New Healthcare Privacy Law in the State of Oregon

Oregon’s House Bill 3284 is an online healthcare website privacy law that was recently amended in 2021. As stated in the law, HB 3284 was enacted for the purpose of “protecting the privacy of the personal health data of residents of this state.” Subsequently, the law outlines the various steps that healthcare providers and organizations are required to take as it concerns protecting the Patient Health Information or PHI of the various patients that they serve on a daily basis, particularly in the midst of the COVID-19 pandemic. Furthermore, the law also sets forth the punishments that healthcare organizations stand to face should they fail to adhere to the sections of the law.

How are covered organizations defined under the law?

Under Oregon’s House Bill 3284, a covered organization is taken to mean “a person that collects, uses or discloses personal health data or that develops or operates a website, web application, mobile application, mobile operating system feature or other electronic method by means of which the person may collect, use or disclose personal health data.” Conversely, the law defines a service provider as “a person that collects, uses or discloses personal health data solely for the purpose of providing business services to, on behalf of, or for the benefit of a covered organization in accordance with instructions or direction from, or under the terms and conditions of a contract with, the covered organization.”

What are the duties of covered organizations under the law?

The responsibilities that covered organizations within the state of Oregon have under HB 3284 as it relates to protecting the health and medical records of the multitude of patients that reside within the state include but are not limited to:

• Covered organizations are prohibited from collecting, using, or disclosing the personal health data of a patient without first obtaining affirmative expressed consent from the said patient. There are some exceptions to this rule, however, such as instances where a healthcare provider within Oregon discloses a patient’s health care information in order to comply with a legal obligation, among others.
• Covered organizations are generally required to delete or otherwise render inaccessible the healthcare information of their patients if the information in question is no longer needed to effectively treat said patients, subject to certain exemptions. Such exemptions include personal healthcare information that is comprised of aggregate data, statistical analysis, and interpretations, just to name a few.
• Covered organizations must limit their collection, use, and disclosure of personal health data to what is necessary to effectively provide healthcare services to their respective patients.
• Covered organizations are required to implement safeguards that can be used to ensure the confidentiality of the healthcare data in their possession is maintained at all times.
• Covered organizations are required to take the appropriate steps necessary to both to ensure that the healthcare information they collect is complete and accurate, as well as provide patients with the means to correct their information an accessible and effective method to correct their information should it be found to be inaccurate.

What are the punishments for violating the law?

As it relates to the enforcement of the law, the various sections, and provisions laid out in Oregon’s Website Privacy Law are enforced by the state attorney general. To this point, violations of the law constitute an unlawful trade practice under applicable legislation within the state of Oregon. Some actions that could be considered violations of the law include:

• Employing an illegal or unconscionable tactic as it pertains to the disclosure or destruction of personal health data.
• Failing to deliver and portion healthcare services to patients in accordance with the manner in which said services were presented to patients.
• Publishing information on a website that does not comply with the law, or is not consistent with the actual healthcare services provided.

Healthcare information and redaction

As the COVID-19 pandemic placed an enormous strain on healthcare systems and facilities around the world, many healthcare providers have turned to collecting additional information from patients in order to combat the spread of the infectious disease. Nevertheless, while this information can be used to save lives, the privacy of patients must also be upheld. With this being said, one way in which healthcare providers can utilize the healthcare information needed to treat patients while simultaneously protecting their privacy is through redaction software. When using a redaction software program, healthcare professionals can use the personal data of their patients for legitimate and necessary purposes, while also securing this data from bad actors in society.

In response to everything that has happened as it relates to COVID-19 in the past two years, legislation such as Oregon’s House Bill 3284 is all but inevitable, as jurisdictions around the U.S. continue to seek new ways to fight the virus. As it relates to healthcare organizations that serve patients within the state of Oregon, HB 3284 ensures that the frenzy and confusion of living in the midst of a pandemic does not infringe upon the privacy, security, and personal liberties of said patients. As such, residents within the state of Oregon can have the peace of mind that the personal data they submit to their healthcare providers online will be legally protected from unauthorized use.