This rule establishes guidelines for
regulating access to the confidential personal information that is maintained
by the Ohio department of developmental disabilities.
For the purposes of this rule, the
following definitions apply:
"Access," when used in this rule as a noun, means an
opportunity to copy, view, or otherwise perceive.
used in this rule as a verb, means to copy, view, or otherwise
"Computer system" means a "system," as defined in
of the Revised Code, that stores, maintains, or retrieves personal information
using electronic data processing equipment.
personal information" has the same meaning as defined in division (A)(1) of
of the Revised Code and identified by rules promulgated by the department in
accordance with division (B)(3) of section
of the Revised Code that reference the federal or state statutes or
administrative rules that make personal information maintained by the
"Department" means the Ohio department of developmental
"Employee" means each employee of the department
regardless of whether he or she holds an elected or appointed office or
position within the department.
contact" means contact with the information that is secondary or tangential to
the primary purpose of the activity that resulted in the
"Individual" means a natural person or the natural
person's authorized representative, legal counsel, legal custodian, or legal
"Information owner" means the individual appointed in
accordance with division (A) of section
of the Revised Code to be directly responsible for a system.
"Person" means a
"Personal information" has the same meaning as defined
in division (E) of section
of the Revised Code.
"Personal information system" means a "system" that
"maintains" "personal information" as those terms are defined in section
of the Revised Code. "System" includes manual and computer
"Research" means a methodical investigation into a
"Routine" means common place, regular, habitual, or
"System" has the same meaning as defined in division
(F) of section
of the Revised Code.
"Upgrade" means a substantial redesign of an existing
system for the purpose of providing a substantial amount of new application
functionality, or application modifications that would involve substantial
administrative or fiscal resources to implement, but would not include
maintenance, minor updates and patches, or modifications that entail a limited
addition of functionality due to changes in business or legal
Criteria for accessing confidential personal
Personal information systems of the
department are managed on a "need-to-know" basis whereby the information owner
determines the level of access required for an employee of the department to
fulfill his or her job duties. The determination of access to confidential
personal information shall be approved by the employee's supervisor and the
information owner prior to providing the employee with access to confidential
personal information within a personal information system. The department shall
establish procedures for determining a revision to an employee's access to
confidential personal information upon a change to that employee's job duties
including, but not limited to, transfer or termination. Whenever an employee's
job duties no longer require access to confidential personal information in a
personal information system, the employee's access to confidential personal
information shall be removed.
request for a list of confidential personal information
Upon the signed written request of any
individual for a list of confidential personal information about the individual
maintained by the department, the department shall:
identity of the individual by a method that provides safeguards commensurate
with the risk associated with the confidential personal
Provide to the individual the list of confidential
personal information that does not relate to an investigation about the
individual or is otherwise not excluded from the scope of Chapter 1347. of the
If all information relates to an investigation about
that individual, inform the individual that the department has no confidential
personal information about the individual that is responsive to the
Notice of invalid
discovery or notification that confidential personal information of a person
has been accessed by an employee for an invalid reason, the department shall
notify the person whose information was invalidly accessed as soon as practical
and to the extent known at the time. However, the department shall delay
notification for a period of time necessary to ensure that the notification
would not delay or impede an investigation or jeopardize homeland or national
security. Additionally, the department may delay the notification consistent
with any measures necessary to determine the scope of the invalid access,
including which individuals' confidential personal information was accessed
invalidly, and to restore the reasonable integrity of the system. Once the
department determines that notification would not delay or impede an
investigation, the department shall disclose the access to confidential
personal information made for an invalid reason to the person. "Investigation"
as used in this paragraph means the investigation of the circumstances and
involvement of an employee surrounding the invalid access of the confidential
Notification provided by the department shall inform
the person of the type of confidential personal information accessed and the
date of the invalid access.
be made by any method reasonably designed to accurately inform the person of
the invalid access, including written, electronic, or telephone
Appointment of a data privacy point of contact and
completion of a privacy impact assessment
The director of
the department shall designate an employee of the department to serve as the
data privacy point of contact.
