How Do You Comply with HIPAA Laws in Ohio?
Although the Ohio Personal Privacy Act (HB 376) has yet to pass the House, and although no companion bill has yet been introduced in the Senate, the content of this article – originally published in 2022 – is still relevant. It is hoped that HB 376 gets the push it needs in 2024 to better protect the personal information of Ohio residents.
Original Article
There has been increased interest in how to comply with HIPAA laws in Ohio since the introduction of a proposed Ohio Personal Privacy Act. As the proposed Act stands at present, HIPAA Covered Entities and Business Associates will be exempt from complying with any new legislation, and any new privacy standards will not apply to Protected Health Information.
In July 2021, Ohio Lieutenant Governor John Husted announced the introduction of the Ohio Personal Privacy Act – a proposed framework of privacy protections similar to those passed in California, Virginia, and Colorado. The Act (HB 376) will – if passed – give consumers in Ohio rights over what information is collected about them, how it is used, and who it is disclosed to.
Businesses subject to the Ohio Personal Privacy Act will also be required to “prevent, detect, protect against, or respond to security incidents, identity theft, fraud, […] or any illegal activity” and report data breaches to the Ohio Attorney General. Therefore, in many ways the proposed Act has similar requirements to the HIPAA Privacy, Security, and Breach Notification Rules.
Consequently, it is not surprising that – as it stands at present – the Ohio Personal Privacy Act will not apply to organizations already subject to the HIPAA Privacy, Security, and Breach Notification Rules. This exemption mirrors several existing Ohio laws, yet there are some differences between HIPAA and laws in Ohio that Covered Entities and Business Associates need to be aware of.
Where HIPAA Differs from Laws in Ohio
The HIPAA Privacy Rule sets a federal floor of privacy protections for individuals’ individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or Business Associate. The Privacy Rule takes precedence over state privacy and security legislation unless the state legislation provides greater privacy protections or individuals’ rights.
Although the proposed Ohio Personal Privacy Act will not affect how Covered Entities and Business Associates in Ohio comply with HIPAA, some existing state legislation does provide greater privacy protections and individuals’ rights than HIPAA. These include:
- Ohio Code 5119.27 – which provides privacy protections for individuals with substance use disorders similar to 45 CFR Part 2. Compliance with 45 CFR Part 2 is not currently covered by the HIPAA Privacy Rule, although this may soon change.
- Ohio has separate rules relating to disclosures of HIV-related information. Under Ohio Code 3701.243, some disclosures are mandated (for public health purposes), while others require the written authorization of the individual to whom the information relates.
- With regard to individuals’ rights, Ohio Code 3701.741 mandates a fee schedule for obtaining copies of medical records. The schedule includes several instances in which individuals can obtain copies free of charge – making access to PHI more affordable.
Most other differences between HIPAA and laws in Ohio are nuanced. For example, in Ohio, pharmacists are permitted to disclose Protected Health Information to a healthcare provider for treatment purposes. Under HIPAA, such disclosures are permitted only when a treatment relationship already exists between a pharmacy and a healthcare provider.
Ohio Breach Notification Rule
Even though there are breach notification provisions in the proposed Ohio Personal Privacy Act, some breach notification provisions already exist in §1349.19 of the Ohio Code. This section does not apply to HIPAA Covered Entities under an exemption in §1349.19(F)(2), but – unlike the Ohio Personal Privacy Act – there is no carve-out for Business Associates.
This means that, in addition to reporting HIPAA security incidents to their Covered Entities (as required by the HIPAA Security Rule), Business Associates must report system security breaches to the Ohio Attorney General within 45 days of discovery if the breach results in unauthorized access to, or acquisition of, computerized data that compromises the security or confidentiality of that data.
Complying with Changing HIPAA Laws in Ohio
The proposed Ohio Personal Privacy Act is not going to affect any HIPAA compliance requirements in Ohio. However, when enacted, it will likely make plan members and patients more aware of their HIPAA rights. Therefore, Covered Entities and Business Associates may need to be better prepared to respond to individuals requesting copies of PHI and Accountings of Disclosures.
Other changes may have more of an impact on HIPAA compliance requirements in Ohio. 45 CFR Part 2 privacy protections for individuals with substance use disorders will likely be codified into HIPAA, while Business Associates may – or may not – have different breach notification reporting requirements when the Ohio Personal Privacy Act is enacted.
Organizations unsure about what HIPAA laws in Ohio apply to their operations should seek professional compliance advice to ensure they comply with both federal and state privacy, security, and breach notification legislation.