
Ohio at Home Privacy and Data-Security Policy

(Last updated — April 2026)


Ohio at Home Healthcare (“OAH,” “we,” “our,” “us”) is committed to protecting the privacy, dignity, and legal rights of every person we support. This policy explains what information we collect, why we collect it, how we safeguard it, and what choices you have—including how we protect your privacy through our remote support services and privacy-first monitoring approach.

1 | HIPAA Compliance

Covered Entity

Ohio at Home Healthcare is a HIPAA covered entity because it bills Ohio Medicaid and managed care organizations electronically for covered healthcare services. All Protected Health Information (PHI) is handled in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations at 45 CFR Parts 160 and 164.

Minimum Necessary Rule

Staff access only the PHI required to perform their job duties.

Business Associates

Vendors with potential PHI exposure sign HIPAA-compliant Business Associate Agreements (BAAs).

Breach Notification

Any unauthorized access, use, or disclosure of unsecured PHI is reported to affected individuals no later than 60 calendar days following discovery of the breach, and to the Secretary of HHS as required by 45 CFR 164.404 and 164.408. If the breach affects 500 or more individuals, we also notify prominent media outlets in the affected jurisdiction.

2 | How We Use and Disclose Your Information

Under HIPAA, we may use or disclose your Protected Health Information for the following purposes without your written authorization:

Treatment

Using and sharing PHI among your authorized care team—including our internal staff and, where applicable, external providers involved in your care—to deliver, coordinate, and manage your services.

Payment

Submitting claims and documentation to Medicaid, managed-care organizations, and County Boards to obtain payment for services rendered.

Healthcare Operations

Quality improvement, auditing, staff training, compliance reviews, and business management activities necessary to run our organization.

Other Permitted Disclosures (Without Authorization)

Federal and state law also permits or requires us to disclose PHI without your authorization in specific circumstances, including:

  • Public health and safety activities, including mandatory reporting of abuse, neglect, or exploitation under Ohio law (including ORC 5123.61) and disease reporting
  • Law enforcement requests and judicial/administrative proceedings
  • Oversight agencies, including the Department of Developmental Disabilities (DODD), the Ohio Department of Medicaid (ODM), County Boards of DD, the Centers for Medicare & Medicaid Services (CMS), and the Ohio Attorney General
  • Averting a serious and imminent threat to health or safety
  • Workers’ compensation and occupational safety
  • Coroners, medical examiners, and funeral directors
  • Organ and tissue donation organizations
  • Health oversight activities and compliance audits

All other uses and disclosures require your written authorization. You may revoke any authorization in writing at any time.

3 | Information We Collect and Why

| Data Type | Source | Purpose |
|---|---|---|
| Client demographics, care plans, medical histories | Enrollment forms, Individual Service Plan (ISP), Behavioral Plans, guardians | Service delivery and billing |
| Individualized Education Programs (IEPs) | Families or schools (when voluntarily shared; IEPs are education records that may be subject to FERPA—we receive them only with appropriate consent) | Aligning support with educational goals—reinforcing skills, mentorship, and consistent language during engagements |
| Live audio and/or video streams | Remote Support sessions (during approved service windows) | Real-time safety monitoring and coaching |
| Ambient sensor data (e.g., motion, environmental conditions, and presence/movement indicators) | In-home safety sensing technology | Risk detection, safety alerts, and safety pattern analysis |
| Shift logs and Electronic Visit Verification (EVV) | Direct Support Professional (DSP) / Remote Support Associate (RSA) entries | Medicaid compliance, quality audits |
| Incident reports and notes | Staff documentation | Continuous quality improvement |
| Website usage (cookies) | ohioathome.com | Site analytics and form submissions |

We do not sell or rent any personal data.

4 | Our Privacy-First Approach to Remote Support

We understand that inviting monitoring technology into your home or your family member’s home is a significant decision that requires trust. Ohio at Home uses a privacy-first approach to remote support and monitoring. We select the least intrusive technology that meets each person’s safety needs and layer additional protections on top.

Least-Intrusive-First Principle

We begin with ambient, non-visual sensing technology—such as motion, environmental conditions, and presence/movement indicators—before considering more detailed monitoring. Visual monitoring is used only when clinically necessary and authorized by the individual and/or their guardian (if applicable).

Privacy Gating

Our system supports granular privacy controls. Audio monitoring, video monitoring, and ambient sensing can be enabled or disabled independently based on each person’s ISP and personal preferences. This means a person may have audio support without video, or ambient sensing without either.

Emergency Escalation Protocol

During ISP development, each individual and/or their guardian (if applicable) reviews and consents to an emergency escalation protocol. This protocol defines the narrow circumstances under which monitoring may temporarily exceed the individual’s standard privacy settings. Emergency escalation is authorized only when there is an imminent risk of death or serious physical harm to the individual.

