75th OREGON LEGISLATIVE ASSEMBLY--2009 Regular Session
NOTE: Matter within { + braces and plus signs + } in an
amended section is new. Matter within { - braces and minus
signs - } is existing law to be omitted. New sections are within
{ + braces and plus signs + } .
LC 1094
A-Engrossed
House Bill 2604
Ordered by the House May 1
Including House Amendments dated May 1
Sponsored by Representatives GREENLICK, HOLVEY; Representatives
GELSER, HARKER, READ, SHIELDS
SUMMARY
The following summary is not prepared by the sponsors of the
measure and is not a part of the body thereof subject to
consideration by the Legislative Assembly. It is an editor's
brief statement of the essential features of the measure.
Requires covered entities to report annually on system
safeguards for protecting confidentiality of individually
identifiable health information.
A BILL FOR AN ACT
Relating to individually identifiable health information;
creating new provisions; and amending ORS 442.445 and 731.574.
Be It Enacted by the People of the State of Oregon:
{ + NOTE: + } Section 1 was deleted by amendment. Subsequent
sections were not renumbered.
SECTION 2. ORS 731.574 is amended to read:
731.574. (1) Except as provided in subsection { - (4) - }
{ + (5) + } of this section, every authorized insurer shall file
with the Director of the Department of Consumer and Business
Services, on or before March 1 of each year, a financial
statement for the year ending December 31 immediately preceding.
This statement shall be on a form prescribed by the director. The
statement shall contain such detailed exhibit of the condition
and transactions of the insurer, in such form and otherwise, as
the director prescribes. The director shall consider and may
prescribe the annual statement blank or other form established by
the National Association of Insurance Commissioners, including
instructions prepared by the National Association of Insurance
Commissioners for completing the blank or other form. If the
director prescribes the blank or other form established by the
National Association of Insurance Commissioners, including the
instructions, an insurer submitting the annual statement blank or
form established by the National Association of Insurance
Commissioners must complete the blank or form according to the
instructions. The director may require the filing of information
in addition to the information required in the annual statement.
The director may also require additional filings as the director
determines necessary.
{ + (2) A covered entity, as defined in ORS 192.519, that is
required to file an annual financial statement under subsection
(1) of this section shall file with the statement a protection of
health information report. The report must:
(a) State the responsibility of management for establishing and
maintaining adequate safeguards and procedures for protecting the
confidentiality of individually identifiable health information
that the covered entity retains in electronic and hard copy form;
(b) Contain an assessment, as of December 31 of the preceding
year, of the effectiveness of the safeguards and procedures in
protecting the confidentiality of individually identifiable
health information;
(c) Contain assurances that the signing officers have disclosed
to auditors and the governing board of the covered entity:
(A) All significant deficiencies in the design or operation of
record-keeping systems or controls that could adversely affect
the covered entity's ability to protect the confidentiality of
individually identifiable health information;
(B) Any breaches of the security of individually identifiable
health information, whether material or not, that involve
management or other employees who have a significant role in the
covered entity's record-keeping systems or controls; and
(C) All necessary steps that have been taken to address
deficiencies in the design or operation of record-keeping systems
or controls and to resolve any material weaknesses identified to
or by the covered entity's auditors; and
(d) Contain assurances that the signing officers have
identified for auditors any material weaknesses in the
record-keeping systems or controls. + }
{ - (2) - } { + (3) + } The financial statement filed by an
insurer under subsection (1) of this section { + and the report
filed under subsection (2) of this section + } shall be verified
by the oaths of the president and secretary of the insurer or, in
their absence, by two other principal officers. The statement of
an alien company shall embrace only its condition and
transactions in the United States, unless the director requires
otherwise, and shall be verified by the oath of its resident
manager or principal representatives in the United States.
Facsimile signatures are acceptable and shall have the same force
as original signatures.
{ - (3) - } { + (4) + } The director may grant an extension
of time for filing the annual statement.
{ - (4) - } { + (5) + } A home protection insurer may adopt
a fiscal year other than the calendar year for its financial
statements filed with the director under subsection (1) of this
section by declaring the fiscal year in its application for a
certificate of authority. An adopted fiscal year may not be
changed without the consent of the insurance supervisory official
of the insurer's domicile. The financial statement of a home
protection insurer on other than the calendar year basis shall be
filed with the director on or before the first day of the third
month which follows the end of the fiscal year.
