(A) Is protected health information under ORS 192.553 to 192.581.
(B) Is confidential and not subject to disclosure under ORS 192.311 to 192.478.
(b) Except as provided under subsection (3)(a)(H) of this section, prescription monitoring information submitted under ORS 431A.860 to the prescription monitoring program may not be used to evaluate a practitioner’s professional practice.
(2) The Oregon Health Authority may review the prescription monitoring information of an individual who dies from a drug overdose.
(3)(a) Except as provided in paragraph (c) of this subsection, the Oregon Health Authority shall disclose prescription monitoring information reported to the authority under ORS 431A.860:
(A) To a practitioner or pharmacist, or, if a practitioner or pharmacist authorizes the authority to disclose the information to a member of the practitioner’s or pharmacist’s staff, to a member of the practitioner’s or pharmacist’s staff. If a practitioner or pharmacist authorizes disclosing the information to a member of the practitioner’s or pharmacist’s staff under this subparagraph, the practitioner or pharmacist remains responsible for the use or misuse of the information by the staff member. To receive information under this subparagraph, or to authorize the receipt of information by a staff member under this subparagraph, a practitioner or pharmacist must certify that the requested information is for the purpose of evaluating the need for or providing medical or pharmaceutical treatment for a patient to whom the practitioner or pharmacist anticipates providing, is providing or has provided care.
(B) To a dental director, medical director or pharmacy director, or, if a dental director, medical director or pharmacy director authorizes the authority to disclose the information to a member of the dental director’s, medical director’s or pharmacy director’s staff, to a member of the dental director’s, medical director’s or pharmacy director’s staff. If a dental director, medical director or pharmacy director authorizes disclosing the information to a member of the dental director’s, medical director’s or pharmacy director’s staff under this subparagraph, the dental director, medical director or pharmacy director remains responsible for the use or misuse of the information by the staff member. To receive information under this subparagraph, or to authorize the receipt of information by a staff member under this subparagraph:
(i) A dental director must certify that the requested information is for the purposes of overseeing the operations of a coordinated care organization, dental clinic or office, or a system of dental clinics or offices, and ensuring the delivery of quality dental care within the coordinated care organization, clinic, office or system.
(ii) A medical director must certify that the requested information is for the purposes of overseeing the operations of a coordinated care organization, hospital, health care clinic or system of hospitals or health care clinics and ensuring the delivery of quality health care within the coordinated care organization, hospital, clinic or system.
(iii) A pharmacy director must certify that the requested information is for the purposes of overseeing the operations of a coordinated care organization, pharmacy or system of pharmacies and ensuring the delivery of quality pharmaceutical care within the coordinated care organization, pharmacy or system.
(C) In accordance with subparagraphs (A) and (B) of this paragraph, to an individual described in subparagraphs (A) and (B) of this paragraph through a health information technology system that is used by the individual to access information about patients if:
(i) The individual is authorized to access the information in the health information technology system;
(ii) The information is not permanently retained in the health information technology system, except for purposes of conducting audits and maintaining patient records; and
(iii) The health information technology system meets any privacy and security requirements and other criteria, including criteria required by the federal Health Insurance Portability and Accountability Act, established by the authority by rule.
(D) To a practitioner in a form that catalogs all prescription drugs prescribed by the practitioner according to the number assigned to the practitioner by the Drug Enforcement Administration of the United States Department of Justice.
(E) To the Chief Medical Examiner or designee of the Chief Medical Examiner, for the purpose of conducting a medicolegal investigation or autopsy.
(F) To designated representatives of the authority or any vendor or contractor with whom the authority has contracted to establish or maintain the electronic system established under ORS 431A.855.
(G) Pursuant to a valid court order based on probable cause and issued at the request of a federal, state or local law enforcement agency engaged in an authorized drug-related investigation involving a person to whom the requested information pertains.
(H) To a health professional regulatory board that certifies in writing that the requested information is necessary for an investigation related to licensure, license renewal or disciplinary action involving the applicant, licensee or registrant to whom the requested information pertains.
(I) Pursuant to an agreement entered into under ORS 431A.869.
