Ohio Breach Notification Law for Healthcare Providers: Requirements and Deadlines
Overview of Ohio Breach Notification Law
Scope and applicability
Ohio Revised Code 1349.19 is the state’s data breach notification statute. It applies to any person or business that owns or licenses computerized personal information about Ohio residents—including hospitals, clinics, group practices, and business associates handling data for healthcare providers.
Trigger for notification
You must provide data breach notification when there is unauthorized access and acquisition of computerized personal information that compromises its security and is reasonably likely to result in identity theft or fraud. Ohio allows time to determine the scope of the incident and restore system integrity, but you may not delay unreasonably.
Important notes
Encryption provides a significant safe harbor: if the personal information was encrypted and the encryption keys were not compromised, notification is typically not required. This overview supports healthcare provider compliance and is for general information, not legal advice.
Definitions of Personal Information
What counts as personal information
For Ohio breach notification purposes, “personal information” means an Ohio resident’s first name or first initial and last name in combination with any one of the following data elements, when the data are not encrypted, redacted, or otherwise unreadable:
- Social Security number.
- Driver’s license number or state identification card number.
- Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a financial account.
Exclusions and clarifications
Personal information generally refers to computerized data. Publicly available information lawfully made public from government records is excluded. Medical or clinical details alone do not trigger Ohio’s data breach notification statute unless they are part of “personal information” as defined; however, those data may be protected health information (PHI) under HIPAA, which carries separate HIPAA breach notification obligations.
Notification Timing and Methods
Timing
Provide notice in the most expedient time possible and without unreasonable delay, and no later than 45 days after discovering the breach. Law enforcement may request that you delay notification if immediate notice would impede a criminal investigation; document any such request and resume notice as soon as the delay is lifted.
Permitted delivery methods
- Written notice sent to the resident’s last known postal address.
- Electronic notice, if consistent with the federal E-SIGN Act and if the resident has consented to electronic communications.
- Telephone notice, where appropriate and consistent with applicable law.
Notice content (practical guidance)
Craft clear, consumer-friendly notices that describe what happened, the types of personal information involved (without revealing full numbers), what you are doing in response, and actionable steps the individual can take. Include contact points where affected individuals can obtain assistance.
Substitute Notice Protocols
When substitute notice is allowed
You may use substitute notice if any of the following are true:
- The cost of providing individual notice would exceed $250,000, or
- The affected class of Ohio residents exceeds 500,000 individuals, or
- You do not have sufficient contact information to provide individual notice.
How to execute substitute notice
Substitute notice must include all of the following components:
- Email notice to affected persons for whom you have valid email addresses.
- Conspicuous posting of the notice on your website.
- Notification through major statewide media.
Obligations for Credit Reporting Agency Notifications
When to notify consumer reporting agencies
If you must notify more than 1,000 Ohio residents at one time, you must also notify each nationwide consumer reporting agency without unreasonable delay. This obligation is in addition to the notices you send to affected individuals.
What to include
Your credit reporting agency notification should state the timing of the individual notices, the distribution method you used, and the content of those notices. Do not include the personal information of specific individuals in the submission to the agencies.
Interaction with HIPAA Regulations
Overlap and which rule controls
For breaches involving PHI, HIPAA breach notification requirements apply alongside Ohio law. If both apply, follow the stricter elements of each. In practice, this means meeting Ohio’s 45-day outside limit while also satisfying HIPAA’s content and reporting requirements.
Key HIPAA breach notification elements
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- Notify the U.S. Department of Health and Human Services (HHS); for breaches involving 500 or more individuals, report to HHS within 60 days of discovery and provide media notice in the affected state or jurisdiction.
- Apply HIPAA’s risk assessment to determine whether an incident involving unsecured PHI constitutes a reportable breach; PHI secured through strong encryption falls outside HIPAA’s definition of unsecured PHI, so the notification rule does not apply to it.
Coordinating HIPAA and Ohio requirements
Plan to deliver individual notices within 45 days to satisfy Ohio’s deadline, incorporate HIPAA-required content, and separately complete any Ohio-specific steps—such as credit reporting agency notification—when applicable. Align timelines across workstreams so all notices go out consistently.
Compliance Best Practices
- Maintain an incident response plan that assigns roles, sets decision points for breach determinations, and maps Ohio Revised Code 1349.19 and HIPAA breach notification steps.
- Encrypt portable devices and backups; manage keys separately to preserve the encryption safe harbor.
- Log and monitor access to systems containing personal information and PHI to speed investigation and scoping.
- Pre-draft notification templates for individuals, media, and credit reporting agencies; validate they meet both HIPAA breach notification and Ohio substitute notice requirements.
- Keep accurate contact data for patients, plan members, and former patients; maintain procedures to verify and update addresses and emails.
- Contract with vendors and business associates to ensure prompt incident reporting, cooperation on forensics, and allocation of notification duties.
- Document every step—discovery date, investigation milestones, law enforcement delays, notification dates—to prove healthcare provider compliance.
By understanding Ohio Revised Code 1349.19, aligning to HIPAA breach notification, and operationalizing clear timelines, methods, and substitute notice protocols, you can deliver timely, accurate data breach notification and reduce risk to your patients and organization.
FAQs
What personal information triggers Ohio's breach notification law?
Personal information includes an Ohio resident’s name (first name or first initial plus last name) combined with one of the following when not encrypted or redacted: Social Security number; driver’s license or state ID number; or an account, credit, or debit card number together with any required security or access code or password that permits account access.
How soon must healthcare providers notify affected individuals?
You must notify in the most expedient time possible, without unreasonable delay, and no later than 45 days after discovery of the breach. If HIPAA applies, its 60-day outer limit also applies, so target Ohio’s shorter 45-day deadline to satisfy both. Law enforcement may request a temporary delay if notice would impede an investigation.
When is substitute notice required?
Use substitute notice only when individual notice is impracticable—specifically, when notice would cost more than $250,000, when over 500,000 Ohio residents are affected, or when you lack sufficient contact information. Substitute notice must include email (where available), conspicuous website posting, and statewide media notice.
How does HIPAA interact with Ohio's breach notification law?
HIPAA governs breaches of unsecured PHI, while Ohio Revised Code 1349.19 governs breaches of defined personal information. When both apply, comply with each and follow the stricter elements (typically Ohio’s 45-day timeline) while completing HIPAA’s individual, HHS, and (if applicable) media notices. Ohio-specific steps, such as credit reporting agency notification, may still be required when thresholds are met.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.