
Privacy and Confidentiality in Ohio

Ohio law provides robust protections for the confidentiality and privacy of patient information. The law defines protected health information as information in any form that describes an individual’s past, present, or future physical or mental health status or condition, receipt of treatment or care, or purchase of health products if the information reveals or could be used to reveal the identity of the individual. Protected health information in the possession of the director of health, the department of health, or a board of health is confidential and may be released only with the written consent of the individual or as necessary to provide treatment to the individual, to ensure the accuracy of the information, or to avert or mitigate a clear threat to an individual or to the public health. Information that does not identify an individual is not protected health information and may be released in summary, statistical, or aggregate form; such information is a public record and will be released by the director upon request.1 Each state agency must adopt rules regulating access to the confidential personal information the agency keeps, including a list of the valid reasons, directly related to the state agency’s exercise of its powers or duties, for which employees of the agency may access confidential personal information and a procedure that requires the agency to notify each person whose confidential personal information has been accessed for an invalid reason.2

Patients have the right to the confidentiality of their protected health information; this right is specifically delineated for certain individuals, including residents of skilled nursing facilities,3 residents of adult care facilities,4 and persons with mental retardation or a developmental disability.5

Ohio law governs the confidentiality and recordkeeping requirements for various facilities and providers. The provider of a health care service must keep a patient’s medical and financial records confidential.6 Every nursing home must store patient medical records and reports in a manner that protects and ensures their confidentiality.7 Each hospice care program must have policies and procedures to ensure the confidentiality of central clinical records.8 Adult care facilities must store resident records in a manner that protects and ensures their confidentiality; staff members who have access to residents’ personal information may not discuss or share the information with another individual working in the facility unless transmission of the information is necessary to provide care to or to meet the needs of the resident.9

The law permits disclosure of patient information in certain circumstances. Insurers may disclose the results of a positive HIV test to the insurance applicant, to any person that the applicant or insured specifically designates in writing, and to a medical information exchange for insurers operated under procedures intended to ensure confidentiality.10 Patient-identifying information submitted to the department of health in conjunction with the hearing screening conducted by hospitals and freestanding birthing centers may be provided to entities as necessary; the department of health and any entity that receives information must maintain its confidentiality.11 The department of health may release information about an individual with malignant disease for diagnostic and treatment purposes, to the cancer registry of another state, and for statistical, scientific, and medical research for the purposes of reducing the morbidity or mortality of malignant disease.12 Information, data and reports with respect to a birth defects case that are furnished to, or obtained by, the birth defects information system or by the director may be disclosed to parents, guardians and custodians of children with birth defects, to provide data regarding birth defects in Ohio to the “National Birth Defects Prevention Network”, to the birth defects registry of another state and for medical research studies.13 Information obtained during an investigation initiated by the director of health in response to reports of illnesses or diseases may be released if the director has determined that the release of information collected pursuant to an incomplete investigation is necessary and in compliance with applicable law.14 Records maintained in connection with the employee assistance program may be disclosed without the individual’s consent to medical personnel to the extent necessary in a bona fide emergency, to qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, and if authorized by a court.15

Information that is collected or reported in accordance with various requirements is still subject to restrictions on further disclosure and use. Maternity units and newborn care nurseries must take appropriate measures to ensure the confidentiality of patient medical records, and individual records may not be disclosed unless otherwise authorized by the patient, as allowed by state and federal laws and regulations, and for inspection by the director of health.16 Reported information regarding AIDS, AIDS-related conditions or positive HIV tests that identifies an individual is confidential and may be released only with the written consent of the individual, except as the director determines necessary to ensure the accuracy of the information, to provide treatment to the individual, as ordered by a court, or pursuant to a search warrant or subpoena.17 Any information, data, or report with respect to a case of malignant disease that is furnished to the cancer registry or the department of health is confidential and may only be used or disclosed for the confidential use of the department, to persons involved in a medical research project that meets the standards established by the department, if proper safeguards are in place, to physicians for diagnostic and treatment purposes and to another state’s registry, if proper safeguards are in place.18

 

