Ohio Administrative Code
Title 173 - Department of Aging
Chapter 173-13 - Accessing Confidential Personal Information
Section 173-13-05 - Confidential personal information: restricting and logging access to CPI in computerized personal information systems

Universal Citation: OH Admin Code 173-13-05

Current through all regulations passed and filed through September 16, 2024

For personal information systems that are computer systems and contain CPI, ODA shall do the following:

(A) Access restrictions: Require a password or other authentication measure to access CPI that ODA keeps electronically.

(B) Acquisition of a new computer system: When ODA acquires a new computer system that stores, manages, or contains CPI, ODA shall include a mechanism for recording specific access by employees to CPI in the system.

(C) Upgrading existing computer systems: When ODA modifies an existing computer system that stores, manages, or contains CPI, ODA shall make a determination whether the modification constitutes an upgrade. Any upgrades to a computer system shall include a mechanism for recording specific access by employees to CPI in the system.

(D) Logging requirements regarding CPI in existing computer systems:

(1) ODA shall require employees who access CPI within computer systems to maintain a log that records that access.

(2) Employees do not need to record access to CPI under any one or more of the following circumstances:
(a) The employee is accessing CPI for official ODA purposes, including research, and the access is not specifically directed toward a specifically-named person or a group of specifically-named persons.

(b) The employee is accessing CPI for routine office procedures and the access is not specifically directed toward a specifically-named person or a group of specifically-named persons.

(c) The employee comes into incidental contact with CPI and the access of the information is not specifically directed toward a specifically-named person or a group of specifically-named persons.

(d) The employee accesses CPI about a person based upon a request made under either of the following circumstances:
(i) The person requests CPI about himself or herself.

(ii) The person makes a request that ODA take some action on that person's behalf and accessing the CPI is required in order to consider or process that request.

(3) For purposes of paragraph (D) of this rule, ODA may choose the form or forms of logging, whether in electronic or paper formats.

Replaces: 173-13-05

Disclaimer: These regulations may not be the most recent version. Ohio may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.