Rule 5160-1-32 | Medicaid: safeguarding and releasing information.

(A) "Safeguarded information" includes but is not limited to the following types of information about individual medicaid applicants, enrollees, or former recipients:

(1) Names and addresses;

(2) Social security numbers;

(3) Medical services provided;

(4) Social and economic conditions or circumstances;

(5) Agency evaluation of personal information;

(6) Medical data, including diagnosis and past history of disease or disability;

(7) Any information received in connection with the identification of third party coverage; and

(8) Any information received for verifying income eligibility and amount of medical assistance payments. Income information received from the social security administration (SSA) or the internal revenue service (IRS) should be safeguarded according to the regulations of the agency that furnished the data.

(B) For the purpose of this rule, "administrative agency" means the Ohio department of medicaid (ODM) or an agent of ODM to determine eligibility or maintain records for a medical assistance program. The administrative agency has the following responsibilities:

(1) Implementing administrative, physical and technical safeguards in accordance with 45 C.F.R. 164.308, 45 C.F.R. 164.310, and 45 C.F.R. 164.312 (as in effect on October 1, 2023).

(2) Following the safeguarding guidelines for protecting federal tax information (FTI) described in the most current version of IRS publication 1075 (rev. 11/2021).

(3) Safeguarding information received or maintained about an individual connected with the administration of the medicaid program in accordance with section 1902(a)(7) of the Social Security Act (as in effect on October 1, 2023).

(4) Publicizing provisions governing the confidential nature of information about individuals, including the legal sanctions imposed for improper disclosure and use, in accordance with 42 C.F.R. 431.304 (as in effect October 1, 2023).

(5) Providing copies of the publicized provisions to individuals and to other persons and agencies to whom information is disclosed, in accordance with 42 C.F.R. 431.304 (as in effect October 1, 2023).

(6) Protecting the types of safeguarded information referenced in 42 C.F.R. 431.305 (as in effect October 1, 2023).

(7) Maintaining confidentiality and safeguarding psychiatric hospitalization records, mental health or addiction treatment records, rehabilitation and correction records, or other sensitive records in accordance with section 5122.31 of the Revised Code.

(8) Refraining from publishing names of individuals in accordance with 42 C.F.R. 431.306(c) (as in effect October 1, 2023).

(C) Release of information. The administrative agency has the following responsibilities:

(1) Obtaining permission from an individual or authorized representative before releasing information, unless that information is used to verify income or eligibility, in accordance with 42 C.F.R. 431.306(d) (as in effect on October 1, 2023).

(2) Applying policies to all requests for information from outside sources, including governmental bodies, courts of law, or law enforcement officials, except as provided in sections 5160.45 to 5160.48 of the Revised Code.

(3) Establishing criteria specifying the conditions for release and use of information about individuals. The information has to be restricted to persons or agency representatives who are subject to standards of confidentiality that are comparable to those of the agency in accordance with 42 C.F.R. 431.306(a) and (b) (as in effect on October 1, 2023).

(4) Limiting disclosures of protected health information (PHI) for individuals applying for, or participating in, a medical assistance program to purposes related to payment, treatment, or health care operations. For any other purposes, disclosures of information about the health care of an individual, health care provided to an individual, or payment for the provision of health care for an individual has to include an authorization or waiver of authorization from an institutional review board or privacy board compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with 45 C.F.R. 164.508 and 45 C.F.R. 164.512(i) (as in effect October 1, 2023).

(5) Releasing information as permitted by and in accordance with section 5160.45 of the Revised Code.