October 16, 2019

October 16, 2019

Subscribe to Latest Legal News and Analysis

October 15, 2019

Subscribe to Latest Legal News and Analysis

October 14, 2019

Subscribe to Latest Legal News and Analysis

Proposed Rule Would Require Ohio Providers to Accept Standard Authorization Form for Use and Disclosure of Protected Health Information

Recently, the Ohio Department of Medicaid (ODM) proposed the adoption of Ohio Administrative Code 5160-1-32.1 (the Proposed Rule), which provides two standard authorization forms for the use and disclosure of protected health information (PHI). The standard forms are designed to comply with both the HIPAA privacy rule (45 C.F.R. § 164.508) and 45 C.F.R. Part 2, which covers certain substance abuse treatment information. The Proposed Rule would require all Ohio providers to accept a properly executed standard authorization form within 30 days after the Proposed Rule’s effective date.  The Proposed Rule stems from legislation enacted by the Ohio General Assembly in 2012 to “harmonize state privacy law with federal law.” The legislation included a requirement that ODM develop a standard authorization form for the use and disclosure of PHI (Ohio Revised Code §§ 3798.02 and 3798.10).

According to ODM, the purpose of the standard authorization forms is to improve care coordination for Ohio patients across multiple providers by making it easier to share PHI in a secure manner.  Moreover, ODM developed the standard authorization forms as part of a broader statewide initiative to integrate physical and behavioral health care services within Medicaid managed care.  Ohio providers would not be required to use the standard forms, but they would be required to accept properly executed standard forms. A public hearing on the Proposed Rule will be held on November 16, 2018. Written comments may be submitted on or before the date of the public hearing.

The text of the Proposed Rule can be found here.  The ODM proposed standard authorization forms can be found here, and instructions for completing the standard authorization forms are available here.

© 2019 Dinsmore & Shohl LLP. All rights reserved.


About this Author

Jennifer Mitchell, health care practice group partner, Dinsmore Shohl, law firm,

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the...

Jared Bruce, Dinsmore Law Firm, Cincinnati, Corporate and Health Care Law Attorney

Jared focuses his practice on various health care law matters, including regulatory compliance, transactional matters and cybersecurity.  His prior experience includes serving as in-house counsel for a large non-profit managed care plan.

He drafts and negotiates complex health care-related contracts involving information technology (software licenses and professional service agreements), provider agreements, data sharing agreements and Business Associate Agreements. Jared’s practice includes advising payers, hospitals and providers on compliance and transactional matters related to government-sponsored health insurance plans such as Medicare and Medicaid. Additionally, he has experience representing clients in administrative appeals, Ohio Medicaid State hearings and provider reimbursement disputes.