HIPAA Authorization Form - Ohio

HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION (OHIO)

(Comprehensive - HIPAA, Ohio Medical Records Statutes, and Sensitive-Records Overlays)

1. DOCUMENT HEADER

HIPAA AUTHORIZATION FOR USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

Effective Date: [MM/DD/YYYY]

This HIPAA Authorization ("Authorization") is executed by:

2. DEFINITIONS

"Authorization" - This HIPAA authorization form, including appendices and amendments.

"Covered Entity" or "CE" - The health-care provider, health plan, or health-care clearinghouse identified above that is subject to HIPAA and, where applicable, to Ohio confidentiality statutes including Ohio Rev. Code Sections 5122.31, 3701.243, 3701.74, and 5119.27.

"Disclose" or "Disclosure" - The release, transfer, provision of access to, or divulging in any other manner of PHI outside CE, as used in 45 C.F.R. Section 160.103.

"HIPAA" - The Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and its implementing regulations at 45 C.F.R. Parts 160 and 164.

"Individual" - The subject of the PHI and signatory hereto, as used in 45 C.F.R. Section 160.103.

"PHI" - Protected Health Information, including [describe categories, e.g., laboratory test results dated [DATE RANGE], diagnostic imaging, physician progress notes, behavioral health records, and discharge summaries].

"Recipient" - The person(s) or entity(ies) authorized to receive the PHI, as set forth in Section 3.1(b).

"Use" - The sharing, employment, application, utilization, examination, or analysis of PHI within CE, as used in 45 C.F.R. Section 160.103.

3. OPERATIVE PROVISIONS

3.1 Grant of Authorization.

a. Authorized PHI. CE is hereby authorized to Use and Disclose the PHI specifically described in the definition of "PHI" above.

b. Authorized Recipient(s). Disclosure may be made to: [Recipient Name / Title / Address].

c. Purpose(s). PHI may be Used or Disclosed solely for the following purpose(s): [e.g., "continuity of care," "insurance underwriting," "legal proceeding in Case No. ____," "research study titled ____," or "at the request of the Individual"].

d. Expiration. This Authorization shall expire on the earliest of:

(i) [MM/DD/YYYY];

(ii) completion of the purpose(s) stated in 3.1(c); or

(iii) revocation pursuant to Section 3.2.

3.2 Right of Revocation.

Individual may revoke this Authorization at any time by delivering written notice to CE at [Designated HIPAA Privacy Office Address]. Revocation is effective upon receipt except to the extent CE or Recipient has already acted in reliance on this Authorization, consistent with 45 C.F.R. Section 164.508(b)(5).

3.3 Re-Disclosure Warning.

Information disclosed under this Authorization may be subject to re-disclosure by Recipient and may no longer be protected by HIPAA or Ohio law. CE has no responsibility for any re-disclosure outside its control.

HIV Disclosure-Restriction Statement (required by ORC 3701.243(C) when applicable): "This information has been disclosed to you from confidential records protected from disclosure by state law. No further disclosure of this information may be made without the specific, written, and informed release of the individual to whom it pertains, or as otherwise permitted by state law. A general authorization for the release of medical information is not sufficient for the purpose of releasing HIV test results or diagnoses."

3.4 Conditions for Treatment, Payment, Enrollment, or Eligibility.

Except for research-related treatment or enrollment in a health plan, CE may not condition treatment, payment, enrollment, or eligibility for benefits on the execution of this Authorization, consistent with 45 C.F.R. Section 164.508(b)(4).

3.5 Special Categories of PHI - Ohio Sensitive Records.

The following sensitive categories of PHI require the Individual's specific, knowing initials. CE shall not Disclose any sensitive category for which the corresponding box is not initialed.

a. Psychotherapy Notes (45 C.F.R. Section 164.508(a)(2)). ☐ Authorized. Initials: [____]

b. Mental Health Records (Ohio Rev. Code Section 5122.31). Certificates, applications, records, and reports identifying a patient or former patient that are made for purposes of Chapter 5122 are confidential and may be disclosed only as expressly permitted under Section 5122.31 or with the patient's consent. ☐ Authorized. Initials: [____]

c. HIV / AIDS Test Results and Diagnoses (Ohio Rev. Code Section 3701.243). HIV test results and the identity of the individual tested are confidential and may be disclosed only as specifically authorized in writing by the Individual or as otherwise permitted by Section 3701.243. Any such Disclosure must include the disclosure-restriction statement set out in Section 3.3 above. ☐ Authorized. Initials: [____]

d. Substance Use Disorder Treatment Records (42 C.F.R. Part 2; Ohio Rev. Code Section 5119.27 (formerly ORC ch. 3793)). Records identifying the Individual as having sought or received substance use disorder treatment from a federally assisted or Ohio-licensed program may not be Disclosed except in strict compliance with 42 C.F.R. Part 2 and Section 5119.27. ☐ Authorized. Initials: [____]

e. Genetic Information. Genetic test results may only be Disclosed consistent with the Genetic Information Nondiscrimination Act (GINA) and applicable Ohio law.

3.6 Prohibition on Sale of PHI; Marketing.

CE shall not Disclose PHI in exchange for direct or indirect remuneration except as permitted under HIPAA and Ohio law, and shall not Use or Disclose PHI for marketing without a separate, compliant written authorization.

3.7 Right to Access and to Copy.

Individual retains the right to inspect and obtain a copy of PHI under 45 C.F.R. Section 164.524 and under Ohio Rev. Code Section 3701.74, with fees subject to the limits in Ohio Rev. Code Section 3701.741. Individuals whose information is maintained in a state or local agency personal information system additionally have rights under Ohio Rev. Code Section 1347.08.

