Or. Admin. Code § 943-014-0440

Current through Register Vol. 63, No. 12, December 1, 2024
Section 943-014-0440 - Breach
(1) For the purposes of this rule a breach is considered "discovered" in accordance with 45 CFR 164.404(a)(2) and 45 CFR 164.410(2).
(2) In the event a breach of unsecured protected health information is discovered, a contractor must:
(a) Notify the Authority of the breach.
(A) The notification must be made as soon as possible and business associate shall confer with the Authority as soon as practicable thereafter.
(B) The notification must be made to the Authority no later than 30 calendar days after the discovery of breach.
(C) Notification shall include identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed during the breach.
(D) Notification shall include steps taken to mitigate harm, steps taken to reasonably ensure a like breach will not occur in the future, and any other information that may be reasonably required by the Authority for the Authority to meet its obligations.
(b) Confer with the Authority regarding preparing and issuing an appropriate notice to each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, or disclosed as a result of a breach.
(c) Confer with the Authority regarding preparing and issuing an appropriate notice to prominent media outlets within the state or local jurisdictions when the breach involves more than 500 individuals.
(d) Make the appropriate notification to media outlets and individuals affected by the breach as necessary.
(e) Confer with the Authority regarding preparing and issuing notice of the breach to the Secretary.
(A) If the breach involves 500 or more individuals, the notice to the Secretary must be provided immediately.
(B) Any breach involving less than 500 individuals shall be documented in a log and the log provided to the Secretary annually, no later than 60 calendar days after December 31 of each year.
(3) Except as set forth in section (5) of this rule, notifications required by this rule must be made without unreasonable delay and no later than 60 calendar days after the discovery of a breach.
(4) Notice must be provided in the manner and content required by 45 CFR 164.404 through 164.410.
(5) Any notification required by this rule may be delayed by a law enforcement official in accordance with the 45 CFR 164.412.

OHA 1-2013(Temp), f. & cert. ef. 8-23-13 thru 2-18-14; OHA 1-2014, f. 2-12-14, cert. ef. 2-18-14

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 179.505, 192.553, 192.556 - 192.581, 413.032, 413.042 & 414.065