Current through all regulations passed and filed through September 16, 2024
(A) Policy statement
Health information that identifies an individual, or in respect
of which there is a reasonable basis to believe that it can be used to
identify the individual, is protected by law. Such information is confidential
and may only be released in accordance with the law.
(B) Purpose of policy
To assure the privacy and confidentiality of protected health
information "PHI" and to provide guidelines for its use and disclosure in
accordance with state and federal laws such as the health insurance portability
and accountability act of 1996 "HIPAA" and the Family Education Rights and
Privacy Act, 20 U.S.C. 1232g; 34 C.F.R. part 99 "FERPA." Uses and
disclosures addressed in this policy are not exhaustive and do not capture all
permissible uses or disclosures by law or encountered in daily operations. As
such, workforce members are encouraged to contact the privacy officer or office
of legal affairs prior to any non-routine use or disclosure or to seek
clarification on a use or disclosure addressed generally in this rule.
(C) Procedure
(1) Generally:
(a) Protected health information (PHI) under
HIPAA may not be used or disclosed by a member of the university
of Toledo (UToledo) workforce except as permitted in this or other
UToledo policies or applicable law. PHI also may
be incidentally used or disclosed in conjunction with a use or disclosure
required or permitted by law.
(b) All uses or disclosures of PHI that are not specifically addressed in this
policy should be referred to the health information management department who
will follow up with the privacy officer or the office of legal affairs as
necessary.
(c) Where the use or
disclosure of PHI is required or permitted, the use or disclosure must be
limited to the minimum necessary except where the minimum necessary rules do
not apply [45 C.F.R. 164.502(b)(2)(i)-(vi)] such as:
(i) Disclosures to a healthcare
provider for treatment.
(ii) Permitted or required access by the individual.
(iii) Pursuant to an authorization.
(iv) Disclosures made to the department of
health and human services "DHHS."
(v) Required disclosures.
(vi) Required for compliance with
HIPAA.
(2) Required uses and disclosures
(a) To the
individual when a request for access to medical information or accounting of
disclosures is made.
(b) To the
secretary of health and human services "HHS" for investigation and compliance
purposes. Such requests must be directed to the office of legal affairs or the
privacy office.
(3) Permitted uses and disclosures
(a) For
treatment, payment and healthcare operations, as permitted by law.
(b) Disclosure to the individual is
permitted. Individuals have the right to request access, amendment or
accounting of disclosure of their PHI. Such requests are handled through the
health information management department where the identity and authority of
the person requesting PHI will be verified and documented prior to disclosure
using any of the following methods:
(i) The
call back procedure.
(ii) Comparing
signature on patient record with signature on request form.
(iii) Obtaining a copy of the requestor's
government issued picture identification.
(iv) Any other reasonable and appropriate
means of verification under the circumstances.
(c) Pursuant to a valid written authorization
or after the individual is given an opportunity to object or agree.
(i) A valid written authorization is required
prior to the following uses and disclosures:
(a) Use and disclosure of psychotherapy
notes.
(b) For marketing purposes
with the exception of a face-to-face communication with the individual or where
a promotional gift of nominal value is provided.
(c) Sale of PHI as defined in paragraph (D)
of this rule.
(ii) When
a valid written authorization is required prior to release of PHI,
UToledo's form (authorization to release) should be
used whenever possible. If the said form is not used, any other form containing
the following minimum requirements may be used:
(a) A description of the information to be
used or disclosed that identifies the information in a specific and meaningful
fashion.
(b) The name of the person
authorized to make the request for use/disclosure.
(c) The name of the person to whom
UToledo may make the requested
use/disclosure.
(d) A description
of the purpose of the request (when the individual initiates the request, "at
the request of the individual" is sufficient).
(e) An expiration date or expiration
event.
(f) A statement of the
individual's right to revoke the authorization in writing, the exceptions to
that right and how to revoke an authorization as referenced in the notice
of privacy practices.
(g) A
statement that information used/disclosed may be subject to re-disclosure by
the recipient and no longer be protected by the HIPAA privacy rule.
(h) A statement indicating that the
authorization may not condition treatment or payment on the signing of the
authorization.
(i) Signature of the
individual and date (if signed by a personal representative, authorization
should also have a description of the representative's authority to act for the
individual).
