Ohio Admin. Code 5160-1-32 - Medicaid: safeguarding and releasing information

(A) "Safeguarded information" includes but is not limited to the following types of information about individual medicaid applicants, enrollees, or former recipients:

(1) Names and addresses; and

(2) Social security numbers; and

(3) Medical services provided; and

(4) Social and economic conditions or circumstances; and

(5) Agency evaluation of personal information; and

(6) Medical data, including diagnosis and past history of disease or disability; and

(7) Any information received in connection with the identification of third party coverage; and

(8) Any information received for verifying income eligibility and amount of medical assistance payments. Income information received from the social security administration (SSA) or the internal revenue service (IRS) must should be safeguarded according to the requirements regulations of the agency that furnished the data.

(B) For the purpose of this rule, "administrative agency" means the Ohio department of medicaid (ODM) and/ or an agent of ODM to determine eligibility or maintain records for a medical assistance program. The administrative agency must has the following responsibilities:

(1) Implement Implementing administrative, physical and technical safeguards in accordance with 45 C.F.R. 164.308, 45 C.F.R. 164.310, and 45 C.F.R. 164.312 (as in effect on October 1, 2015 2023).

(2) Follow Following the safeguarding guidelines for protecting federal tax information (FTI) described in the most current version of IRS publication 1075 (rev. 10/2014 11/2021).

(3) Safeguard Safeguarding information received or maintained about an individual connected with the administration of the medicaid program in accordance with section 1902(a)(7) of the Social Security Act (as in effect on July October 1, 2016 2023).

(4) Publicize Publicizing provisions governing the confidential nature of information about individuals, including the legal sanctions imposed for improper disclosure and use, in accordance with 42 C.F.R. 431.304 (as in effect October 1, 2015 2023).

(5) Provide Providing copies of the publicized provisions to individuals and to other persons and agencies to whom information is disclosed, in accordance with 42 C.F.R. 431.304 (as in effect October 1, 2015 2023).

(6) Protect Protecting the types of safeguarded information required by referenced in 42 C.F.R. 431.305 (as in effect October 1, 2015 2023).

(7) Maintain Maintaining confidentiality and safeguard safeguarding psychiatric hospitalization records, mental health or addiction treatment records, rehabilitation and correction records, or other sensitive records in accordance with section 5122.31 of the Revised Code.

(8) Refraining from publishing Not publish names of individuals in accordance with 42 C.F.R. 431.306(c) (as in effect October 1, 2015 2023).

(C) Release of information. The administrative agency must has the following responsibilities:

(1) Obtain Obtaining permission from an individual or authorized representative before releasing information, unless that information is used to verify income or eligibility, in accordance with 42 C.F.R. 431.306(d) (as in effect on October 1, 2015 2023).

(2) Apply Applying policies to all requests for information from outside sources, including governmental bodies, courts of law, or law enforcement officials, except as provided in sections 5160.45 to 5160.48 of the Revised Code.

(3) Establish Establishing criteria specifying the conditions for release and use of information about individuals. The information must has to be restricted to persons or agency representatives who are subject to standards of confidentiality that are comparable to those of the agency in accordance with 42 C.F.R. 431.306(a) and (b) (as in effect on October 1, 2015 2023).

(4) Limit Limiting disclosures of protected health information (PHI) for individuals applying for, or participating in, a medical assistance program to purposes related to payment, treatment, or health care operations. For any other purposes, disclosures of information about the health care of an individual, health care provided to an individual, or payment for the provision of health care for an individual require has to include an authorization or waiver of authorization from an institutional review board or privacy board compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with 45 C.F.R. 164.508 and 45 C.F.R. 164.512(i) (as in effect October 1, 2015 2023).

(5) Release Releasing information as permitted by and in accordance with section 5160.45 of the Revised Code.

Notes

Ohio Admin. Code 5160-1-32

Effective: 11/1/2024
Five Year Review (FYR) Dates: 6/14/2024 and 11/01/2029
Promulgated Under: 119.03
Statutory Authority: 5162.02, 5160.48
Rule Amplifies: 5160.45, 5160.48
Prior Effective Dates: 10/01/2013, 01/13/2017