The Oregon Health Plan and HIPAA: how Medicaid confidentiality goes beyond the federal floor
The Oregon Health Plan is Medicaid, and Medicaid confidentiality law is narrower than HIPAA. How the two interact, where they diverge, and which rule controls.
By CoreFolio
12-minute read
The Oregon Health Plan (OHP) is Oregon's Medicaid program, and Medicaid carries its own confidentiality law that is narrower than the federal Health Insurance Portability and Accountability Act (HIPAA). Federal Medicaid law and Oregon's ORS 411.320 restrict using or disclosing member information to purposes directly connected with administering the plan — a tighter gate than HIPAA's broad treatment, payment, and health care operations permissions. Where the two point in different directions for OHP data, you follow the stricter rule.
If you have heard a compliance advisor say that OHP "has its own rules that sometimes disagree with HIPAA," this is what they mean. The disagreement is rarely a head-on collision where one law forces you to break the other. It is that Medicaid confidentiality asks a narrower question than HIPAA does, and for OHP member information you have to answer both. This article explains where the two bodies of law diverge, which one controls when they do, and what that means for a practice that treats OHP patients.
Key takeaways
- The Oregon Health Plan is Oregon's Medicaid program, so its member information carries a confidentiality standard set by federal Medicaid law, not by HIPAA alone.
- That standard — use and disclosure only for purposes "directly connected with" administering the plan (42 USC 1396a(a)(7); ORS 411.320) — is narrower than HIPAA's treatment, payment, and health care operations permissions (45 CFR 164.506).
- Where the two point in different directions for OHP data, the stricter Medicaid rule controls; following it never violates HIPAA, because HIPAA's permissions are ceilings, not mandates.
- Oregon flows the standard down to providers through its Medicaid records rule (OAR 410-120-1360) and coordinated care organization contracts, not just through the statute.
- The common mistake runs both ways: some practices make disclosures Medicaid bars, and others refuse audits or fraud investigations that both HIPAA and the Medicaid rules plainly allow without patient authorization.
Why the Oregon Health Plan brings its own privacy rules
OHP is not a private insurer. It is Oregon's Medicaid and Children's Health Insurance Program, administered by the Oregon Health Authority (OHA) and delivered largely through coordinated care organizations (CCOs) — regional entities that manage care for OHP members. Because OHP is Medicaid, it inherits a federal confidentiality regime that predates HIPAA and applies on its own terms.
That regime starts in the Social Security Act. Section 1902(a)(7) requires every state Medicaid plan to provide "safeguards which restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with" the administration of the plan.1 The implementing regulations sit at 42 CFR Part 431 Subpart F.2 Two features of that subpart matter for a practice:
- A defined, narrow set of permitted purposes. 42 CFR 431.302 lists the "purposes directly related to plan administration": establishing eligibility, determining the amount of medical assistance, providing services for beneficiaries, and conducting or assisting an investigation, prosecution, or proceeding related to administering the plan.2 That list is the gate. A use or disclosure outside it is not permitted for Medicaid information, even where HIPAA might allow it.
- A state statute with legal sanctions. 42 CFR 431.301 requires the state plan to provide the safeguards "under a State statute that imposes legal sanctions."2 Oregon meets that requirement with ORS 411.320.
Oregon's statute mirrors the federal standard. ORS 411.320 provides that the agency may not disclose or use public assistance records "for purposes other than those directly connected with the administration of the public assistance programs," with a modest Oregon-specific addition: disclosure is also allowed where "necessary to assist public assistance applicants and recipients in accessing and receiving other governmental or private nonprofit services."3 The statute also declares that, in most judicial or administrative proceedings, the contents of those records "are considered privileged communications."3
How does Medicaid confidentiality differ from HIPAA?
HIPAA and Medicaid confidentiality are built on different logic, and that is the source of the friction a compliance advisor flags.
HIPAA is permissive. It tells a covered entity what it may do without patient authorization: it may use and disclose protected health information for its own treatment, payment, and health care operations, and for a defined list of public-interest purposes.4 Critically, these are ceilings on permission, not obligations — HIPAA almost never requires a covered entity to disclose. It also layers a minimum-necessary rule on most disclosures.5
Medicaid confidentiality is restrictive. It does not start from what a provider may do; it starts from a cap. Information about OHP applicants and members may be used or disclosed only for purposes directly connected with running the program.13 A purpose that is genuinely unrelated to administering the Medicaid benefit falls outside the gate regardless of whether HIPAA would have permitted it.
