Ohio Admin. Code 5160-1-32 - Medicaid: safeguarding and releasing information
(A)
"Safeguarded
information" includes but is not limited to the following types of
information:
(1)
Names and addresses; and
(2)
Social security
numbers; and
(3)
Medical services provided; and
(4)
Social and
economic conditions or circumstances; and
(5)
Agency evaluation
of personal information; and
(6)
Medical data,
including diagnosis and past history of disease or disability;
and
(7)
Any information received in connection with the
identification of third party coverage; and
(8)
Any information
received for verifying income eligibility and amount of medical assistance
payments. Income information received from the social security administration
(SSA) or the internal revenue service (IRS) must be safeguarded according to
the requirements of the agency that furnished the data.
(B)
For
the purpose of this rule, "administrative agency" means the Ohio department of
medicaid (ODM) and/or an agent of ODM to determine eligibility or maintain
records for a medical assistance program. The administrative agency must:
(1)
Implement
administrative, physical and technical safeguards in accordance with
45 C.F.R.
164.308,
45 C.F.R.
164.310, and
45 C.F.R.
164.312 (as in effect on October 1,
2015).
(2)
Follow the safeguarding guidelines for protecting
federal tax information (FTI) described in the most current version of IRS
publication 1075 (rev. 10/2014).
(3)
Safeguard
information received or maintained about an individual connected with the
administration of the medicaid program in accordance with section 1902(a)(7) of
the Social Security Act (as in effect on July 1, 2016).
(4)
Publicize
provisions governing the confidential nature of information about individuals,
including the legal sanctions imposed for improper disclosure and use, in
accordance with
42 C.F.R.
431.304 (as in effect October 1,
2015).
(5)
Provide copies of the publicized provisions to
individuals and to other persons and agencies to whom information is disclosed,
in accordance with
42 C.F.R.
431.304 (as in effect October 1,
2015).
(6)
Protect the types of safeguarded information required
by
42 C.F.R.
431.305 (as in effect October 1,
2015).
(7)
Maintain confidentiality and safeguard psychiatric
hospitalization records, mental health or addiction treatment records,
rehabilitation and correction records, or other sensitive records in accordance
with section 5122.31 of the Revised
Code.
(8)
Not publish names of individuals in accordance with
42 C.F.R.
431.306(c) (as in effect
October 1, 2015).
(C)
Release of
information. The administrative agency must:
(1)
Obtain permission
from an individual or authorized representative before releasing information,
unless that information is used to verify income or eligibility, in accordance
with
42 C.F.R.
431.306(d) (as in effect on
October 1, 2015).
(2)
Apply policies to all requests for information from
outside sources, including governmental bodies, courts of law, or law
enforcement officials, except as provided in sections
5160.45 to
5160.48 of the Revised
Code.
(3)
Establish criteria specifying the conditions for
release and use of information about individuals. The information must be
restricted to persons or agency representatives who are subject to standards of
confidentiality that are comparable to those of the agency in accordance with
42 C.F.R. 431.306(a) and
(b) (as in effect on October 1,
2015).
(4)
Limit disclosures of protected health information (PHI)
for individuals applying for, or participating in, a medical assistance program
to purposes related to payment, treatment, or health care operations. For any
other purposes, disclosures of information about the health care of an
individual, health care provided to an individual, or payment for the provision
of health care for an individual require an authorization compliant with the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) in
accordance with
45
C.F.R. 164.508 (as in effect October 1,
2015).
(5)
Release information as permitted by and in accordance
with section 5160.45 of the Revised
Code.
Notes
Promulgated Under: 119.03
Statutory Authority: 5162.03
Rule Amplifies: 5162.03, 5160.45, 5160.48
State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.
No prior version found.