This proposal provides a focused legal framework to prevent excessive fees for legacy EHR data access (imposed by EHR vendors on hospital systems), enforce data portability requirements on vendors, and prohibit data ransom practices. It also introduces state funding support for hospitals facing vendor bankruptcy issues.
Proposed Legislation: Ohio Health Data Access and Portability Act
SECTION 1: PURPOSE
This Act aims to regulate fees associated with accessing legacy electronic health record (EHR) data and establish mandatory data portability requirements in Ohio (in order for it to not be a burden on the hospital to comply with the retention laws in place by the state). By addressing excessive costs and restrictive data retention practices, this legislation seeks to ensure fair and reasonable access to patient health records for hospitals transitioning between EHR vendors.
SECTION 2: DEFINITIONS
(a) "Electronic Health Record (EHR) System" refers to any software or digital platform used by healthcare providers to store, manage, and access patient health data.
(b) "Legacy EHR Data" refers to patient health records stored in an EHR system that is no longer actively used by a healthcare provider.
(c) "Vendor" refers to any company or entity that provides EHR software or related services to healthcare providers in Ohio, regardless of whether the vendor is physically located within the state.
(d) "Interoperability Standard" refers to federally recognized frameworks for electronic data exchange, including but not limited to HL7 FHIR and CCD formats.
SECTION 3: FEE REGULATION FOR LEGACY EHR DATA ACCESS
(a) An EHR vendor operating in Ohio or providing services to healthcare providers within Ohio may not charge unreasonable or excessive fees for continued access to legacy patient data during or after a transition to another EHR system. (perhaps just to make the bill for ehr’s providing services to healthcare providers in ohio and remove if the ehr vendor is operating in ohio because that really doesn’t matter)
(b) Fees must be reasonable, transparent, and cost-based, preventing excessive charges that act as financial barriers to hospitals.
(c) Vendors must provide a detailed justification for any fees charged for data access, subject to review and approval by the Ohio Department of Health.
(d) Failure to comply with these provisions may result in fines and penalties as determined by the Ohio Department of Health.
SECTION 4: MANDATORY DATA PORTABILITY & INTEROPERABILITY
(a) Upon termination of an EHR contract, the vendor must provide all patient records in a structured, exportable data format (e.g., HL7 FHIR, CCD, or JSON) within 30 days of the request. The format of the data provided by vendor to hospital should be negotiable and and approved by the hospital. There may be additional costs that need offset if the transfer is difficult (while it was bad practice for the vendor to design the application to make it difficult for proprietary and money reasons, but that should be forgiven and moved on, but at least the government may need to provide additional resources to help overcome the obstacles in providing an adequate file format)
(b) Vendors are prohibited from encrypting, restricting, or otherwise limiting access to patient data solely due to contract termination.
(c) These provisions align with federal interoperability efforts under the 21st Century Cures Act and provide additional state-level enforcement.
(d) Any vendor providing EHR services to Ohio-based healthcare providers must comply with this requirement, regardless of their state or country of incorporation.
(e) Vendors must provide reasonable access to the front-end application or equivalent interface necessary for viewing and retrieving legacy EHR data for a period not less than two (2) years post-contract termination to facilitate data migration.
SECTION 5: PROHIBITION OF "DATA RANSOM" PRACTICES
(a) No vendor, whether based within Ohio or outside the state, may condition continued access to legacy EHR data on the purchase of additional software, licenses, or services beyond the expiration of the original contract.
(b) Any such requirement shall be deemed an unfair business practice and subject to penalties under Ohio’s consumer protection laws.
(c) Hospitals and healthcare providers may file civil suits against vendors engaging in data ransom practices, with statutory damages determined by the court.
(d) This provision shall apply to all EHR vendors serving Ohio-based healthcare providers, irrespective of their state of incorporation or business location.
SECTION 6: ENFORCEMENT AND PENALTIES
(a) The Ohio Department of Health shall have the authority to investigate complaints regarding excessive fees, data access restrictions, and non-compliance with data portability requirements.
(b) Vendors found in violation of this Act shall be subject to fines up to $500,000 per instance and potential exclusion from state-funded healthcare contracts.
(c) Healthcare providers may seek legal recourse through civil suits for damages incurred due to non-compliance with this Act.
(d) Any vendor serving Ohio-based healthcare providers shall be subject to Ohio jurisdiction for the purposes of enforcement and litigation under this Act.
SECTION 7: STATE FUND ALLOCATION FOR VENDOR BANKRUPTCY SUPPORT
(a) In cases where an EHR vendor ceases operations due to bankruptcy or financial distress, the Ohio Department of Health shall establish an emergency fund to facilitate data migration and continued access for affected hospitals.
(b) The fund shall be used to provide financial assistance to hospitals for hiring third-party services to extract, convert, and migrate legacy patient data into a new EHR system.
(c) Hospitals applying for funds must demonstrate a lack of viable alternatives and the necessity of assistance for continued compliance with medical data retention laws.
(d) The Ohio Department of Health shall oversee the distribution of funds and ensure that hospitals use them solely for legacy data transition purposes.
SECTION 8: EFFECTIVE DATE
This Act shall take effect six months from the date of enactment to allow for vendor compliance and regulatory preparations.