What Are Oregon’s HIPAA Laws?

Most of us are at least vaguely familiar with HIPAA regulations. In fact, you may even have to sign a HIPAA-compliant release of information if you work with a Paulson Coletti Trial Attorneys PC Portland medical malpractice lawyer. What many people don’t realize, though, is that the federal guidelines set by HIPAA are the minimum standard, and individual states have their own more stringent requirements.

Understanding HIPAA

The Health Insurance Portability and Accessibility Act of 1996 was established to set minimum federal standards for information privacy. The Centers for Disease Control and Prevention (CDC) explains that some of the goals for HIPAA are:

• Give patients more control of their health information
• Set boundaries on how health records can be used and released
• Limits the release of information to the minimum required
• It gives patients the right to obtain copies of their records
• Accountability for providers who violate

Protected Health Information

Protected health information (PHI) is a term seen everywhere when providers and insurance agencies discuss HIPAA. Oregon code 195.556 (11)((a) defines Protected Health Information(PHI) covered by HIPAA as health information that is individually identifiable and maintained or transmitted in any form by a covered entity. Health information is considered information related to medical or psychological conditions, test results, insurance policy details, and other similar information.

Covered Entities

The concept of a covered entity is a crucial point of understanding for HIPAA. These days, we hear HIPAA thrown around in a way that makes it seem that no one is allowed to share your health information. However, HIPAA protections in Oregon only regulate covered entities such as insurance companies, medical providers, behavioral health providers, pharmacists, and those handling your information in some professional settings. HIPAA protections also bind schools and public agencies like DHS.

How Can My Information be Released in Compliance with Oregon HIPAA Requirements?

Covered entities may not share your information in Oregon without set criteria. The times in which your information can be released to someone other than the patient are as follows:

• You are a minor who requires a guardian to consent to the care
• A judge has issued a court order for records
• Some records may be released with a subpoena, excluding substance abuse and some types of mental health records. Some information relating to HIV/AIDS may also require additional authorization

Your information may also be released to the payor of services, which is frequently your insurance company. The notification and consent can commonly be seen in your physician or care provider’s intake paperwork.

Oregon Release of Information Requirements

The state of Oregon has very specific requirements for releasing PHI to anyone other than the patient or their representative. In Oregon statute 192.566 shows a template Release of Information (ROI), which has all of the required information as shown below:

• Specific uses and limitations for the information
• The expiration date of the release
• Specific authorization for the release of mental health records, genetic testing, substance abuse records, and HIV/AIDS status
• The information for the disclosure is on a separate page and not included with any other information
• The signature for release is meant only for the release of the above-stated information and cannot be used in conjunction with any other forms
• The release must be signed and dated by the patient or their representative

The release of information is void as of the expiration date listed on the form, but you can also withdraw your consent to the release in writing if you so choose. This does not void the initial release or invalidate information sent legally. The release is still valid from the signature date, but disclosing your information beyond the date you rescinded permission is not legal.