Skip to main content
CoreFolioHIPAA
Oregon

What a coordinated care organization (CCO) contract adds to your HIPAA obligations in Oregon

Joining an Oregon coordinated care organization layers Medicaid managed-care duties on top of HIPAA — record-keeping, whole-person data sharing, member access, and subcontractor monitoring. What changes.

By CoreFolio

8-minute read

Most Oregon Health Plan members receive their care through a coordinated care organization (CCO) — the entity Oregon uses to manage Medicaid care. When a practice joins a CCO network, it does not trade HIPAA for a different rulebook. It keeps every HIPAA obligation it already had and takes on a layer of Medicaid managed-care duties flowed down through the CCO contract and Oregon's coordinated care rules: record-keeping and security standards, a whole-person data-sharing expectation, a member-access standard, and a duty to monitor the subcontractors it uses.

Understanding what the contract adds — rather than assuming it is "just HIPAA" — is what keeps a practice out of trouble on both fronts. This article explains what a CCO is, how it relates to HIPAA, and the specific obligations a CCO contract layers on top of the federal floor.

Key takeaways

  • A CCO is a legal entity certified under ORS 414.572 to provide integrated, coordinated care for its members, and it is a Medicaid managed care entity under 42 CFR Part 438.12
  • Joining a CCO network does not replace HIPAA — you remain a covered entity and add the contract's flow-down duties on top.
  • Oregon's coordinated care rules require the network to share sensitive diagnoses for whole-person care (OAR 410-141-3520), while keeping the information confidential and restricting outside redisclosure.3
  • The same rule sets record-keeping and security duties tied to HIPAA and a member-access standard referencing 45 CFR 164.524 and ORS 179.505(9).3
  • Because CCO members are Medicaid beneficiaries, the Medicaid confidentiality standard ("directly connected with administration of the plan") also governs their information — covered in depth in our Oregon Health Plan article.

What a CCO is, in plain terms

Oregon Administrative Rule 410-141-3500 defines a coordinated care organization as "a corporation, governmental agency, public corporation, or other legal entity that is certified as meeting the criteria adopted by the Authority under ORS 414.572 to be accountable for care management and to provide integrated and coordinated health care for each of the organization's members."1 In practice, a CCO is the Medicaid health plan for a region: it receives a global budget from the Oregon Health Authority and is responsible for the physical, behavioral, and (often) oral health of the Oregon Health Plan members enrolled with it.

A CCO is also a managed care entity for purposes of the federal Medicaid managed-care rules at 42 CFR Part 438, which means the federal Medicaid program integrity, member-protection, and confidentiality expectations flow through it to its network.2 So a practice in a CCO network sits at the bottom of a stack: HIPAA, federal Medicaid managed-care rules, Oregon's coordinated care rules, and the CCO's own contract terms.

How a CCO relates to HIPAA

The relationship is additive, not substitutive:

  • You stay a covered entity. A provider in a CCO network remains a HIPAA covered entity, responsible for its own Security Rule and Privacy Rule compliance. Nothing in the CCO relationship reduces that.
  • The CCO is a covered entity too. A CCO is a health plan under HIPAA. When a provider or downstream entity performs a function that makes it a business associate of the CCO, a business associate agreement is required — the CCO flows those terms down.
  • The contract carries Medicaid and Oregon duties into your practice. The record-keeping, security, sharing, and access obligations below reach you because the CCO is contractually required to push them down to its network and its subcontractors.

What the CCO contract adds on top of HIPAA

Oregon Administrative Rule 410-141-3520 — "Record Keeping and Use of Health Information Technology" — is where much of the added weight lives. Four duties stand out for a network practice.

1. Record-keeping and security tied to HIPAA

A managed care entity must maintain a record-keeping system that secures records "as required by the Health Insurance Portability and Accountability Act (HIPAA)," keeps complete clinical records of the coordinated care services members receive, communicates these policies to subcontractors, and monitors subcontractor compliance with corrective action.3 For most practices this points back at the HIPAA Security Rule program you already owe — but the subcontractor-monitoring duty is an explicit, documentable expectation the contract adds.

2. Whole-person information sharing

Oregon deliberately pushes CCO data toward sharing so care can be integrated. The rule directs a managed care entity and its provider network to "use and disclose sensitive diagnosis information including HIV and other health and behavioral health diagnoses within the MCE for the purpose of providing whole-person care," while treating that information as confidential and privileged and limiting redisclosure outside the network.3 This is a genuine obligation to participate in coordinated data flows — but it does not override 42 CFR Part 2 for substance use disorder records held by a Part 2 program. (We cover that tension in our Oregon behavioral health and substance use records article.)

