Or. Admin. Code § 333-023-0820

Current through Register Vol. 63, No. 12, December 1, 2024
Section 333-023-0820 - Information Access
(1) System Access. Only the following individuals or entities may access the system:
(a) Practitioners and pharmacists authorized to prescribe or dispense controlled substances;
(b) Delegates of practitioners or pharmacists;
(c) Designated representatives of the Authority and any vendor contracted to establish or maintain the system;
(d) State Medical Examiner and designees of the State Medical Examiner; or
(e) Medical, dental, and pharmacy directors.
(2) All entities or individuals who request access from the Authority for the creation of user accounts shall agree to terms and conditions of use of the system.
(3) All delegates must be authorized by a practitioner or pharmacist with an active system account.
(4) The Authority shall monitor the system for unusual and potentially unauthorized use. When such use is detected, the user account shall be immediately deactivated.
(5) The vendor, a practitioner, a medical director, a dental director, a pharmacy director, a pharmacist, a pharmacy, or an approved entity shall report to the Authority within 24 hours any suspected breach of the system or unauthorized access.
(6) When the Authority is informed of any suspected breach of the system or unauthorized access, the Authority shall notify the Authority's Information Security Office and investigate.
(7) If patient data is determined to have been breached or accessed without proper authorization, the Authority shall notify all affected patients, the Attorney General, and the applicable health professional regulatory board as soon as possible but no later than 30 days from the date of the final determination that a breach or unauthorized access occurred. Notice shall be made by first class mail to a patient or a patient's next of kin if the patient is deceased. The notice shall include:
(a) The date the breach or unauthorized access was discovered and the date the Authority believes the breach or unauthorized access occurred;
(b) The data that was breached or accessed without proper authorization;
(c) Steps the individual can take to protect him or herself from identity or medical identity theft;
(d) Mitigation steps taken by the Authority; and
(e) Steps the Authority will take to reasonably ensure such a breach does not occur in the future.
(8) Practitioner, Pharmacist, Medical Director, Dental Director, Pharmacy Director, and Delegate Access. A practitioner, pharmacist, medical director, pharmacy director, or delegate who chooses to request access to the system shall apply for a user account as follows:
(a) Complete and submit an application provided by the Authority that includes identifying information and credentials; and
(b) Agree to terms and conditions of use of the system that defines the limits of access, allowable use of patient information, and penalties for misuse of the system.
(9) State Medical Examiner Access. The State Medical Examiner or his or her designee shall apply for a user account as required in section (8) of this rule and indicate their license type as Medical Examiner. For purposes of ORS 431A.865 and these rules, a designee of the State Medical Examiner is an individual who has authority to conduct a medicolegal investigation or autopsy on behalf of the State Medical Examiner under ORS chapter 146.
(10) The Authority shall compare the licensure requirements between Oregon practitioners and similarly licensed professionals in California, Idaho, and Washington. The Authority's determination of similar licensure requirements shall be based upon scope of practice and formulary.
(11) The Authority shall review each application to authenticate before granting approval of a new account.
(12) If the Authority learns that an applicant has provided inaccurate or false information on an application, the Authority shall deny access to the system or terminate access to the system if access has already been established. The Authority may send written notification to the appropriate health professional regulatory board or oversight entity.
(13) A practitioner or pharmacist who is an authorized system user shall notify the Authority when his or her license or DEA registration has been limited, revoked, or voluntarily retired. A practitioner or pharmacist who changes or terminates employment shall notify the Authority of that change.
(14) When the Authority learns that a practitioner or pharmacist's license has been limited or revoked, the Authority shall deny further access to the system.
(15) When a delegate for any reason is no longer authorized as a delegate by a practitioner or pharmacist, the practitioner or pharmacist shall revoke the delegation and notify the Authority.
(16) When the account of a delegate is inactive for more than six months, the account shall be deactivated by the Authority.
(17) When for any reason access of a designee of the State Medical Examiner must be revoked, the State Medical Examiner shall notify the Authority.
(18) Each time a practitioner or pharmacist makes a non-health IT integrated patient query he or she shall certify that requests are in connection with the treatment of a patient in his or her care and agree to terms and conditions of use of the system.
(19) Each time the State Medical Examiner or designee of the State Medical Examiner makes a patient query he or she shall certify that requests are for the purpose of conducting a specific medicolegal investigation or autopsy where there is reason to believe controlled substances contributed to the death and agree to terms and conditions of use of the system.
(20) Each time a delegate makes a non-health IT integrated patient query he or she shall certify that requests are in connection with the treatment of a patient of the practitioner or pharmacist for whom the delegate is conducting the query, agree to terms and conditions of use, and indicate the authorizing practitioner or pharmacist for whom the delegate is conducting the query.
(21) Practitioners and pharmacists with delegates must conduct monthly audits of delegate use to monitor for potential misuse of the system.
(22) When a practitioner or pharmacist learns of any potential unauthorized use of the system or system data by a delegate, the practitioner or pharmacist shall:
(a) Revoke the delegation; and
(b) Notify the Authority of the potential unauthorized use.
(23) When the State Medical Examiner learns of any potential unauthorized use of the system or system data by a designee, the State Medical Examiner shall notify the Authority.
(24) When the Authority learns of any potential unauthorized use of the system or system data, the Authority shall revoke the user's access to the system, notify the Authority's Information Security Office, and investigate.
(a) If the Authority determines unauthorized use occurred, the Authority shall send written notification to the appropriate health professional regulatory board, the Attorney General and all affected individuals.
(b) If the Authority determines unauthorized use did not occur, the Authority shall reinstate access to the system.
(25) The Authority shall send written notification to a user or a potential user when an account has been deactivated or access has been denied.
(26) Patient Access. A patient may request a report of the patient's own controlled substance record. The patient shall mail to the Authority a request that contains the following documents:
