Oregon privacy and security laws that layer with HIPAA: what medical and dental practices need to know
How Oregon's breach-notification, data-security, and health-records laws layer on top of HIPAA for medical, dental, and behavioral health practices.
By CoreFolio
13-minute read
Most Oregon medical and dental practices know the federal Health Insurance Portability and Accountability Act (HIPAA) sets the baseline for protecting patient information. Fewer realize that Oregon adds its own layer on top — a state Attorney-General notice trigger, its own breach-notification timing for data HIPAA does not cover, a standalone data-security duty, and confidentiality rules for certain behavioral health records that go beyond the federal floor. None of these replace HIPAA. They stack on it, and in the places where Oregon law is stricter, the Oregon rule is the one you have to follow.
This article explains how state law interacts with HIPAA for practices operating in Oregon, which obligations reach a general medical or dental office, and which apply only to behavioral health providers. The requirements are clear; knowing which ones apply to your specific practice — and reflecting them in your documentation — takes some care.
How Oregon law layers on top of HIPAA
HIPAA does not preempt a state law that is more stringent — that is, a state law giving an individual greater privacy protection or greater rights. The general preemption rule is set out at 45 CFR § 160.203.1
"A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law."
That general rule then carves out an exception: it does not apply where the state-law provision relates to the privacy of individually identifiable health information and is more stringent than the corresponding federal standard. In other words, this is often called "floor preemption": the federal rule is the floor, and a stricter state rule controls. The practical consequence for an Oregon practice is that you comply with HIPAA and with the specific Oregon provisions that are more protective. Oregon does not have a single omnibus medical-privacy act the way California does. Instead, it tightens four discrete areas, described below.
Breach notification: Oregon's 45-day clock (ORS 646A.604)
The Oregon Consumer Information Protection Act (OCIPA) is the state law most likely to reach every Oregon practice. Its breach-notification requirement lives at ORS 646A.604.2
Under OCIPA, a "covered entity" is defined broadly — any person that owns, maintains, or otherwise possesses personal information in the course of business — so a medical or dental practice qualifies. "Personal information" expressly includes information about a consumer's medical history or physical or mental condition, and a health care professional's diagnosis or treatment, when tied to the consumer's name.3 A breach of that data triggers the statute.
The two headline mechanics:
- Timing. Notice to affected consumers must be given "in the most expeditious manner possible, without unreasonable delay, but not later than 45 days after discovering or receiving notification" of the breach. That is shorter than HIPAA's 60-day outer limit for notifying individuals.4
- Attorney-General trigger. If the number of consumers who must be notified exceeds 250, the covered entity must also notify the Oregon Attorney General, in writing or electronically.
Which clock actually governs your practice
This is the piece that trips practices up. Every Oregon medical and dental practice is a HIPAA covered entity, and OCIPA exempts a covered entity that complies with HIPAA's and the HITECH Act's breach-notification regulations from the state statute — for the personal information that is also protected health information under HIPAA.2 So for a breach of protected health information, a practice that follows HIPAA notifies affected individuals on HIPAA's timeline (no later than 60 days), not Oregon's 45.4 The 45-day state clock does not separately bind that protected health information.
Two things keep Oregon in the picture even for a fully HIPAA-compliant practice:
- The Attorney-General copy still applies. Notwithstanding the HIPAA exemption, the practice must still provide the Oregon Attorney General with at least one copy of any notice it sends when the breach affects more than 250 consumers.2 Following HIPAA does not remove this state filing.
- The 45-day clock governs your non-health data. The exemption only covers data that is also subject to HIPAA. A breach of personal information that is not protected health information — for example, employee Social Security numbers, payroll records, or payment-card data not tied to treatment — is not exempt, so Oregon's 45-day consumer-notice deadline and Attorney-General rules apply to it.
In short, the reason to "just follow HIPAA" is exactly right: for protected health information, HIPAA is what governs. Oregon reaches a compliant practice through the Attorney-General copy on large breaches and through the 45-day clock on any non-health personal data it holds.
Other OCIPA breach provisions worth knowing
- Risk-of-harm exception. If, after an appropriate investigation or consultation with law enforcement, the entity reasonably determines that affected consumers are unlikely to suffer harm, consumer notice may not be required — but the determination must be documented in writing and retained for at least five years.2
- Enforcement. A violation is an unlawful practice under Oregon's Unlawful Trade Practices Act, enforced by the Attorney General; OCIPA's breach section does not create a private right of action.2
Data security: your HIPAA program likely carries the state floor
OCIPA also imposes a freestanding duty to develop, implement, and maintain reasonable safeguards to protect personal information, at ORS 646A.622.5 For a practice, this is largely a floor that a genuine HIPAA Security Rule program already meets. OCIPA even provides an affirmative defense: an entity can defend against an inadequate-safeguards allegation by showing it maintained the security measures required for information subject to HIPAA.2
The takeaway is not "do nothing." It is that the Oregon security duty does not demand a separate technical program — it points back at the same administrative, physical, and technical safeguards HIPAA requires. The work is the HIPAA Security Rule work. Where a gap exists against HIPAA, the same gap exists against Oregon law.
