
Security of Health Information in Ohio

In conjunction with its laws governing privacy and confidentiality of health information, the state of Ohio has enacted laws governing the maintenance of health information in an effort to protect confidential information against unauthorized disclosures. Each state agency must have rules regarding the confidential personal information the agency keeps that include a mechanism for recording specific access of the information system by employees and an authentication measure used to access electronically kept confidential personal information. Knowingly accessing confidential personal information in violation of a rule of a state agency, or knowingly using or disclosing confidential personal information in a manner prohibited by law is considered a violation of a state statute.1 Every agency that maintains a personal information system must take reasonable precautions to protect personal information in the system from unauthorized use or disclosure; each agency must eliminate information from the system when it is no longer necessary and relevant to an authorized function of the agency.2

In addition to these broad requirements, the law governs the confidentiality of certain systems and program records. The birth defects information system is considered confidential, and the director must maintain a record of users given access to the system; any user who violates the system’s confidentiality may be denied further access to the system.3 Each hospice program must store central clinical records to protect them against unauthorized use.4 Nursing homes must safeguard medical records against unauthorized use and must ensure their confidentiality.5 All healthcare facilities must take appropriate measures to protect against unauthorized use of medical records.6 Adult care facility resident records must be safeguarded against unauthorized use; individuals working in the facility must return resident records to the storage area and may not allow the records to remain open in the view of others in the facility.7

 

Footnotes

  • 1. Ohio Rev. Code § 1347.15
  • 2. Ohio Rev. Code § 1347.05
  • 3. Ohio Rev. Code § 3705.32
  • 4. Ohio Admin. Code 3701-19-23
  • 5. Ohio Admin. Code 3701-17-19
  • 6. Ohio Admin. Code 3701-83-11
  • 7. Ohio Admin. Code 5122-33-15

 

Security of Health Information in Ohio

| Subtopic | Statute/Regulation | Description |
| --- | --- | --- |
| Unauthorized access or disclosure of health information (Cross reference Privacy & Confidentiality) | Access rules for confidential personal information – Ohio Rev. Code Ann. § 1347.15 | Each state agency must adopt rules regulating access to the confidential personal information the agency keeps, electronically or on paper. The... |
| | Records are confidential – exceptions – Ohio Rev. Code Ann. § 3705.32 | Records received and information assembled by the birth defects information system are confidential medical records, accessible only by the director... |
| Storage of health information in a secure location (Cross reference Medical Record Collection) | Central clinical record – Ohio Admin. Code 3701-19-23 | Each hospice care program must establish and maintain a central clinical record for each patient receiving care and services from the program. All... |
| | Duties of state and local agencies maintaining personal information systems – Ohio Rev. Code Ann. § 1347.05 | Every state or local agency that maintains a personal information system must take reasonable precautions to protect personal information in the... |
| | General medical records requirements – Ohio Admin. Code 3701-83-11 | Each health care facility (HCF) must maintain a medical record for each patient for six years from the date of discharge that documents the patient... |
| | Recordkeeping – Ohio Admin. Code 5122-33-15 | Adult care facilities must maintain a record for each resident that contains the following: The resident’s name, previous address, date of... |
| | Records and reports – Ohio Admin. Code 3701-17-19 | Every nursing home must maintain an individual medical record for each resident, started immediately upon admission and containing the following... |
| Security of Health Information | Duty of covered entities – Ohio Rev. Code Ann. § 3798.03 | This section applies to covered entities as they are defined in the HIPAA administrative regulation provisions (at 45 C.F.R. § 160.103).... |