(a) A signed and dated patient request form provided by the Authority; and
(b) A copy of the patient's current valid U.S. driver's license or other valid government issued photo identification.
(27) The Authority shall review the personal information submitted and verify that the patient's identification and request match before taking further action.
(28) If the Authority cannot verify the information, the Authority shall send written notification to the patient explaining why the request cannot be processed.
(29) After the Authority has verified the request, the Authority shall query the system based upon the patient information provided in the request and securely send the report to the patient at no cost to the patient. The report shall include:
(a) A list of controlled substances dispensed to the patient including the dates of dispensation, the practitioners who prescribed the controlled substances, and the pharmacies that dispensed them; and
(b) A list of users who accessed the system for information on that specific patient with the date of each instance of access.
(30) If no data is found that matches the patient identified in the request, the Authority shall send written notification to the patient explaining possible reasons why no patient data was identified.
(31) A patient may send written notification to the Authority if he or she believes unauthorized access to his or her information has occurred. The notification shall include the patient's name, who is suspected to have gained unauthorized access to the patient's information, what information is suspected to have been accessed by unauthorized use, when the suspected unauthorized access occurred, and why the patient suspects the access was unauthorized. The Authority shall treat such patient notifications as potential unauthorized use of the system.
(32) A patient may request that the Authority correct information in a patient record report as follows:
(a) The patient shall specify in writing to the Authority what information in the report the patient considers incorrect.
(b) When the Authority receives a request to correct a patient's information in the system, the Authority shall make a note in the system that the information is contested and verify the accuracy of the system data with the vendor. The vendor shall verify that the data obtained from the query is the same data received from the pharmacy.
(c) If the data is verified incorrect, the Authority shall correct the errors in consultation with the vendor and pharmacy and document the correction. The Authority shall send to the patient the corrected report.
(d) If the vendor verifies the data is correct, the Authority shall send written notification informing the patient that the request for correction is denied. The notice shall inform the patient of his or her rights as are applicable to the prescription drug monitoring program, the process for filing an appeal, and if there are no appeal rights, how to otherwise address or resolve the issue.
(33) The Authority shall respond to all patient requests within 10 business days after the Authority receives a request. Each response shall include information that informs the patient of his or her rights as are applicable to the prescription drug monitoring program.
(34) If the Authority denies a patient's request to correct information, or fails to grant a patient's request within 10 business days after the Authority receives the request, a patient may appeal the denial or failure by requesting a contested case hearing. The appeal shall be filed within 30 days after the request to correct information is denied. The appeal process is conducted pursuant to ORS chapter 183 and the Attorney General's Uniform and Model Rules of Procedure for the Office of Administrative Hearings (OAH), OAR 137-003-0501 through 137-003-0700.
(35) Law Enforcement Access. A state or local law enforcement agency engaged in an authorized drug-related investigation of an individual may request from the Authority controlled substance information pertaining to the individual to whom the information pertains. The request shall be pursuant to a valid court order based on probable cause.
(36) A law enforcement agency shall submit to the Authority a request that contains the following:
(a) A form provided by the Authority specifying the information requested; and
(b) A copy of the court order documents.
(37) The Authority shall review the law enforcement request.
(a) If the form is complete and the court order is valid, the Authority shall query the system for the requested information and securely provide a report to the law enforcement agency.
(b) If the request or court order is not valid, the Authority shall respond to the law enforcement agency providing an explanation for the denial.
(38) Health Professional Regulatory Board Access. A health professional regulatory board investigating an individual regulated by the board may request from the Authority controlled substance information pertaining to the member.
(a) A health professional regulatory board shall submit to the Authority a form provided by the Authority specifying the information requested. The board's executive director shall certify that the requested information is necessary for an investigation related to licensure, renewal, or disciplinary action involving the applicant, licensee, or registrant to whom the requested information pertains.
(b) The Authority shall review the regulatory board request.
(A) If a request is valid, the Authority shall query the system for the requested information and securely provide a report to the health professional regulatory board.
(B) If a request is not valid, the Authority shall respond to the health professional regulatory board providing an explanation for the denial.
(39) Researcher Access. The Authority may provide de-identified data for research purposes to a researcher. A researcher shall submit a research data request form provided by the Authority.
(a) The request shall include but is not limited to a thorough description of the study aims, data use, data storage, data destruction, and publishing guidelines.
(b) The Authority shall approve or deny research data requests based on application merit.
(c) If a request is approved, the requestor shall sign a data use agreement provided by the Authority.
(d) The Authority shall provide the minimum data set necessary that does not identify individuals.
(e) The Authority may charge researchers a reasonable fee for services involved in data access.
(40) A medical, dental, or pharmacy director may request information from the system for the sole purpose of overseeing their organization's quality assessment and improvement activities. Such access is strictly limited pursuant to ORS 431A.865 sections (1)(b) and (2)(a) and only for quality assessment and improvement activities defined under 45 CFR 164.501 and is not permitted for the purpose of determining prior authorization or reducing healthcare costs to their respective organizations.

Renumbered from 410-121-4020, PH 28-2015, f. 12-29-15, cert. ef. 1/1/2016; PH 2-2017, f. & cert. ef. 1/10/2017; PH 232-2018, amend filed 07/02/2018, effective 7/2/2018; PH 27-2019, amend filed 12/16/2019, effective 1/1/2020

Statutory/Other Authority: ORS 431A.855

Statutes/Other Implemented: ORS 431A.865 & ORS 431A.855