Current through Register Vol. 63, No. 11, November 1, 2024
Section 333-011-0325 - Confidentiality and Disclosure of Information from Vital Records or Vital ReportsTo protect the confidentiality and security of vital records and vital reports:
(1) The state registrar shall not permit access to or disclosure of personally identifiable information contained in vital records, or issue a copy of all or part of any such record unless the applicant is authorized to obtain such record for a proper purpose under ORS 432.350, or is authorized to obtain such record under ORS 432.380. (a) Access to or disclosure of information contained in vital records for sale or release to the public, for direct or indirect marketing of goods or services, for other non-research solicitation of registrants or families of registrants, or for other commercial or speculative purposes shall not be deemed a proper purpose. (b) The state registrar may impose reasonable conditions as to the use and re-disclosure of information, and may limit access to the minimum necessary to fulfill the purpose for which information is requested. (2) Requests for personally identifiable information contained in vital records for health research purposes shall be submitted in writing to the state registrar. (a) Each request shall contain at a minimum: (A) Name, title, organizational affiliation and contact information (mailing address, telephone number, and electronic mail address) of the requestor and the organizational official authorized to execute agreements; (B) Title, objectives and description of the proposed research study; (C) Institutional Review Board approval of study protocol if any contact with study subjects including children or parents listed on live birth records or next-of-kin or informants of decedents is proposed; (D) Physical and electronic storage and security measures to be taken to assure confidentiality and security of identifying information, and provision for return or destruction of the information at the conclusion of the research study; (E) Time frame of the research study; (F) Names of all persons on the research study team who will have access to the personally identifiable information; (G) Plan for dissemination of the results. (b) Each request for personally identifiable information from vital records to be used for health research purposes shall be reviewed to determine compliance with at least the following: (A) Contains all elements required by this rule; (B) Adequately justifies the need for the requested information; (C) Compliance with past data use agreements; (D) The requested information can be provided within the time frame set forth in the request; and (E) The state registrar has adequate resources with which to comply with the request. (3) Requests by government agencies for any identifiable information contained in the state's vital records maintained pursuant to ORS Chapter 432, or for verifications thereof, shall specify in writing the official use to which the requested information will be put and why the information is necessary in accordance with ORS 432.350. The request may be granted only if the state registrar agrees that the requested information is necessary for a proper purpose. (a) Each request shall contain at a minimum: (A) Name, title, agency, and contact information (mailing address, telephone number, and electronic mail address) of the requestor and the agency official authorized to execute agreements; (B) Purpose or intended use of the data or vital records being requested; (C) Physical and electronic storage and security measures to be taken to assure confidentiality and security of identifying information, and provision for return or destruction of the information at the conclusion of the intended use; (D) Time frame of intended use; and (E) Names of all persons who will have access to the personally identifiable information being requested. (b) Each request from a government agency for personally identifiable information from vital records shall be reviewed to determine compliance with at least the following: (A) Contains all elements required by this rule; (B) Adequately justifies the need for the requested information; (C) Compliance with past data use agreements; (D) The requested information can be provided within the time frame set forth in the request; and (E) The state registrar has adequate resources with which to comply with the request. (4) The state registrar shall enter into data use agreements for all approved health research and government agency requests for personally identifiable information from vital records. Each data use agreement shall include but not be limited to: (a) Specification of exactly what information will be disclosed to the requestor, the purpose for which it is provided, and the manner in which the data will be used; (b) The charges or fees, if any, to be paid by the requestor to the state registrar for use of the data; (c) A prohibition of re-release by the requestor of any information that may identify any person or any individual case record, whether identifiable or not, without the prior written approval of the state registrar; (d) The requestor's acknowledgment and agreement that ownership of all information provided by the state registrar shall remain exclusively that of the state registrar and that the data use agreement constitutes a license to use the data provided only for the purpose and in the manner set forth in the agreement; (e) The requestor's agreement neither to attempt to link nor to permit others to attempt to link the data set with individually identifiable records from any other data set without the prior written approval of the state registrar; (f) The requestor's agreement neither to use nor to allow anyone else to use the information to attempt to learn the identity of any person included from the information provided without the prior written approval of the state registrar; (g) Agreement that if the identity of any person is discovered inadvertently, the recipient: (A) Will not make use of this knowledge; (B) Will immediately notify the state registrar; and (C) Will safeguard or destroy the information which led to the identification of the individual as requested by the state registrar; (h) Acknowledgment and agreement that the requestor shall be responsible for any breach of security, including but not limited to any notifications to affected persons required by law or by the state registrar, and any fines, penalties or other sanctions that may be imposed pursuant to applicable law. (i) Agreement to prohibit the use of data provided for any purpose not explicitly identified and approved in the signed data use agreement.Or. Admin. Code § 333-011-0325
PH 17-2013, f. 12-26-13, cert. ef. 1-1-14Stat. Auth: ORS 432.350
Stats. Implemented: ORS 432.350