New Bill on Cybersecurity Requirements for Health Insurance Companies in Ohio


Beginning March 20, 2019, insurance firms based in Ohio will need to comply with Senate Bill 273. The new law requires insurance companies to create and enforce a written information security program that protects both business and personal data.

The information security program should begin with a complete internal risk assessment that identifies the risks and hazards to data and systems. After the risk assessment, security measures must be put in place to safeguard all nonpublic data whose exposure to, or access by, unauthorized persons could have a material adverse effect on business operations or could harm customers.

Nonpublic information consists of financial data, health data, and identifiers such as Social Security numbers, state ID card numbers, driver’s license numbers, biometric data, credit/debit card numbers, account numbers, and security/access codes that allow access to financial accounts, as well as any data (excluding age or gender) that is generated by or obtained from a healthcare organization or consumer and that could be used to identify a person with regard to physical or mental health, the provision of healthcare, or payment for healthcare.

The security program needs to ensure that data and data systems are secure, that risks to the security and reliability of data and data systems are mitigated, that safety measures are in place to prevent unauthorized access to information, and that a process exists to ensure nonpublic data is permanently deleted once it is no longer needed.

Licensees are required to designate a party responsible for the security program and must identify reasonably foreseeable risks that could jeopardize the privacy, integrity, and accessibility of nonpublic data. Each risk needs to be evaluated for the likelihood of a breach and the potential harm that could result. Risks must be managed, and sufficient security measures must be established to address the identified threats. The key controls, networks, and procedures that make up the safeguards must be reviewed at least annually to confirm they remain effective.

The security program must be appropriate to the size and structure of the licensee, its use of third-party service providers, the nature of the licensee’s activities, and the sensitivity of the data it holds.

In the event of a security breach resulting in unauthorized access to data systems or nonpublic data that could cause material harm to a consumer or adversely affect normal business operations, a licensee located in Ohio must notify the Ohio Superintendent of Insurance within three days of discovering the breach. The Ohio Superintendent of Insurance must also be notified of any security breach that affects at least 250 Ohio residents or that requires notification of a government agency. Consumers affected by the security event must be notified in accordance with other applicable state laws.

The new law applies to all persons and licensed non-government entities covered by Ohio’s insurance regulations that have 20 or more employees, more than $5 million in gross annual revenue, or more than $10 million in assets.

Entities that are compliant with the Health Insurance Portability and Accountability Act (HIPAA) will be deemed in compliance with Senate Bill 273. Licensees have one year to meet the new requirements; the compliance deadline is March 20, 2020.