Chapter 3798: Protected Health Information

3798.01 Definitions.

As used in this chapter:

(A) "Administrative safeguards," "physical safeguards," and "technical safeguards" have the same meanings as in 45 C.F.R. 164.304.

(B) "Approved health information exchange" means a health information exchange that has been approved or reapproved by the medicaid director pursuant to the approval or reapproval process, as applicable, the director establishes in rules adopted under division (A) of section 3798.15 of the Revised Code or that has been certified by the office of the national coordinator for health information technology in the United States department of health and human services.

(C) "Covered entity," "disclosure," "health care provider," "health information," "individually identifiable health information," "protected health information," and "use" have the same meanings as in 45 C.F.R. 160.103.

(D) "Designated record set" has the same meaning as in 45 C.F.R. 164.501.

(E) "Direct exchange" means the activity of electronic transmission of health information through a direct connection between the electronic record systems of health care providers without the use of a health information exchange.

(F) "Health care component" and "hybrid entity" have the same meanings as in 45 C.F.R. 164.103.

(G) "Health information exchange" means any person or governmental entity that provides in this state a technical infrastructure to connect computer systems or other electronic devices used by covered entities to facilitate the secure transmission of health information. "Health information exchange" excludes health care providers engaged in direct exchange, including direct exchange through the use of a health information service provider.

(H) "HIPAA privacy rule" means the standards for privacy of individually identifiable health information in 45 C.F.R. part 160 and in 45 C.F.R. part 164, subparts A and E.

(I) "Interoperability" means the capacity of two or more information systems to exchange information in an accurate, effective, secure, and consistent manner.

(J) "Minor" means an unemancipated person under eighteen years of age or a mentally or physically disabled person under twenty-one years of age who meets criteria specified in rules adopted by the medicaid director under section 3798.13 of the Revised Code.

(K) "More stringent" has the same meaning as in 45 C.F.R. 160.202.

(L) "Office of health transformation" means the office of health transformation created by executive order 2011-02K or a successor governmental entity responsible for health system oversight in this state.

(M) "Personal representative" means a person who has authority under applicable law to make decisions related to health care on behalf of an adult or emancipated minor, or the parent, legal guardian, or other person acting in loco parentis who is authorized under law to make health care decisions on behalf of an unemancipated minor. "Personal representative" does not include the parent or legal guardian of, or another person acting in loco parentis to, a minor who consents to the minor's own receipt of health care or a minor who makes medical decisions on the minor's own behalf pursuant to law, court approval, or because the minor's parent, legal guardian, or other person acting in loco parentis has assented to an agreement of confidentiality between the provider and the minor.

(N) "Political subdivision" means a municipal corporation, township, county, school district, or other body corporate and politic responsible for governmental activities in a geographic area smaller than that of the state.

(O) "State agency" means any one or more of the following:

(1) The department of administrative services;

(2) The department of aging;

(3) The department of mental health and addiction services;

(4) The department of developmental disabilities;

(5) The department of education;

(6) The department of health;

(7) The department of insurance;

(8) The department of job and family services;

(9) The department of medicaid;

(10) The department of rehabilitation and correction;

(11) The department of youth services;

(12) The bureau of workers' compensation;

(13) The opportunities for Ohioans with disabilities agency;

(14) The office of the attorney general;

(15) A health care licensing board created under Title XLVII of the Revised Code that possesses individually identifiable health information.

Cite as R.C. § 3798.01

Amended by 130th General Assembly File No. 25, HB 59, §101.01, eff. 9/29/2013.

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.02 Legislative intent.

It is the intent of the general assembly in enacting this chapter to make the laws of this state governing the use and disclosure of protected health information by covered entities consistent with, but generally not more stringent than, the HIPAA privacy rule for the purpose of eliminating barriers to the adoption and use of electronic health records and health information exchanges. Therefore, it is also the general assembly's intent in enacting this chapter to supersede any judicial or administrative ruling issued in this state that is inconsistent with the provisions of this chapter.

Cite as R.C. § 3798.02

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.03 Duty of covered entities.

(A) Subject to division (B) of this section, a covered entity shall do both of the following:

(1) If an individual's protected health information is maintained by the covered entity in a designated record set, provide the individual or the individual's personal representative with access to that information in a manner consistent with 45 C.F.R. 164.524;

(2) Implement and maintain appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in a manner consistent with 45 C.F.R. 164.530(c).

(B) If a covered entity is a hybrid entity, this section applies only to the health care component of the covered entity.

Cite as R.C. § 3798.03

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.04 Prohibited disclosures of protected health information.

