Framework Legislation: Ohio Health Data Access and Portability Act
This is meant to provide a focused legal framework to prevent excessive fees for legacy EHR data access, enforce data portability requirements on vendors, and prohibit data ransom practices.

SECTION 1. PURPOSE

This Act eliminates fees for accessing data in legacy electronic health record (EHR) applications. It defines legacy healthcare data as already paid for, and any fee for accessing such data as information blocking under state and federal law. The Act creates a vendor grant program to reimburse reasonable costs, ensuring hospitals and patients receive timely, cost-free access to their records, while preserving interoperability and data portability.

SECTION 2. DEFINITIONS

(a) “Electronic Health Record (EHR) System” means any software or digital platform used by healthcare providers to store, manage, and access patient health information during active clinical operations.

(b) “Legacy Data” means electronic health information that:

  1. Resides in an EHR system no longer actively used by a healthcare provider for live patient care;

  2. Is maintained solely for compliance, retention, or historical reference; and

  3. Was previously generated, captured, or stored in an EHR system that contained live, non-legay data during its period of active use.

(c) “Vendor” means any entity that has provided an EHR system which, at any point, contained live, non-legacy data for a healthcare provider in Ohio, regardless of where the vendor is incorporated or located.

(d) “Baseline Access” means the minimum, no-cost ability for a healthcare provider to view, retrieve, and export legacy data necessary for compliance, migration, or continuity of care.

(e) “FHIR-Compliant API” means an application programming interface that meets the standards for Fast Healthcare Interoperability Resources (FHIR) as adopted by the Office of the National Coordinator for Health Information Technology (ONC).

(f) “Data Blocking” means any practice that interferes with, prevents, or conditions access to electronic health information, including the imposition of any fee, charge, or cost for access to legacy data.

(g) “Data Ransom” means conditioning access to legacy data on payment, purchase of additional software, or continuation of licenses or services.

SECTION 3. LEGACY DATA CARE

The following practices shall constitute information blocking under both Ohio law and federal law (42 U.S.C. § 300jj–52; 45 CFR Part 171):

(a) Access.

  1. Vendors shall provide healthcare providers with baseline access to legacy data free of charge.

  2. Vendors may not condition baseline access on payment, purchase of additional software, continuation of a contract, or any other requirement.

  3. A vendor’s failure to provide baseline access as required under this subsection constitutes information blocking.

  4. Vendors are solely responsible for incurring the initial costs of providing baseline access. Demonstrable, reasonable costs may later be reimbursed through the Vendor Grant Program established under Section 6.

(b) Portability.

  1. Upon termination of an EHR contract, vendors shall, at the election of the healthcare provider, provide legacy data either by:

    • Delivering all patient records in a structured, exportable, and readable format within thirty (30) days; or

    • Maintaining baseline access to legacy data through standardized FHIR-compliant APIs for no fewer than two (2) years.

  2. The format or method of delivery shall be subject to approval by the healthcare provider.

  3. A vendor’s failure to provide portability as required under this subsection constitutes information blocking.

(c) Interoperability.

  1. Vendors are prohibited from encrypting, restricting, or otherwise limiting access to legacy data needed for compliance, migration, or continuity of care.

  2. Nothing in this Act shall prevent healthcare providers from contracting with third-party services for aggregation, storage, or management of legacy data, provided that baseline access has first been made available at no cost by the vendor.

  3. A vendor’s interference with interoperability as prohibited under this subsection constitutes information blocking.

SECTION 4. ENFORCEMENT

(a) The Ohio Department of Health shall have authority to:

  1. Investigate complaints of data blocking, data ransom practices, and non-compliance with this Act;

  2. Audit vendors’ practices related to legacy data access and portability;

  3. Issue determinations of violation and order corrective actions;

  4. Refer findings of data blocking to the appropriate federal agencies, including the Office of Inspector General (OIG) and the Office of the National Coordinator for Health Information Technology (ONC), for enforcement of federal information blocking penalties.

(b) Vendors serving Ohio-based healthcare providers shall be deemed to consent to Ohio jurisdiction for enforcement of this Act.

(c) Healthcare providers may also bring civil actions for damages incurred due to violations of this Act.

SECTION 5. PENALTIES

(a) A vendor found in violation of this Act may be subject to:

  1. Civil fines of up to $500,000 per instance under Ohio law;

  2. Exclusion from state-funded healthcare contracts for a period determined by the Ohio Department of Health;

  3. Repayment of any improperly obtained grant funds, with interest;

  4. Any federal penalties applicable under 42 U.S.C. § 300jj–52 and 45 CFR Part 171, including decertification of health IT under 45 CFR § 170.401 and civil monetary penalties imposed by OIG.

(b) Each day of non-compliance may constitute a separate violation for purposes of penalty assessment.

(c) Penalties under this section shall be cumulative and in addition to any other remedies provided by state or federal law.

SECTION 6. VENDOR GRANT PROGRAM

(a) Eligibility. A vendor that asserts a financial burden in providing baseline access to legacy data may apply for reimbursement under this section.

(b) Application Requirements. Applications shall include:

  1. Itemized documentation of costs directly attributable to providing baseline access;

  2. Sworn certification by an officer of the vendor that the information is accurate and complete;

  3. Disclosure of all fees previously charged for legacy data access in the past five (5) years;

  4. Evidence of measures taken to minimize costs.

(c) Review and Approval.

  1. Applications shall be reviewed by the Ohio Department of Health.

  2. The Department may approve, modify, or deny reimbursement requests.

  3. Approval shall be limited to demonstrable, reasonable costs that could not otherwise be absorbed or mitigated by the vendor.

(d) Public Transparency.

  1. All applications and supporting documents shall be public records under Ohio law.

  2. The Department shall maintain a publicly accessible registry of vendor applications, approvals, denials, and grant amounts.

(e) Conditions.

  1. A vendor receiving grant funds remains prohibited from charging providers or patients for access to legacy data.

  2. Any vendor submitting false or misleading information shall repay the state in full, with interest, and may be barred from future eligibility.

SECTION 7. VENDOR BANKRUPTCY CONTINGENCY FUND

(a) In the event of vendor bankruptcy or cessation of operations, the Ohio Department of Health shall establish an emergency fund to ensure continuity of access and migration of legacy data for affected hospitals.

(b) This fund may provide direct financial support to healthcare providers for data extraction and migration to a new system.

SECTION 8. EFFECTIVE DATE

This Act shall take effect thirty (30) days after enactment.