Ohio Revised Code
Chapter 3965 | Cybersecurity Requirements for Insurance Companies
Section 3965.07 | Exemptions.

Effective: March 20, 2019
Latest Legislation: Senate Bill 273 - 132nd General Assembly
(A) A licensee is exempt from the requirements of section 3965.02 of the Revised Code if it meets any of the following criteria:
(1) The licensee has fewer than twenty employees.
(2) The licensee has less than five million dollars in gross annual revenue.
(3) The licensee has less than ten million dollars in assets, measured at the end of the licensee's fiscal year.
(B)(1) A licensee subject to and in compliance with the privacy and security rules of 45 C.F.R. Parts 160 and 164 shall be deemed to meet the requirements of this chapter, except those pertaining to notification under section 3965.04 of the Revised Code. The licensee shall submit a written statement to the superintendent certifying its compliance with 45 C.F.R. Parts 160 and 164. The information furnished by a licensee pursuant to section 3965.04 of the Revised Code shall be confidential in accordance with section 3965.06 of the Revised Code.
Each licensee shall maintain for examination by the superintendent all records, schedules, and data supporting the certificate of compliance for a period of five years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. Such documentation shall be available for inspection by the department.
(2) Notwithstanding any other provision of this chapter, a licensee subject to HIPAA shall comply with the requirements of any subsequent amendments to HIPAA in the timeframe established in the applicable amendments to HIPAA.
(C) An employee, agent, representative, independent contractor, or designee of a licensee, who is also a licensee, is exempt from section 3965.02 of the Revised Code and need not develop its own information security program to the extent that the employee, agent, representative, independent contractor, or designee is covered by the information security program of the other licensee.
(D) If a licensee ceases to qualify for an exemption, the licensee shall have one hundred eighty days after the date it ceases to qualify to comply with this chapter.