The following is a list of federal and state laws that impose
criminal penalties and civil liability for improperly disclosing records that
are required to be kept confidential, or withholding records that are required
to be made available to the public.
Federal Laws and Regulations:
It is likely that some of the following penalties apply to
federal government agencies and employees only (see 1981 Op. Atty. Gen. No.
81-051); however, should a state agency that administers programs (such as
ODJFS) violate both state and federal confidentiality laws, it is possible that
some federal penalty may attach.
5 USC §552(a)(4)(B): On receipt of a complaint, gives
federal district court jurisdiction to enjoin an agency from withholding
records, and to order production of records improperly withheld from the
complainant. Prior to making a determination, the court must examine the
records in camera, and must give substantial weight to the agency’s affidavit
concerning technical feasibility and reproducibility. 6/30/16.
5 USC § 552a(g)(1) and (i): A person may bring a
civil action in federal court for damages against any agency of the U.S.
Government which violates the provisions of the Federal Privacy Act pertaining
to release of information to the person who is the subject of the record, or failing
to maintain an accurate record. Criminal penalties may be assessed to a person
who willfully discloses confidential information. The penalty if convicted is a
fine of not more than five thousand dollars ($5,000). 12/19/14.
5 USC §552a(g)(3) & (4): An individual may seek a
court injunction to stop an agency from withholding agency records that pertain
to the individual, and to order the production of any records improperly
withheld. The court may also hold the government liable and assess reasonable
attorney’s fees and costs for intentionally or willfully failing to maintain
accurate, relevant, timely, and complete records, or for maintaining records in
a manner that adversely affects the individual. 12/19/14.
18 USC 1905: Permits removal from employment and
imposition of fines and/or imprisonment for unauthorized disclosure of
confidential information (including information relating to trade secrets,
processes, operations, style of work, or apparatus, or to the identity,
confidential statistical data, amount or source of any income, profits, losses,
or expenditures of any person, firm, partnership, corporation, or association;
or any income return), obtained by a federal employee during the course of his/her/their
employment.
42 USC § 1320d-5: Imposes penalties ranging from $100
to $1.5 million for HIPAA violations, depending on whether or not the violation
was willful and whether or not it was corrected. Penalty can be waived if HHS
Secretary finds that failure to comply was not due to willful neglect and to
the extent that the payment of such penalty would be excessive relative to the
compliance failure involved.
42 USC § 1320d-6: A person who knowingly and in
violation of HIPAA uses or causes to be used a unique health identifier;
obtains individually identifiable health information relating to an individual
or discloses individually identifiable health information to another person can
face up to a $50,000 fine or imprisoned for up to one year or both. The fine goes
to $100,000 and five years in prison if done with false pretenses. If it is
done with intent to sell, transfer, or use the information for commercial
advantage, personal gain, or malicious harm up to $250,000 and up to 10 years
in prison.
42 USC § 5106a(c)(4)(B)(ii): Requires each state that
establishes a citizen review panel to establish civil sanctions for citizen
review panel members and staff who disclose to any person or government
official any identifying information about any specific child protection case,
or who disclose information to the public without statutory authorization.
State Statutes and Rules:
RC §124.341 & RC §4113.52:
Together, these statutes comprise the Ohio Whistleblower Protection Act, which
protects state employees from disciplinary action when they report violations
of state or federal statutes, rules or regulations, or the misuse of public
resources. See also RC §5104.10 for whistleblower protections related to
child care.
RC
§ 149.43(C): A person aggrieved by a violation of Division (B) of
this Section by a failure to promptly prepare and make records available for
inspection at all reasonable times during business hours; upon request, make
copies available at cost within a reasonable time; or aggrieved by a
governmental unit's failure to maintain public records in such a manner that
they can be made available for inspection or copying at all reasonable times
during regular business hours; may file a complaint in the Ohio court of claims
or an Ohio common pleas court, or commence a mandamus action to compel
compliance, and receive reasonable attorney's fees.
