Rule 4123-6-15 | Confidentiality of records.
(A) Subject to sections 2317.02, 4123.27, and 4123.88 of the Revised Code, certain employer premium, payroll, and claim file information is confidential and exempt from the general open records laws of Ohio, as set forth in section 149.43 of the Revised Code.
(B) In the course of medical management in the HPP, some confidential information may be provided by the bureau to the MCO, and/or exchanged among the bureau, the MCO, the employer and its representative, the injured worker and the injured worker's representative, the provider, and the provider's employees and agents. All such parties receiving and/or exchanging confidential information for use in the HPP shall ensure transmission of confidential information through secured methods approved by the bureau, including but not limited to encryption, password protection, facsimile, and other secure methods.
(C) All parties receiving and/or exchanging confidential information for use in the HPP shall not use such confidential information for any use other than to perform duties required by the HPP, and shall prevent such information from further disclosure or use by unauthorized persons. MCOs shall not release any confidential information, other than in accordance with rule 4123-3-22 of the Administrative Code, to any third parties (including, but not limited to, parent, subsidiary, or affiliate companies, or subcontractors of the MCO) without the express prior written authorization of the bureau.
(D) MCOs shall comply with, and shall assist the bureau in complying with, all disclosure, notification or other requirements contained in sections 1347.12, 1349.19, 1349.191 and 1349.192 of the Revised Code, as may be applicable, in the event computerized data that includes personal information, obtained by the MCO for use in the HPP, is or reasonably is believed to have been accessed and acquired by an unauthorized person and the access and acquisition by the unauthorized person causes, or reasonably is believed will cause a material risk of identity theft or other fraud.
(E) MCOs shall comply with all electronic data security measures as may be required by Ohio law, Ohio department of administrative services or other state agency directive, executive order of the governor of Ohio, and/or the MCO contract.
Last updated June 4, 2021 at 10:25 AM