191.04 Exchange of protected health care information.

(A) In accordance with federal laws governing the confidentiality of individually identifiable health information, including the "Health Insurance Portability and Accountability Act of 1996," 104 Pub. L. No. 191, 110 Stat. 2021, 42 U.S.C. 1320d et seq., as amended, and regulations promulgated by the United States department of health and human services to implement the act, a state agency may exchange protected health information with another state agency relating to eligibility for or enrollment in a health plan or relating to participation in a government program providing public benefits if the exchange of information is necessary for either or both of the following:

(1) Operating a health plan;

(2) Coordinating, or improving the administration or management of, the health care-related functions of at least one government program providing public benefits.

(B) For fiscal years 2013, 2014, and 2015 only, a state agency also may exchange personally identifiable information with another state agency for purposes related to and in support of a health transformation initiative identified by the executive director of the office of health transformation pursuant to division (C) of section 191.06 of the Revised Code.

(C) With respect to a state agency that uses or discloses personally identifiable information, all of the following conditions apply:

(1) The state agency shall use or disclose the information only as permitted or required by state and federal law. In addition, if the information is obtained during fiscal year 2013, 2014, or 2015 from an exchange of personally identifiable information permitted under division (B) of this section, the agency shall also use or disclose the information in accordance with all operating protocols that apply to the use or disclosure.

(2) If the state agency is a state agency other than the department of medicaid and it uses or discloses protected health information that is related to a medicaid recipient and obtained from the department of medicaid or another agency operating a component of the medicaid program, the state agency shall comply with all state and federal laws that apply to the department of medicaid when that department, as the state's single state agency to supervise the medicaid program, uses or discloses protected health information.

(3) A state agency shall implement administrative, physical, and technical safeguards for the purpose of protecting the confidentiality, integrity, and availability of personally identifiable information the creation, receipt, maintenance, or transmittal of which is affected or governed by this section.

(4) If a state agency discovers an unauthorized use or disclosure of unsecured protected health information or unsecured individually identifiable health information, the state agency shall, not later than seventy-two hours after the discovery, do all of the following:

(a) Identify the individuals who are the subject of the protected health information or individually identifiable health information;

(b) Report the discovery and the names of all individuals identified pursuant to division (C)(4)(a) of this section to all other state agencies and the executive director of the office of health transformation or the executive director's designee;

(c) Mitigate, to the extent reasonably possible, any potential adverse effects of the unauthorized use or disclosure.

(5) A state agency shall make available to the executive director of the office of health transformation or the executive director's designee, and to any other state or federal governmental entity required by law to have access on that entity's request, all internal practices, records, and documentation relating to personally identifiable information it receives, uses, or discloses that is affected or governed by this section.

(6) On termination or expiration of an operating protocol and if feasible, a state agency shall return or destroy all personally identifiable information received directly from or received on behalf of another state agency. If the personally identifiable information is not returned or destroyed, the state agency maintaining the information shall extend the protections set forth in this section for as long as it is maintained.

(7) If a state agency enters into a subcontract or, when required by 45 C.F.R. 164.502(e)(2), a business associate agreement, the subcontract or business associate agreement shall require the subcontractor or business associate to comply with the terms of this section as if the subcontractor or business associate were a state agency.

Amended by 130th General Assembly File No. 25, HB 59, §101.01, eff. 9/29/2013.

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.