RC § 307.629(D): Whoever permits or encourages the
unauthorized dissemination of any information, document, or report presented to
a child fatality review board, any statements made by review board members
during meetings of the review board, any work products of the review board, and
child fatality review data submitted by the child fatality review board to the
department of health or a national child death review database, other than the
report prepared pursuant to RC §307.626, is guilty of a misdemeanor of the
second degree. 4/3/23.
RC § 1347.10: A person who is harmed by the use of
personal information that relates to him or her that is maintained in a
personal information system, may recover damages in a civil action from the
person who intentionally: maintains inaccurate, irrelevant, incomplete or
untimely information; uses or discloses the personal information in a manner
prohibited by law; supplies, uses or discloses false information; or denies to
the subject of the information the right to inspect and dispute the information
at a time when inspection or correction might have prevented harm. A person who
is harmed may also seek an injunction to prevent the harm, either in her/his
own behalf or through the attorney general or any prosecuting attorney. This
section seems to impose personal liability on public employees who
intentionally violate RC Chapter 1347.
RC § 1347.15(G) & (H): Paragraph (G) allows a
person harmed by an ODJFS or other state employee's violation of the state's
data access rule (which for ODJFS is OAC Rule 5101:9-22-16) to bring an action in the court
of claims against any person who directly and proximately caused the harm. In
addition Paragraph (H) prohibits state employees from knowingly accessing,
using or disclosing confidential personal information in a manner that violates
federal/state law or rule; prohibits state agency's from employing any
individual who has been convicted of a data confidentiality violation; and
affords whistleblower protection (under RC §124.341)
to co-workers who report violations of state employee data access, use and
disclosure laws. 4/7/09.
RC
§ 1349.192: Allows court to impose civil penalties and to issue a
temporary restraining order (TRO) and injunctive relief, for breaches of security
that occur in state agencies, when the court determines the state failed to
comply with RC §1347.12. 2/17/06.
RC
§ 1347.99: A public official, public employee, or other person who
maintains, or is employed by persons who maintain, personal information systems
for a state or local agency, who purposely refuses to: (1) inform the person
who is asked to supply personal information whether the person is required to
or may refuse to supply the information; (2) develop and follow procedures to
maintain information with the accuracy, relevancy, timeliness, and completeness
needed to assure fairness in any determinations that are based on the
information; (3) take reasonable precautions to protect the information from
unauthorized modification, use, disclosure or destruction; (4) collect,
maintain and use only personal information that is necessary and relevant to
the functions the agency is required or authorized to perform, and eliminate
personal information from the system when no longer needed or relevant for
those functions; (5) inform a person supplying information of the other
agencies or organizations that have access to information in the system; (6)
permit the subject of the information in the system the right to inspect her
own information, subject to certain exceptions; (7) inform the subject of the
types of uses made of personal information, including the identity of those
granted system access; or (7) withhold information from the subject when a physician,
psychiatrist or psychologist determines that disclosure would have an adverse
impact on the subject of the information, is guilty of a minor misdemeanor.
Paragraph (B) states that anyone who violates RC §1347.15(H)(1) or (2), by
knowingly accessing, using, or disclosing confidential personal information in
a manner prohibited by law, is guilty of a first degree misdemeanor. 4/7/09.
RC § 2151.99(A): Whoever violates the non-disclosure
provisions of RC §2151.421(I)(2), which prohibits the unauthorized
disclosure of the contents of reports of child abuse or neglect, is guilty of a
misdemeanor of the fourth degree. This statute also makes improper retention or
use of fingerprints or photographs or records of arrests or custody of children
(other than as provided in RC §2151.313(B) and (C)) a
fourth degree misdemeanor. Under (A)(2) and (C)(2), the penalty for any
mandated reporter who fails to report abuse/neglect, when that mandated
reporter is also providing direct care or supervision for the child, or who is
a member of the same church, religious society or faith as a cleric who is
known to have committed abuse or neglect, is a first degree misdemeanor.
6/11/21.
RC § 2913.04(B) and (G): Prohibits persons, by any
manner or means, from knowingly gaining access to, attempting to gain access
to, or causing access to be gained to any computer, system, network,
telecommunications device/service, or information services without the consent
of the owner, or beyond the scope of the owner’s express or implied consent.
