Posted By Kate Harper, Friday, November 30, 2018
By Robert J. Fisher, Attorney, ByrdAdatto


If you work in a medical spa, you are undoubtedly using the internet in more ways than one. In the age of electronic health records, online patient portals, and rapidly expanding telemedicine, an ever-growing amount of personal and medical information is available to be illegally accessed by wrongdoers with keyboards. As a result, federal and state governments and agencies have taken the "stick" approach: penalizing those who fail to protect their data, such as the $16 million payment Anthem made to the federal government in August for a breach that exposed the personal information of nearly 79 million people, and allowing individuals to sue companies that violate HIPAA standards (see our previous article on that topic).
In contrast, Ohio has recently taken the "carrot" approach by passing the Cybersecurity Safe Harbor Act ("Cyber Act"), which takes a new angle on the data breach issue by incentivizing companies to develop data security plans through legal protection rather than fear of penalty. In the first law of its kind, the Cyber Act gives companies an affirmative defense against tort claims resulting from a data breach if an adequate cyber-protection program was in place at the time of the breach. Note that an affirmative defense does not stop a lawsuit from being filed; the company must raise the defense and bear the burden of showing that its program met the Cyber Act's requirements, which makes keeping records of the written program and its implementation essential.

However, for a company to use the safe harbor, its cyber-protection program must meet the criteria set forth by the Cyber Act. Specifically, healthcare companies and practices must conform to sector-specific laws and standards such as HIPAA and HITECH, both in the written program and in its implementation. Additionally, the Cyber Act is not one size fits all: each security program must be tailored in complexity and scope based on factors such as the structure of the company, the sensitivity of the information it handles, the cost effectiveness of security improvements, and the availability of tools.
While this law is specific to Ohio, it may be a sign of laws to come nationwide that would further encourage healthcare companies to protect themselves from suit by implementing strengthened data protection plans. Further, it indicates that HIPAA continues to be the standard on which healthcare companies need to base their compliance programs, regardless of whether HIPAA specifically applies to them. As such, we continue to recommend that all healthcare companies and medical practices protect themselves by preparing and enacting a HIPAA compliant data protection plan, or having their current plan audited for sufficiency.

For more information on best practices, laws and regulations, attend The 2019 Medical Spa Show in Las Vegas, NV.
Robert J. Fisher's passion for healthcare traces back to his high school days of shadowing doctors. His passion evolved in college to study as a pre-med major. The last major evolution of Robert's interest in health care was the transition to an interest in health care law. With this education, a business attorney for a father, and a renowned orthopedic surgeon for a father-in-law, Robert has the pedigree for success as a business and health care attorney at ByrdAdatto.