Ohio Code 3965.07 – Exemptions
Terms Used In Ohio Code 3965.07
- Assets: (1) The property comprising the estate of a deceased person, or (2) the property in a trust account.
- Fiscal year: The fiscal year is the accounting period for the government. For the federal government, this begins on October 1 and ends on September 30. The fiscal year is designated by the calendar year in which it ends; for example, fiscal year 2006 begins on October 1, 2005 and ends on September 30, 2006.
- HIPAA: means the "Health Insurance Portability and Accountability Act of 1996" Pub. See Ohio Code 3965.01
- Information security program: means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information. See Ohio Code 3965.01
- Licensee: includes an insurer. See Ohio Code 3965.01
(A) A licensee is exempt from the requirements of section 3965.02 of the Revised Code if it meets any of the following criteria:
(1) The licensee has fewer than twenty employees.
(2) The licensee has less than five million dollars in gross annual revenue.
(3) The licensee has less than ten million dollars in assets, measured at the end of the licensee’s fiscal year.
(B)(1) A licensee subject to and in compliance with the privacy and security rules of 45 C.F.R. Parts 160 and 164 shall be deemed to meet the requirements of this chapter, except those pertaining to notification under section 3965.04 of the Revised Code. The licensee shall submit a written statement to the superintendent certifying its compliance with 45 C.F.R. Parts 160 and 164. The information furnished by a licensee pursuant to section 3965.04 of the Revised Code shall be confidential in accordance with section 3965.06 of the Revised Code.
Each licensee shall maintain for examination by the superintendent all records, schedules, and data supporting the certificate of compliance for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation shall be available for inspection by the department.
(2) Notwithstanding any other provision of this chapter, a licensee subject to HIPAA shall comply with the requirements of any subsequent amendments to HIPAA in the timeframe established in the applicable amendments to HIPAA.
(C) An employee, agent, representative, independent contractor, or designee of a licensee, who is also a licensee, is exempt from section 3965.02 of the Revised Code and need not develop its own information security program to the extent that the employee, agent, representative, independent contractor, or designee is covered by the information security program of the other licensee.
(D) If a licensee ceases to qualify for an exemption, the licensee shall have one hundred eighty days after the date it ceases to qualify to comply with this chapter.