When emergency escalation occurs:

  • The on-duty Remote Support Associate immediately escalates monitoring to protect the individual’s health and safety.
  • The individual’s guardian or legal representative (if applicable) is notified immediately.
  • A supervisor reviews the escalation within the same shift.
  • The escalation is logged with the date, time, duration, reason, and staff involved.
  • An incident report is filed in accordance with the procedures described in Section 11.
  • An ISP review is scheduled within 30 days to evaluate whether privacy settings should be adjusted.
  • Return to standard monitoring levels is determined by the individual’s ISP and support team on a case-by-case basis.

Camera Placement Safeguards

Cameras are never placed in bathrooms under any circumstances.

In rare situations where health and safety needs require it—and only after the individual’s Human Rights Committee (HRC), a team that includes the individual, family members, and independent advocates who review decisions affecting the person’s rights, has reviewed and approved the arrangement—cameras may be placed in bedrooms. HRC approval for bedroom cameras must be renewed annually.

When bedroom cameras are in place, recording can be paused at any time through any of the following:

  • Guardian app (a free mobile app provided with your Remote Support service, available to individuals and guardians) — pause streaming and recording directly
  • Contact Remote Support — request a pause by phone or in-home device
  • Contact Administration — request a pause through your Care Coordinator or any OAH administrator

Supervisor Video Review

For prospective and current employees: If you work at OAH, the protections in this section define the boundaries of workplace monitoring during your shifts. Your supervisor can only review recorded video for the three purposes listed below—no exceptions.

Supervisors may review recorded video only for the following purposes:

  • Incident follow-up — reviewing events related to a fall, behavioral incident, or missed check-in
  • Quality assurance — evaluating staff performance and service delivery
  • Investigating a complaint or grievance — only with permission from both the support team and the individual (or their guardian)

No other use of recorded video is permitted.

No Always-On Surveillance

Live audio and video feeds activate only during approved service windows defined in the ISP. Outside of those windows, audio and video systems are inactive. Ambient sensing may continue to operate outside service windows as a safety net, but only to the extent authorized in the person’s ISP. Ambient sensors can be adjusted in detection level (for example, simple presence detection versus more detailed monitoring) or turned off entirely based on the individual’s preferences and ISP.

Ambient safety alerts are always logged and reviewed by staff. For individuals receiving actively monitored remote support, alerts are acknowledged and responded to in real time.

Encryption and Access Controls

All data streams are protected by industry-standard encryption (see Section 8 for details). Only credentialed, authorized staff may access live feeds or recorded data.

5 | Your Privacy Controls

Every individual receiving Remote Support services has personalized privacy controls documented in their Individual Service Plan (ISP). These controls are developed with the individual, their guardian (if applicable), and the County Board.

Adjusting Your Monitoring

You have several ways to make a change to your monitoring at any time. Temporary changes (such as pausing monitoring) take effect immediately. Permanent changes to your ISP privacy settings are coordinated with your Care Coordinator:

  • Contact Remote Support directly from your dedicated in-home device or your personal phone
  • Call our 24/7 support line at (614) 800-0672
  • Speak with your Care Coordinator to make a permanent change to your ISP privacy settings

What You Can Control

Depending on your ISP, you may:

  • Pause all monitoring temporarily
  • Disable video while keeping audio active (or vice versa)
  • Reduce monitoring to ambient sensing only
  • Adjust the detection level of ambient sensors (e.g., presence detection only)
  • Request that specific sensors be removed or powered down (as promptly as practicable, typically within 2 business days; urgent requests are prioritized)
  • Pause bedroom camera recording at any time via the Guardian app, Remote Support, or Administration (see Section 4)
  • Adjust your data recording and retention preferences (see Section 7)

Ending Services

You may end services entirely by providing 30-day notice per your service agreement. This notice period exists for administrative coordination—including records transfer, County Board notification, and continuity-of-care planning—and does not restrict your right to refuse any individual service or support at any time without reprisal (see Section 6).

6 | Your Rights

You have the right to see your records, correct mistakes, control how your information is shared, and raise concerns without consequences. Specifically, under HIPAA and state law you may:

  • Access your health information (see your records).
  • Request amendments to incorrect or incomplete records (ask us to fix mistakes).
  • Receive an accounting of disclosures (a list of who we have shared your information with, beyond your care team and billing).
  • Restrict certain uses or disclosures (within regulatory limits).
  • Request confidential communication (e.g., send mail to a different address).
  • Receive a copy of this privacy notice.
  • File a complaint without fear of retaliation.

Rights Under Ohio Law (ORC 5123.62)

As an individual receiving developmental disability services in Ohio, you also have the right to:

  • Participate in the development of your Individual Service Plan (ISP).
  • Refuse any service or support without reprisal.
  • Be free from abuse, neglect, exploitation, and unnecessary restraint or seclusion.
  • Privacy in personal affairs, communications, and visits.
  • Access advocacy services through your County Board of Developmental Disabilities (the local government agency that coordinates DD services in your county).
  • Be treated with dignity and respect in all interactions.

