IV. Penalties for Wrongful Withholding or Disclosure

In many cases, state and federal laws set out explicit penalties for violation of specific duties with respect to confidentiality. The following is a list of federal and state laws that impose liability for violating various confidentiality laws or public records laws.

Federal Laws and Regulations:

It is likely that some of the following penalties apply to federal government agencies and employees only (see 1981 Op. Atty. Gen. No. 81-051); however, should a state agency that administers programs (such as ODJFS) violate both state and federal confidentiality laws, it is possible that some federal penalty may attach.

5 USC §552(a)(4)(B): On receipt of a complaint, gives federal district court jurisdiction to enjoin an agency from withholding records, and to order production of records improperly withheld from the complainant. Prior to making a determination, the court must examine the records in camera, and must give substantial weight to the agency’s affidavit concerning technical feasibility and reproducibility. Amended 6/30/16.

5 USC § 552a(g)(1): A person may bring a civil action for damages against any agency of the U.S. Government which violates the provisions of the Federal Privacy Act pertaining to release of information to the person who is the subject of the record, or failing to maintain an accurate record. Criminal penalties may be assessed to a person who intentionally discloses confidential information. The penalty is a fine of not more than five thousand dollars ($5,000). 12/19/14.

5 USC §552a(g)(3) & (4): A complainant may seek an injunction to enjoin an agency from withholding agency records and to order the production of any records improperly withheld. The court may assess the government reasonable attorney fees and costs. Amended 12/19/14.

42 USC § 1320d-5: Imposes a $100 to $1.5 million penalty for each HIPAA violation depending on whether or not the violation was willful and whether or not it was corrected. Penalty can be waived if Secretary finds that failure to comply was not due to willful neglect and to the extent that the payment of such penalty would be excessive relative to the compliance failure involved. (Amended effective 02/17/2010).

42 USC § 1320d-6: A person who knowingly and in violation of HIPAA uses or causes to be used a unique health identifier; obtains individually identifiable health information relating to an individual or discloses individually identifiable health information to another person can face up to a $50,000 fine or imprisoned for up to one year or both. The fine goes to $100,000 and five years in jail if done with false pretenses. If it is done with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm up to $250,000 and up to 10 years in jail.

42 USC § 5106a(c)(4)(B)(ii): Requires each state to establish civil sanctions for violation of confidentiality by members and staff of child abuse and neglect, child fatalities and foster care citizen review groups. Amended 7/22/16.

State Statutes and Rules:

RC § 149.43(C): A person aggrieved by a violation of Division (B) of this Section by a failure to promptly prepare and make records available for inspection at all reasonable times during business hours; upon request, make copies available at cost within a reasonable time; or aggrieved by a governmental unit's failure to maintain public records in such a manner that they can be made available for inspection at all reasonable times during regular business hours; may commence a mandamus action to compel compliance, and receive reasonable attorney's fees. Effective 12/19/16.

RC § 307.629(C): Whoever permits or encourages the unauthorized dissemination of any information, document, or report presented to a child fatality review board, any statements made by review board members during meetings of the review board, any work products of the review board, and child fatality review data submitted by the child fatality review board to the department of health or a national child death review database, other than the report prepared pursuant to RC §307.626 is guilty of a misdemeanor of the second degree. (Amended 9/17/14).

RC § 1347.10: A person who is harmed by the use of personal information that relates to him or her, and that is maintained in a personal information system, may recover damages in a civil action from the person who intentionally maintains inaccurate, irrelevant, incomplete or untimely information; supplies false information; intentionally uses or discloses the personal information in a manner prohibited by law; or denies to the subject of the system the right to inspect and dispute the information at a time when inspection or correction might have prevented harm. A person who is harmed may also seek an injunction to prevent the harm, either in his/her own behalf or through the attorney general or any prosecuting attorney.

This section seems to impose personal liability on public employees who intentionally violate RC Chapter 1347. In addition, a case decided in 1983 indicated that negligent release of confidential information by a state agency resulting in damages, is the basis for a claim under Section 1347.10. This is true notwithstanding the fact that the statute requires intent. Petrie v. Forest Hills School Dist. Bd. of Education, 5. O App. 3d 115, 5 OBR 231, 449 NE2d 786 (1983).

RC § 1347.15(G) & (H): Paragraph (G) allows a person harmed by an ODJFS or other state employee's violation of the state's data access rule (which for ODJFS is OAC Rule 5101:9-22-16) to bring an action in the court of claims against any person who directly and proximately caused the harm. In addition Paragraph (H) prohibits state employees from knowingly accessing, using or disclosing confidential personal information in a manner that violates federal/state law or rule; prohibits state agency's from employing any individual who has been convicted of a data confidentiality violation; and affords whistleblower protection (under RC §124.341) to co-workers who report violations of state employee data access, use and disclosure laws. 4/7/09.

RC § 1349.192: Allows Court to impose civil penalties and to issue a temporary restraining order (TRO) and injunctive relief, for breaches of security that occur in state agencies, when the Court determines the state failed to comply with RC §1347.12. Eff. 2/17/06.

