Ohio Incentivizing HIPAA Compliance
On August 3, 2018, Ohio Governor John Kasich signed the Ohio Data Protection Act, which will provide a legal safe harbor against data breach claims to businesses that implement specified cybersecurity controls. Ohio Senate Bill No. 220 (S.B. 220), also known as the Ohio Data Protection Act (the Act) goes into effect on November 2, 2018. The Act is intended to provide incentives for businesses to invest in a robust cybersecurity framework. The Act will be codified at O.R.C. §§ 1354.01-1354.05. Ohio is the first state in the country to implement a law that provides a data breach safe harbor for businesses.
The Act provides companies with an affirmative defense from tort claims arising out of a data breach concerning personal information if a written cybersecurity program is in place that “reasonably conforms to an industry recognized cybersecurity framework.” The Act recognizes the following as industry recognized cybersecurity frameworks :
- National Institute of Standards and Technology (NIST) “framework for improving critical infrastructure cybersecurity” along with NIST special publications 800-171; 800-53; and 800-53a;
- The Federal Risk and Authorization Management Program (FedRAMP) security assessment framework;
- The Center for Internet Security Critical Security controls for effective cyber defense;
- For Covered Entities, as defined by HIPAA rules, the security requirements of HIPAA set forth in the Code of Federal Regulations 45 CFR Part 164 subpart C and HITECH as set forth in 45 CFR part 162;
- Title V of the Gramm-Leach-Bliley Act of 1999, as applicable to financial institutions; and
- The payment card industry (PCI) data security standard, as applicable to companies that accept payment cards.
Additionally, the written cybersecurity program must:
(1) Protect the security and confidentiality of information;
(2) Protect against any anticipated threats or hazards to the security or integrity of information; and
(3) Protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or fraud.
(1) the size and complexity of the organization;
(2) the nature and scope of the activities of the covered entity;
(3) the sensitivity of the information to be protected;
(4) the cost and availability of tools to improve information security and reduce vulnerabilities; and
(5) the resources availability to the organization.
 The Act does not establish a minimum cybersecurity standard, nor does it impose liability upon businesses that do not comply with the Act.
 Additionally, the Act has not changed the duty for businesses to report data breaches involving Ohio residents.
As to how the requirements of the Act interact with HIPAA, Covered Entities will still be required to comply with the HIPAA rules.
HIPAA does not provide a private cause of action to individuals who are affected by a health care privacy breach. However, individuals affected by a HIPAA breach or violation may pursue a common law tort claim under state law when their information is disclosed in a manner that was not authorized. With the passage of the Act, Ohio Covered Entities now have an additional incentive to have HIPAA-compliant policies and secure protected health information, as doing so should provide an affirmative defense to any potential tort causes of action arising out of a data breach under Ohio law.
The Ohio Data Protection Act goes into effect on November 2, 2018. So far this year Ohio healthcare providers have reported over 74,000 breached patient files. Under this Data Protection Act if you are able to prove HIPAA compliance, you will automatically be protected against patient claims involving a data breach.
PCIHIPAA will walk you through the requirements and help you create a safe harbor if you are ever attacked. In addition you will be protected by:
|PCIHIPAA will walk you through the requirements to help you create a safe harbor if you are ever attacked.||Guaranteed Financial Protection with a $250,000 Data Breach and Cyber Insurance Policy when you utilize OfficeSafe.|
DMA Tech Solutions Has Partnered with PCIHIPAA to
Ensure You are HIPAA Compliant to take Advantage of the New Act.