(j) A notice that if part two PHI is included in the
release of information, the PHI may not be further disclosed.
Following authorized release of PHI from the health information
management department, the signed authorization will be retained in the health
record with a notation of what specific information was released, the date of
the release and the signature of the individual who released the
information.
(d) The individual must be given an
opportunity to object or agree (orally or written) to the use or disclosure of
PHI in the following circumstances:
45 C.F.R. 164.510.
(i) Use or disclosures of PHI in
institutional directories.
(ii) Prior to disclosure of relevant information to persons involved in the
individual's care or to notify family or relatives of the individual's
condition.
(e) Where the
agreement of the individual is not required prior to disclosure.
45 C.F.R. 164.512.
(i) Uses and disclosures for public health
activities authorized by law.
(ii) Disclosures about victims of abuse, neglect or domestic violence authorized by
law.
(iii) Uses and disclosures for
health oversight activities.
(iv) Disclosures for purposes of judicial and administrative proceedings.
(v) Disclosures for law enforcement purposes
permitted by law.
(vi) Disclosures
to coroners, medical examiners, funeral directors and cadaveric organ donation
entities that are relevant and necessary to carry out legally authorized
activities.
(vii) Disclosures for
research purposes provided that a waiver of authorization has been approved by
the institutional review board (IRB) and in other circumstances permitted by
law.
(viii) Incidental to a
permitted or required use where minimum necessary guidelines are
followed.
(ix) Disclosures made in
good faith based on a belief that it is necessary to prevent serious and
imminent threat to a person or to the public and the disclosure is made to a
person(s) who is able to lessen or prevent the threat.
(x) Specialized government functions such as
for certain military purposes, to the secret service, etc.
(xi) Disclosures that are directly related to
a worker's injury, made in order to comply with workers compensation
laws.
(4) Other requirements and details of permitted uses and disclosure
(a) Fundraising communications
45 C.F.R. 164.514. Uses and disclosures of the
following PHI are permitted to an institutionally related foundation or a
business associate for the purpose of raising funds for university of Toledo
medical center "UTMC" and its healthcare components in accordance with law and
notice provided in the institution's notice of privacy practices. See
45 C.F.R. 164.514(f).
(i) Demographic information relating to the
individual.
(ii) Dates of
healthcare provided.
(iii) Department of service information.
(iv) Treating physician.
(v) Outcome information and health insurance
status.
Individuals must be given a clear opportunity to opt out of
receiving fundraising communications and must not receive any related
communications after they have opted out. Individuals who have opted out may
also be provided an opportunity to opt back in. Treatment or payment will not
be conditioned on an individual's choice regarding fundraising
communications.
(b) Use and disclosure in emergency
situations or in the absence of the individual.
(i) If the individual is present and has the
capacity to make healthcare decisions, relevant PHI may be disclosed to family
members or other relatives or close personal friend(s) who have been involved
in the individual's healthcare or payment if:
(a) The individual agrees.
(b) The individual is given an opportunity to
object or agree and the individual fails to object.
(c) The healthcare provider in exercise of
professional judgment infers from circumstances that the individual does not
object to the disclosure.
(ii) If the individual is not present or is
unable to agree or object due to incapacity or an emergency, PHI may be
disclosed if it is determined to be in the best interest of the individual.
Under these circumstances, only directly relevant PHI may be disclosed. A
person may be allowed to act on behalf of an individual to pick up filled
prescriptions, medical supplies or other similar forms of PHI based on
professional judgment as determined on an individual basis.
(c) Workforce members accessing
their own PHI.
(i) Subject to the limitations placed on access from time to time by the
UToledo, a workforce member is permitted to access only his/her own PHI using
UToledo computing systems which the workforce member
is authorized to access.
(ii) A
workforce member may not access the health record portal on behalf of or at the
request of another workforce member.
(iii) A workforce member may not access the
health record of a family member including but not limited to: spouse,
children/step children (whether dependent or not), siblings,
parents/step-parents, grandparents, grandchildren and anyone related by blood
or by marriage for the purpose of obtaining information.
(iv) Workforce members who may need to access
PHI of friends or relatives as part of their duties within the scope of their
employment are encouraged to have another authorized workforce member complete
such duties.
