Skip to main content
CoreFolioHIPAA
Oregon

HIV and genetic testing consent in Oregon: the sensitive-category rules that layer on HIPAA

Oregon adds pre-test notice for HIV and informed-consent rules for genetic information that go beyond HIPAA. What the rules require and how they interact with the federal floor.

By CoreFolio

8-minute read

Oregon singles out two categories of sensitive health information for handling that goes beyond HIPAA: HIV testing and genetic information. For HIV, ORS 433.045 requires a provider to give notice and an opportunity to decline before testing, and it wraps test results in a confidentiality rule. For genetic data, ORS 192.535 requires the individual's informed consent before a person may even obtain genetic information or a DNA sample — a requirement HIPAA does not impose at all. Neither replaces HIPAA; both add a step on top of it.

These rules reach ordinary practices, not just specialists. A primary-care office that orders an HIV screen, or a clinic that collects a cheek swab for a pharmacogenetic test, is inside them. This article explains what each rule requires, where it is genuinely stricter than HIPAA, and where — for HIV — the federal floor still does most of the work.

Key takeaways

  • Before an HIV test, an Oregon provider must notify the individual and allow them to decline; that notice may be verbal or in a general medical consent form (ORS 433.045).1
  • Oregon protects HIV test results and identity from disclosure except as federal law, state law, or rule permits, or as the individual authorizes — so it generally does not bar a disclosure HIPAA already allows.1
  • For genetic information, Oregon requires the individual's informed consent before a person may obtain it or a DNA sample (ORS 192.535) — a consent-to-obtain step HIPAA has no equivalent for.2
  • Oregon's genetic rules give patients control over the DNA sample itself, including destruction after testing and an out-of-pocket option to avoid payer disclosure (OAR 333-025-0140).3
  • These are "more stringent" state provisions HIPAA does not preempt (45 CFR 160.203); they belong in your consent forms, intake workflow, and risk analysis.4

HIV testing: notice, the chance to decline, and result confidentiality

Oregon does not require a separate, signed HIV-specific consent form for most providers. What it requires is notice and an opportunity to decline before the test. ORS 433.045 provides that, before subjecting an individual to an HIV test, a health care provider or the provider's designee shall "Notify the individual being tested" and "Allow the individual being tested the opportunity to decline the test."1 That notice "may be verbal or in writing, and may be contained in a general medical consent form."1 So a practice can meet the requirement through a well-drafted general consent — but it has to actually give the notice and honor a decline.

The statute also protects the sensitive result. A person "may not disclose or be compelled to disclose the identity of any individual upon whom an HIV-related test is performed, or the results of such a test in a manner that permits identification of the subject of the test," except as required or permitted by federal law, Oregon law, or applicable rule, or as authorized by the individual.1 Two points make this precise:

  • It is not stricter than HIPAA on disclosure in most cases. Because the exception expressly includes disclosures permitted by federal law, a disclosure HIPAA already allows — for treatment, for example — is generally not barred by ORS 433.045. The statute's distinctive contribution is the pre-test notice requirement, not a narrower disclosure gate.
  • Insurers face a stricter, separate rule. When an insurer, insurance producer, or insurance-support organization asks an applicant to take an HIV test, it must reveal the use of the test and obtain the applicant's written consent, and the consent form must disclose the purpose and who may receive results.1

For a provider, the operational takeaway is small but real: build the HIV notice and decline step into your testing workflow, and document it.

Genetic information is where Oregon clearly exceeds HIPAA. HIPAA regulates the use and disclosure of protected health information but does not require a patient's consent simply to obtain it for treatment. Oregon's Genetic Privacy Act does. ORS 192.535 provides that a person generally may not obtain genetic information from an individual, or from an individual's DNA sample, without first obtaining the informed consent of the individual or the individual's representative, subject to enumerated exceptions (such as certain law enforcement, paternity, newborn screening, and anonymous-research uses).2 A licensed physician seeks that consent through Oregon's physician informed-consent procedure; other licensed providers and researchers follow procedures set by rule.2

Oregon also gives the individual meaningful control over the physical sample and the downstream information:

  • Sample destruction and payer choice. The informed-consent process requires telling the individual that they may have their DNA sample promptly destroyed after the authorized test is complete, and that they may pay out of pocket rather than file an insurance claim to avoid disclosing to a third-party payer that the test was performed.3
  • Consent to disclose. Oregon restricts disclosure of genetic information without specific authorization, layered on top of HIPAA's disclosure rules.5

This matters for a widening range of practices — pharmacogenomic testing, carrier screening, and cancer-risk panels are no longer specialist-only. If your practice collects a sample for genetic analysis, the consent-to-obtain step is a distinct Oregon obligation.

