(1) The Director of the Department of Consumer and Business Services shall adopt rules implementing ORS § 746.607. In adopting rules under this section, the director shall consider the information privacy provisions of the federal Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) and the federal Gramm-Leach-Bliley Act (P.L. 106-102).

(2) The rules adopted under subsection (1) of this section shall include but are not limited to:

(a) Permitted uses and disclosures of:

(A) Personal financial information for business, professional or insurance purposes; and

(B) Protected health information for treatment, payment and health care operations.

(b) Requirements for notice of privacy practices for protected health information and notice of information practices for personal financial information. [2003 c.87 § 4]