered entity, an individual, or the
department.
(a) A request for a QPO may be
accompanied by a copy of a subpoena, discovery request, or other lawful process
that requests protected health information from a covered entity.
(b) If the individual has signed an
authorization permitting disclosure of the protected health information for
purposes of the contested case proceeding, the administrative tribunal need not
issue a QPO.
(4) The provisions of this rule do not supersede any other applicable
provisions of the HIPAA Privacy Rules that otherwise permit or restrict uses or
disclosure of protected health information without the use of a QPO.
Statutory/Other Authority: ORS 657B.340 & 183.341
Statutes/Other Implemented: ORS 657B.410 & 183.341