Ohio Administrative Code
Title 145 - Public Employees Retirement System
Chapter 145-4 - Health Care Coverage
Section 145-4-28 - Health care plan provisions regarding the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
Universal Citation: OH Admin Code 145-4-28
Current through all regulations passed and filed through September 16, 2024
(A) As used in this rule:
(1)
"Electronic protected health information" means protected health information
that is transmitted by electronic media or maintained in electronic
media.
(2)
"Enrollment/disenrollment information" means
information on whether the individual is participating in the health plan, or
is enrolled in or has disenrolled from a health insurance issuer, health
maintenance organization, or health insuring corporation offered by the
plan.
(3)
"Plan" means any health plan maintained by the Ohio
public employees retirement system under the authority granted in section
145.58 of the Revised
Code.
(4)
"Plan administration functions" means administrative
functions performed by the plan sponsor of a health plan on behalf of the
health plan and excludes functions performed by the plan sponsor in connection
with any other benefit or benefit plan of the plan sponsor.
(5)
"Plan sponsor"
means the Ohio public employees retirement system.
(6)
"Protected
health information" means individually identifiable health information that is
transmitted by electronic media; maintained in electronic media; or transmitted
or maintained in any other form or medium.
(7)
"Summary health
information" means information (a) that summarizes the claims history, claims
expenses, or type of claims experienced by individuals for whom a plan sponsor
has provided health coverage under the plan; and (b) from which the information
described at 42 C.F.R. Section 164.514(b)(2)(i), 67 F.R. 53270 (2002), has been
deleted, except that the geographic information described in 42 C.F.R. Section
164.514(b)(2)(i)(B) need only be aggregated to the level of a five-digit ZIP
code.
(B) The plan may disclose to the plan sponsor enrollment/disenrollment information at any time.
(C) The plan (or a health insurance issuer, health maintenance organization, or health insuring corporation with respect to the plan) may disclose summary health information to the plan sponsor, provided that the plan sponsor requests the summary health information for the purpose of (1) obtaining premium bids from health plans for providing health insurance coverage under the plan; or (2) modifying, amending, or terminating the plan.
(D)
(1)
Unless otherwise
permitted by law, and subject to the conditions of disclosure described in
paragraph (E) of this rule and obtaining written certification pursuant to
paragraph (G) of this rule, the plan (or a health insurance issuer, health
maintenance organization, or health insuring corporation on behalf of the plan)
may disclose protected health information and electronic protected health
information to the plan sponsor, provided that the plan sponsor uses or
discloses such protected health information and electronic protected health
information only for plan administrative purposes. "Plan administration
purposes" means administration functions performed by the plan sponsor on
behalf of the plan, such as quality assurance, claims processing, auditing, and
monitoring and other administrative services related to the plan. Plan
administration functions do not include functions performed by the plan sponsor
in connection with any other benefit or benefit plan of the plan sponsor or any
employment-related actions or decisions.
(2)
Notwithstanding
any provisions of this plan to the contrary, in no event shall the plan sponsor
be permitted to use or disclose protected health information or electronic
protected health information in a manner that is inconsistent with
45 C.F.R. Section
164.504(f), 68 F.R. 8381
(2003).
(E)
(1)
Plan sponsor
agrees that with respect to any protected health information (other than
enrollment/disenrollment information and summary health information, and
information disclosed pursuant to a signed authorization that complies with the
requirements of
45
C.F.R. Section 164.508, 67 F.R. 53268 (2002),
which are not subject to these restrictions) disclosed to it by the plan (or a
health insurance issuer, health maintenance organization, or health insuring
corporation on behalf of the plan), plan sponsor shall:
(a)
Not use or
further disclose the protected health information other than as permitted or
required by the plan or as required by law;
(b)
Ensure that any
agent, including a subcontractor, to whom it provides protected health
information received from the plan agrees to the same restrictions and
conditions that apply to the plan sponsor with respect to protected health
information;
(c)
Not use or disclose the protected health information
for employment-related actions and decisions or in connection with any other
benefit or employee benefit plan of the plan sponsor;
(d)
Report to the
plan any use or disclosure of the protected health information of which it
becomes aware that is inconsistent with the uses or disclosures provided
for;
(e)
Make available protected health information to comply
with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA")
