Or. Admin. R. 410-141-3531

Current through Register Vol. 63, No. 6, June 1, 2024
Section 410-141-3531 - Sanctions for Failure to Comply with State or Federal Information Security or Privacy Laws
(1) Pursuant to 42 CFR § 438.700, the Authority may impose sanctions on an MCE if the Authority makes a determination that an MCE failed to comply with any one or more of the following:
(a) The contractual requirements for accessing or using the Authority's or the State's Data, Network and Information Systems and Information Assets; or
(b) The Health Insurance Portability and Accountability Act (HIPAA) and the federal regulations implementing the HIPAA Privacy and Security Rules as set forth in 45 CFR Parts 160 and 164; or
(c) The Authority's privacy administrative rules in Chapter 407, Division 014; or
(d) The federal regulations implementing the HIPAA Transaction Rule as set forth in 45 CFR Part 162, and any other federal statutes or regulations relating to health information technology that may come into effect, including, without limitation, the 21st Century Cures Act and the Interoperability and Patient Access regulations; or
(e) The Authority's rules for electronic data transactions in OAR 943-120-0100 through 943-120-0200.
(2) The Authority may impose one or more sanctions under this rule including, but not limited to, the following:
(a) Require the MCE, at its own expense, to engage an independent third-party to conduct one or more security audits and implement any remedies identified or recommended in the audit report(s);
(b) Suspension or termination of one or more MCE employees' access to the Authority's or the State's Data, Network Systems, or Information Assets, or termination of the MCE's access to the Authority's and the State's Data, Network, and Information Assets;
(c) Require the MCE, at its own expense, to engage an independent third-party to conduct penetration testing of its network systems on a monthly or more frequent basis;
(d) Require the MCE, at its own expense, to engage an independent third-party to provide information privacy and security training to the MCE's employees;
(e) Require the MCE to develop and implement a time specific plan for the correction of the identified area(s) of non-compliance under section (1) of this rule; or
(f) Additional sanctions available under OAR 410-141-3530 or any other Oregon Administrative Rule or any Oregon Revised Statute that address areas of noncompliance for an MCE's contractual, statutory, or administrative rule obligations.
(3) The Authority shall have the right to impose one or more sanctions for the same violation depending on the nature of the noncompliance (e.g. number of members impacted, whether an unauthorized party was provided with or was able to obtain protected health information or other identifiable personal information, or whether the violation was the result of gross negligence or willful or intentional misconduct), whether the violation has occurred before, or if the Authority determines that there has been continued egregious conduct.
(4) In the event the Authority determines an MCE should be subject to sanctions under this rule, the Authority shall comply with, as applicable, sections (5) - (8) of OAR 410-141-3530, relating to written notice, appeal, administrative review, mediation, and termination rights.

DMAP 56-2021, adopt filed 12/30/2021, effective 1/1/2022

Statutory/Other Authority: ORS 413.042

Statutes/Other Implemented: ORS 414.065