Chapter 3798 | Protected Health Information

As used in this chapter:

(A) "Administrative safeguards," "physical safeguards," and "technical safeguards" have the same meanings as in 45 C.F.R. 164.304.

(B) "Covered entity," "disclosure," "health care provider," "health information," "individually identifiable health information," "protected health information," and "use" have the same meanings as in 45 C.F.R. 160.103.

(C) "Designated record set" has the same meaning as in 45 C.F.R. 164.501.

(D) "Direct exchange" means the activity of electronic transmission of health information through a direct connection between the electronic record systems of health care providers without the use of a health information exchange.

(E) "Health care component" and "hybrid entity" have the same meanings as in 45 C.F.R. 164.103.

(F) "Health information exchange" means any person or governmental entity that provides in this state a technical infrastructure to connect computer systems or other electronic devices used by covered entities to facilitate the secure transmission of health information. "Health information exchange" excludes health care providers engaged in direct exchange, including direct exchange through the use of a health information service provider.

(G) "HIPAA privacy rule" means the standards for privacy of individually identifiable health information in 45 C.F.R. part 160 and in 45 C.F.R. part 164, subparts A and E.

(H) "Interoperability" means the capacity of two or more information systems to exchange information in an accurate, effective, secure, and consistent manner.

(I) "Minor" means an unemancipated person under eighteen years of age or a mentally or physically disabled person under twenty-one years of age who meets criteria specified in rules adopted by the medicaid director under section 3798.13 of the Revised Code.

(J) "More stringent" has the same meaning as in 45 C.F.R. 160.202.

(K) "Personal representative" means a person who has authority under applicable law to make decisions related to health care on behalf of an adult or emancipated minor, or the parent, legal guardian, or other person acting in loco parentis who is authorized under law to make health care decisions on behalf of an unemancipated minor. "Personal representative" does not include the parent or legal guardian of, or another person acting in loco parentis to, a minor who consents to the minor's own receipt of health care or a minor who makes medical decisions on the minor's own behalf pursuant to law, court approval, or because the minor's parent, legal guardian, or other person acting in loco parentis has assented to an agreement of confidentiality between the provider and the minor.

(L) "Political subdivision" means a municipal corporation, township, county, school district, or other body corporate and politic responsible for governmental activities in a geographic area smaller than that of the state.

(M) "State agency" means any one or more of the following:

(1) The department of administrative services;

(2) The department of aging;

(3) The department of mental health and addiction services;

(4) The department of developmental disabilities;

(5) The department of education and workforce;

(6) The department of health;

(7) The department of insurance;

(8) The department of job and family services;

(9) The department of medicaid;

(10) The department of rehabilitation and correction;

(11) The department of youth services;

(12) The bureau of workers' compensation;

(13) The opportunities for Ohioans with disabilities agency;

(14) The office of the attorney general;

(15) A health care licensing board created under Title XLVII of the Revised Code that possesses individually identifiable health information.

It is the intent of the general assembly in enacting this chapter to make the laws of this state governing the use and disclosure of protected health information by covered entities consistent with, but generally not more stringent than, the HIPAA privacy rule for the purpose of eliminating barriers to the adoption and use of electronic health records and health information exchanges. Therefore, it is also the general assembly's intent in enacting this chapter to supersede any judicial or administrative ruling issued in this state that is inconsistent with the provisions of this chapter.

(A) Subject to division (B) of this section, a covered entity shall do both of the following:

(1) If an individual's protected health information is maintained by the covered entity in a designated record set, provide the individual or the individual's personal representative with access to that information in a manner consistent with 45 C.F.R. 164.524;

(2) Implement and maintain appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in a manner consistent with 45 C.F.R. 164.530(c).

(B) If a covered entity is a hybrid entity, this section applies only to the health care component of the covered entity.

A covered entity shall not do either of the following:

(A) Use or disclose protected health information without an authorization that is valid under 45 C.F.R. 164.508 and, if applicable, 42 C.F.R. part 2, except when the use or disclosure is required or permitted without such authorization by Subchapter C of Subtitle A of Title 45 of the Code of Federal Regulations and, if applicable, 42 C.F.R. part 2;

(B) Use or disclose protected health information in a manner that is not consistent with 45 C.F.R. 164.502.

(A) A covered entity shall be subject to the following conditions when it discloses protected health information to a health information exchange:

(1) The covered entity shall restrict disclosure consistent with all applicable federal laws governing the disclosure.

(2) If the protected health information concerns a minor, the covered entity shall restrict disclosure in a manner that complies with laws of this state pertaining to the circumstances under which a minor may consent to the minor's own receipt of health care or make medical decisions on the minor's own behalf, including sections 2907.29, 3709.241, 3719.012, 5120.172, 5122.04, and 5126.043 of the Revised Code unless the minor authorizes the disclosure.

(3) The covered entity shall restrict disclosure in a manner that is consistent with a written request from the individual or the individual's personal representative to restrict disclosure of all of the individual's protected health information.

