Who is affected by this change?

This affects Oregon Health Plan in OR on Medicaid plans.

When does this change take effect?

This change is effective Jan 1, 2024.

Back to dashboard

MedicaidAdministrativeLow impact

Timeframe for CCOs to report security/privacy incidents to ODHS/OHA Information Security and Privacy Office (ISPO)

Oregon Health Plan·OR·Plan contract

Effective date

Jan 1, 2024

We identified it

Jun 20, 2026

Days to comply

—

Summary

Oregon's CCO contracts now require security/privacy incidents to be reported to state authorities within 1 business day instead of 5 business days, effective immediately for 2023 and formally required in 2024 contracts. This change affects CCOs (Coordinated Care Organizations) that manage Medicaid and some commercial plans in Oregon.

Action Required

Action needed

Immediately: If your practice contracts with Oregon CCOs, update internal security incident response procedures to notify your CCO within 1 business day of discovering any security or privacy breach. Review current incident reporting protocols and ensure compliance staff are aware of the accelerated timeline.

Related policy hubs

Oregon Health Plan policies OR policy changes