3. A member-access standard

The rule requires that a member have access to their personal health information "in the manner provided in 45 C.F.R. 164.524 and ORS 179.505(9)" so the member can share it with others involved in their care.3 That pins your access process to both the HIPAA right-of-access standard and Oregon's health-records access rule — a place where the CCO contract makes Oregon's faster access timeline directly relevant.4

4. Confidentiality and restricted redisclosure

Individually identifiable information handled in the network must be treated as confidential and privileged, subject to Oregon's protected-health-information statutes (ORS 192.553 to 192.581) and applicable federal privacy requirements, with redisclosure outside the network for unrelated purposes remaining subject to those privacy rules.35 This is the counterweight to the whole-person sharing duty: share inside the network for care, but do not treat that as license to send member data outward.

The Medicaid confidentiality layer

Because CCO members are Medicaid beneficiaries, their information also carries the Medicaid confidentiality standard — use and disclosure limited to purposes "directly connected with administration of the plan." That standard is narrower than HIPAA's treatment, payment, and operations permissions, and it governs plan-related data regardless of the CCO contract's own terms. Rather than repeat that analysis here, see our companion article on the Oregon Health Plan and HIPAA, which walks through the "directly connected" standard and how it diverges from HIPAA.

The combined picture: a CCO-contracted practice answers to HIPAA, to the Medicaid confidentiality standard for member data, to the CCO contract's flow-down duties, and to Oregon's coordinated care rules — all at once, and all reconcilable if the practice's documentation reflects them.

What this means for your HIPAA risk analysis

Joining a CCO network does not change the method of a HIPAA risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). It adds inputs you should be able to point to. A defensible risk analysis for a CCO-contracted practice should reflect:

  • the record-keeping and security duties the contract flows down, including subcontractor monitoring;
  • the whole-person sharing expectation and how it is reconciled with 42 CFR Part 2 and other sensitive-category rules;
  • the member-access standard (45 CFR 164.524 and ORS 179.505(9)) your process must meet;
  • the restricted-redisclosure rule for information leaving the network; and
  • the Medicaid confidentiality standard for member information.

A risk analysis that treats HIPAA as the only applicable law is incomplete for a practice in a CCO network — it will miss the flow-down and Medicaid obligations a CCO or the Oregon Health Authority would expect to see reflected.

What CCO-contracted practices should do this month

  1. Read the data-and-privacy sections of your CCO contract. Identify the flow-down record-keeping, security, sharing, access, and subcontractor provisions and map each to an internal policy.
  2. Confirm your business associate agreements. Make sure any subcontractor that touches member data is under a BAA and that you monitor its compliance, as the contract requires.
  3. Align your member-access process. Ensure your access workflow meets both 45 CFR 164.524 and the ORS 179.505 access standard the rule references.
  4. Reconcile whole-person sharing with sensitive-category rules. Document how you share within the network for care while honoring 42 CFR Part 2 and Oregon's HIV, genetic, and behavioral health rules.
  5. Fold it into your risk analysis. Record the CCO flow-down duties and the Medicaid confidentiality standard as part of your documented environment.

These steps prepare the ground. Turning them into a dated risk analysis and the policies a CCO or regulator would find defensible is the work itself — specific, citation-heavy, and easy to get wrong from a blank page. CoreFolio HIPAA walks through each step and produces that documentation with the structure already in place.

Sources

Footnotes

  1. OAR 410-141-3500 (Definitions — "Coordinated Care Organization" as a legal entity "certified as meeting the criteria adopted by the Authority under ORS 414.572 to be accountable for care management and to provide integrated and coordinated health care for each of the organization's members"; "Managed Care Entity"). Oregon Secretary of State, Oregon Administrative Rules: https://secure.sos.state.or.us/oard/displayDivisionRules.action?selectedDivision=1728 — full text also at https://www.law.cornell.edu/regulations/oregon/Or-Admin-Code-SS-410-141-3500 2

  2. 42 CFR Part 438 (Medicaid Managed Care). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-C/part-438 2

  3. OAR 410-141-3520 (Record Keeping and Use of Health Information Technology — record security "as required by the Health Insurance Portability and Accountability Act (HIPAA)"; subcontractor monitoring; member access "in the manner provided in 45 C.F.R. 164.524 and ORS 179.505(9)"; use and disclosure of "sensitive diagnosis information including HIV and other health and behavioral health diagnoses within the MCE for the purpose of providing whole-person care"; restricted outside redisclosure). Oregon Secretary of State, Oregon Administrative Rules: https://secure.sos.state.or.us/oard/displayDivisionRules.action?selectedDivision=1728 — full text also at https://www.law.cornell.edu/regulations/oregon/Or-Admin-Code-SS-410-141-3520 2 3 4 5 6

  4. 45 CFR § 164.524 (HIPAA right of access to protected health information). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-164.524

  5. ORS 192.553 to 192.581 (Oregon protected health information — legislative policy and standards for use and disclosure of individually identifiable health information). Oregon Revised Statutes, Chapter 192: https://www.oregonlegislature.gov/bills_laws/ors/ors192.html