Rule 5101:9-9-20 | Treatment of Health Insurance Portability and Accountability Act (HIPAA) inquiries to a county agency.

(A) HIPAA is a federal law requiring the protection of confidentiality and security of health data including the safeguarding, privacy, and release of protected health information (PHI).

(B) PHI includes, but is not limited to, the following individually identifiable health information of medicaid and public assistance applicants, recipients, and former recipients:

(1) Information relating to past, present, or future physical or mental health or condition of an individual;

(2) Provision of health care to an individual;

(3) Past, present, or future payment for health care to an individual; and

(4) Information regarding an individual's eligibility for medicaid benefits or the refugee medical assistance program, or any other plan or program that provides medical assistance or pays the cost of medical care.

(C) All current and future recipients of medicaid, refugee medical assistance, or any other plan or program that provides medical assistance or pays the cost of medical care, will receive a privacy notice outlining the following descriptions of uses and disclosures, and recipient rights:

(1) A description of the types of uses and disclosures of PHI the Ohio department of job and family services (ODJFS) or its delegated entity is permitted to make, including examples of payment, treatment, and healthcare operations. For instance, an individual's PHI may be used:

(a) For activities such as determining eligibility or medical coverage.

(b) To review prior authorization or service requests or to determine if the individual qualifies for specialized programs.

(c) By our employees or partner agencies to assist us in administering public assistance programs. All employees and partner agencies are bound by strict confidentiality requirements.

(d) By other government agencies that may provide public benefits or services to individuals. Additionally, PHI may be disclosed for any purpose required by law, such as responding to a court order, subpoena, warrant, summons, or similar process authorized under state or federal law.

(e) For other routine administrative purposes.

(2) A description of other uses and disclosures permitted or required under HIPAA without written consent or authorization, including those in the notice of privacy practices;

(3) A statement that other uses and disclosures will be made only with the individual's written authorization;

(4) Complaint procedure regarding access, use, or disclosure of PHI;

(5) Request for restriction procedure;

(6) Request for amendment procedure; and

(7) Request for accounting procedure.

(D) If a recipient of benefits identified in paragraph (C) of this rule requests any of the procedures outlined in paragraphs (C)(4) to (C)(7) of this rule from the county agency or entity acting on behalf of ODJFS that collects and maintains the information identified in paragraph (B) of this rule through which the recipient participates, the county agency or entity acting on behalf of ODJFS shall do one of the following:

(1) Refer the recipient to the privacy official at ODJFS or the Ohio department of medicaid, by providing the recipient with the appropriate email address; or

(2) Provide the recipient with a copy of the HIPAA privacy notice outlining the procedures set out in paragraphs (C)(4) to (C)(7) of this rule and notice identifying whom the recipient may contact to initiate those procedures.

"Notice of Privacy Practices - Effective date September 23, 2013 (reviewed February 14, 2025) | Medicaid"