Because HIPAA's permissions are ceilings and Medicaid's standard is a floor of restriction, the two are reconcilable: following the stricter Medicaid rule for OHP data never puts you out of step with HIPAA. HIPAA expressly permits disclosures that are required by other law and does not compel the disclosures Medicaid confidentiality would bar.6 And under HIPAA's preemption rule, a state privacy law that is more protective of the individual is not displaced by the federal standard.7 The practical rule of thumb for OHP member information is therefore simple to state and easy to get wrong in the moment: when HIPAA and Medicaid confidentiality point in different directions, follow the narrower one.
Three places OHP rules reach past the HIPAA floor
1. The permitted-purpose gate is narrower than treatment, payment, and operations
HIPAA's "health care operations" category is broad. It reaches quality activities, care coordination, business management, and more. Some disclosures HIPAA permits — for example, using limited protected health information for a practice's own fundraising, or certain operations disclosures to another covered entity — have no obvious tie to administering the Medicaid program. For OHP member information, the directly-connected standard governs, so a use that is permissible under HIPAA can still be off-limits because it is not connected to running the plan.13 The gap is not enormous for routine treatment and billing, which sit squarely inside both regimes. It shows up at the edges — secondary uses of member data that HIPAA tolerates but Medicaid confidentiality does not.
2. OHP records can carry an evidentiary privilege HIPAA does not create
HIPAA sets rules for disclosing protected health information in litigation, but it does not make a medical record privileged. Oregon's Medicaid confidentiality statute goes further: in any judicial or administrative proceeding other than one connected with administering public assistance or child-support enforcement, the contents of the records "are considered privileged communications."3 That is a substantive protection Oregon layers on top of HIPAA for OHP records — one that changes how a subpoena for those records should be handled, and a place where reflexively "just following HIPAA" would understate the protection the member is owed.
3. The duties flow down to providers through Oregon's Medicaid rules
The federal and state statutes speak to the Medicaid agency. Oregon carries the same standard down to providers through its Medicaid administrative rules. OAR 410-120-1360 requires every OHP provider to keep policies and procedures that maintain the confidentiality of medical-record information and release it "in accordance with federal and state statutes," naming ORS 179.505 through 179.507, ORS 411.320, ORS 433.045, 42 CFR part 2, 42 CFR subpart F, and 45 CFR 205.50.8 A practice enrolled to bill OHP agrees to that rule, and a CCO contract typically flows equivalent obligations down again. So the Medicaid confidentiality standard reaches an OHP provider not because ORS 411.320 names the provider directly, but through the provider agreement and the rules it accepted to participate.
Where people wrongly think HIPAA blocks something OHP requires
The divergence runs the other way too, and this is the more common real-world mistake. Providers sometimes withhold records from a Medicaid audit or a fraud investigator, believing HIPAA or "patient privacy" forbids the disclosure. It does not.
OAR 410-120-1360 is explicit that "access to records, inclusive of medical charts and financial records does not require authorization or release from the client" when the purpose is to perform billing review, to perform utilization review, to review the quality and medical appropriateness of care, to facilitate payment authorization, to investigate a client's contested-case hearing request, or to facilitate an investigation by the Medicaid Fraud Control Unit or the federal Department of Health and Human Services.8 HIPAA independently permits each of these as a payment, health care operations, health-oversight, or required-by-law disclosure.46 Both bodies of law point the same way. A provider who refuses on HIPAA grounds is misreading both — and, under the same rule, records not produced on time may be deemed not to exist for purposes of an audit or overpayment determination, exposing the provider to recovery of payments or sanctions.8
Behavioral health and substance use tighten the knot
For OHP members receiving behavioral health or substance use disorder (SUD) treatment, a third and fourth layer stack on top. Oregon's health-records confidentiality statute for certain behavioral health providers, ORS 179.505, imposes stricter authorization and access rules than HIPAA where it applies.9 And federal 42 CFR Part 2 imposes its own consent regime on SUD treatment records that is, in specific respects, stricter than HIPAA.10 OHP's coordinated-care model actively encourages sharing member information across a CCO's network to coordinate care — a goal that runs into these confidentiality rules from the opposite side. Untangling which record can be shared, with whom, and on what consent is exactly the kind of question that does not have a one-line answer. Our Oregon privacy and security laws overview covers ORS 179.505 and the behavioral health rules in more depth.
What this means for your HIPAA risk analysis
None of the above changes the method of a HIPAA risk analysis under 45 CFR 164.308(a)(1)(ii)(A). It changes the inputs. A practice that treats OHP members operates under HIPAA plus a narrower Medicaid confidentiality standard plus, for some records, behavioral health and SUD rules. A defensible risk analysis and the disclosure procedures built on it should reflect:
- the directly-connected-with-administration standard as the governing gate for OHP member information, not HIPAA's broader operations category;
- the provider records-and-confidentiality obligations in OAR 410-120-1360 that you accepted at enrollment, and any CCO contract terms that flow duties down;
- the evidentiary-privilege status of OHP records in litigation; and
- the behavioral health (ORS 179.505) and 42 CFR Part 2 rules where your patient population makes them relevant.
