Or. Admin. Code § 943-014-0415

Current through Register Vol. 63, No. 12, December 1, 2024
Section 943-014-0415 - General Business Associate Requirements

A contractor who is a business associate of the Authority shall:

(1) Not use or disclose protected health information or electronic protected health information except as permitted or required by these rules and the contract, or as required by law.
(2) Use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of protected health information other than as provided for by these rules and the contract.
(3) Mitigate, to the extent practicable, any known harmful effect of a use or disclosure of protected health information or electronic protected health information by the business associate in violation of the requirements of these rules and the contract.
(4) Report to the Authority any use or disclosure of protected health information or electronic protected health information not provided for by these rules and the contract as soon as possible after the contractor becomes aware of the use or disclosure.
(5) Ensure that any agent or subcontractor that creates, receives, maintains or transmits protected health information on behalf of the contractor, agrees to the same restrictions and conditions that apply to the business associate through these rules and the contract with respect to the information created, received, maintained or transmitted on behalf of the contractor.
(6) Provide access, as directed by the Authority and in the time and manner designated by the Authority, to protected health information or electronic protected health information in a designated record set to the Authority or to an individual in compliance with the requirements of 45 CFR 164.524.
(7) Make any amendment to protected health information or electronic protected health information in a designated record set that the Authority directs or agrees to pursuant to 45 CFR 164.526. These amendments will be made in the manner designated by the Authority within 10 business days of receiving direction from the Authority.
(8) Make available internal practices, books, and records, including policies and procedures relating to the use and disclosure of protected health information and electronic protected health information created, received, maintained or transmitted by the business associate on behalf of the Authority. These items must be available to the Authority and to the Secretary, in a time and manner designated by the Authority or the Secretary, for purposes of the Secretary determining the Authority's compliance with the Privacy Rule or Security Rule.
(9) Document disclosures of protected health information and electronic protected health information and information related to such disclosures as may be required for the Authority to respond to a request by an individual for an accounting of disclosures in accordance with 45 CFR 164.528.
(10) Provide the Authority or an individual, within 10 business days of receiving direction from the Authority in a manner designated by the Authority, information collected in accordance with OAR 943-014-0415(9) to permit the Authority to respond to an individual's request for an accounting of disclosures in accordance with 45 CFR 164.528.

Or. Admin. Code § 943-014-0415

OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065