
Security of Health Information in Oregon

Oregon law protects health information from unauthorized access or disclosure by requiring the use of various security measures and penalizing violations of these measures.

Various facilities and providers are required to maintain specific security measures. All health care facilities’ medical records must be protected from unauthorized access; if records are moved to an off-site storage facility, precautions must be taken to protect patient confidentiality.[1] Each renal dialysis facility must safeguard medical record information against unauthorized use.[2] Every in-home care agency must take precautions to protect clients’ medical records from unauthorized access.[3] Providers participating in the Family Planning Expansion Program must implement security measures that protect the confidentiality of the program’s eligibility database and prevent unauthorized access to or disclosure of information from the database; such providers must report any incidents that compromise, damage or cause a loss of protection to the database. Wrongful use or disclosure of the database may cause immediate suspension or revocation of any access granted.[4]

In addition to providers and facilities, the state is required to maintain security measures for various databases, registries and collected information. The information collected for the childhood diabetes database must be stored in a physically and technologically secure manner.[5] Precautions must be taken to prevent the unauthorized disclosure of hospital outcome measure raw data files, including storing the data on a password-protected personal computer, restricting staff and network access to the raw data files, and using strong encryption coding.[6] The state’s prescription monitoring system has several security measures in place. The Oregon Health Authority monitors the system for unusual and potentially unauthorized use; if such use is detected, the user account will be immediately deactivated. Vendors, practitioners, pharmacists and pharmacies must report any suspected breach of the system or unauthorized access. If the patient data has been breached or accessed without proper authorization, the authority will notify all affected patients, the Attorney General and the applicable health professional regulatory board.[7]

 

Footnotes

  • 1. Or. Admin. R. 333-071-0060
  • 2. Or. Admin. R. 333-700-0090
  • 3. Or. Admin. R. 333-536-0085
  • 4. Or. Admin. R. 333-004-0120
  • 5. Or. Admin. R. 333-010-0640
  • 6. Or. Admin. R. 410-121-4020
  • 7. Or. Admin. R. 409-023-0025

 

Security of Health Information in Oregon

| Subtopic | Statute/Regulation | Description |
| --- | --- | --- |
| Unauthorized access or disclosure of health information (Cross reference Privacy & Confidentiality) | Or. Admin. R. 333-018-0135 - HAI Data Security | The Oregon Office of Health Policy and Research will obtain hospital outcome measure data files from the CDC’s National Healthcare Safety... |
| | Or. Admin. R. 333-004-0120 - Requirements for Financial, Clinical and Other Records | The Office of Family Health is responsible for analyzing and monitoring the operation of the Family Planning Expansion Program and for auditing and... |
| | Or. Admin. R. 333-049-0070 - Limitations on Access to Information in the Immunization Registry and Tracking and Recall System | No authorized user of the immunization registry may access information from the registry about a client who is not currently under their care or... |
| | Or. Admin. R. 409-022-0070 - Limited Data Sets with a Data Use Agreement | The Office for Oregon Health Policy and Research may authorize the disclosure of health data in accordance with a data use agreement entered into by... |
| | Or. Admin. R. 410-121-4020 - Information Access | The Prescription Drug Monitoring Program system may be accessed by practitioners and pharmacists authorized to prescribe or dispense controlled... |
| | Or. Rev. Stat. § 431.970 - Reports to health professional regulatory boards | If a practitioner or pharmacist authorized to obtain prescription information from the prescription monitoring system discloses or uses information... |
| Security of Health Information | Or. Admin. R. 309-032-0870 - Standards for Approval of Regional Acute Care Psychiatric Service | In order to be granted approval for operation, regional acute care psychiatric services must comply with the following requirements: Maintain... |
| | Or. Admin. R. 333-010-0050 - Confidentiality and Access to Data | All identifying information regarding individual patients, cancer reporting facilities, and practitioners required to be reported to the central... |
| | Or. Admin. R. 333-027-0150 - Clinical Records | Every home health agency must maintain a clinical record for each patient that must include the patient’s identifying information, clinical... |
| | Or. Admin. R. 333-071-0060 - Medical Records | All health care facilities must maintain medical records for each patient that is admitted. The medical record must include the following... |
| | Or. Admin. R. 333-076-0165 - Medical Records | All ambulatory surgical centers must maintain a medical record for each patient admitted for care. Medical records are the property of the... |
| | Or. Admin. R. 333-076-0690 - Health and Medical Records | Birthing Centers must maintain health and clinical records for each client and must store such records to prevent access by unauthorized persons.... |
| | Or. Admin. R. 333-270-0050 - Access to the Registry | The Physician Orders for Life-Sustaining Treatment (POLST) Registry staff, including its Emergency Communication Center staff, will have access to... |
| | Or. Admin. R. 333-700-0090 - Medical Records | Each renal dialysis facility must maintain complete medical records on all patients; each record must contain sufficient information to identify the... |
| | Or. Rev. Stat. § 431.966 - Disclosure of information | Patient data submitted as part of the prescription monitoring program is considered protected health information and is not subject to disclosure as... |
| Storage of health information in a secure location (Cross reference Medical Record Collection) | Or. Admin. R. 325-015-0055 - Protection of Patient Safety Data | The Oregon Patient Safety Commission must maintain the confidentiality of all Patient Safety Data that identifies or could be reasonably used to... |
| | Or. Admin. R. 333-004-0120 - Requirements for Financial, Clinical and Other Records | The Office of Family Health is responsible for analyzing and monitoring the operation of the Family Planning Expansion Program and for auditing and... |
| | Or. Admin. R. 333-010-0640 - Confidentiality and Access to Data | All identifying information required to be reported by practitioners and schools to the Childhood Diabetes Database is confidential. The... |
| | Or. Admin. R. 333-025-0120 - Anonymous, Coded, or Exempt Genetic Research | A human biological sample or clinical individually identifiable health information may be used in anonymous or coded genetic research only if, prior... |
| | Or. Admin. R. 333-049-0130 - Security | Authorized users of the Immunization Registry must follow security procedures put in place to safeguard registry information. The security... |
| | Or. Admin. R. 333-536-0085 - Client Records | Every in-home care agency must maintain a record for each client served by the agency. Clients’ records are the property of the agency,... |