A covered entity shall not do either of the following:

(A) Use or disclose protected health information without an authorization that is valid under 45 C.F.R. 164.508 and, if applicable, 42 C.F.R. part 2, except when the use or disclosure is required or permitted without such authorization by Subchapter C of Subtitle A of Title 45 of the Code of Federal Regulations and, if applicable, 42 C.F.R. part 2;

(B) Use or disclose protected health information in a manner that is not consistent with 45 C.F.R. 164.502.

Cite as R.C. § 3798.04

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.06 Conditions for disclosure of information without authorization.

Except in the circumstances described in division (A) of section 3798.04 of the Revised Code when a covered entity is permitted to disclose protected health information without an authorization that is valid under 45 C.F.R. 164.508, a covered entity shall not disclose protected health information to a health information exchange without an authorization described in division (A) of section 3798.04 of the Revised Code unless all of the following are true:

(A) The disclosure is to an approved health information exchange.

(B) The covered entity is a party to a valid participation agreement with the approved health information exchange that meets the requirements of rules adopted under section 3798.16 of the Revised Code.

(C) The disclosure is consistent with all procedures established by the approved health information exchange.

(D) Prior to the disclosure, the covered entity furnishes to the individual or individual's personal representative a written notice that complies with rules adopted under division (A)(3) of section 3798.16 of the Revised Code.

Cite as R.C. § 3798.06

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.07 Additional conditions for disclosure to health information exchange.

(A) In addition to a covered entity generally being subject to the conditions specified in divisions (A) to (D) of section 3798.06 of the Revised Code when the covered entity discloses protected health information to a health information exchange without a valid authorization, the covered entity shall also be subject to the following conditions when it discloses protected health information to a health information exchange:

(1) The covered entity shall restrict disclosure consistent with all applicable federal laws governing the disclosure;

(2) If the protected health information concerns a minor, the covered entity shall restrict disclosure in a manner that complies with laws of this state pertaining to the circumstances under which a minor may consent to the minor's own receipt of health care or make medical decisions on the minor's own behalf, including sections 2907.29, 3709.241, 3719.012, 5120.172, 5122.04, and 5126.043 of the Revised Code unless the minor authorizes the disclosure.

(3) The covered entity shall restrict disclosure in a manner that is consistent with a written request from the individual or the individual's personal representative to restrict disclosure of all of the individual's protected health information.

(4) The covered entity shall restrict disclosure in a manner that is consistent with a written request from the individual or the individual's personal representative concerning specific categories of protected health information to the extent that rules adopted pursuant to section 3798.16 of the Revised Code require the covered entity to comply with such a request.

(B) The conditions in division (A) of this section on a covered entity's disclosure of protected health information to a health information exchange do not render unenforceable or restrict in any manner any of the following:

(1) A provision of the Revised Code that on the effective date of this section requires a person or governmental entity to disclose protected health information to a state agency, political subdivision, or other governmental entity;

(2) The confidential status of proceedings and records within the scope of a peer review committee of a health care entity as described in section 2305.252 of the Revised Code;

(3) The confidential status of quality assurance program activities and quality assurance records as described in section 5122.32 of the Revised Code;

(4) The testimonial privilege established by division (B) of section 2317.02 of the Revised Code;

(5) Any of the following items that govern the confidentiality, privacy, security, or privileged status of protected health information in the possession or custody of an agency as defined in section 111.15 of the Revised Code; govern the process for obtaining from a patient consent to the provision of health care or consent for participation in medical or other scientific research; govern the process for determining whether an adult has a physical or mental impairment or an adult's capacity to make health care decisions for purposes of Chapter 5126. of the Revised Code; or govern the process for determining whether a minor has been emancipated:

(a) A section of the Revised Code that is not in this chapter;

(b) A rule as defined in section 119.01 of the Revised Code;

(c) An internal management rule as defined in section 111.15 of the Revised Code;

(d) Guidance issued by an agency as defined in section 111.15 of the Revised Code;

(e) Orders or regulations of a board of health of a city health district made under section 3709.20 of the Revised Code;

(f) Orders or regulations of a board of health of a general health district made under section 3709.21 of the Revised Code;

(g) An ordinance or resolution adopted by a political subdivision;

(h) A professional code of ethics;

(i) When a minor is authorized to consent to the minor's own receipt of health care or make medical decisions on the minor's own behalf, including the circumstances described in sections 2907.29, 3709.241, 3719.012, 5120.172, 5122.04, and 5126.043 of the Revised Code.

Cite as R.C. § 3798.07

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.08 Civil or criminal liability.

(A) A covered entity that accesses protected health information from or through an approved health information exchange or discloses protected health information to an approved health information exchange in a manner that complies with section 3798.07 of the Revised Code and is not in violation of section 3798.04 or 3798.06 of the Revised Code is not liable in a civil action and is not subject to criminal prosecution or professional disciplinary action arising out of or relating to the access or disclosure.

