Rule 5160-1-32 | Medicaid: safeguarding and releasing information.
(A) "Safeguarded information" includes but is not limited to the following types of information:
(1) Names and addresses; and
(2) Social security numbers; and
(3) Medical services provided; and
(4) Social and economic conditions or circumstances; and
(5) Agency evaluation of personal information; and
(6) Medical data, including diagnosis and past history of disease or disability; and
(7) Any information received in connection with the identification of third party coverage; and
(8) Any information received for verifying income eligibility and amount of medical assistance payments. Income information received from the social security administration (SSA) or the internal revenue service (IRS) must be safeguarded according to the requirements of the agency that furnished the data.
(B) For the purpose of this rule, "administrative agency" means the Ohio department of medicaid (ODM) and/or an agent of ODM to determine eligibility or maintain records for a medical assistance program. The administrative agency must:
(1) Implement administrative, physical and technical safeguards in accordance with 45 C.F.R. 164.308, 45 C.F.R. 164.310, and 45 C.F.R. 164.312 (as in effect on October 1, 2015).
(2) Follow the safeguarding guidelines for protecting federal tax information (FTI) described in the most current version of IRS publication 1075 (rev. 10/2014).
(3) Safeguard information received or maintained about an individual connected with the administration of the medicaid program in accordance with section 1902(a)(7) of the Social Security Act (as in effect on July 1, 2016).
(4) Publicize provisions governing the confidential nature of information about individuals, including the legal sanctions imposed for improper disclosure and use, in accordance with 42 C.F.R. 431.304 (as in effect October 1, 2015).
(5) Provide copies of the publicized provisions to individuals and to other persons and agencies to whom information is disclosed, in accordance with 42 C.F.R. 431.304 (as in effect October 1, 2015).
(6) Protect the types of safeguarded information required by 42 C.F.R. 431.305 (as in effect October 1, 2015).
(7) Maintain confidentiality and safeguard psychiatric hospitalization records, mental health or addiction treatment records, rehabilitation and correction records, or other sensitive records in accordance with section 5122.31 of the Revised Code.
(8) Not publish names of individuals in accordance with 42 C.F.R. 431.306(c) (as in effect October 1, 2015).
(C) Release of information. The administrative agency must:
(1) Obtain permission from an individual or authorized representative before releasing information, unless that information is used to verify income or eligibility, in accordance with 42 C.F.R. 431.306(d) (as in effect on October 1, 2015).
(2) Apply policies to all requests for information from outside sources, including governmental bodies, courts of law, or law enforcement officials, except as provided in sections 5160.45 to 5160.48 of the Revised Code.
(3) Establish criteria specifying the conditions for release and use of information about individuals. The information must be restricted to persons or agency representatives who are subject to standards of confidentiality that are comparable to those of the agency in accordance with 42 C.F.R. 431.306(a) and (b) (as in effect on October 1, 2015).
(4) Limit disclosures of protected health information (PHI) for individuals applying for, or participating in, a medical assistance program to purposes related to payment, treatment, or health care operations. For any other purposes, disclosures of information about the health care of an individual, health care provided to an individual, or payment for the provision of health care for an individual require an authorization compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in accordance with 45 C.F.R. 164.508 (as in effect October 1, 2015).
(5) Release information as permitted by and in accordance with section 5160.45 of the Revised Code.