Health-records confidentiality for behavioral health providers (ORS 179.505)
Oregon's stricter confidentiality rules are concentrated in ORS 179.505, which governs disclosure of "written accounts" of individually identifiable health information held by a "health care services provider."6 This is the provision most often misread, because its scope is narrower than it first appears.
Who it applies to — a self-test
ORS 179.505 reaches records held by or for a "public provider." Despite the name, "public provider" is not limited to government-owned facilities. The statutory list sweeps in any program providing a full-day, part-day, or by-appointment program of treatment that is "licensed, approved, established, maintained or operated by or contracted with the Oregon Health Authority for alcoholism, drug addiction or mental or emotional disturbance," as well as community mental health programs and the private entities they contract with.6
So the trigger is not ownership — it is an Oregon Health Authority (OHA) license, certification, or contract, or a community-mental-health-program relationship. A useful self-test for a practice: Does this practice hold an OHA behavioral health or substance-use-disorder license or certification, subcontract with a community mental health program, or otherwise operate a treatment program under an OHA relationship? If yes, ORS 179.505 very likely applies. A purely private-pay clinician whose only credential is an individual board license, with no OHA program nexus, is generally outside it. A general dental or primary-care office is almost always outside it.
What it requires where it applies
For practices that fall within ORS 179.505, the provisions are meaningfully stricter than HIPAA:
- Written authorization content. Disclosure with the individual's authorization requires a written, signed, and dated authorization that specifies the provider authorized to disclose, the recipient, the individual's name, the extent or nature of the information, and a revocation statement with an expiration date, event, or condition.6
- Faster patient access. A copy of the written account must be disclosed to the individual or their personal representative "within a reasonable time not to exceed five working days" of a written request — faster than HIPAA's 30-day outer limit.67
- Mental-health access denial. Access to psychiatric or psychological information may be denied if disclosure would constitute an immediate and grave detriment to the individual's treatment and is medically contraindicated by the treating professional.6
- Permissive danger disclosure. Information that, in the provider's professional judgment, indicates a clear and immediate danger to others or to society may be reported to the appropriate authority; a decision not to disclose does not create civil liability. This is a permissive rule, not a mandate — the choice sits with the professional's judgment.6
- Psychotherapy notes. As under HIPAA, disclosure of psychotherapy notes generally requires a separate authorization, with narrow treatment, training, and legal-defense exceptions.6
Unlike OCIPA's breach section, ORS 179.505 is backed by a private right of action: an individual may sue for equitable relief and for damages of actual loss or $500, whichever is greater, plus attorney fees.6
Sensitive categories: minors and genetic information
Two more Oregon rules apply more broadly than ORS 179.505 and are worth flagging, especially for practices that see adolescents or handle genetic data.
- Minor consent for behavioral health (ORS 109.675). A minor 14 years of age or older may obtain outpatient diagnosis or treatment of a mental or emotional disorder or a chemical dependency (excluding methadone maintenance) without parental knowledge or consent, through a range of licensed providers. The provider must involve the minor's parents before the end of treatment unless the parents refuse or there are clear clinical indications to the contrary, documented in the record, with exceptions.8 This shapes who can authorize disclosure of an adolescent's record.
- Genetic information (ORS 192.535). A person may not obtain genetic information from an individual, or from the individual's DNA sample, without first obtaining the individual's informed consent, subject to enumerated exceptions. A licensed health care provider must seek that consent in a manner substantially similar to the informed-consent procedure Oregon requires of physicians.9
A note on Oregon's consumer privacy law (OCPA)
Practices sometimes ask whether the Oregon Consumer Privacy Act (OCPA) applies to them. Its scope is threshold-based: it reaches a person that, in a calendar year, controls or processes the personal data of 100,000 or more consumers, or 25,000 or more consumers while deriving at least 25 percent of gross revenue from selling personal data. It also carries a data-level exemption for protected health information a covered entity or business associate processes under HIPAA.10 For most small and mid-size practices, the volume thresholds are not met, and any patient information that is protected health information is exempt in any event. OCPA is most relevant to a practice's non-clinical data (for example, large marketing lists) — not its patient records.
Where dental practices fit
Dental practices are HIPAA covered entities, and the Oregon layers that reach them are the general ones: the OCIPA breach-notification clock and Attorney-General trigger, the OCIPA reasonable-safeguards duty (met by a HIPAA Security Rule program), and the genetic-information consent rule if genetic data is ever handled. The behavioral health confidentiality regime in ORS 179.505 generally does not apply to a general dental office absent an Oregon Health Authority relationship. The practical implication is that a dental practice's Oregon obligations concentrate in breach response and data security — which makes an accurate incident-response plan and a current risk analysis the highest-value places to focus.
