Last November, Ohio enacted a law that we believe other states may duplicate, and that provides a strong financial incentive to comply with HIPAA and/or other information protection requirements. The legislation, known as the Cybersecurity Program Affirmative Defense, limits tort liability following a breach or unauthorized disclosure IF the affected company had already implemented a recognized industry framework (e.g., the HIPAA Rules) before the event. The scale and scope of that framework must be appropriate to the company's:
- size and complexity
- nature and scope
- sensitivity of the protected information
- cost and availability of tools to improve security and reduce risks, and
- resources to implement a program.
Successful phishing attacks currently dominate the healthcare breach headlines, with hacking incidents a persistent second; either is reason enough to run a strong compliance and security program. We applaud Ohio for providing a financial incentive to protect ePHI, and we do not see this legislation as a shield against the citizens affected by a breach: it is an affirmative defense to tort claims that a company failed to implement reasonable controls, not relief from regulatory enforcement under HIPAA itself. Rather, we believe there should be different accountability mechanisms for those trying in good faith to sustain a compliant and secure HIPAA security program and those that are not.