(v) Limitations placed
on access by the UToledo may
include a denial of access to: psychotherapy notes, information compiled in
reasonable anticipation of a legal proceeding; certain information that is part
of a research study before completion of the study or laboratory results or
information. Workforce members may not access PHI through rule 3364-90-07 of
the Administrative Code (medical record availability and access). Workforce
members will only be provided access to UToledo
computing systems.
(d) Disclosures for purposes of hospital directories.
(i) UTMC maintains a hospital directory for
in-patients. See rule 3364-90-08 of the Administrative
Code. Upon registration for admission, patients will be given a consent
form consistent with the notice of privacy practices. Patients may choose to
have their information included in UTMC's directory or not.
Information contained in the directory may only be released to an individual
who asks for the patient by name. The directory will include the following
information:
(a) Name of patient.
(b) Location of the
patient in the facility.
(c) Religious
affiliation (released to clergy).
(d) General condition
(must not include specific medical information).
(ii) Part two patient information will be kept confidential and not
disclosed without patient's
authorization.
(e) Disclosure for research purposes.
Please refer to rule 3364-70-05 of the Administrative Code (protection of
human subjects in research) for uses and disclosures for research purposes.
(f) Disclosure to employers about an
individual who is a member of the workforce of the employer.
Relevant PHI may be disclosed to an employer who has requested
UTMC to provide healthcare services to a member of its workforce in certain
circumstances relating to workplace related illness, injury or medical
surveillance at the workplace. The individual must be given prior notice of the
disclosure before permitting the disclosure.
(g) Student immunization records.
PHI limited to proof of immunization of a student or
prospective student may be released to a school if the school is required by
law to have such proof as part of admission requirements. Documentation must be
maintained of the request from the student, parent or person acting in loco
parentis as the case may be, as proof of agreement to the disclosure.
(h) Disclosures to social or
protective services.
(i) A patient who is
suspected to be a victim of abuse or neglect must be given an opportunity to
agree to a disclosure to social or protective services or other authorized
government agency mandated to receive such reports.
(ii) Disclosures must be made to the extent
required or authorized by law and must be relevant to the requirements of such
law.
(iii) Where the individual is
unavailable through incapacity to agree to the disclosure, the individual must
be promptly notified of the disclosure once he/she regains capacity except
where informing the individual poses a risk to the individual or where
notification is to be given to a caregiver who is suspected to be the
abuser.
(i) Disclosures
for judicial and administrative proceedings.
The office of legal affairs, privacy
officer or health information management department must be contacted
prior to disclosures in response to a court order, discovery requests or other
requests for judicial or other administrative proceedings.
(j) Disclosure to law enforcement officials.
(i) In response to a law enforcement
official's request for PHI, which includes UToledo
police, and subject to the verification of the official's identity, health
information may be disclosed for the purpose of identifying or locating a
suspect, fugitive, material witness, or missing person, provided that only the
following information is released:
(a) Name
and address.
(b) Date and place of
birth.
(c) Social security
number.
(d) ABO blood type and Rh
factor.
(e) Type of
injury.
(f) Date and time of
treatment.
(g) Date and time of
death.
(h) Description of
distinguishing physical characteristics including height, weight, gender, race,
hair, eye color, presence or absence of facial hair, scars and
tattoos.
(ii) The
patient's DNA, dental records or typing, samples or analysis of body fluids or
tissues may not be released, except as otherwise permitted by law.
(iii) Information regarding any tests to
determine the presence of alcohol or a substance of abuse may be released to a
police officer involved in an official criminal investigation or proceeding
upon the receipt of a written statement requesting the release of records as
set forth by division (B) of section 2317.022 of the Revised Code.
(iv) PHI may be disclosed to
law enforcement officials about an individual or deceased individual who is or
is suspected to be a victim of a crime if the individual is unable to consent
because of incapacity or other emergency circumstance and the law enforcement
official represents that such information is needed to determine whether a
violation by a person other than the victim has occurred. It must be shown that
such information is not intended to be used against the victim and that the
information is material to the investigation and waiting for the individual to
agree to the disclosure would adversely affect the investigation and disclosure
is in the best interests of the individual in the professional judgment of the
caregiver.
