Oklahoma Enacts Hospital Cybersecurity Protection Act | Practical Law

Oklahoma has enacted the Oklahoma Hospital Cybersecurity Protection Act of 2023, which provides hospitals with an affirmative defense against certain data breach-related actions if they create, maintain, and comply with a specified written cybersecurity program.

Oklahoma Enacts Hospital Cybersecurity Protection Act

Practical Law Legal Update w-039-3069 (Approx. 3 pages)


by Practical Law Data Privacy & Cybersecurity
Published on 27 Apr 2023 | Oklahoma
On April 26, 2023, Oklahoma Governor Kevin Stitt approved HB 2790, the Oklahoma Hospital Cybersecurity Protection Act of 2023. The law:
  • Covers any for-profit or nonprofit hospital (as defined by Oklahoma's hospital licensing law) that is owned or managed by a hospital subject to HIPAA.
  • Incentivizes hospitals to adopt written cybersecurity programs with administrative, technical, and physical safeguards that protect defined personal and restricted information.
The law also provides an affirmative defense to certain actions alleging that a failure to implement reasonable information security controls resulted in a data breach. Because it is an affirmative defense, the hospital must show that it had an appropriate written cybersecurity program that:
  • Is designed to protect:
    • the security and confidentiality of defined personal and restricted information;
    • against any anticipated threats or hazards to the information's security or integrity; and
    • against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to affected individuals.
  • Reasonably conforms to the current versions of HIPAA and the HITECH Act. When either regime is updated, the program must conform to the update within one year of the update's effective date.
The scale and scope of a hospital's written cybersecurity program are appropriate if they are based on certain factors, including:
  • The hospital's size and complexity.
  • The nature and scope of its activities.
  • The sensitivity of the information it protects.
  • The cost and availability of information security tools.
  • The hospital's available resources.
The hospital's program must also require a documented review, evaluation, and update of the program at least annually; the documentation is what the hospital would rely on to establish the defense. The law takes effect November 1, 2023.