(b) The authority may disclose information from the prescription monitoring program that does not identify a patient, practitioner or drug outlet:
(A) For educational, research or public health purposes;
(B) For the purpose of educating practitioners about the prescribing of opioids and other controlled substances;
(C) To a health professional regulatory board;
(D) To a local public health authority, as defined in ORS 431.003; or
(E) To officials of the authority who are conducting special epidemiologic morbidity and mortality studies in accordance with ORS 413.196 and rules adopted under ORS 431.001 to 431.550 and 431.990.
(c) The authority may not disclose, except as provided in paragraph (b) of this subsection:
(A) Prescription drug monitoring information to the extent that the disclosure fails to comply with applicable provisions of the federal Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and regulations adopted under that law, including 45 C.F.R. parts 160 and 164, federal alcohol and drug treatment confidentiality laws and regulations, including 42 C.F.R. part 2, and state health and mental health confidentiality laws, including ORS 179.505, 192.517 and 192.553 to 192.581.
(B) The sex of a patient for whom a drug was prescribed.
(C) The identity of a patient for whom naloxone was prescribed.
(d) The authority shall disclose information relating to a patient maintained in the electronic system established under ORS 431A.855 to that patient at no cost to the patient within 10 business days after the authority receives a request from the patient for the information.
(e)(A) A patient may request the authority to correct any information related to the patient that is maintained in the electronic system established under ORS 431A.855 that is erroneous. The authority shall grant or deny a request to correct information within 10 business days after the authority receives the request. If a request to correct information cannot be granted because the error occurred at the pharmacy where the information was inputted, the authority shall inform the patient that the information cannot be corrected because the error occurred at the pharmacy.
(B) If the authority denies a patient’s request to correct information under this paragraph, or fails to grant a patient’s request to correct information under this paragraph within 10 business days after the authority receives the request, the patient may appeal the denial or failure to grant the request. Upon receiving notice of an appeal under this subparagraph, the authority shall conduct a contested case hearing as provided in ORS chapter 183. Notwithstanding ORS 183.450, the authority has the burden in the contested case hearing of establishing that the information is correct.
(f) The information in the prescription monitoring program may not be used for any commercial purpose.
(g) In accordance with ORS 192.553 to 192.581 and federal laws and regulations related to privacy, any person authorized to prescribe or dispense a prescription drug who is entitled to access a patient’s prescription monitoring information may discuss the information with or release the information to other health care providers involved with the patient’s care for the purpose of providing safe and appropriate care coordination.
(4)(a) The authority shall maintain records of the information disclosed through the prescription monitoring program including:
(A) The identity of each person who requests or receives information from the program and any organization the person represents;
(B) The information released to each person or organization; and
(C) The date and time the information was requested and the date and time the information was provided.
(b) Records maintained as required by this subsection may be reviewed by the Prescription Monitoring Program Advisory Commission.
(5) Information in the prescription monitoring program that identifies an individual patient must be removed no later than three years from the date the information is entered into the program.
(6) The authority shall notify the Attorney General and each individual affected by an improper disclosure of information from the prescription monitoring program of the disclosure.
(7)(a) If the authority or a person or entity required to report or authorized to receive or release prescription information under this section violates this section or ORS 431A.860 or 431A.870, a person injured by the violation may bring a civil action against the authority, person or entity and may recover damages in the amount of $1,000 or actual damages, whichever is greater.
(b) Notwithstanding paragraph (a) of this subsection, the authority and a person or entity required to report or authorized to receive or release prescription information under this section are immune from civil liability for violations of this section or ORS 431A.860 or 431A.870 unless the authority, person or entity acts with malice, criminal intent, gross negligence, recklessness or willful intent.
(8) Nothing in ORS 431A.855 to 431A.900 requires a practitioner or pharmacist who prescribes or dispenses a prescription drug to obtain information about a patient from the prescription monitoring program. A practitioner or pharmacist who prescribes or dispenses a prescription drug may not be held liable for damages in any civil action on the basis that the practitioner or pharmacist did or did not request or obtain information from the prescription monitoring program.
(9) The authority shall, at regular intervals, ensure compliance of a health information technology system described in subsection (3) of this section with the privacy and security requirements and other criteria established by the authority under subsection (3) of this section. [Formerly 431.966; 2016 c.100 §1; 2017 c.151 §24; 2017 c.683 §14; 2019 c.53 §2; 2019 c.470 §7; 2019 c.583 §18]