2013 ORS § 746.607¹
Use and disclosure of personal information

A health insurer:

(1) May use or disclose personal information of an individual in a manner that is consistent with an authorization provided by the individual or a personal representative of the individual.

(2) May use or disclose protected health information of an individual without obtaining an authorization from the individual or a personal representative of the individual:

(a) For its own treatment, payment or health care operations; or

(b) As otherwise permitted or required by state or federal law or by order of the court.

(3) May disclose, subject to any requirements established by rule under ORS 746.608 (Rules) and consistent with federal law, protected health information of an individual without obtaining an authorization from the individual or a personal representative of the individual:

(a) To another covered entity for health care operations activities of the entity that receives the information if:

(A) Each entity has or had a relationship with the individual who is the subject of the protected health information; and

(B) The protected health information pertains to the relationship and the disclosure is for the purpose of:

(i) Health care operations listed in ORS 746.600 (Definitions for ORS 746.600 to 746.690) (13)(a) or (b); or

(ii) Health care fraud and abuse detection or compliance;

(b) To another covered entity or any other health care provider for treatment activities of a health care provider; or

(c) To another covered entity or any other health care provider for the payment activities of the entity that receives the information.

(4) May use or disclose personal financial information of an individual:

(a) To perform a business, professional or insurance function, subject to any requirements established by rule under ORS 746.608 (Rules) for an authorization by an individual or a personal representative of an individual; or

(b) Without obtaining an authorization by the individual or the personal representative of the individual as otherwise permitted or required by state or federal law or by order of the court.

(5) May charge a reasonable, cost-based fee, provided that the fee includes only the cost of:

(a) Copying personal information requested by an individual or a personal representative of the individual, including the cost of supplies for and labor of copying;

(b) Postage, when an individual or a personal representative of the individual has requested that copies of personal information or an explanation or summary of protected health information be mailed; or

(c) Preparing an explanation or summary of personal information if requested by an individual or a personal representative of the individual.

(6) Shall provide adequate notice of the uses and disclosures of personal information that may be made by the health insurer and of the individuals rights and the health insurers legal duties with respect to personal information.

(7) Shall permit an individual or a personal representative of an individual to request:

(a) Access to inspect or obtain a copy of the individuals personal financial information or protected health information that is maintained in a designated record set about the individual; or

(b) That the health insurer correct, amend or delete personal information. [2003 c.87 §3]