Privacy and Confidentiality in Oregon
The state of Oregon’s official policy is that individual health information must be protected from unlawful use or disclosure.1 The law specifically provides the right to confidentiality of medical records and information to patients in adult foster homes,2 nursing homes,3 home health agencies,4 in-home care patients,5 and individuals receiving mental health community treatment and support services.6 Additionally, all insurers offering health benefit plans must ensure the confidentiality of patient records and information.7 While confidentiality and privacy of medical information is paramount, the law provides a number of means by which medical information may be disclosed without the authorization of the patient.
A health care provider or state health plan may use or disclose protected health information without obtaining an authorization for use in the provider or plan’s own treatment, payment, or health care operations, to another covered entity for purposes of the entity’s health care operations or fraud and abuse detection or compliance.8 Nursing homes may release records in conjunction with a patient transfer or where examination is required by a third party payment contractor.9 The Long Term Care Ombudsman may access any long term care facility resident’s records.10
Disclosure of protected health information may be made by and to public health authorities under certain circumstances. During a declared public health emergency, the public health director and local public health administrators will have immediate access to individually identifiable health information,11 and may disclose such information to authorized state, local or federal agencies, health care providers, or to determine the cause or manner of a death.12 The Oregon Health Authority or a local public health administrator may release information obtained during an investigation of a reportable disease or disease outbreak to authorized individuals, including individually identifiable information, if there is clear and convincing evidence that release is necessary to avoid an immediate danger to other individuals or to the public.13
Disclosure may be made for research purposes, if the research meets certain criteria. All disclosures of protected health information for research purposes are subject to state and federal law; the Department of Human Services may use or disclose an individual’s information for research without a written authorization if the Institutional Review Board waives the authorization requirement.14 The Oregon Health Authority or a health agency may publish statistical compilations and reports relating to epidemiologic or general morbidity and mortality studies if such compilations and reports do not identify individual cases and sources of information.15 The Oregon Health Authority may disclose information from the prescription monitoring program that does not identify a patient, practitioner or drug outlet for educational, research or public health purposes; and to officials of the authority who are conducting special epidemiologic morbidity and mortality studies.16 The Office for Oregon Health Policy and Research may authorize the disclosure of health data in accordance with a data use agreement with a researcher for purposes of research, public health, or health care operations.17
There are a number of requirements surrounding disclosure of disease-specific information. Clinical laboratories may disclose HIV/AIDS test information for treatment purposes to the person ordering the test, to persons who must review a medical record for treatment, and as otherwise permitted by federal law.18 All identifying information reported for use in the Childhood Diabetes Database must remain confidential;19 collected information may only be used for approved research and studies.20 All identifying information about cases of cancer or benign tumors that is required to be reported must be kept confidential.21 Facilities and practitioners that report cases of cancer or benign tumors may access confidential data on any case submitted by that facility or practitioner; when a patient has been seen by multiple facilities or practitioners, the public health division may share information on treatment and follow-up among those involved with the patient’s care.22
Oregon also maintains a number of health-related registries, which all have requirements surrounding the disclosure of the information contained therein. Information in an immunization registry or information derived from the registry or record is confidential and may only be disclosed to those who have been specifically authorized to receive such information.23 Individually identifiable information may be released from the Oregon Trauma Registry if it is to be used for specific case reviews, for quality assurance or quality improvement purposes, or for research approved by an institutional review board.24 Information contained in the Physician Orders for Life-Sustaining Treatment (POLST) Registry may only be released to authorized persons, facilities and researchers, and for authorized purposes.25 The information reported to the central cancer registry may be disclosed for purposes directly related to the registry, and in a number of other circumstances, including when the public health division has entered into a reciprocal cooperative agreement with other states and when the division contracts with another agency with comparable confidentiality protections for performance of a registry function.26
Finally, information that is required to be reported may be disclosed under certain circumstances. The Oregon Health Authority may disclose prescription monitoring to a treating practitioner or pharmacist, to a health professional regulatory board for purposes of an investigation and to a prescription monitoring authority of another state. 27 The Oregon Health Authority may require the owner or director of a laboratory to submit initial findings indicative of communicable diseases; information contained in these reports may be disclosed for purposes of administering the public health laws and may be used to compile statistical and other data if persons are not identified.28
Footnotes
- 1. Or. Rev. Stat. §192.518
- 2. Or. Rev. Stat. § 443.739
- 3. Or. Rev. Stat. § 441.605
- 4. Or. Admin. R. 333-027-0080
- 5. Or. Admin. R. 333-536-0060
- 6. Or. Admin. R. 309-032-1515
- 7. Or. Rev. Stat. § 743.804
- 8. Or. Rev. Stat. §192.520
- 9. Or. Rev. Stat. § 441.605
- 10. Or. Rev. Stat. § 441.117
- 11. Or. Admin. R. 333-003-0050
- 12. Or. Rev. Stat. § 433.443
- 13. Or. Rev. Stat. §433.008
- 14. Or. Admin R. 407-014-0060
- 15. Or. Rev. Stat. § 432.060
- 16. Or. Rev. Stat. § 431.966
- 17. Or. Admin. R. 409-022-0070
- 18. Or. Rev. Stat. § 433.045
- 19. Or. Rev. Stat. § 444.330
- 20. Or. Admin. R. 333-010-0640
- 21. Or. Rev. Stat. § 432.530
- 22. Or. Admin. R. 333-010-0050
- 23. Or. Rev. Stat. § 433.098
- 24. Or. Rev. Stat. § 431.635
- 25. Or. Admin. R. 333-270-0060
- 26. Or. Admin. R. 333-010-0050
- 27. Or. Rev. Stat. § 431.966
- 28. Or. Rev. Stat. § 438.310
.png)