Statutes, codes, and regulations
Oregon Administrative Code
Chapter 471 - EMPLOYMENT DEPARTMENT
Division 70 - Paid Family Medical Leave Insurance
Section 471-070-8037 - Appeals: Individually Identifiable Health Information

Or. Admin. Code § 471-070-8037

Download
PDF
Current through Register Vol. 63, No. 12, December 1, 2024
Section 471-070-8037 - Appeals: Individually Identifiable Health Information
(1) This rule is intended to comply with federal requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy Rules in 45 CFR Parts 160 and 164 to protect the privacy of Protected Health Information. This rule should be construed to implement and not to alter the requirements of 45 CFR § 164.512(e).
(2) For purposes of this rule, and consistent with the terms in the HIPAA Privacy Rules in 45 CFR Parts 160 and 164:
(a) An "administrative tribunal" is an administrative law judge who conducts a contested case hearing on behalf of the department.
(b) A "covered entity" includes the following entities, as further defined in the HIPAA Privacy Rules:
(A) A Health Insurer or the Medicaid program;
(B) A Health Care Clearinghouse; or
(C) A Health Care Provider that transmits any Individually Identifiable Health Information using Electronic Transactions covered by HIPAA.
(c)"Protected health information" means individually identifiable health information:
(A) Except as provided in paragraphs (B) of this subsection, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(B) Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.
(d) A "qualified protective order (QPO)" is an order of the administrative tribunal that:
(A) Prohibits the use or disclosure of protected health information by the administrative law judge, the department or a party for any purpose other than the contested case proceeding or judicial review of the contested case proceeding;
(B) Requires that all copies of the protected health information be returned to the covered entity or destroyed at the conclusion of the contested case proceeding, or judicial review of the contested case proceeding, whichever is later; and
(C) Includes such additional terms and conditions as may be appropriate to comply with federal or state confidentiality requirements that apply to the protected health information.
(3) An administrative tribunal may issue a QPO at the request of a party, a covered entity, an individual, or the department.
(a) A request for a QPO may be accompanied by a copy of a subpoena, discovery request, or other lawful process that requests protected health information from a covered entity.
(b) If the individual has signed an authorization permitting disclosure of the protected health information for purposes of the contested case proceeding, the administrative tribunal need not issue a QPO.
(4) The provisions of this rule do not supersede any other applicable provisions of the HIPAA Privacy Rules that otherwise permit or restrict uses or disclosure of protected health information without the use of a QPO.

Or. Admin. Code § 471-070-8037

ED 15-2022, adopt filed 11/23/2022, effective 11/23/2022

Statutory/Other Authority: ORS 657B.340 & 183.341

Statutes/Other Implemented: ORS 657B.410 & 183.341