Ohio’s new cybersecurity safe harbor law takes effect
On November 2, 2018, Ohio’s new cybersecurity law became effective. It provides entities whose cybersecurity programs meet certain requirements with an affirmative defense against certain tort actions, including a lawsuit brought under state law by an individual alleging that a failure to implement security controls resulted in a data breach involving personal information or restricted information. Health care providers and health plans covered by HIPAA will benefit from this law; however, they should ensure that they meet the requirements to receive this protection and must be aware of the interplay between Ohio law and HIPAA.
The new Ohio law applies to “covered entities,” a term defined more broadly than in HIPAA but one that includes health care providers and health plans. Further, the law protects “personal information” (defined in R.C. 1345.01(D) and R.C. 1349.19(A)(7)) and “restricted information” (defined in R.C. 1345.01(E)). These terms cover more than protected health information as defined in HIPAA, but protected health information will likely contain “personal information” and/or “restricted information.”
Under R.C. 1345.02, the new law provides that an entity will qualify for the affirmative defense against lawsuits for a data breach if the entity creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and/or restricted information and that reasonably conforms to an industry-recognized cybersecurity framework. Under R.C. 1354.03, a cybersecurity program conforms to an industry-recognized cybersecurity framework if the entity is regulated by one of several federal laws, including HIPAA, and the cybersecurity program reasonably conforms to the current version of that law. The law provides several other ways in which a cybersecurity program can qualify for the affirmative defense, such as being in compliance with the NIST Cybersecurity Framework.
HIPAA covered entities in Ohio should ensure that their HIPAA security policies are in a form that satisfies these requirements and allows the covered entity to claim the protection afforded by the new Ohio law. While the new law does not allow a covered entity or business associate to avoid HIPAA penalties levied by the Office for Civil Rights, it does provide protection against lawsuits under state law that may stem from loss of data due to hacking, malware, or other cybersecurity attacks.