(v) When emergency care
is provided to a patient due to a crime other than abuse or neglect, PHI
disclosure is permissible when it appears necessary to alert law enforcement to
determine:
(a) The commission and nature of a
crime.
(b) Location of such crime
or victims of such crime.
(c) The
identity, description, and location of the perpetrator of such crime.
(k) Disclosure of PHI of
minors.
(i) For individuals who are minors, a
parent, guardian or other authorized person generally has the authority to act
on behalf of the minor for the purpose of release of information. There are
exceptions to when a parent, guardian, or other person does not have authority
which are:
(a) When the minor has the
authority under law to consent to healthcare treatment, the minor holds the
authority to provide, and the minor has not requested that such person be
treated as the personal representative.
(b) When the minor may lawfully obtain
healthcare services without the consent of a parent, guardian or other
authorized person and the minor, a court or other person authorized by law
consents to such treatment.
(c) When the parent, guardian or other authorized person agrees that the minor and
healthcare provider may have a confidential relationship; and
(d) When the provider reasonably believes in
his or her professional judgment that the minor has been or may be subjected to
abuse or neglect, or that treating the parent, guardian or other authorized
person as the minor's personal representative could endanger the minor. In
these circumstances the provider is permitted not to treat the parent, guardian
or other authorized person as the minor's personal representative with respect
to health information.
(ii) In the case of a minor of divorced
parents, generally the custodial parent may authorize use or disclosure of PHI
but legal documents may authorize either parent to authorize the use or
disclosure of PHI. If UToledo personnel are alerted to a potential problem in
this regard, these cases should be referred to the office of legal affairs; or
In the state of Ohio, if a minor has been treated for sexually
transmitted conditions without the consent of the parent, the minor has the
right to authorize use/disclosure of PHI without the signature of parent. The
parent is not financially responsible if the parent did not consent.
(l) Disclosure of PHI
to students.
Health records kept by the UToledo for
students enrolled at UToledo, and where such persons are not employees
of the UToledo are not subject to the rules with respect to
HIPAA, but instead the FERPA.
(m) Disclosure of PHI to business associates.
Disclosure of PHI to business associates of UTMC and its
healthcare components is governed by the relevant business associate agreement
and applicable law.
(5) Special rules concerning human
immunodeficiency virus "HIV" records and alcohol abuse.
(a) The release of information concerning
alcohol and drug abuse prevention records or HIV testing records or acquired
immunodeficiency syndrome "AIDS" records is controlled by state and federal
laws and has a higher obligation of confidentiality (see
42 U.S.C. 290dd-3, 42 C.F.R. part 2 and section 3701.243 of the Revised Code
and related statutes). Any release of such records
must meet specific statutes or regulations for authorization for release.
Releases and issues involving these matters should be referred to the health
information management department or the office of legal affairs.
(b) Not only must patients be informed of
federal privacy rights upon admission related to treatment for alcohol and drug
abuse, in releasing alcohol and/or drug abuse prevention records pursuant to an
appropriate authorization, a re-disclosure statement must accompany the
released information. An authorization is not required when disclosing in a
bona fide emergency, if authorized by a court order or for one of the other
federally permitted uses. If an authorization is required, the authorization
must also state:
"This information has been disclosed to you from records
protected by federal confidentiality rules (42 C.F.R. Part 2). The federal
rules prohibit you from making any further disclosure of this information
unless this further disclosure is expressly permitted by the written consent of
the person to whom it pertains or as otherwise permitted by 42 C.F.R. Part 2. A
general authorization for the release of medical or other information is not
sufficient for this purpose. The federal rules restrict any use of the
information to criminally investigate or prosecute any alcohol or drug abuse
patient."
(c) In releasing
information on HIV/AIDS records, a re-disclosure statement must accompany the
released information. This will state:
"This information has been disclosed to you from confidential
records protected from disclosure by state law. You shall make no further
disclosure of this information without the specific, written, and informed
release of the individual to whom it pertains, or as otherwise permitted by
state law. A general authorization for the release of medical or other
information is not sufficient for the purpose of the release of HIV test
results or diagnoses."
(d) See also the HIV/AIDS disclosure protocol found within the health information
management department as required by division (B)(3) of section
3701.243 of the Revised Code.