{ - (5) - } { + (6) + } An insurer, subject to requirements
set forth in rules made by the director, may publish financial
statements, or information based on financial statements,
prepared on a basis that is in accordance with requirements of a
competent authority and differs from the basis of the statements
required to be filed with the director.
{ - (6) - } { + (7) + } It is the intention of the
Legislative Assembly that the director consider and follow the
accounting, reporting and other standards, practices and
procedures established by the National Association of Insurance
Commissioners in order to:
(a) Strengthen and improve regulation of insurer solvency by
the Department of Consumer and Business Services;
(b) Promote uniform and consistent regulation of insurance by
this state and the other states;
(c) Reduce regulatory costs owing to unnecessary differences in
the laws of the various states; and
(d) Obtain and maintain accreditation of this state's insurance
regulatory program by the National Association of Insurance
Commissioners.
{ + (8) As used in this section, 'individually identifiable
health information' has the meaning given that term in ORS
192.519. + }
SECTION 3. { + Section 4 of this 2009 Act is added to and made
a part of ORS chapter 441. + }
SECTION 4. { + (1) A health care facility shall file with the
Administrator of the Office for Oregon Health Policy and Research
a protection of health information report no later than 120 days
following the close of the fiscal year. The report shall be on a
form prescribed by the administrator, shall be signed by the
chief executive officer of the facility and must:
(a) State the responsibility of the health care facility's
management for establishing and maintaining adequate safeguards
and procedures for protecting the confidentiality of individually
identifiable health information that the facility retains in
electronic and hard copy form;
(b) Contain assurances that the signing officer has disclosed
to the board of directors of the facility:
(A) All significant deficiencies in the design or operation of
record-keeping systems or controls that could adversely affect
the facility's ability to protect the confidentiality of
individually identifiable health information;
(B) Any breaches of the security of individually identifiable
health information, whether material or not, that involve
management, staff or employees of the facility who have a
significant role in the facility's record-keeping systems or
controls; and
(C) All necessary steps that have been taken to address
deficiencies in the design or operation of record-keeping systems
or controls and to resolve any material weaknesses identified by
the facility; and
(c) Contain assurances that the signing officer has identified
for the board any material weaknesses in the record-keeping
systems or controls.
(2) The administrator may adopt all rules necessary to carry
out the provisions of this section.
(3) As used in this section, 'individually identifiable health
information' has the meaning given that term in ORS 192.519. + }
SECTION 5. ORS 442.445 is amended to read:
442.445. (1) Any health care facility that fails to perform as
required in ORS 442.205 and 442.400 to 442.463 or section 3,
chapter 838, Oregon Laws 2007, { + or section 4 of this 2009
Act + } and rules of the Office for Oregon Health Policy and
Research may be subject to a civil penalty.
(2) The Administrator of the Office for Oregon Health Policy
and Research shall adopt a schedule of penalties not to exceed
$500 per day of violation, determined by the severity of the
violation.
(3) Civil penalties under this section shall be imposed as
provided in ORS 183.745.
(4) Civil penalties imposed under this section may be remitted
or mitigated upon such terms and conditions as the administrator
considers proper and consistent with the public health and
safety.
(5) Civil penalties incurred under any law of this state are
not allowable as costs for the purpose of rate determination or
for reimbursement by a third-party payer.
SECTION 6. ORS 442.445, as amended by section 8, chapter 838,
Oregon Laws 2007, is amended to read:
442.445. (1) Any health care facility that fails to perform as
required in ORS 442.205 and 442.400 to 442.463 { + or section 4
of this 2009 Act + } and rules of the Office for Oregon Health
Policy and Research may be subject to a civil penalty.
(2) The Administrator of the Office for Oregon Health Policy
and Research shall adopt a schedule of penalties not to exceed
$500 per day of violation, determined by the severity of the
violation.
(3) Civil penalties under this section shall be imposed as
provided in ORS 183.745.
(4) Civil penalties imposed under this section may be remitted
or mitigated upon such terms and conditions as the administrator
considers proper and consistent with the public health and
safety.
(5) Civil penalties incurred under any law of this state are
not allowable as costs for the purpose of rate determination or
for reimbursement by a third-party payer.
----------