Ohio law provides robust protections for the confidentiality and privacy of patient information.  The law defines protected health information as information in any form that describes an individual’s past, present, or future physical or mental health status or condition, receipt of treatment or care, or purchase of health products if the information reveals or could be used to reveal the identity of the individual.  Protected health information in the possession of the director of health, the department of health, or a board of health, is confidential and may only be released with the written consent of the individual, as is necessary to provide treatment to the individual, to ensure the accuracy of the information or to avert or mitigate a clear threat to an individual or to the public health.  Information that does not identify an individual is not protected health information and may be released in summary, statistical, or aggregate form; such information is a public record and will be released by the director upon request.1  Each state agency must adopt rules regulating access to the confidential personal information the agency keeps, including a list of the valid reasons, directly related to the state agency’s exercise of its powers or duties, for which employees of the agency may access confidential personal information and a procedure that requires the agency to notify each person whose confidential personal information has been accessed for an invalid reason.2

Patients have the right to the confidentiality of their protected health information; this right is specifically delineated for certain individuals, including for residents of skilled nursing facilities,3  residents of adult care facilities, 4 and persons with mental retardation or a developmental disability.5

Ohio law governs the confidentiality and recordkeeping requirements for various facilities and providers.  The provider of a health care service must keep patient’s medical and financial records confidential.6  Every nursing home must store patient medical records and reports in a manner that protects and ensures their confidentiality.7  Each hospice care program must have policies and procedures to ensure the confidentiality of central clinical records.8  Adult care facilities must store resident records in a manner that protects and ensures their confidentiality; staff members who have access to residents’ personal information may not discuss or share the information with another individual working in the facility unless transmission of the information is necessary to provide care to or to meet the needs of the resident.9

The law permits disclosure of patient information in certain circumstances.  Insurers may disclose the results of a positive HIV-test to the insurance applicant, any person that the applicant or insured specifically designates in writing; and to a medical information exchange for insurers operated under procedures intended to ensure confidentiality.10  Patient-identifying information submitted to the department of health in conjunction with the hearing screening conducted by hospitals and freestanding birthing centers may be provided to entities as necessary; the department of health and any entity that receives information must maintain its confidentiality.11  The department of health may release information about an individual with malignant disease for diagnostic and treatment purposes, to the cancer registry of another state, and for statistical, scientific, and medical research for the purposes of reducing the morbidity or mortality of malignant disease.12  Information, data and reports with respect to a birth defects case that is furnished to, or obtained by, the birth defects information system or by the director may be disclosed to parents, guardians and custodians of children with birth defects, to provide data regarding birth defects in Ohio to the “National Birth Defects Prevention Network”, to the birth defects registry of another state and for medical research studies.13  Information obtained during an investigation initiated by the director of health in response to reports of illnesses or diseases may be released if the director has determined that the release of information collected pursuant to an incomplete investigation is necessary and in compliance with applicable law.14  Records maintained in connection with the employee assistance program may be disclosed without the individual’s consent to medical personnel to the extent necessary in a bona fide emergency, to qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, and if authorized by a court.15

Information that is collected or reported in accordance with various requirements is still subject to restrictions on further disclosure and use.  Maternity units and newborn care nurseries must take appropriate measures to ensure the confidentiality of patient medical records, and individual records may not be disclosed unless otherwise authorized by the patient, as allowed by state and federal laws and regulations, and for inspection by the director of health.16 Reported information regarding AIDS, AIDS-related conditions or positive HIV tests that identifies an individual is confidential and may be released only with the written consent of the individual, except as the director determines necessary to ensure the accuracy of the information, to provide treatment to the individual, as ordered by a court, or pursuant to a search warrant or subpoena.17  Any information, data, or report with respect to a case of malignant disease that are furnished to the cancer registry or the department of health is confidential and may only be used or disclosed for the confidential use of the department, to persons involved in a medical research project that meets the standards established by the department, if proper safeguards are in place, to physicians for diagnostic and treatment purposes and to another state’s registry, if proper safeguards are in place.18