Footnotes

  • 1. Ohio Rev. Code Ann. § 3701.17
  • 2. Ohio Rev. Code Ann. § 1347.15
  • 3. Ohio Rev. Code Ann. § 3721.13
  • 4. Ohio Rev. Code Ann. § 5119.81
  • 5. Ohio Rev. Code Ann. § 5123.62
  • 6. Ohio Admin. Code 3701-84-07
  • 7. Ohio Admin. Code 3701-17-19
  • 8. Ohio Admin. Code 3701-19-23
  • 9. Ohio Admin. Code 5122-33-15
  • 10. Ohio Rev. Code Ann. § 3901.46
  • 11. Ohio Admin. Code 3701-40-09
  • 12. Ohio Admin. Code 3701-4-03
  • 13. Ohio Admin. Code 3701-57-04
  • 14. Ohio Admin. Code 3701-73-01
  • 15. Ohio Rev. Code Ann. § 3701.041
  • 16. Ohio Admin. Code 3701-7-16
  • 17. Ohio Rev. Code Ann. § 3701.24
  • 18. Ohio Rev. Code Ann. § 3701.263

 

Privacy and Confidentiality in Ohio

Subtopic Statute/Regulation Description

Disclosure requirements (what providers can disclose, prohibition on further disclosure)
Access rules for confidential personal information – Ohio Rev. Code Ann. § 1347.15 Each state agency must adopt rules regulating access to the confidential personal information the agency keeps, electronically or on paper.  The...
Analyzing and interpreting hearing screening information – Ohio Rev. Code Ann. § 3701.509 Each hospital and freestanding birth center that has conducted a hearing screening on a newborn must provide the following information to the...
Confidentiality of records pertaining to identity, diagnosis or treatment – Ohio Rev. Code Ann. § 5119.27 Confidentiality of records pertaining to identity, diagnosis or treatment            ...
Confidentiality – Ohio Rev. Code Ann. § 3701.028 The following records maintained by the program for medically handicapped children and other programs funded from the Maternal and Child Health Block...
Copies of vital records – Ohio Rev. Code Ann. § 3705.23 Information contained in the “information for medical and health use only” section of a birth record may be disclosed in accordance with...
Disclosing identifying quality-of-care data – Ohio Rev. Code Ann. § 3702.18 Data reported to the department of health regarding specific adverse events, bodily injuries, or complaints and quality-of-care data reported to the...
Disclosure of medical and health information – Ohio Admin. Code 3701-5-12 The state or registrar may disclose data from vital statistics records including data from the “information for medical and health use only...
Disclosure of medical assistance information – Ohio Rev. Code Ann. § 5160.45 Information regarding a medical assistance recipient may only be disclosed in connection with the administration of the medical assistance program....
Disclosure of personal or privileged information – Ohio Rev. Code Ann. § 3904.13 An insurance institution, agent, or insurance support organization may disclose personal or privileged information about an individual collected or...
Emergency medical or funeral service worker exposed to contagious or infectious disease may request notice of test results – Ohio Rev. Code Ann. § 3701.248 An emergency medical services worker or funeral services worker who believes that he has sustained significant exposure through his contact with a...
General medical records requirements – Ohio Admin. Code 3701-83-11 Each health care facility (HCF) must maintain a medical record for each patient for six years from the date of discharge that documents the patient...
Hospital performance measures reporting requirements – Ohio Admin. Code 3701-14-03 “Hospital performance measures reporting requirements”   Each hospital must annually submit information to the director of health...
Investigation of complaint concerning home – disclosure of information – Ohio Rev. Code Ann. § 3721.031 “Investigation of complaint concerning home – disclosure of information”   The director of health may investigate any...
Licensure recordkeeping requirements – Ohio Admin. Code 3701-7-16 As a condition of licensure, maternity units and newborn care nurseries must maintain a medical record for each patient for five years that documents...
Physician’s report to department on attempted or completed abortions – Ohio Rev. Code Ann. § 2919.171 “Physician’s report to department on attempted or completed abortions”   A physician who performs or induces, or attempts to...
Records – Ohio Rev. Code Ann. § 5120.21 “Records”   The department of rehabilitation and correction shall keep records showing the name, residence, sex, age, nativity,...
Release of information – director investigations – Ohio Admin. Code 3701-73-01 “Release of information – director investigations”   Information obtained during an investigation initiated by the director of...
Requiring HIV testing – Ohio Rev. Code Ann. § 3901.46 An insurer may require an applicant for coverage to submit to an HIV test in conjunction with tests for other health conditions.  The insurer...
Reviewing report of abuse, neglect, or a major unusual incident – Ohio Rev. Code Ann. § 5123.611 Upon reviewing a report of abuse, neglect or major unusual incident of an individual with mental retardation or a developmental disability, the...
State employee assistance program – Ohio Rev. Code Ann. § 124.88 “State employees assistance program”   The employee assistance program  refers state employees to medical, social or other...
Subject of report or representative has right to report and related records – Ohio Rev. Code Ann. § 5123.613 Upon the death of an individual with mental retardation or a developmental disability who was the subject of an abuse, neglect or unusual incident...