What this means for your HIPAA risk analysis
None of the above changes the method of a HIPAA risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). It changes the inputs. A defensible Oregon risk analysis and the incident-response procedures built on it should reflect:
- which breach clock governs which data: HIPAA's 60-day individual-notice timeline for a protected-health-information breach, the Oregon Attorney-General copy for any breach affecting more than 250 consumers, and Oregon's 45-day clock for a breach of non-protected-health-information the practice holds;
- the fact that following HIPAA's breach process still leaves a state Attorney-General copy obligation for larger breaches;
- whether ORS 179.505 applies to your practice, and if so, the five-working-day access rule and the authorization-content requirements; and
- the minor-consent and genetic-consent rules where your patient population makes them relevant.
A risk analysis that treats HIPAA as the only applicable law is incomplete for an Oregon practice, because it will not surface the state-specific timelines and recipients an Oregon regulator would expect to see.
What Oregon practices should do this month
You do not need a law firm to take the first, organizational steps. You do need to be precise about which rules apply to you.
- Map the right breach clock to the right data. Review your incident-response procedure so it follows HIPAA's 60-day individual-notice timeline for a protected-health-information breach, flags the Oregon Attorney-General copy step for any breach affecting more than 250 consumers, and applies Oregon's 45-day deadline to a breach of non-protected-health information you hold (for example, employee or payroll data).
- Run the ORS 179.505 self-test. Determine, in writing, whether your practice holds an Oregon Health Authority behavioral health or substance-use-disorder license or certification, or contracts with a community mental health program. That single answer decides whether the stricter confidentiality and five-working-day access rules apply to you.
- Confirm your security program is documented, not just running. Because Oregon's safeguards duty points back at HIPAA, the state floor is only as defensible as your HIPAA Security Rule documentation. Locate your current risk analysis and safeguards records.
- Note your sensitive-category exposure. If you treat adolescents or handle genetic information, flag ORS 109.675 and ORS 192.535 for your authorization forms and intake process.
- Bring the state facts into your risk analysis. When you next update your risk analysis, record the Oregon-specific timelines, recipients, and any applicable confidentiality rules as part of your environment — not as an afterthought.
These steps prepare the ground. Turning them into a dated risk analysis, a gap report, and an incident-response procedure that a regulator would find defensible is the work itself — specific, citation-heavy, and easy to get wrong from a blank page. CoreFolio HIPAA walks through each step and produces that documentation with the structure already in place.
Sources
Footnotes
-
45 CFR § 160.203 (preemption of contrary State law; "more stringent" exception). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-160.203 ↩
-
ORS 646A.604 (Notice of breach of security — 45-day deadline; Attorney-General notice when consumers exceed 250; HIPAA/HITECH exemption and the Attorney-General copy obligation for breaches affecting more than 250 consumers; risk-of-harm exception and five-year documentation; Unlawful Trade Practices Act enforcement). Oregon Revised Statutes, Chapter 646A: https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html ↩ ↩2 ↩3 ↩4 ↩5 ↩6
-
ORS 646A.602 (Definitions — "covered entity," "breach of security," and "personal information," which includes information about a consumer's medical history or physical or mental condition). Oregon Revised Statutes, Chapter 646A: https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html ↩
-
45 CFR § 164.404(b) (HIPAA Breach Notification Rule — individual notice "without unreasonable delay and in no case later than 60 calendar days" after discovery of a breach). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-164.404 ↩ ↩2
-
ORS 646A.622 (Requirement to develop safeguards for personal information). Oregon Revised Statutes, Chapter 646A: https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html ↩
-
ORS 179.505 (Disclosure of written accounts by health care services provider — "public provider" scope; written-authorization content; five-working-day access; mental-health access denial; permissive clear-and-immediate-danger disclosure at subsection (12); psychotherapy notes) and ORS 179.507 (private right of action). Oregon Revised Statutes, Chapter 179: https://www.oregonlegislature.gov/bills_laws/ors/ors179.html ↩ ↩2 ↩3 ↩4 ↩5 ↩6 ↩7 ↩8
-
45 CFR § 164.524(b)(2) (HIPAA right of access — the covered entity must act on an access request "no later than 30 days after receipt"). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-164.524 ↩
-
ORS 109.675 (Right to diagnosis or treatment for mental or emotional disorder or chemical dependency without parental consent for minors 14 and older). Oregon Revised Statutes, Chapter 109: https://www.oregonlegislature.gov/bills_laws/ors/ors109.html ↩
-
ORS 192.535 (Informed consent for obtaining genetic information). Oregon Revised Statutes, Chapter 192: https://www.oregonlegislature.gov/bills_laws/ors/ors192.html ↩
-
ORS 646A.572 (Oregon Consumer Privacy Act — scope, thresholds, and the protected-health-information data-level exemption). Oregon Revised Statutes, Chapter 646A: https://www.oregonlegislature.gov/bills_laws/ors/ors646A.html ↩