Ohio Administrative Code
Title 4731 - State Medical Board
Chapter 4731-8 - Personal Information Systems
Section 4731-8-06 - Restricting and logging access to confidential personal information in computerized personal information systems

Universal Citation: OH Admin Code 4731-8-06

Current through all regulations passed and filed through March 18, 2024

For personal information systems that are computer systems and contain confidential personal information, the board shall do the following:

(A) Access restrictions. Access to confidential personal information that is kept electronically shall require a password or other authentication measure.

(B) Acquisition of a new computer system. When the board acquires a new computer system that stores, manages or contains confidential personal information, the board shall include a mechanism for recording specific access by employees of the board to confidential personal information in the system.

(C) Upgrading existing computer systems. When the board makes an upgrade to a computer system, as that term is defined in rule 4731-8-02 of the Administrative Code, to an existing computer system that stores, manages or contains confidential personal information, the upgrade shall include a mechanism for recording specific access by employees of the board to confidential personal information in the system.

(D) Logging requirements regarding confidential personal information in existing computer systems.

(1) Employees who access confidential personal information within computer systems shall maintain a log that records that access.

(2) Access to confidential information is not required to be entered into a log under the following circumstances:
(a) The employee is accessing confidential personal information for official board purposes, including research, and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.

(b) The employee is accessing confidential personal information for routine office procedures and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.

(c) The employee comes into incidental contact with confidential personal information and the access of the information is not specifically directed toward a specifically named individual or a group of specifically named individuals.

(d) The employee accesses confidential personal information about an individual based upon a request made under either of the following circumstances:
(i) The individual requests confidential personal information about himself/herself; or

(ii) The individual makes a request that the board take some action on that individual's behalf and accessing the confidential personal information is required in order to consider or process that request.

(E) Log management. The board shall issue a policy that specifies the following:

(1) The form or forms for logging;

(2) Who shall maintain the logs;

(3) What information shall be captured in the logs;

(4) How the logs are to be stored; and

(5) How long information kept in the logs is to be retained.

(F) Nothing in this rule limits the board from requiring logging in any circumstance that it deems necessary.

Five Year Review (FYR) Dates: 04/21/2016 and 04/21/2021
Promulgated Under: 119.03
Statutory Authority: 1347.15
Rule Amplifies: 1347.15
Prior Effective Dates: 12/31/10

Disclaimer: These regulations may not be the most recent version. Ohio may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.