5101:1-37-51.1 Medicaid: safeguarding and releasing information.

(A) This rule describes the administrative agency's responsibilities regarding disclosing information, maintaining confidentiality and safeguarding information for an individual applying for or participating in a medical assistance program.

(B) "Safeguarded information" includes but is not limited to the following types of information:

(1) Names and addresses; and

(2) Medical services provided; and

(3) Social and economic conditions or circumstances; and

(4) Agency evaluation of personal information; and

(5) Medical data, including diagnosis and past history of disease or disability; and

(6) Any information received in connection with the identification of third party coverage; and

(7) Any information received for verifying income eligibility and amount of medical assistance payments. Income information received from the social security administration (SSA) or the internal revenue service (IRS) must be safeguarded according to the requirements of the agency that furnished the data.

(C) Administrative agency safeguarding responsibilities. The administrative agency must:

(1) Implement administrative, physical and technical safeguards in accordance with 45 CFR 164.308 , 45 CFR 164.310 , and 45 CFR 164.312 (as in effect on April 1, 2013).

(2) Follow the safeguarding guidelines for protecting federal tax information (FTI) described in the most current version of IRS publication 1075 (rev. 6/2010).

(3) Safeguard information received or maintained about an individual connected with the administration of the medicaid program in accordance with 42 C.F.R. 431.302 (as in effect on March 1, 2013).

(4) Publicize provisions governing the confidential nature of information about individuals, including the legal sanctions imposed for improper disclosure and use, in accordance with 42 C.F.R. 431.304 (as in effect March 1, 2013).

(5) Provide copies of the publicized provisions to individuals and to other persons and agencies to whom information is disclosed, in accordance with 42 C.F.R. 431.304 (as in effect March 1, 2013).

(6) Protect the types of safeguarded information required by 42 C.F.R. 431.305 (as in effect March 1, 2013).

(7) Not release medical, psychiatric or psychological information to an individual or authorized representative if the administrative agency has reason to believe that the release may have an adverse effect on the individual, as provided in section 5122.31 of the Revised Code.

(8) Not publish names of individuals in accordance with 42 C.F.R. 431.306(c) (as in effect March 1, 2013).

(D) Release of information. The administrative agency must:

(1) Obtain permission from an individual or authorized representative before releasing information, unless that information is used to verify income or eligibility, in accordance with 42 C.F.R. 431.306(d) (as in effect on March 1, 2013).

(2) Apply policies to all requests for information from outside sources, including governmental bodies, courts of law, or law enforcement officials, except as provided in sections 5101.26 to 5101.30 of the Revised Code.

(3) Establish criteria specifying the conditions for release and use of information about individuals. The information must be restricted to persons or agency representatives who are subject to standards of confidentiality that are comparable to those of the agency in accordance with 42 C.F.R. 431.306(a) and (b) (as in effect on March 1, 2013).

(4) Limit disclosures of protected health information (PHI) for individuals applying for, or participating in, a medical assistance program to purposes related to payment, treatment, or health care operations. For any other purposes, disclosures of information about the health care of an individual, health care provided to an individual, or payment for the provision of health care for an individual require an authorization compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with 45 CFR 164.508 (as in effect April 1, 2013).

(5) Release information as permitted by and in accordance with sections 5101.27 and 5101.271 of the Revised Code.

Effective: 10/01/2013
R.C. 119.032 review dates: 10/01/2018
Promulgated Under: 111.15
Statutory Authority: 5111.01 , 5111.011
Rule Amplifies: 307.981 , 329.01 , 1347, 3503.10 , 5101.30 , 5111.01 , 5111.011 , 5122.31 , 5703.211