Okla. Admin. Code § 340:2-8-2

Current through Vol. 42, No. 7, December 16, 2024
Section 340:2-8-2 - Definitions

The following words and terms, when used in this Subchapter shall have the following meanings, unless the context clearly indicates otherwise:

"Authorization" means, per Section 164.508(c) of Title 45 of the Code of Federal Regulations ( 45 C.F.R. § 164.508(c)) , a document that contains:

(A) a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

(B) the name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure;

(C) the name or other specific identification of the person(s) or class of persons to whom the Oklahoma Department of Human Services DHS may make the requested use or disclosure;

(D) a description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not or, elects not to provide, a statement of the purpose;

(E) an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient when the authorization is for a use or disclosure of protected health information (PHI) for research, including the creation and maintenance of a research database or research repository;

(F) the individual's signature and date. When the authorization is signed by the individual's personal representative, a description of the representative's authority to act for the individual must be provided; and

(G) the individual's right to revoke the authorization in writing.

"Covered function" means, per 45 C.F.R. § 164.103, a covered entity function of which the performance makes the entity a health plan, health care provider, or health care clearinghouse. Determination of SoonerCare (Medicaid) eligibility and coverage are DHS-covered functions.

"Disclosure" means, per 45 C.F.R. § 160.103, the PHI release to another entity or individual.

"Health care component" means, per 45 C.F.R. § 164.103, a component or combination of components of a hybrid entity designated by a hybrid entity, per 45 C.F.R. § 164.105(a)(2)(iii)(D).

"Health care operations" means, per 45 C.F.R. § 164.501, certain administrative, financial, legal, and quality improvement activities that are necessary to run and support an organization's core treatment and payment functions. Some common activities include quality assessment activities, case management, care coordination, and fraud and abuse investigations.

"Health information" means, per 45 C.F.R. § 160.103, any information including genetic information, whether verbalized or recorded in any form or medium that:

(A) is created or received by a health care plan, health care provider, health care clearinghouse, public health authority, employer, life insurer, or school or university; and

(B) relates to the past, present, or future:

(i) physical or mental health or condition of an individual;

(ii) provision of health care to an individual; or

(iii) payment for the provision of health care to an individual.

"Hybrid entity" means, per 45 C.F.R. § 164.103, a single legal entity:

(A) that is a covered entity;

(B) whose business activities include both covered- and non-covered functions; and

(C) that designates health care components, per 45 C.F.R. § 164.105(a)(2)(iii)(D).

"Individually identifiable health information" means, per 45 C.F.R. § 160.103, information that is a subset of health information, including demographic information collected from an individual, and:

(A) is created or received by a health plan, health care provider, health care clearinghouse, or employer;

(B) relates to the past, present, or future:

(i) physical or mental health or condition of an individual;

(ii) provision of health care to an individual; or

(iii) payment for the provision of health care to an individual; and

(C) identifies the individual or there is a reasonable basis to believe the information can be used to identify him or her.

"Payment" means, per 45 C.F.R. § 164.501, the activities undertaken by a:

(A) health plan or health care provider to obtain or provide reimbursement for the provision of health care; or

(B) health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, except as prohibited, per 45 C.F.R. § 164.502(a)(5)(i).

"Personal representative" means, per 45 C.F.R. § 164.502, an individual, who:

(A) is a parent, legal guardian, or legal custodian appointed by a court;

(B) has the authority to act on behalf of a deceased individual or his or her estate;

(C) is given authority to act on behalf of an individual with regard to health care through a power of attorney, medical directive, or guardianship; or

(D) is designated by an adult as his or her personal representative with regard to health care. A personal representative is treated the same as the client is treated.

"Privacy notice" means, per 45 C.F.R. § 164.520(b), a form that notifies an individual:

(A) how DHS handles his or her health information; and

(B) what his or her rights are regarding protected health information.

"Protected health information (PHI)" means, per 45 C.F.R. § 160.103, any health-related information that is used to individually identify a person by virtue of its containing one or more individual identifiers, such as name, Social Security number, phone number, case number, or postal Zip code, and applies to information transmitted or maintained in any form or medium, including electronic, paper, or verbal.

"Treatment" means, per 45 C.F.R. § 164.501, the provision, coordination, or management of health care and related services. This includes consultation between health care providers regarding a client or the referral of a client from one health care provider to another.

"Use" means with respect to PHI, per 45 C.F.R. § 160.103, the sharing, employment, application, utilization, examination, or analysis of information within an entity that maintains such information.

Okla. Admin. Code § 340:2-8-2

Added at 20 Ok Reg 2907, eff 8-21-03 (emergency); Added at 21 Ok Reg 784, eff 4-26-04
Amended by Oklahoma Register, Volume 36, Issue 24, September 3, 2019, eff. 9/16/2019