(D) Definitions
For the purpose of this document the terms below are defined as
follows:
(1) Business associate means
a person or entity that performs any one or more of the following functions and
is not a member of the workforce of the UTMC or any of its covered components.
(a) Performs or assists the provider in the
performance of an operational function or activity involving PHI, such as, but not limited to, legal, actuarial, accounting,
consulting, data aggregation, management, administrative, accreditation or
financial services to or for the covered entity (claims processing; data
analysis, processing, billing); utilization review; patient safety activities
in which the covered entity participates, where the provision of the service
involves the disclosure of protected health information from such covered
entity or arrangement, or from another business associate of such covered
entity or arrangement, to the person.
(b) Provides an operational service to or for
the provider involving the disclosure of PHI, such as accounting, consulting,
data aggregation, and accreditation.
Business associates include providers of data transmission
services with respect to PHI such as health information organizations or
e-prescribing gateway who require access on a routine basis to PHI, a
subcontractor that creates, receives, maintains or transmits PHI on behalf of a
business associate and a person who offers a personal health record to one or
more individuals on behalf of UTMC or its healthcare components.
(2) Covered
component(s) or designated health care component includes the hybrid and ACE which
is maintained by the privacy officer and approved by the privacy and security
committee.
(3) Health
information - is defined by HIPAA to include any information, whether oral or
recorded in any form or medium, that is created or received by a health care
provider and related to the past, present or future physical or mental health
or condition of an individual, the provision of healthcare services to an
individual, or the payment of the provision of healthcare services.
(4) Protected health information (PHI) is
health information that identifies or can be used to identify an individual.
Any of the following information pertaining to a patient or relative, employees
or household members of the patient can be used to identify a patient: name,
street address, city, county, precinct, zip code, geocode, birth date,
admission date, discharge date, date of death, age, telephone number, fax
number, e-mail, social security number, medical records number, health plan
number, account number, certificate/license number, vehicle ID number and
license plate, device identifier, web location, internet address, biometric
identifier, photographs or any unique ID.
PHI does not include:
(a) Individually identifiable health
information in education records covered by FERPA. Records on a student of the
UToledo which are made or maintained by
a physician, psychiatrist, psychologist, or other recognized professional or
paraprofessional acting in that person's professional or paraprofessional
capacity, or assisting in that capacity, and which are made, maintained, or
used only in connection with the provision of treatment to the student, and are
not available to anyone other than person(s) providing such treatment, except
that such records can be personally reviewed by a physician or other
appropriate professional of the student's choice.
(b) Employment records
held by the UToledo in its role as employer.
(c) Individually identifiable health
information for people who have been deceased for more than fifty
years.
(d) Health care operations
means any of the following activities to the extent that the activities are
related to covered functions: conducting quality assessment and improvement
activities; credentialing activities, including reviewing the competence or
qualifications of health care professionals, evaluating performance and health
plan performance; underwriting or premium rating; conducting or arranging for
medical, legal or auditing review; business management and general
administrative activities of the UToledo,
including customer service, complaint resolution and merger or consolidation
with another entity any other general business use consistent with
de-identification or limited data set or permitted fundraising uses.
(5) Workforce member means
employees, volunteers, trainees, and other persons whose conduct, in the
performance of work for the UToledo or its healthcare components is under the
direct control of the UToledo or its healthcare components regardless of
whether or not they are paid by the UToledo or its
healthcare components.
(6) Individual means a person who is the subject of the protected health
information or with respect to use and disclosure of PHI; an authorized
personal representative of the person (invoked health care power of attorney,
guardian or executor) shall be treated as the individual.
(a) A health care provider may elect not to
treat a person as a personal representative if:
(i) The health care provider believes that an
individual has been or may be subjected to domestic violence, abuse or neglect
by such person, or that treating such person as the personal representative
could endanger the individual; and
(ii) The health care provider decides that it
is not in the best interest of the individual to treat such person as the
individual's personal representative.
(b) 42 C.F.R. part 2
are all records relating to the identity, diagnosis, prognosis, or treatment of
any patient in a substance abuse program.
(c) Sale is defined as disclosure of PHI by a
covered entity where the covered entity directly or indirectly receives
remuneration from or on behalf of the recipient of the PHI in exchange for the
PHI.