Patient’s right to confidentiality of medical records/medical information
Access rules for confidential personal information – Ohio Rev. Code Ann. § 1347.15 Each state agency must adopt rules regulating access to the confidential personal information the agency keeps, electronically or on paper.  The...
Confidentiality of patient records – Ohio Admin. Code 4729-5-29 Records relating to the practice of pharmacy, the administration of drugs, or any patient-specific drug transaction are not public records.  A...
Confidentiality – Ohio Rev. Code Ann. § 5123.89 All certificates, applications, records and reports that identify a resident or former resident of an institution for the mentally retarded or person...
Confidentiality – Ohio Rev. Code Ann. § 5165.88 The department of job and family services and any contracting agency must protect the identity of nursing facility residents and any individual who...
Licensure recordkeeping requirements – Ohio Admin. Code 3701-7-16 As a condition of licensure, maternity units and newborn care nurseries must maintain a medical record for each patient for five years that documents...
Records and reports – Ohio Admin. Code 3701-17-19 Every nursing home must maintain an individual medical record for each resident, started immediately upon admission and containing the following...
Residents’ rights – Ohio Rev. Code Ann. § 3721.13 “Residents’ rights”   Each resident of a skilled nursing facility has the following rights: ·    ...
Review of plans of care and individual service plans – Ohio Rev. Code Ann. § 5166.05 The department of job and family services may review and approve, modify, or deny written plans of care and individual service plans created for...
Toll-free patient safety telephone line – Ohio Rev. Code Ann. § 3701.91 The department of health must maintain a public toll-free patient safety telephone line.  The department must accept calls through the toll-free...

Disclosure of health information pursuant to court order or subpoena
Access to information by staff and attorneys – Ohio Rev. Code Ann. § 5123.601 “Access to information by staff and attorneys”   The Ohio protection and advocacy system staff and attorneys representing relevant...
Disclosing of AIDS and HIV test results or diagnosis – Ohio Rev. Code Ann. § 3701.243 No person or agency of state or local government that acquires information while providing health services or while working in a health care facility...

Authorization for disclosure and exceptions to authorization requirements
Authorization form – Ohio Rev. Code Ann. § 5101.272 For the purposes of disclosing medical assistance information, an authorization must be made on a form that uses language understandable to the...
Confidentiality – Ohio Rev. Code Ann. § 3701.028 The following records maintained by the program for medically handicapped children and other programs funded from the Maternal and Child Health Block...
Confidentiality – Ohio Rev. Code Ann. § 5165.88 The department of job and family services and any contracting agency must protect the identity of nursing facility residents and any individual who...
Duties of state and local agencies maintaining personal information systems – Ohio Rev. Code Ann. § 1347.05 Every state or local agency that maintains a personal information system must take reasonable precautions to protect personal information in the...
Emergency medical or funeral service worker exposed to contagious or infectious disease may request notice of test results – Ohio Rev. Code Ann. § 3701.248 An emergency medical services worker or funeral services worker who believes that he has sustained significant exposure through his contact with a...
Information provided from drug database – record of requests – confidentiality – Ohio Rev. Code Ann. § 4729.80 The state board of pharmacy is authorized to provide information from its drug database in accordance with the following: To a representative of...
Patient care policies – Ohio Admin. Code 3701-84-07 The provider of a health care service  (HCS) must develop and follow comprehensive and effective patient care policies that include the...

