Or. Admin. R. 410-141-3531 - Sanctions for Failure to Comply with State or Federal Information Security or Privacy Laws
(1) Pursuant to 42 CFR § 438.700, the Authority may impose sanctions on an MCE if the Authority makes a determination that an MCE failed to comply with any one or more of the following:
(a) The contractual requirements of accessing or using the Authority's or State Data, Network and Information Systems and Information Assets; or
(b) The Health Insurance Portability and Accountability Act (HIPAA) and the federal regulations implementing the HIPAA Privacy and Security Rules as set forth in 45 CFR Parts 160 and 164; or
(c) The Authority's privacy administrative rules in Chapter 407, Division 014; or
(d) The federal regulations implementing the HIPAA Transaction Rule as set forth in 45 CFR Part 162, and any other federal statutes or regulations relating to health information technology that may come into effect, including, without limitation, the 21st Century Cures Act and the Interoperability and Patient Access regulations; or
(e) The Authority's rules for electronic data transactions in OAR 943-120-0100 through 943-120-0200.
(2) The Authority may impose one or more sanctions under this rule including, but not limited to, the following:
(a) Require the MCE, at its own expense, to engage an independent third-party to conduct one or more security audits and implement any remedies identified or recommended in the audit report(s);
(b) Suspension or termination of one or more MCE employee's access to the Authority's or State's Data, Network Systems, or Information Assets, or termination of access to the Authority's and the State's Data, Network, and Information Assets;
(c) Require the MCE, at its own expense, to engage an independent third-party to conduct penetration testing of its network systems on a monthly or more frequent basis;
(d) Require the MCE, at its own expense, to engage an independent third-party to provide information privacy and security training to the MCE's employees;
(e) Require the MCE to develop and implement a time-specific plan for the correction of the identified area(s) of non-compliance under section (1) of this rule; or
(f) Additional sanctions available under OAR 410-141-3530 or any other Oregon Administrative Rule or any Oregon Revised Statute that address areas of noncompliance for an MCE's contractual, statutory, or administrative rule obligations.
(3) The Authority shall have the right to impose one or more sanctions for the same violation depending on the nature of the noncompliance (e.g., number of members impacted, whether an authorized party was provided with or was able to obtain protected health information or other identifiable personal information, or was the result of gross negligence, willful or intentional misconduct), whether the violation has occurred before, or if the Authority determines that there has been continued egregious conduct.
(4) In the event the Authority determines an MCE should be subject to sanctions under this rule, the Authority shall comply with, as applicable, sections (5) - (8) of OAR 410-141-3530, relating to written notice, appeal, administrative review, mediation, and termination rights.
Notes
Statutory/Other Authority: ORS 413.042
Statutes/Other Implemented: ORS 414.065