Right to Be Informed of Incidents

Under Ohio’s incident reporting rules (Ohio Administrative Code [OAC] 5123-17-02) and your service agreement with OAH, you also have the right to be informed of incidents involving your care, access incident documentation, and participate in follow-up reviews.

To exercise these rights, contact our Privacy Officer (see Section 12).

7 | Data Retention

Every individual has a personalized data retention plan established in coordination with their guardian (if applicable) and County Board. The following table describes the default retention periods:

| Record | Default Retention | Notes |
|---|---|---|
| PHI and service notes | 7 years after service termination | Per the OAH Medicaid provider agreement and applicable Ohio Medicaid regulations |
| Recorded audio/video from Remote Support sessions | 7 days (default) | Adjustable per your ISP, from as low as 24 hours to no recording at all. Recordings associated with reported incidents are retained for 7 years, regardless of the individual’s default preference. |
| Ambient sensor alert logs | 2 years | |
| Shift logs and Electronic Visit Verification (EVV) records | 7 years | Per the OAH Medicaid provider agreement and applicable Ohio Medicaid regulations |
| Incident reports and notes | 7 years | Per OAC 5123-17-02 and applicable Ohio Medicaid regulations |
| SMS/messaging consent and logs | Duration of participation plus 2 years | For TCPA compliance |
| Website form submissions | 12 months | |

8 | Security Safeguards

  • Role-based access with multi-factor authentication (MFA)
  • Industry-standard encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
  • 24/7 intrusion monitoring and encrypted backups
  • Annual penetration testing and HIPAA workforce training
  • Cloud infrastructure audited to industry security standards

9 | Website and Cookie Notice

We use minimal first-party cookies for analytics and form security. No third-party ad trackers are installed. You can disable cookies in your browser; site functionality remains largely unaffected.

10 | SMS / Text Messaging Privacy

Ohio at Home Healthcare may send SMS/text messages to your mobile phone number for the following purposes:

  • Identity verification codes (one-time passwords)
  • Health and safety monitoring alerts and notifications
  • Responses to messages you send to us
  • Appointment and schedule reminders
  • Urgent notifications requiring immediate attention

Consent

By providing your phone number and consenting to receive text messages, you agree to receive the communications described above. You may receive messages from automated systems. Consent is not a condition of service.

Message Frequency and Rates

Message frequency varies based on your interactions, monitoring activity, and system events. Message and data rates may apply. Check with your wireless carrier for details about your text messaging plan.

Data We Collect

In connection with our messaging program, we collect your phone number, message content (sent and received), consent and opt-in/opt-out records with timestamps, and message delivery status.

How We Use Your Data

Your phone number and messaging data are used solely to provide the messaging services described above—delivering text messages you have consented to receive, processing your opt-in and opt-out requests, maintaining records of consent as required by law, and improving our messaging services.

Data Sharing

We do not sell, rent, loan, trade, lease, or otherwise transfer for profit any phone numbers or personal information collected through our SMS program to any third party for their marketing purposes.

Your messaging data may be processed by our cloud communications provider solely for the purpose of delivering messages. This provider is bound by applicable data protection agreements.

Opt-Out and Help

You may opt out of text messages at any time by replying STOP to any message or contacting us at support@ohioathome.com or (614) 800-0672. Upon opting out, you will receive one final confirmation message. For help, reply HELP to any message. See our full Messaging Terms of Service for details, or sign up for text alerts.

11 | Incident Reporting

Ohio at Home Healthcare maintains a comprehensive incident reporting process in accordance with Ohio Administrative Code 5123-17-02. Incidents detected through remote monitoring, ambient sensors, or direct observation are documented and reported as follows:

| Incident Type | Reporting Process |
|---|---|
| Major Unusual Incidents (MUI) | Initial report filed with the County Board of DD via the DODD Incident Tracking System by 4:00 PM the next business day. Guardian/legal representative notified promptly. Full investigation completed within required regulatory timelines. |
| Unusual Incidents (UI) | Documented internally and reported to the County Board per OAC 5123-17-02 requirements. Guardian/legal representative notified promptly. |
| Sensor-detected events | Logged automatically; reviewed by staff according to the individual’s monitoring plan; escalated to MUI/UI process if criteria are met. |

Individuals and their guardians have the right to be informed of all incidents, access incident documentation, and participate in follow-up investigations. Contact your Care Coordinator or our Privacy Officer for incident records.

12 | Contact Us

Privacy Officer

Ohio at Home Healthcare

875 N High St, Suite 300, Columbus, OH 43215

privacy@ohioathome.com | (614) 800-0672

If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at ocrportal.hhs.gov or (800) 368-1019.

13 | Policy Updates

We review this policy annually or whenever regulations change. New versions will be posted on ohioathome.com with the “Last updated” date amended. We will make reasonable efforts to provide written notice of material changes to active clients and guardians before the changes take effect, or as soon as practicable thereafter.

Thank you for trusting Ohio at Home Healthcare. Our mission is to pair effective safety tools with compassionate human care—while respecting your right to privacy every step of the way.