Violations can be fifth, fourth, third or second degree felonies, depending on
the extent of harm. 3/23/18.
RC § 2913.42: No person without privilege to do so,
and with purpose to facilitate or perpetrate fraud, shall falsify, destroy,
remove, conceal, alter, deface, or mutilate any writing, computer software,
data, or record; or utter any writing or record knowing it has been tampered
with. Violations can be 1st degree misdemeanors up to 3rd degree felonies.
9/30/11.
RC § 2921.14: Knowingly making or causing another
person to make a false report of child abuse and/or neglect to a PCSA (pursuant
to RC
2151.421(B)) is a first degree misdemeanor.
RC § 3107.99: Whoever violates RC 3107.17(B)(1) is guilty of a 3rd degree
misdemeanor.
RC § 3121.99: Whoever improperly provides financial
information obtained from a financial institution pursuant to an account
information access agreement for child support purposes is subject to six
months in jail or a five hundred dollar fine or both. This statute also
provides a fifty dollar fine for a first offense of failing to report to a CSEA
certain information (e.g., new employment, change in income, name of new
employer, business address of new employer, telephone number of new employer,
change of account wherein deduction is coming, change of personal address,
change of name, phone number, etc.), one hundred dollars for a second offense
and no more than five hundred dollars for subsequent offenses. The statute also
provides for a five hundred dollar fine for any employer terminating, imposing
disciplinary action or refusing to hire an individual because the employer
receives a notice to withhold wages for child support purposes. 3/22/01.
RC § 3125.99: Whoever violates RC §3125.50
(which prohibits disclosure of information concerning obligors and obligees
receiving Title IV-D support enforcement program services) shall be fined not
more than $500 or imprisoned not more than six months or both. 3/22/01.
RC § 3701.244: A person or agency that knowingly
violates RC
§3701.243 (confidentiality of HIV testing info) may be found liable
in a civil action brought by the individual harmed by the disclosure, and may
be ordered to pay compensatory damages and attorney fees.
RC § 4141.22: Disqualifies individuals from holding
any appointment or employment with ODJFS, a county family services agency, or a
workforce development agency, if they disclose unemployment information in a
way not permitted under RC 4141.21 or 4141.43.
RC § 4141.99: Whoever violates the disclosure
restrictions in RC §4141.22 is subject to a fine of not less than
$100 nor more than $1,000 or imprisonment of not more than one year, or both.
RC §5101.181and RC §5101.182:
State that the director of job and family services, county director of job and
family services, county prosecutors, attorney general, auditors of state or any
agent or employee of those officials having access to information or documents
received as a result of a Social Security number match of public assistance
recipients and Ohio income tax records, workers compensation records, state
retirement records, and state personnel records may not divulge information
from these matches except to determine overpayments, audits, investigations,
prosecution, or in accordance with a proper judicial order. Any person
violating these sections shall be disqualified from acting as an agent or
employee or in any other capacity under appointment or employment of any state
or county board, commission, or agency. 12/31/17 & 9/29/11.
RC § 5101.28(D): Precludes civil liability of ODJFS
and CDJFS for damages when either agency provides information to law
enforcement agencies pursuant to divisions A, B, and C of RC §5101.28.
RC § 5101.99: Whoever violates the provisions of RC 5101.27(A)
(release of public assistance recipient information without authorization) is
guilty of a 1st degree misdemeanor. And, whoever violates the SACWIS &
SAAPSIS confidentiality provisions in RC 5101.133 and RC 5101.631(C)(2), respectively, and adult
abuse/neglect reporting requirement in RC 5101.63(A), is guilty of a 4th degree misdemeanor.
RC § 5160.99: Whoever violates the provisions of RC § 5160.45(B)
(release of medical assistance recipient information without statutory
authorization) is guilty of a 1st degree misdemeanor.
OAC rule 4141-43-01: Permits the director of ODJFS to
prohibit future exchange or disclosure of information to a state department,
governmental agency, or other requesting party (or to any of its employees) if
the director finds that wage, claim, employment and training, or employer
information was redisclosed while in the custody of that party/individual.