4123-6-15. Confidentiality of records  


Latest version.
  • (A) Subject to sections 2317.02, 4123.27, and 4123.88 of the Revised Code, certain employer premium, payroll, and claim file information is confidential and exempt from the general open records laws of Ohio, as set forth in section 149.43 of the Revised Code.

    (B) In the course of medical management in the HPP, some confidential information may be provided by the bureau to the MCO, and/or exchanged among the bureau, the MCO, the employer and its representative, the employee and his or her representative, the provider, and the provider's employees and agents. All such parties receiving and/or exchanging confidential information for use in the HPP shall ensure transmission of confidential information through secured methods approved by the bureau, including but not limited to encryption, password protection, facsimile, and other secure methods.

    (C) All parties receiving and/or exchanging confidential information for use in the HPP shall not use such confidential information for any use other than to perform duties required by the HPP, and shall prevent such information from further disclosure or use by unauthorized persons. MCOs shall not release any confidential information, other than in accordance with rule 4123-3-22 of the Administrative Code, to any third parties (including, but not limited to, parent, subsidiary, or affiliate companies, or subcontractors of the MCO) without the express prior written authorization of the bureau.

    (D) MCOs shall comply with, and shall assist the bureau in complying with, all disclosure, notification or other requirements contained in sections 1347.12, 1349.19, 1349.191 and 1349.192 of the Revised Code, as may be applicable, in the event computerized data that includes personal information, obtained by the MCO for use in the HPP, is or reasonably is believed to have been accessed and acquired by an unauthorized person and the access and acquisition by the unauthorized person causes, or reasonably is believed will cause a material risk of identity theft or other fraud.

    (E) MCOs shall comply with all electronic data security measures as may be required by Ohio law, Ohio department of administrative services or other state agency directive, executive order of the governor of Ohio, and/or the MCO contract.


Effective: 11/13/2015
Five Year Review (FYR) Dates: 08/26/2015 and 08/25/2020
Promulgated Under: 119.03
Statutory Authority: 4121.12, 4121.121, 4121.30, 4121.31, 4121.44, 4121.441, 4123.05
Rule Amplifies: 149.43, 1347.12, 1347.19, 1347.191, 1347.192, 2317.02, 4121.12, 4121.121, 4121.44, 4121.441, 4123.27, 4123.88
Prior Effective Dates: 2/16/96, 2/1/10