Ohio Passes Safe Harbor for Healthcare Organizations and Businesses with Appropriate Cybersecurity Programs

July 31, 2018

Safe Harbor

On June 27, 2018, the Ohio House of Representatives passed a bill that prevents businesses from being liable for data breaches as long as the business has an appropriate cybersecurity program. To be eligible for the so-called “safe harbor,” a business must create, maintain, and comply with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal information.

Further, the business’s cybersecurity program must reasonably conform to one of the industry-recognized cybersecurity frameworks listed in the bill. The bill lists a number of appropriate cybersecurity frameworks, including, most relevant to healthcare providers, the security requirements of HIPAA and the HITECH Act.

Accordingly, as long as a healthcare provider abides by a written cybersecurity program that contains safeguards for the protection of personal information and that complies with HIPAA and the HITECH Act, the business will be protected against any tort action brought in Ohio by a person who was affected by a data breach.

Governor Kasich is expected to sign the bill into law soon. For further guidance on whether your cybersecurity program complies with HIPAA and the HITECH Act, please reach out to one of the attorneys in KJK’s Healthcare Group.

KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.