Okla. Admin. Code § 260:45-3-3

Current through Vol. 42, No. 4, November 1, 2024
Section 260:45-3-3 - Participating entities/business associate protection of confidential health Information
(a) The participating entity/business associate may only use and disclose the member's health information for the purposes of a member's treatment, to facilitate payment for Plan benefits or for participating entity/business associate business operations on behalf of the member. The participating entity/business associate may not use or further disclose a member's health information other than permitted by EGID rules or described in a written contract between EGID and the participating entity/business associate.
(b) Participating entities/business associates shall protect a member's confidential health information according to the following guidelines. Participating entity/business associate shall:
(1) not use or disclose a member's health information other than permitted in these rules; described in a written contract with EGID or required by law,
(2) ensure that subcontractors or agents of the participating entity/business associate maintain confidentiality of any health information provided to its subcontractors or agents,
(3) not use or disclose confidential health information for employment related actions concerning the member, unless required by law,
(4) notify EGID within five [5] working days when the participating entity/business associate becomes aware of any use or disclosure of a member's health information that is inconsistent with this rule and make an accounting of these disclosures available for EGID and each member,
(5) allow a member to access and review health information on file with the participating entity/business associate and submit amending statements for inclusion in their health information file,
(6) establish procedures to protect a member's health information and account for disclosures not authorized by these rules,
(7) identify the participating entity/business associate employees who may access a member's health information and restrict access to those persons,
(8) return to EGID or destroy a member's health information when no longer required by the participating entity/business associate, and if not feasible, limit the use or disclosure to the required purposes,
(9) ensure that proper security is in place to protect electronically stored health information and
(10) make internal practices, books and records concerning uses and disclosures of protected health information available for inspection by the appropriate authority. A written contract between EGID and participating entity/business associate shall not limit the participating entity/business associate protection of a member's health information to an extent less than described in this rule.

Adopted by Oklahoma Register, Volume 31, Issue 24, September 2, 2014, eff. 9/12/2014