The data privacy
point of contact shall work with the chief privacy officer within the Ohio
department of administrative services office of information technology to
assist the department with both the implementation of privacy protections for
the confidential personal information that the department maintains and
compliance with section
of the Revised Code and the rules adopted pursuant to the authority provided by
The data privacy point of contact shall timely complete
the privacy impact assessment form developed by the Ohio department of
administrative services office of information technology.
reasons for authorized employees to access confidential personal
Performing the following functions
constitutes valid reasons for authorized employees to access confidential
Responding to a public records request.
Responding to a
request from an individual for the list of confidential personal information
the department maintains on that individual.
constitutional provision or duty.
statutory provision or duty.
administrative rule provision or duty.
any state or federal program requirements.
payment of claims or otherwise administering a program with individual
participants or beneficiaries.
Licensure, certification, and accreditation
Investigation or law enforcement
complying with an order of the court or subpoena.
matters (e.g., hiring, promotion, demotion, discharge, salary/ compensation
issues, leave requests/issues, timekeeping approvals/issues).
an executive order or policy.
Complying with a
department policy or a state administrative policy issued by the Ohio
department of administrative services, the office of budget and management, or
other similar state agency.
Complying with a
collective bargaining agreement provision.
furtherance of agency-specific programs as permitted by
Regulations that make personal information
The following regulations are the most
widely applicable legal provisions that make personal information maintained by
the department confidential. Other provisions may apply under particular
Division (D) of section
of the Revised Code (social services plan pursuant to Title XX of the Social
Division (G) of section
of the Revised Code (major unusual incident files and records).
Division (T) of
of the Revised Code (rights of persons with a developmental
5123.89 of the
Revised Code (developmental center records).
5126.044 of the
Revised Code (general confidentiality).
552a as in effect on the effective date of
this rule (social security numbers).
1232g as in effect on the effective date of
this rule (Family Educational Rights and Privacy Act statutes).
U.S.C. 1320d as in effect on the effective
date of this rule (Health Insurance Portability and Accountability Act
1396a(a)(5) as in effect on
the effective date of this rule (medicaid records).
45 C.F.R. parts
160 to 164 as in effect on the effective date of this rule (Health Insurance
Portability and Accountability Act rules).
information systems that are computer systems
For personal information systems that
are computer systems and contain confidential personal information, the
Restrict access to confidential personal information
that is kept electronically by requiring a password or other authentication
When the department acquires a new computer system that
stores, manages, or contains confidential personal information, include a
mechanism for recording specific access by employees to confidential personal
information in the system.
department modifies an existing computer system that stores, manages, or
contains confidential personal information, make a determination whether the
modification constitutes an upgrade. Any upgrades to a computer system shall
include a mechanism for recording specific access by department employees to
confidential personal information in the system.
The department shall require employees who access
confidential personal information within computer systems to maintain a log
that records that access. The department may choose the form or forms of
logging, whether in electronic or paper formats.
confidential personal information is not required to be entered into the log
under the following circumstances:
The employee is accessing confidential personal
information for official department purposes, including research, and the
access is not directed toward a specifically named individual or a group of
specifically named individuals.
The employee is
accessing confidential personal information for routine office procedures and
the access is not directed toward a specifically named individual or a group of
specifically named individuals.
comes into incidental contact with confidential personal information and the
access of the information is not directed toward a specifically named
individual or a group of specifically named individuals.
accesses confidential personal information about an individual based upon a
request made by an individual requesting confidential personal information
about himself/herself or the individual makes a request that the department
take some action on that individual's behalf that requires accessing
confidential personal information in order to process that
The department shall issue a log management policy that
Who shall maintain the log.
shall be captured in the log.
How the log is to
How long information kept in the log is to be
Nothing in this rule limits the department from
requiring logging in any circumstance that it deems necessary.
Admin. Code 5123-11-01
Five Year Review (FYR) Dates:
Prior Effective Dates: 10/01/2010,