right to access in accordance with
45 C.F.R.
Section 164.524, 67 F.R. 53271
(2002);
(f)
Make available protected health information for
amendment, and incorporate any amendments to protected health information, in
accordance with
45 C.F.R. Section
164.526, 65 F.R. 82802
(2002);
(g)
Make available the information required to provide an
accounting of disclosures in accordance with
45 C.F.R.
Section 164.528;
(h)
Make its
internal practices, books, and records relating to the use and disclosure of
protected health information received from the plan available to the secretary
of health and human services for purposes of determining compliance by the plan
with HIPAA's privacy requirements;
(i)
If feasible,
return or destroy all protected health information received from the plan that
the plan sponsor still maintains in any form and retain no copies of such
information when no longer needed for the purpose for which disclosure was
made, except that, if such return or destruction is not feasible, limit further
uses and disclosures to those purposes that make the return or destruction of
the information infeasible; and
(j)
Ensure that the
adequate separation between plan and plan sponsor (i.e., the firewall),
required by
45 C.F.R. Section
164.504(f)(2)(iii), is
established.
(2)
Plan sponsor further agrees that if it creates,
receives, maintains, or transmits any electronic protected health information
(other than enrollment/disenrollment information and summary health
information, and information disclosed pursuant to a signed authorization that
complies with the requirements of
45
C.F.R. Section 164.508, which are not subject
to these restrictions) on behalf of the plan, it will:
(a)
Implement
administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of the
electronic protected health information that it creates, receives, maintains,
or transmits on behalf of the plan;
(b)
Ensure that the
adequate separation between the plan and plan sponsor (i.e., the firewall),
required by
45 C.F.R. Section
164.504(f)(2)(iii) is
supported by reasonable and appropriate security measures;
(c)
Ensure that any
agent, including a subcontractor, to whom it provides electronic protected
health information agrees to implement reasonable and appropriate security
measures to protect the information; and
(d)
Report to the
plan any security incident of which it becomes aware, as follows: plan sponsor
will report to the plan, with such frequency and at such times as agreed, the
aggregate number of unsuccessful, unauthorized attempts to access, use,
disclose, modify, or destroy electronic protected health information or to
interfere with systems operations in an information system containing
electronic protected health information; in addition, plan sponsor will report
to the plan as soon as feasible any successful unauthorized access, use,
disclosure, modification, or destruction of electronic protected health
information or interference with systems operations in an information system
containing electronic protected health information.
(F)
(1)
The plan sponsor
shall allow only those employees or other persons under the control of the plan
sponsor who are involved in the administration of the health plan access to the
protected health information. No other persons shall have access to protected
health information. These specified employees (or classes of employees) shall
only have access to and use of protected health information to the extent
necessary to perform the plan administration functions that the plan sponsor
performs for the plan. In the event that any of these specified employees does
not comply with the provisions of this rule, that employee shall be subject to
disciplinary action by the plan sponsor for non-compliance pursuant to the plan
sponsor's employee discipline and termination procedures.
(2)
The plan sponsor
shall ensure that the provisions of this rule are supported by reasonable and
appropriate security measures to the extent that the persons designated above
create, receive, maintain, or transmit electronic protected health information
on behalf of the plan.
(G) The plan (or a health insurance issuer, health maintenance organization, or health insuring corporation with respect to the plan) shall disclose protected health information to the plan sponsor only upon the receipt of a certification by the plan sponsor that the plan has been amended to incorporate the provisions of 45 C.F.R. Section 164.504(f)(2)(ii), and that the plan sponsor agrees to the conditions of disclosure set forth in paragraph (E) of this rule.
Replaces: 145-4-50
Five Year Review (FYR) Dates:
10/10/2018 and
09/29/2023
Promulgated
Under: 111.15
Statutory
Authority: 145.09,
145.58
Rule
Amplifies: 145.58,
145.584
Prior
Effective Dates: 01/01/2009, 01/01/2011, 01/07/2013 (Emer.), 03/24/2013,
01/01/2014, 01/01/2016
Disclaimer: These regulations may not be the most recent version. Ohio may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