A risk analysis that treats HIPAA as the only applicable law is incomplete for an OHP practice, because it will not surface the narrower Medicaid standard, the flow-down duties, or the extra protections an Oregon regulator or a CCO would expect to see reflected in your procedures.
What Oregon OHP practices should do this quarter
You do not need a law firm to take the first, organizational steps. You do need to be precise about which standard governs which data.
- Confirm your OHP participation obligations in writing. Locate your provider enrollment agreement and any CCO contract, and note the confidentiality and records-access clauses they contain. These are the documents that flow the Medicaid standard down to you.
- Add the directly-connected test to your disclosure workflow. For OHP member information, train whoever handles records requests to ask not only "does HIPAA permit this?" but also "is this directly connected with administering the plan?" — and to follow the narrower answer.
- Separate the two failure modes. Make sure staff know that audits, utilization review, and fraud investigations do not require patient authorization, while secondary uses unrelated to plan administration may be barred even when HIPAA would tolerate them.
- Flag behavioral health and SUD records. If you treat OHP members for mental health or substance use, mark those records for the stricter ORS 179.505 and 42 CFR Part 2 handling before a coordination request arrives.
- Bring the OHP facts into your risk analysis. When you next update your risk analysis, record the Medicaid confidentiality standard, the flow-down obligations, and your sensitive-record handling as part of your environment.
These steps prepare the ground. Turning them into a dated risk analysis, a gap report, and disclosure procedures that a regulator or a CCO would find defensible is the work itself — specific, citation-heavy, and easy to get wrong from a blank page. CoreFolio HIPAA walks through each step and produces that documentation with the structure already in place.
Sources
Footnotes
-
Social Security Act § 1902(a)(7), 42 U.S.C. § 1396a(a)(7) (state Medicaid plan must provide "safeguards which restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with" the administration of the plan). United States Code, govinfo.gov: https://www.govinfo.gov/content/pkg/USCODE-2023-title42/html/USCODE-2023-title42-chap7-subchapXIX-sec1396a.htm ↩ ↩2 ↩3
-
42 CFR Part 431 Subpart F — Safeguarding Information on Applicants and Beneficiaries (§ 431.300 basis and purpose; § 431.301 state plan requirement "under a State statute that imposes legal sanctions"; § 431.302 purposes directly related to plan administration; § 431.306 release of information). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-42/chapter-IV/subchapter-C/part-431/subpart-F — § 431.301 full text also at https://www.law.cornell.edu/cfr/text/42/431.301 and § 431.302 at https://www.law.cornell.edu/cfr/text/42/431.302 ↩ ↩2 ↩3
-
ORS 411.320 (Disclosure and use of records limited to purposes connected to administration of public assistance programs — "directly connected with the administration of the public assistance programs" standard; assistance-in-accessing-other-services clause; "privileged communications" in judicial or administrative proceedings). Oregon Revised Statutes, Chapter 411: https://www.oregonlegislature.gov/bills_laws/ors/ors411.html ↩ ↩2 ↩3 ↩4 ↩5
-
45 CFR § 164.506 (permitted uses and disclosures for treatment, payment, and health care operations, without authorization). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-164.506 — full text also at https://www.law.cornell.edu/cfr/text/45/164.506 ↩ ↩2
-
45 CFR § 164.502(b) (minimum necessary standard for most uses and disclosures of protected health information). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-164.502 ↩
-
45 CFR § 164.512(a) (a covered entity may use or disclose protected health information to the extent the use or disclosure is required by law). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-164.512 — full text also at https://www.law.cornell.edu/cfr/text/45/164.512 ↩ ↩2
-
45 CFR § 160.203 (preemption of contrary State law; the "more stringent" exception for state law relating to the privacy of individually identifiable health information). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-160.203 ↩
-
OAR 410-120-1360 (Requirements for Financial, Clinical and Other Records — provider confidentiality policies releasing information in accordance with ORS 179.505 through 179.507, 411.320, 433.045, 42 CFR part 2, 42 CFR subpart F, and 45 CFR 205.50; the no-authorization access categories at subsection (4); records-deemed-not-to-exist consequence at subsection (5)). Oregon Secretary of State, Oregon Administrative Rules Database: https://secure.sos.state.or.us/oard/view.action?ruleNumber=410-120-1360 ↩ ↩2 ↩3
-
ORS 179.505 (Disclosure of written accounts by health care services provider — stricter authorization, access, and behavioral health confidentiality rules where it applies). Oregon Revised Statutes, Chapter 179: https://www.oregonlegislature.gov/bills_laws/ors/ors179.html ↩
-
42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2 ↩