On June 27, 2018, the Ohio House of Representatives passed a bill that prevents businesses from being liable for data breaches as long as the business has an appropriate cybersecurity program. To be eligible for the so-called “safe harbor,” a business must create, maintain, and comply with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal information.
Further, the business’s cybersecurity program must reasonably conform to one of the industry-recognized cybersecurity frameworks listed in the bill. The bill lists a number of appropriate cybersecurity frameworks, including, most relevant to healthcare providers, the security requirements of HIPAA and the HITECH Act.
Accordingly, as long as a healthcare provider abides by a written cybersecurity program that contains safeguards for the protection of personal information and that complies with HIPAA and the HITECH Act, the provider will be protected against any tort action brought in Ohio by a person who was affected by a data breach.
Governor Kasich is expected to sign the bill into law soon. For further guidance on whether your cybersecurity program complies with HIPAA and the HITECH Act, please reach out to one of the attorneys in KJK’s Healthcare Group.