(A) Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law requiring the administrative agency to issue a certificate of creditable coverage and a privacy notice.
(1) "Certificate of creditable coverage" is a document that reflects certain details about an individual's creditable health coverage.
(2) "Electronic protected health information" (ePHI) refers to any PHI that is in electronic form, maintained or transmitted, regardless of the format.
(3) "Individually identifiable health information" means information that is a subset of health information including demographic information collected from an individual and:
(a) Is created or received by a health care provider, health plan, employer or health care clearinghouse; and
(b) Relates to the past, present, or future physical condition or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and;
(i) Identifies the individual; or
(ii) There is a reasonable basis to believe the information can be used to identify the individual.
(4) "Protected health information" (PHI) means individually identifiable health information that is transmitted by electronic media, maintained in electronic media or transmitted or maintained in any other form or medium as defined in 45 C.F.R. 160.103 (as in effect on November 1, 2009).
(C) Administrative agency responsibilities: The administrative agency shall:
(1) Ensure appropriate safeguards are taken in accordance with rule 5101:1-37-01.1 of the Administrative Code.
(2) Issue all individuals of medical assistance programs a privacy notice, as described in 45 C.F.R. 164.520 (as in effect November 1, 2009), outlining the following descriptions of uses and disclosures, and procedures:
(a) A description of the types of uses and disclosures of PHI the administrative agency is permitted with examples for each of the following purposes:
(ii) Treatment; and
(iii) Healthcare operations.
(b) A description of uses and disclosures permitted without the individual's written consent or authorization;
(c) A statement that other uses and disclosures will be made only with the individual's written authorization;
(d) Complaint procedure;
(e) Request for restriction procedure;
(f) Request for amendment procedure;
(g) Request for accounting procedure; and,
(h) A name, or title, and telephone number of a person to contact for further information.
(3) Issue the JFS 03748, "Certificate of Group Health Plan Coverage" (Rev. 6/2003) or its electronic equivalent, for any medicaid eligible individual. The administrative agency has the option to create its own certificate provided it contains all of the following information, as cited in 45 C.F.R. 146.115(a)(3)(ii) (as in effect November 1, 2009):
(a) The date the certificate is issued;
(b) The name of the group health plan that provided the coverage;
(c) The name(s) of the individual(s);
(d) The medicaid billing number;
(e) The name, address and telephone number of the administrative agency member who is responsible for issuing certificates and accepting telephone inquiries regarding the certificates;
(f) A statement that an individual has at least eighteen months of creditable coverage before a significant break in coverage,
(g) Dates of creditable coverage; and
(h) Date the creditable coverage ended.
(i) An educational statement regarding HIPAA explaining:
(i) The restrictions on the ability of a health plan or issuer to impose a preexisting condition exclusion against an individual including an individual's ability to reduce a preexisting condition exclusion by creditable coverage;
(ii) Special enrollment rights;
(iii) The prohibitions against discrimination based on any health factor;
(iv) The right to individual health coverage;
(v) The fact that state law may require issuers to provide additional protections to individuals in that state; and
(vi) Where to get more information.
(4) Provide the certificate of coverage to all medicaid-eligible individuals, dependents or to an entity requesting the certificate on behalf of the individual. The certificate shall be available for up to no less than twenty-four months after coverage ceases. The certificate shall be mailed to the individual's last known address. If a dependent's last known address is different than the participant's last known address, a separate certificate is required to be provided to the dependent at the dependent's last known address in accordance with 45 C.F.R. 146.115(a)(4) (as in effect November 1, 2009).
Replaces: 5101:1-38- 01.5
R.C. 119.032 review dates: 11/01/2014
Promulgated Under: 111.15
Statutory Authority: 5111.01, 5111.011
Rule Amplifies: 3901.44, 5101.27, 5111.01, 5111.011
Prior Effective Dates: 10/1/98, 10/6/03