(B) An approved health information exchange is not liable in a civil action and not subject to criminal prosecution arising out of or relating to either of the following:

(1) A covered entity's having accessed protected health information from or through an approved health information exchange;

(2) A covered entity's disclosure of protected health information to the approved health information exchange if the disclosure complies with section 3798.07 of the Revised Code and is not in violation of section 3798.04 or 3798.06 of the Revised Code.

Cite as R.C. § 3798.08

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.10 Standard authorization form.

(A) Not later than six months after September 10, 2012, the medicaid director, in consultation with the office of health transformation, shall prescribe by rules adopted in accordance with Chapter 119. of the Revised Code a standard authorization form for the use and disclosure of protected health information by covered entities in this state. The form shall meet all requirements specified in 45 C.F.R. 164.508 and, where applicable, 42 C.F.R. part 2.

(B) If a form the medicaid director prescribes under division (A) of this section is properly executed by an individual or the individual's personal representative, it shall be accepted by any person or governmental entity in this state as valid authorization for the use or disclosure of the individual's protected health information to the persons or governmental entities specified in the form.

(C) This section does not preclude a person or governmental entity from accepting as valid authorization for the use or disclosure of protected health information a form other than the form prescribed under division (A) of this section if the other form meets all requirements specified in 45 C.F.R. 164.508 and, if applicable, 42 C.F.R. part 2.

Cite as R.C. § 3798.10

Amended by 130th General Assembly File No. 25, HB 59, §101.01, eff. 9/29/2013.

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.12 Conflicts with other laws.

As used in this section, "agency" has the same meaning as in section 111.15 of the Revised Code.

(A) Except as provided in division (B) of this section, any of the following pertaining to the confidentiality, privacy, security, or privileged status of protected health information transacted, maintained in, or accessed through a health information exchange is unenforceable if it conflicts with this chapter:

(1) A section of the Revised Code that is not in this chapter;

(2) A rule as defined in section 119.01 of the Revised Code;

(3) An internal management rule as defined in section 111.15 of the Revised Code;

(4) Guidance issued by an agency;

(5) Orders or regulations of a board of health of a city health district made under section 3709.20 of the Revised Code;

(6) Orders or regulations of a board of health of a general health district made under section 3709.21 of the Revised Code;

(7) An ordinance or resolution adopted by a political subdivision;

(8) A professional code of ethics.

(B) Division (A) of this section does not render unenforceable or restrict in any manner any of the following:

(1) A provision of the Revised Code that on the effective date of this section requires a person or governmental entity to disclose protected health information to a state agency, political subdivision, or other governmental entity;

(2) The confidential status of proceedings and records within the scope of a peer review committee of a health care entity as described in section 2305.252 of the Revised Code;

(3) The confidential status of quality assurance program activities and quality assurance records as described in section 5122.32 of the Revised Code;

(4) The testimonial privilege established by division (B) of section 2317.02 of the Revised Code;

(5) An item described in divisions (A)(1) to (8) of this section that governs any of the following:

(a) The confidentiality, privacy, security, or privileged status of protected health information in the possession or custody of an agency;

(b) The process for obtaining from a patient consent to the provision of health care or consent for participation in medical or other scientific research;

(c) The process for determining whether an adult has a physical or mental impairment or an adult's capacity to make health care decisions for purposes of Chapter 5126. of the Revised Code;

(d) The process for determining whether a minor has been emancipated.

(6) When a minor is authorized to consent to the minor's own receipt of health care or make medical decisions on the minor's own behalf, including the circumstances described in sections 2907.29, 3709.241, 3719.012, 5120.172, 5122.04, and 5126.043 of the Revised Code.

Cite as R.C. § 3798.12

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.13 Adoption of rules regarding classification of minors.

The medicaid director shall adopt rules for purposes of specifying the criteria a person who is mentally or physically disabled and who is under twenty-one years of age must meet to be considered a minor for purposes of sections 3798.07 and 3798.12 of the Revised Code.

Cite as R.C. § 3798.13

Amended by 130th General Assembly File No. 25, HB 59, §101.01, eff. 9/29/2013.

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.14 Standards for approval of approve health information exchanges.

(A) The medicaid director, in consultation with the office of health transformation, shall adopt rules in accordance with Chapter 119. of the Revised Code for the purpose of establishing standards the director must use to approve health information exchanges operating in this state. The rules shall not be adopted until the earlier of sixty days following the adoption of a federal certification process for health information exchanges by the office of the national coordinator for health information technology in the United States department of health and human services or January 1, 2013. Subject to division (B) of this section, the rules may include standards and procedures to be followed by a health information exchange regarding the following:

(1) Access to and use and disclosure of protected health information maintained by or on an approved health information exchange;

(2) Demonstration of adequate financial resources to sustain continued operations in compliance with the rules adopted under this section;

(3) Participation in outreach activities for individuals and covered entities;

(4) Conduct of operations in a transparent manner to promote consumer confidence;

(5) Implementation of security breach notification procedures.

