Framework Legislation: Ohio Health Data Access and Portability Act
This is meant to provide a focused legal framework to prevent excessive fees for legacy EHR data access, enforce data portability requirements on vendors, and prohibit data ransom practices.

SECTION 1: PURPOSE

This Act aims to regulate fees associated with accessing data in legacy electronic health records (EHR) applications. It would make current data ransom practices illegal.  

SECTION 2: DEFINITIONS

(a) "Electronic Health Record (EHR) System" refers to any software or digital platform used by healthcare providers to store, manage, and access patient health data.


(b) "Legacy EHR Data" refers to patient health records stored in an EHR system that is no longer actively used by a healthcare provider.


(c) "Vendor" refers to any company or entity that provides EHR software or related services to healthcare providers in Ohio, regardless of whether the vendor is physically located within the state.


(d) "Interoperability Standard" refers to federally recognized frameworks for electronic data exchange, including but not limited to HL7 FHIR and CCD formats.

SECTION 3: FEE REGULATION FOR LEGACY EHR DATA ACCESS

(a) An EHR vendor providing services to healthcare providers within Ohio may not charge unreasonable or excessive fees for continued access to legacy patient data during or after a transition to another EHR system.

(b) Fees must be reasonable, transparent, and cost-based, preventing excessive charges that act as financial barriers to hospitals.


(c) Vendors must provide a detailed justification for any fees charged for data access, subject to review and approval by the Ohio Department of Health.


(d) Failure to comply with these provisions may result in fines and penalties as determined by the Ohio Department of Health.


SECTION 4: MANDATORY DATA PORTABILITY & INTEROPERABILITY

(a) Upon termination of an EHR contract, the vendor must provide all patient records in a structured, exportable data format within 30 days of the request. The format of the data provided by the vendor to the hospital should be negotiable and approved by the hospital. The vendor is solely responsible for providing the data to the hospital network in this readable format and must bear any costs of doing so.


(b) Vendors are prohibited from encrypting, restricting, or otherwise limiting access to patient data solely due to contract termination.


(c) These provisions align with federal interoperability efforts under the 21st Century Cures Act and provide additional state-level enforcement.


(d) Any vendor providing EHR services to Ohio-based healthcare providers must comply with this requirement, regardless of their state or country of incorporation.


(e) Vendors must provide reasonable access to the front-end application or equivalent interface necessary for viewing and retrieving legacy EHR data for a period not less than two (2) years post-contract termination to facilitate data migration.

SECTION 5: PROHIBITION OF "DATA RANSOM" PRACTICES

(a) No vendor, whether based within Ohio or outside the state, may condition continued access to legacy EHR data on the purchase of additional software, licenses, or services beyond the expiration of the terms of the contract where the application is in a read-write state.

(b) Any such requirement shall be deemed an unfair business practice and subject to penalties under Ohio law.


(c) Hospitals and healthcare providers may file civil suits against vendors engaging in data ransom practices, with statutory damages determined by the court.


(d) This provision shall apply to all EHR vendors serving Ohio-based healthcare providers, irrespective of their state of incorporation or business location.

SECTION 6: ENFORCEMENT AND PENALTIES

(a) The Ohio Department of Health shall have the authority to investigate complaints regarding excessive fees, data access restrictions, and non-compliance with data portability requirements.


(b) Vendors found in violation of this Act shall be subject to fines up to $500,000 per instance and potential exclusion from state-funded healthcare contracts.


(c) Healthcare providers may seek legal recourse through civil suits for damages incurred due to non-compliance with this Act.


(d) Any vendor serving Ohio-based healthcare providers shall be subject to Ohio jurisdiction for the purposes of enforcement and litigation under this Act.

SECTION 7: STATE FUND ALLOCATION FOR VENDOR BANKRUPTCY SUPPORT

(a) In cases where an EHR vendor ceases operations due to bankruptcy or financial distress, the Ohio Department of Health shall establish an emergency fund to facilitate data migration and continued access for affected hospitals.


(b) The fund shall be used to provide financial assistance to hospitals for hiring to extract and migrate legacy patient data into a new EHR system.


SECTION 8: EFFECTIVE DATE

This Act shall take effect one month from the date of enactment to allow for vendor compliance and regulatory preparations.