How to Comply with HIPAA Laws in Ohio

If you’re a healthcare provider treating patients in Ohio, you are likely wondering: what are the HIPAA laws in Ohio? While some states have their own privacy laws, some of which impose stricter requirements than HIPAA, Ohio is not one of those states. However, Ohio does have stricter breach notification laws than HIPAA. Find out more about Ohio HIPAA laws below.

HIPAA Laws Ohio

To meet the requirements of the HIPAA regulations, healthcare organizations (healthcare providers, healthcare vendors, and MSPs) must implement a HIPAA compliance program. Most federal HIPAA requirements apply at the state level in Ohio as well.

Security Risk Assessments, Gap Identification, and Remediation

To be HIPAA compliant, it is crucial to identify where your deficiencies lie. To do so, healthcare organizations must conduct six self-audits annually. These self-audits uncover weaknesses and vulnerabilities in your security practices. To ensure that your organization meets HIPAA safeguard requirements, you must create remediation plans. Remediation plans list your identified deficiencies and how you plan to address them, including actions and a timeline.

HIPAA Policies and Procedures

To ensure that you meet HIPAA Privacy, Security, and Breach Notification requirements, you must implement written policies and procedures. These policies and procedures must be customized for your practice’s specific needs, applying directly to how your business operates. To account for any changes in your business practices, you must review your policies and procedures annually and make amendments where appropriate.

HIPAA Training Ohio

HIPAA imposes employee training requirements that are the same regardless of the state in which the healthcare organization operates. HIPAA training in Ohio must be provided to each employee who has the potential to access PHI. Training must be provided annually, and employees must legally attest that they understand and agree to adhere to the training material.

Business Associate Agreements

Business associate agreements must be signed with each of your business associate vendors. HIPAA defines a business associate as any entity that performs a service for your practice that gives them the potential to access PHI. Common examples of business associates include electronic health records platforms, email service providers, online appointment scheduling software, and cloud storage providers. 

You cannot use just any vendor and remain HIPAA compliant. The vendor must be willing and able to sign a business associate agreement (BAA). A BAA is a legal contract that requires each signing party to be HIPAA compliant and to be responsible for maintaining its own compliance. When a vendor will not sign a BAA, it cannot be used for business associate services.

Incident Management

To comply with the HIPAA Breach Notification Rule, you must have a system to detect, respond to, and report breaches. Employees must also have the means to report incidents anonymously and be aware of what to do if they suspect a breach has occurred.

HIPAA Notice of Privacy Practices in Ohio

Under HIPAA regulations, covered entities are required to provide individuals with a Notice of Privacy Practices in plain language that contains:

  • The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  • A description of how PHI can be used for treatment, payment, and health care operations.
  • A description of the types of PHI uses and disclosures requiring patient authorization.
  • A description of the circumstances in which the covered entity may use or disclose PHI without written authorization.
    • A covered entity may use or disclose PHI without authorization for a number of purposes. Examples include public health and health oversight activities, and judicial proceedings.
  • The name, title, and phone number of a person or office to contact for further information or questions about the notice.
  • The date on which the notice is first in effect.
  • A statement that an individual may revoke an authorization.

HIPAA Release Form Ohio

A HIPAA release form in Ohio is required under certain circumstances. HIPAA regulations outline the uses and disclosures of PHI that require authorization to be obtained from a patient/plan member before that person’s PHI can be shared or used. 

HIPAA release forms are required before:

  • The covered entity can use or disclose PHI whose use or disclosure is otherwise not permitted by the HIPAA Privacy Rule
  • The covered entity can use or disclose PHI for marketing purposes. If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

The law requires that a HIPAA release form contain specific “core elements” to be valid. 

These elements include:

  • A description of the specific information to be used or disclosed.
  • The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  • The name or other specific identification of any third parties (persons or classes of persons) to whom the covered entity may make the requested use or disclosure.
  • A description of each purpose of the requested use or disclosure. 
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. 
  • The signature of the individual, and the date. 

Ohio Data Breach Notification Law

Ohio data breach notification law requires organizations that suffer a breach compromising personal information to report the incident. Entities that are subject to HIPAA and report incidents following HIPAA standards also meet the requirements of the Ohio data breach notification law.

The HIPAA Breach Notification Rule requires healthcare organizations to report breaches that compromise the confidentiality, integrity, or availability of protected health information. 

Incidents that are considered reportable breaches include:

  • Hacking or IT incidents
  • Unauthorized access or disclosure of PHI
  • Theft or loss of an unencrypted device with access to PHI
  • Improper disposal of medical records

When a patient’s PHI is potentially affected by one of these incidents, the affected patient must be informed within 60 days of discovery. Breach notification letters must be mailed to affected patients. If ten or more patients cannot be reached by mail, a substitute notice must be available on the organization’s website. If the incident affected 500 or more patients, the breached organization must notify media outlets to ensure that all affected patients are aware of the incident.

Breach notification requirements to the Department of Health and Human Services (HHS) differ depending on how many patients are affected by the incident.

  • Breaches affecting 1 – 499 patients: organizations must keep a record of every breach that involved fewer than 500 patients over the course of the calendar year. Organizations have 60 days from the end of the calendar year in which the breach occurred to report these incidents to HHS, i.e., by March 1st.
  • Breaches affecting 500+ patients: any incident that affected 500 or more patients must be reported to HHS within 60 days of discovering the incident. These incidents are posted on OCR’s online breach portal.

Although HIPAA states that individuals must be notified within 60 days of a breach, Ohio data breach notification law states that consumers must be notified no later than 45 days after the breach is discovered. Organizations that handle the PHI of Ohio residents must therefore ensure that those residents are notified within the shorter 45-day timeframe.
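The notification deadlines described above, encoded as an incident-response helper. This is an added example, not code from the page or from Compliancy Group; the `Breach` record, its field names and the sample dates are assumptions, and the small-breach annual deadline uses the March 1st date stated on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Breach:
    """Constructed incident record (hypothetical fields, not from the page)."""
    discovered: date          # date the breach was discovered
    affected: int             # number of patients whose PHI was affected
    ohio_residents: bool      # True if any affected patient is an Ohio resident
    unreachable_by_mail: int = 0  # patients with no usable mailing address


def notification_deadlines(b: Breach) -> dict:
    """Return the notification obligations and their due dates for one breach.

    Rules encoded from the page: HIPAA gives 60 days from discovery to notify
    individuals; Ohio law shortens that to 45 days for Ohio residents, so the
    shorter window wins. Ten or more unreachable patients require a substitute
    notice on the website. 500+ affected patients trigger media notice and an
    HHS report within 60 days of discovery; smaller breaches are logged and
    reported to HHS by March 1st of the following calendar year.
    """
    due = {}
    individual_window = 45 if b.ohio_residents else 60
    due["individuals"] = b.discovered + timedelta(days=individual_window)

    if b.unreachable_by_mail >= 10:
        # Substitute web notice is an alternative channel for the same deadline.
        due["substitute_web_notice"] = due["individuals"]

    if b.affected >= 500:
        due["media"] = b.discovered + timedelta(days=60)
        due["hhs"] = b.discovered + timedelta(days=60)
    else:
        # Annual log of sub-500 breaches, reported by March 1st (per the page).
        due["hhs"] = date(b.discovered.year + 1, 3, 1)
    return due


if __name__ == "__main__":
    # Constructed sample: large breach discovered 2024-01-10 affecting Ohio residents.
    sample = Breach(date(2024, 1, 10), affected=1200, ohio_residents=True,
                    unreachable_by_mail=12)
    for obligation, deadline in sorted(notification_deadlines(sample).items()):
        print(f"{obligation:22s} due {deadline.isoformat()}")
```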

HIPAA Violation Ohio

What is a HIPAA violation in Ohio? While many HIPAA violations come to light because of breaches, it is not the breach itself that establishes that a healthcare organization violated HIPAA. Most HIPAA violations occur when healthcare organizations fail to conduct accurate and thorough risk assessments, provide patients timely access to their medical records, obtain signed business associate agreements, or report breaches promptly.

HIPAA Laws Ohio: State Privacy Laws

HIPAA laws Ohio refer to Ohio state laws that overlap with HIPAA. Title 37 of the Ohio laws and rules, Chapter 3798, entitled “Protected Health Information,” serves as Ohio’s mini-HIPAA law.

HIPAA Laws Ohio and Protected Health Information

HIPAA laws Ohio, under Chapter 3798, specify the conditions to which Ohio covered entities are subject when those covered entities disclose protected health information to a health information exchange.

Under Ohio law, the terms “covered entity,” “disclosure,” and “protected health information,” mean the same as they do under HIPAA.

Under Ohio law, a “health information exchange” means any person or governmental entity in Ohio that provides a technical infrastructure to connect computer systems or other electronic devices used by covered entities, in order to facilitate the secure transmission of health information.

What Does Ohio Law Require?

Under Ohio law, a covered entity is subject to the following conditions when it discloses protected health information (PHI) to a health information exchange:

  • The covered entity must restrict disclosure consistent with all applicable federal laws, including HIPAA, governing the disclosure.
  • If the protected health information concerns a minor, the covered entity must restrict disclosure in a manner that complies with Ohio laws regarding the circumstances under which a minor may consent to receipt of healthcare, or make medical decisions on the minor’s own behalf, unless the minor authorizes the disclosure.
  • The covered entity must restrict disclosure in a manner that is consistent with a written request from the individual or his or her personal representative to restrict disclosure of all of the individual’s protected health information.

What is HIPAA Enforcement in Ohio?

Various Ohio agencies work together to implement the federal HIPAA regulations. These agencies include:

  • The Ohio Department of Agriculture Services
  • The Ohio Department of Aging
  • The Ohio Department of Alcohol and Drug Addiction Services
  • The Ohio Attorney General
  • The Ohio Department of Health
  • The Ohio Department of Mental Health
  • The Ohio Department of Mental Retardation and Developmental Disabilities
  • The Ohio Department of Job and Family Services 
  • The Ohio Department of Rehabilitation and Corrections
  • The Ohio Department of Workers Compensation

Each of these agencies works as part of “HIPAA Ohio.” HIPAA Ohio is governed by an Executive Leadership Committee, a group of leaders from these agencies. The committee is the “final word” in all HIPAA-related financial, policy, and managerial matters.

Work groups under the Executive Committee are in charge of developing policies for the state to best implement HIPAA regulations. These groups also write up legal contracts, codes, and educational materials for healthcare providers and others who must understand the HIPAA regulations.