The federal genetic-privacy backdrop

Two federal rules sit alongside Oregon's. HIPAA itself bars a health plan from using or disclosing genetic information for underwriting purposes (45 CFR § 164.502(a)(5)(i)), and the federal Genetic Information Nondiscrimination Act (GINA) restricts the use of genetic information in health insurance and employment.6 Oregon's informed-consent-to-obtain requirement is additive to these — it governs the collection step the federal rules largely do not.

How these layer with HIPAA

HIPAA's preemption framework preserves both Oregon rules. A state provision that relates to the privacy of individually identifiable health information and is more stringent than the federal standard is not preempted, under 45 CFR § 160.203.4 The genetic consent-to-obtain requirement is plainly more stringent — HIPAA has no analog. The HIV notice-and-decline requirement is an added procedural step rather than a narrower disclosure rule, but it is a real obligation a HIPAA-only workflow will miss.

The reconciling principle is the same one that governs the rest of Oregon's overlay: comply with HIPAA and with the stricter Oregon step. Following the Oregon rule never violates HIPAA, because HIPAA permits — but does not compel — the disclosures at issue.

What this means for your HIPAA compliance file

None of this changes the method of a HIPAA risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). It changes the inputs and your consent forms. A practice that orders HIV tests or handles genetic data should reflect:

  • an HIV pre-test notice-and-decline step in the testing workflow, captured in the general consent or a dedicated notice, and documented;
  • a genetic informed-consent-to-obtain process that meets ORS 192.535 and the associated Oregon rules, including sample-destruction and payer-choice disclosures;
  • disclosure procedures for genetic information that require specific authorization; and
  • staff training so intake and testing staff apply the sensitive-category steps consistently.

A risk analysis that treats HIPAA as the only applicable law is incomplete for an Oregon practice that touches either category.

What Oregon practices should do this month

  1. Add the HIV notice step to your workflow. Confirm your general consent or intake process gives the ORS 433.045 notice and records the opportunity to decline before any HIV test.
  2. Build a genetic informed-consent form. If you collect samples for genetic analysis, adopt a consent process that meets ORS 192.535 and includes the sample-destruction and out-of-pocket disclosures.
  3. Set disclosure rules for genetic data. Require specific authorization for genetic-information disclosures beyond what treatment permits.
  4. Train intake and testing staff. Make the sensitive-category steps a consistent, documented part of the visit.
  5. Reflect it in your risk analysis. Record the HIV and genetic obligations as part of your documented environment.

These steps prepare the ground. Turning them into a dated risk analysis, consent forms, and disclosure procedures a regulator would find defensible is the work itself — specific, citation-heavy, and easy to get wrong from a blank page. CoreFolio HIPAA walks through each step and produces that documentation with the structure already in place.

Sources

Footnotes

  1. ORS 433.045 (Notice of HIV test required; exceptions — notice and opportunity to decline before an HIV test, which may be verbal or in a general medical consent form; confidentiality of identity and results; separate written consent for insurer testing). Oregon Revised Statutes, Chapter 433: https://www.oregonlegislature.gov/bills_laws/ors/ors433.html 2 3 4 5 6

  2. ORS 192.535 (Informed consent for obtaining genetic information — consent required before obtaining genetic information or a DNA sample, subject to exceptions). Oregon Revised Statutes, Chapter 192: https://www.oregonlegislature.gov/bills_laws/ors/ors192.html 2 3

  3. OAR 333-025-0140 (Informed Consent Procedures for Obtaining Genetic Information — elements of consent, including the right to have a DNA sample destroyed after testing and the option to pay out of pocket to avoid payer disclosure). Oregon Secretary of State, Oregon Administrative Rules: https://secure.sos.state.or.us/oard/viewSingleRule.action?ruleVrsnRsn=55498 2

  4. 45 CFR § 160.203 (preemption of contrary State law; "more stringent" exception for state privacy provisions). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-160.203 2

  5. ORS 192.539 (Disclosure of genetic information — authorization requirements). Oregon Revised Statutes, Chapter 192: https://www.oregonlegislature.gov/bills_laws/ors/ors192.html

  6. 45 CFR § 164.502(a)(5)(i) (HIPAA — prohibition on health plans using or disclosing genetic information for underwriting purposes, implementing the Genetic Information Nondiscrimination Act). Electronic Code of Federal Regulations: https://www.ecfr.gov/current/title-45/section-164.502