(B) The conditions in division (A) of this section on a covered entity's disclosure of protected health information to a health information exchange do not render unenforceable or restrict in any manner any of the following:

(1) A provision of the Revised Code that on September 10, 2012, requires a person or governmental entity to disclose protected health information to a state agency, political subdivision, or other governmental entity;

(2) The confidential status of proceedings and records within the scope of a peer review committee of a health care entity as described in section 2305.252 of the Revised Code;

(3) The confidential status of quality assurance program activities and quality assurance records as described in section 5122.32 of the Revised Code;

(4) The testimonial privilege established by division (B) of section 2317.02 of the Revised Code;

(5) Any of the following items that govern the confidentiality, privacy, security, or privileged status of protected health information in the possession or custody of an agency as defined in section 111.15 of the Revised Code; govern the process for obtaining from a patient consent to the provision of health care or consent for participation in medical or other scientific research; govern the process for determining whether an adult has a physical or mental impairment or an adult's capacity to make health care decisions for purposes of Chapter 5126. of the Revised Code; or govern the process for determining whether a minor has been emancipated:

(a) A section of the Revised Code that is not in this chapter;

(b) A rule as defined in section 119.01 of the Revised Code;

(c) An internal management rule as defined in section 111.15 of the Revised Code;

(d) Guidance issued by an agency as defined in section 111.15 of the Revised Code;

(e) Orders or regulations of a board of health of a city health district made under section 3709.20 of the Revised Code;

(f) Orders or regulations of a board of health of a general health district made under section 3709.21 of the Revised Code;

(g) An ordinance or resolution adopted by a political subdivision;

(h) A professional code of ethics;

(i) When a minor is authorized to consent to the minor's own receipt of health care or make medical decisions on the minor's own behalf, including the circumstances described in sections 2907.29, 3709.241, 3719.012, 5120.172, 5122.04, and 5126.043 of the Revised Code.

(A) The medicaid director shall prescribe by rules adopted in accordance with Chapter 119. of the Revised Code a standard authorization form for the use and disclosure of protected health information by covered entities in this state. The form shall meet all requirements specified in 45 C.F.R. 164.508 and, where applicable, 42 C.F.R. part 2.

(B) If a form the medicaid director prescribes under division (A) of this section is properly executed by an individual or the individual's personal representative, it shall be accepted by any person or governmental entity in this state as valid authorization for the use or disclosure of the individual's protected health information to the persons or governmental entities specified in the form.

(C) This section does not preclude a person or governmental entity from accepting as valid authorization for the use or disclosure of protected health information a form other than the form prescribed under division (A) of this section if the other form meets all requirements specified in 45 C.F.R. 164.508 and, if applicable, 42 C.F.R. part 2.

As used in this section, "agency" has the same meaning as in section 111.15 of the Revised Code.

(A) Except as provided in division (B) of this section, any of the following pertaining to the confidentiality, privacy, security, or privileged status of protected health information transacted, maintained in, or accessed through a health information exchange is unenforceable if it conflicts with this chapter:

(1) A section of the Revised Code that is not in this chapter;

(2) A rule as defined in section 119.01 of the Revised Code;

(3) An internal management rule as defined in section 111.15 of the Revised Code;

(4) Guidance issued by an agency;

(5) Orders or regulations of a board of health of a city health district made under section 3709.20 of the Revised Code;

(6) Orders or regulations of a board of health of a general health district made under section 3709.21 of the Revised Code;

(7) An ordinance or resolution adopted by a political subdivision;

(8) A professional code of ethics.

(B) Division (A) of this section does not render unenforceable or restrict in any manner any of the following:

(1) A provision of the Revised Code that on the effective date of this section requires a person or governmental entity to disclose protected health information to a state agency, political subdivision, or other governmental entity;

(2) The confidential status of proceedings and records within the scope of a peer review committee of a health care entity as described in section 2305.252 of the Revised Code;

(3) The confidential status of quality assurance program activities and quality assurance records as described in section 5122.32 of the Revised Code;

(4) The testimonial privilege established by division (B) of section 2317.02 of the Revised Code;

(5) An item described in divisions (A)(1) to (8) of this section that governs any of the following:

(a) The confidentiality, privacy, security, or privileged status of protected health information in the possession or custody of an agency;

(b) The process for obtaining from a patient consent to the provision of health care or consent for participation in medical or other scientific research;

(c) The process for determining whether an adult has a physical or mental impairment or an adult's capacity to make health care decisions for purposes of Chapter 5126. of the Revised Code;

(d) The process for determining whether a minor has been emancipated.

(6) When a minor is authorized to consent to the minor's own receipt of health care or make medical decisions on the minor's own behalf, including the circumstances described in sections 2907.29, 3709.241, 3719.012, 5120.172, 5122.04, and 5126.043 of the Revised Code.

The medicaid director shall adopt rules for purposes of specifying the criteria a person who is mentally or physically disabled and who is under twenty-one years of age must meet to be considered a minor for purposes of sections 3798.07 and 3798.12 of the Revised Code.