- (a) The participating entity/business associate may only use and disclose the member's health information for the purposes of a member's treatment, to facilitate payment for Plan benefits or for participating entity/business associate business operations on behalf of the member. The participating entity/business associate may not use or further disclose a member's health information other than permitted by EGID rules or described in a written contract between EGID and the participating entity/business associate.
- (b) Participating entities/business associates shall protect a member's confidential health information according to the following guidelines. Participating entity/business associate shall:
- (1) not use or disclose a member's health information other than permitted in these rules; described in a written contract with EGID or required by law,
- (2) ensure that subcontractors or agents of the participating entity/business associate maintain confidentiality of any health information provided to its subcontractors or agents,
- (3) not use or disclose confidential health information for employment related actions concerning the member, unless required by law,
- (4) notify EGID within five [5] working days when the participating entity/business associate becomes aware of any use or disclosure of a member's health information that is inconsistent with this rule and make an accounting of these disclosures available for EGID and each member,
- (5) allow a member to access and review health information on file with the participating entity/business associate and submit amending statements for inclusion in their health information file,
- (6) establish procedures to protect a member's health information and account for disclosures not authorized by these rules,
- (7) identify the participating entity/business associate employees who may access a member's health information and restrict access to those persons,
- (8) return to EGID or destroy a member's health information when no longer required by the participating entity/ business associate, and if not feasible, limit the use or disclosure to the required purposes,
- (9) ensure that proper security is in place to protect electronically stored health information and
- (10) make internal practices, books and records concerning uses and disclosures of protected health information available for inspection by the appropriate authority. A written contract between EGID and participating entity/business associate shall not limit the participating entity/business associate protection of a member's health information to an extent less than described in this rule.
Added at 42 Ok Reg, Number 20, effective 7-11-25