(B) The rules the medicaid director adopts pursuant to division (A) of this section shall be consistent with certification standards for health information exchanges established in federal statutes and regulations, including nationally recognized standards for interoperability.

Cite as R.C. § 3798.14

Amended by 130th General Assembly File No. 25, HB 59, §101.01, eff. 9/29/2013.

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.15 Establishment of processes regarding health information exchanges.

(A) The medicaid director, in consultation with the office of health transformation, shall adopt rules in accordance with Chapter 119. of the Revised Code for the purpose of establishing processes for all of the following:

(1) A health information exchange to obtain approval to operate as an approved health information exchange in this state and, at times specified by the director, obtain reapproval of such status;

(2) The director to investigate and resolve concerns and complaints submitted to the director regarding an approved health information exchange;

(3) A health information exchange to apply for reconsideration of a decision the director makes under a process established under division (A)(1) or (2) of this section;

(4) Covered entities and approved health information exchanges to enter into participation agreements and enforce the terms of such agreements.

(B) Any decision the medicaid director makes in relation to a request for reconsideration made in accordance with rules adopted under division (A)(3) of this section is not subject to appeal under Chapter 119. of the Revised Code.

Cite as R.C. § 3798.15

Amended by 130th General Assembly File No. 25, HB 59, §101.01, eff. 9/29/2013.

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.

3798.16 Rules regarding content of agreements governing covered entities' participation in approved health information exchanges.

(A) The medicaid director of job and family services, in consultation with the office of health transformation, shall adopt rules in accordance with Chapter 119. of the Revised Code for the purpose of specifying the content of agreements governing covered entities' participation in approved health information exchanges. At a minimum, the rules shall require the content of such participation agreements to include all of the following:

(1) Procedures for a covered entity to disclose an individual's protected health information to an approved health information exchange;

(2) Procedures for a covered entity to access an individual's protected health information from an approved health information exchange;

(3) Subject to division (B) of this section, a written notice to be provided by a covered entity to an individual or the individual's personal representative prior to the covered entity's disclosure of the individual's protected health information to an approved health information exchange;

(4) Documentation the covered entity must use to verify that a notice described in division (A)(3) of this section has been provided by the covered entity to an individual or the individual's personal representative prior to the disclosure of the individual's protected health information to an approved health information exchange;

(5) Procedures for an individual or the individual's personal representative to submit to the covered entity a written request to place restrictions on the covered entity's disclosure of protected health information to the approved health information exchange;

(6) The standards a covered entity must use to determine whether, and to what extent, to comply with a written request described in division (A)(5) of this section;

(7) The purposes for which a covered entity may access and use protected health information from the approved health information exchange.

(B) With respect to the written notice described in division (A)(3) of this section, the rules may specify that the notice can be incorporated into the covered entity's notice of privacy practices required by 45 C.F.R. 164.520 and shall specify that the notice include the following statements:

(1) The individual's protected health information will be disclosed to the approved health information exchange to facilitate the provision of health care to the individual.

(2) The approved health information exchange maintains appropriate administrative, physical, and technical safeguards to protect the privacy and security of protected health information.

(3) Only authorized individuals may access and use protected health information from the approved health information exchange.

(4) The individual or the individual's personal representative has the right to request in writing that the covered entity do either or both of the following:

(a) Not disclose any of the individual's protected health information to the approved health information exchange;

(b) Not disclose specific categories of the individual's protected health information to the approved health information exchange.

(5) Any restrictions on the disclosure of protected health information an individual requests as described in either division (B)(4)(a) or (b) of this section may result in a health care provider not having access to information that is necessary for the provider to render appropriate care to the individual.

(6) Any restrictions on the disclosure of protected health information an individual requests as described in division (B)(4)(a) of this section must be honored by the covered entity.

(7) Any restrictions on the disclosure of protected health information an individual requests as described in division (B)(4)(b) of this section must be honored if the restriction is consistent with rules adopted under this chapter.

(C) In adopting standards under division (A)(6) of this section, the medicaid director shall take into consideration the technical capabilities of software available to health information exchanges.

Cite as R.C. § 3798.16

Amended by 130th General Assembly File No. 25, HB 59, §101.01, eff. 9/29/2013.

Added by 129th General Assembly File No. 127, HB 487, §101.01, eff. 9/10/2012.