340:2-8-5. Privacy officer
(a) The Oklahoma Department of Human Services (DHS) designated a privacy officer to perform the required functions, per Section 164.530 of Title 45 of the Code of Federal Regulations.The contact information is:Oklahoma Department of Human Services, Privacy Officer, PO Box 25352, Oklahoma City, Oklahoma 73125.
(b) The privacy officer is responsible for:
(2) making decisions regarding the use and or disclosure of protected health information (PHI) when requested for the purpose of:
(A) judicial and administrative proceedings;
(B) law enforcement investigations;
(C) research; and
(3) reviewing a denial for a client's access to his or her own PHI for reasons indicated in Oklahoma Administrative Code 340:2-8-4(a)(1)(C), and taking appropriate action following the review;
(4) receiving complaints regarding the use or disclosure of PHI from external and internal sources, and taking the appropriate action following the review; • 1
(5) ensuring proper business associate agreements contain the appropriate language and provisions as required by the Privacy Rule; and
(6) receiving complaints regarding business associate activities or practices, and taking appropriate action following the review. • 2
1.(a) The privacy officer reviews all complaints, makes a decision regarding the appropriate action, documents the decision, informs the client, and forwards copies of all documentations to the client's case record.The documentation must be kept for six years.
(b) When the privacy officer determines that an inappropriate use or disclosure occurred, Oklahoma Department of Human Services (DHS) staff takes all practicable steps to mitigate the harmful effects.The mitigation that occurs is based on the facts and circumstances of each case.
2.(a) The privacy officer sends a letter to the business associate requesting review of the circumstances related to the alleged conduct and requires a response from the business associate within 10-business days.
(b) When the facts known to DHS indicate a violation of the business associate agreement, the privacy officer sends a letter outlining required remediation in order for the business associate to attain contract compliance.
(c) When contract compliance cannot be attained, DHS must terminate the contract when feasible.When termination is not feasible, the privacy officer reports the problem to the United States Department of Health and Human Services, Office for Civil Rights.