4. REPRESENTATIONS & WARRANTIES

4.1 Individual's Representations.

a. Individual is at least 18 years of age and possesses full legal capacity, or is the parent, legal guardian, person acting in loco parentis, executor/administrator, or personal representative duly authorized under Ohio law to execute this Authorization on behalf of the Individual (as those categories are defined in Ohio Rev. Code Section 3701.74).

b. The information provided herein is accurate and complete to the best of Individual's knowledge.

4.2 CE's Representations.

a. CE will Use and Disclose PHI only as expressly authorized herein and as permitted by applicable law.

b. CE maintains the administrative, physical, and technical safeguards required by HIPAA and by applicable Ohio law.

4.3 Recipient's Representations.

Recipient shall maintain the confidentiality of PHI in accordance with all applicable laws and this Authorization and shall not Use or Disclose PHI except as expressly permitted herein.

5. COVENANTS & RESTRICTIONS

5.1 Recipient Safeguards.

Recipient shall implement reasonable administrative, physical, and technical safeguards to prevent unauthorized Use or Disclosure of PHI and shall immediately notify CE and Individual of any breach or suspected breach.

5.2 Prohibited Actions.

Recipient shall not (a) sell PHI; (b) Use PHI for marketing without separate written authorization; or (c) combine PHI with other data in a manner that violates HIPAA, Ohio Rev. Code Section 5122.31, Section 3701.243, Section 5119.27, or other applicable law.

5.3 Minimum Necessary.

Disclosure shall be limited to the minimum necessary to accomplish the purpose(s) in Section 3.1(c), except where Section 164.502(b)(2) provides otherwise (e.g., disclosure to the Individual or pursuant to an authorization).

6. DEFAULT & REMEDIES

6.1 Events of Default. (a) Material breach of any provision of Sections 3-5; (b) failure to comply with any applicable law regarding PHI; or (c) written notice of breach delivered by a governmental authority.

6.2 Notice & Cure. The non-breaching Party shall give written notice of default. The breaching Party shall have [30] days from receipt to cure, if curable.

6.3 Remedies. (a) Termination of this Authorization, in whole or in part; (b) limited injunctive relief to prevent imminent or continuing unauthorized Disclosure of PHI; (c) recovery of direct damages and any statutory damages authorized by Ohio Rev. Code Sections 3701.243(E) and 5122.99 as applicable; (d) reasonable attorney fees and costs to the prevailing Party.

7. RISK ALLOCATION

7.1 Indemnification.

Recipient shall indemnify, defend, and hold harmless CE and its affiliates from third-party claims, losses, or liabilities directly arising from Recipient's Use or Disclosure of PHI in violation of this Authorization or applicable law.

7.2 Limitation of Liability.

To the fullest extent permitted by law, aggregate liability under this Authorization shall not exceed the statutory damages or penalties authorized by HIPAA (42 U.S.C. Section 1320d-5) and applicable Ohio statutes. No Party shall be liable for incidental, consequential, or punitive damages except as required by statute.

7.3 Insurance (Optional).

Recipient shall maintain cyber/privacy liability insurance with limits of not less than $[1,000,000] per claim.

8. DISPUTE RESOLUTION

8.1 Governing Law.

This Authorization shall be governed by HIPAA and, to the extent not preempted, the laws of the State of Ohio.

8.2 Forum Selection.

The Parties consent to exclusive jurisdiction and venue in the state and federal courts located in [COUNTY], OHIO.

8.3 Optional Arbitration.

By mutual written election after a dispute arises, the Parties may submit the matter to binding arbitration administered by the American Arbitration Association under its Healthcare Payor Provider Rules.

8.4 Jury Trial.

Nothing herein waives any Party's constitutional right to a jury trial.

9. GENERAL PROVISIONS

9.1 Amendment & Waiver. Any amendment must be in writing and signed by all Parties. No waiver shall be deemed continuing unless expressly stated.

9.2 Assignment. No Party may assign without prior written consent, except CE may assign to a successor by merger or acquisition.

9.3 Severability. If any provision is held invalid, it shall be reformed to the minimum extent necessary, and the remaining provisions remain in effect.

9.4 Integration. This Authorization constitutes the entire agreement on its subject matter.

9.5 Counterparts & Electronic Signatures. Permitted; electronic signatures are equivalent to handwritten.

10. EXECUTION BLOCK

IN WITNESS WHEREOF, the Parties have executed this Authorization as of the Effective Date.

Individual / Patient

Signature: _________________________________

Printed Name: _____________________________

Date: __________________

If signing as Personal Representative, Guardian, or Authorized Person under ORC 3701.74:

Authority / Relationship: _____________________

Covered Entity

By: __________________________ Title: ____________________

Printed Name: _____________________________

Date: __________________

Recipient

By: __________________________ Title: ____________________

Printed Name: _____________________________

Date: __________________

SOURCES AND REFERENCES

• 45 C.F.R. Section 164.508 (required authorization elements)
• 42 C.F.R. Part 2 (substance use disorder records)
• Ohio Rev. Code Section 5122.31 (mental health records confidentiality)
• Ohio Rev. Code Section 3701.243 (HIV test results / disclosures)
• Ohio Rev. Code Section 3701.74 (patient access to medical records)
• Ohio Rev. Code Section 3701.741 (fees for copies of medical records)
• Ohio Rev. Code Section 5119.27 (substance use disorder treatment records; successor to former ORC ch. 3793)
• Ohio Rev. Code Section 1347.08 (rights of subjects of personal information)