Confidentiality and disclosure requirements of public health reporting information (disease specific information/registry data) (Cross reference to Public Health Reporting)
Availability of public records for inspection and copying – Ohio Rev. Code Ann. § 149.43 “Availability of public records for inspection and copying”   Public records are records kept by any public office and records...
Confidential information – Ohio Rev. Code Ann. § 173.22 “Confidential information”   The collection, compilation, analysis, and dissemination of information by the office of the state long...
Confidentiality – Ohio Rev. Code Ann. § 5123.31 The department of developmental disabilities will keep in its office, accessible only to its employees or by consent of the department or the order...
Director to develop and administer AIDS and HIV related programs – Ohio Rev. Code Ann. § 3701.241 The director of health will have the following responsibilities with respect to AIDS and HIV-related programs: Develop a surveillance...
Disclosing of AIDS and HIV test results or diagnosis – Ohio Rev. Code Ann. § 3701.243 No person or agency of state or local government that acquires information while providing health services or while working in a health care facility...
Hearing screening tracking and follow-up – Ohio Admin. Code 3701-40-09 Patient identifying information submitted to the department of health in conjunction with the hearing screening conducted by hospitals and...
Patient care policies – Ohio Admin. Code 3701-83-07 Every healthcare facility must develop and follow comprehensive and effective patient care policies that include the following rights for each...
Physician, hospital and department abortion reports – Ohio Rev. Code Ann. § 3701.79 An attending physician must complete a confidential abortion report for each abortion he performs.  The report may not contain the woman’s...
Protected health information – Ohio Rev. Code Ann. § 3701.17 Protected health information is defined as information in any form that describes an individual’s past, present, or future physical or mental...
Records are confidential – exceptions – Ohio Rev. Code Ann. § 3705.32 Records received and information assembled by the birth defects information system are confidential medical records, accessible only by the director...
Release of patient’s medical records – Ohio Admin. Code 3701-3-08 Any person, hospital, clinic, agency or other institution or facility providing care or treatment to an individual suffering from a reportable...
Report as to contagious or infectious diseases - AIDS and HIV – Ohio Rev. Code Ann. § 3701.24 Required reporters must promptly report every case of AIDS, every AIDS-related condition, and every confirmed positive HIV test to the department of...
Special duties of director of health – Ohio Rev. Code Ann. § 3701.14 The director of health has the following responsibilities: To investigate the cause of disease or illness, including the study of births and...

Privacy and Confidentiality
Central clinical record – Ohio Admin. Code 3701-19-23 Each hospice care program must establish and maintain a central clinical record for each patient receiving care and services from the program. All...
Disclosure of information - Ohio Rev. Code Ann. § 5122.31 Records and information relating to the mental health of an individual are confidential and privileged to the patient, and may only be disclosed in...
Duties and powers regarding tuberculosis – Ohio Rev. Code Ann. § 3701.146 The director of health will engage in the following activities with regard to tuberculosis: Surveillance activities, including the collection and...
Duties of citizen’s advisory councils – Ohio Rev. Code Ann. § 5123.093 The citizen’s advisory council established at each institution and branch institution under the control of the department of developmental...
Duty of covered entities – Ohio Rev. Code Ann. § 3798.03 This section applies to covered entities as they are defined in the HIPAA administrative regulation provisions (at 45 C.F.R. § 160.103)....
Fees for providing copies of medical records – Ohio Rev. Code Ann. § 3701.741 When a patient or a patient's personal representative requests a copy of the patient's medical record, the health care provider or medical records...
General medical records requirements – Ohio Admin. Code 3701-84-11 The provider of a health care service (HCS) must maintain a medical record for each patient for five years from the date of discharge; such record...
Information to be provided by licensees who personally furnish drugs to patients – Ohio Rev. Code Ann. § 4729.79 Each licensed health professional authorized to prescribe drugs who personally furnishes a controlled substance or other dangerous drug must submit...
Managed health care programs: member rights – Ohio Admin. Code 5160-26-08.3 Managed health care program members have the following rights: To be ensured of confidential handling of information concerning their diagnoses,...
Notice to be given of prevalence of infectious diseases – Ohio Rev. Code Ann. § 3707.06 An attending health care provider must report to the health commissioner of relevant jurisdiction the name, age, sex, race and address of a patient...
Occupational diseases – report by physician to department of health – Ohio Rev. Code Ann. § 3701.25 Occupational diseases – report by physician to department of health Physicians must report to the department of health any patients whom the...
Provider agreement for providers – Ohio Admin. Code 5160-1-17.2 Provider agreements between the Ohio department of job and family services and a provider of Medicaid covered services will contain the following...
Recordkeeping – Ohio Admin. Code 5122-33-15 Adult care facilities must maintain a record for each resident that contains the following: The resident’s name, previous address, date of...
Reporting Requirements – pharmacies or pharmacists – Ohio Admin. Code 3701-3-15 All pharmacies and pharmacists must immediately report by telephone or electronically to the health commissioner of the appropriate health district...
Reporting significant changes in medication usage that may be caused by bioterrorism, epidemic or pandemic disease – Ohio Rev. Code Ann. § 3701.232 The public health council will adopt reporting rules for pharmacies and pharmacists to report significant changes in medication usage that may be...
Statewide birth defects information system – Ohio Rev. Code Ann. § 3705.30 A statewide birth defects information system has been established to collect information concerning congenital anomalies, stillbirths, and abnormal...

Disclosure of medical information for research purposes (Cross reference Research)
Confidentiality; research – Ohio Admin. Code 3701-4-03 “Confidentiality; research”   Any information, data, and reports with respect to a case of malignant disease that are furnished to...
Confidentiality; research – Ohio Admin. Code 3701-57-04 Information, data and reports with respect to a birth defects case that is furnished to, or obtained by, the birth defects information system or by...
Office of women’s health initiatives – Ohio Rev. Code Ann. § 3701.141 The women’s health program has been established in the department of health, which will engage in the following activities: Identify,...

Insurer and Medicaid/Medicare confidentiality requirements, including disclosure laws (Cross reference Medicaid Data, Medicare data, and private insurance data requirements)
Correction, amendment or deletion of information – Ohio Rev. Code Ann. § 3904.09 Within thirty business days of receiving a written request from an individual to correct, amend, or delete any recorded personal information about...
Disclosure of medical assistance information – Ohio Rev. Code Ann. § 5160.45 Information regarding a medical assistance recipient may only be disclosed in connection with the administration of the medical assistance program....
Review of plans of care and individual service plans – Ohio Rev. Code Ann. § 5166.05 The department of job and family services may review and approve, modify, or deny written plans of care and individual service plans created for...

Other
Correction, amendment or deletion of information – Ohio Rev. Code Ann. § 3904.09 Within thirty business days of receiving a written request from an individual to correct, amend, or delete any recorded personal information about...
Reporting contagious or infectious diseases, illnesses, health conditions, or unusual infectious agents or biological toxins – Ohio Rev. Code Ann. § 3701.23 Boards of health, health authorities or officials, health care providers in localities in which there are no health authorities or officials, and...

Confidentiality and disclosure requirements of peer review information (Cross reference to Medical Peer Review)
Director to develop and administer AIDS and HIV related programs – Ohio Rev. Code Ann. § 3701.241 The director of health will have the following responsibilities with respect to AIDS and HIV-related programs: Develop a surveillance...
Liability; reporting forms; confidentiality and disclosure – Ohio Admin. Code 4731-15-05 “Liability; reporting forms; confidentiality and disclosure”   Any individual, health care facility, association, society or insurer...
Protected health information – Ohio Rev. Code Ann. § 3701.17 Protected health information is defined as information in any form that describes an individual’s past, present, or future physical or mental...
Report as to contagious or infectious diseases - AIDS and HIV – Ohio Rev. Code Ann. § 3701.24 Required reporters must promptly report every case of AIDS, every AIDS-related condition, and every confirmed positive HIV test to the department of...