RC § 1347.99: A public official, public employee, or other person who maintains, or is employed by persons who maintain, personal information systems for a state or local agency, who purposely refuses to:

(1)      inform the person who is asked to supply personal information whether the person is required to or may refuse to supply the information;

(2)      assure that the information is accurate, relevant, timely, and complete;

(3)      take reasonable precautions to protect the information from unauthorized use;

(4)      collect, maintain and use only necessary information;

(5)      inform a person supplying information of the other agencies or organizations that have access to information in the system;

(6)      provide the subject of the system access to her own information subject to certain exceptions;

(7)      withhold information when a physician, psychiatrist or psychologist determines that disclosure would have an adverse impact on the subject of the information;

(8)      or investigate any disputed information and delete information found to be inaccurate, is guilty of a minor misdemeanor.

Effective 04/07/09, HB 648 added Paragraph (B), which states that anyone who violates RC §1347.15(H)(1) or (2), by knowingly accessing, using, or disclosing confidential personal information in a manner prohibited by law, is guilty of a first degree misdemeanor. Eff. 4/7/09.

RC § 2151.99: Whoever violates the non-disclosure provisions of RC §2151.421(H)(1)(I)(2), which prohibits the unauthorized disclosure of the contents of reports of child abuse or neglect, is guilty of a misdemeanor of the fourth degree. This statute makes improper retention or use of fingerprints or photographs of children (out of compliance with RC §2151.313) a fourth degree minor misdemeanor. The penalty for any mandated reporter who fails to report abuse/neglect, when that mandated reporter is also providing direct care or supervision for the child, is a first degree misdemeanor. Amended eff. 3/14/17.

RC § 2921.14: Knowingly making or causing another person to make a false report of child abuse and/or neglect to a PCSA (pursuant to RC § 2151.421(B)) is a first degree misdemeanor.

RC § 3107.43: Makes unauthorized release of information regarding the birth name of an adopted person or the identity of an adopted person's biological parents or biological siblings a minor misdemeanor. Repealed 3/20/15.

RC § 3107.99: Whoever violates RC 3107.17(B)(1) is guilty of a 3rd degree misdemeanor.

RC § 3121.99: Whoever improperly provides financial information obtained from a financial institution pursuant to an account information access agreement for child support purposes is subject to six months in jail or a five hundred dollar fine or both. This statute also provides a fifty dollar fine for a first offense of failing to report to a CSEA certain information (e.g. new employment, change in income, name of new employer, business address of new employer, telephone number of new employer, change of account wherein deduction is coming, change of personal address, change of name, phone number, etc.), one hundred dollars for a second offense and no more than five hundred dollars for subsequent offenses. The statute also provides for a five hundred dollar fine for any employer terminating, imposing disciplinary action or refusing to hire an individual because the employer receives a notice to withhold wages for child support purposes. Effective 3/22/01.

RC § 3125.99: Whoever violates RC § 3125.50 (which prohibits disclosure of information concerning applicants for and recipients of Title IV-D support enforcement, as well as certain obligor and obligee data) shall be fined not more than $500 or imprisoned not more than six months or both. Effective 3/22/01.

RC § 3701.244: A person or agency that knowingly violates RC §3701.243 (confidentiality of HIV testing info) may be found liable in a civil action brought the individual harmed by the disclosure, and may be ordered to pay compensatory damages and attorney fees.

RC § 4141.22: Sets a penalty for individuals who disclose UC & employment services information not in compliance with RC Chapter 4141. The penalty is disqualification from holding any appointment or employment with ODJFS, a county job and family services agency or a workforce development agency.

RC § 4141.99: Whoever violates the disclosure restrictions set out in RC § 4141.22 is subject to a fine of not less than $100 nor more than $1,000 or imprisonment of not more than one year, or both.

RC §5101.181  and  RC §5101.182: State that the director of Job and Family Services, district director of Job and Family Services, county director of job and family services, county prosecutors, attorney general, auditors of state or any agent or employee of those officials having access to information or documents received as a result of a social security number match of public assistance recipients and Ohio income tax records, workers compensation records, state retirement records, and state personnel records may not divulge information from these matches except to determine overpayments, audits, investigations, prosecution, or in accordance with a proper judicial order. Any person violating these sections shall be disqualified from acting as an agent or employee or in any other capacity under appointment or employment of any state or county board, commission, or agency. Eff. 9/29/13 & 9/29/11.

RC § 5101.28(D): Precludes civil liability of ODJFS and CDJFS for damages when either agency provides information to law enforcement agencies pursuant to division A, B, and C of RC §5101.28.

RC § 5101.99: Whoever violates the provisions of RC § 5101.27(A) (release of public assistance recipient information without authorization under the statute) or RC § 5101.61(A) is guilty of a first degree misdemeanor. Whoever violates RC 5101.61(A) (mandatory reporters of adult abuse or neglect) shall be fined up to $500. And, whoever violates the SACWIS confidentiality provisions in RC 5101.133 is guilty of a 4th degree misdemeanor. Amended eff. 9/29/15.

RC § 5160.99: Whoever violates the provisions of RC § 5160.45(B) (release of medical assistance recipient information without authorization under the statute) is guilty of a first degree misdemeanor.

OAC rule 4141-43-01: Permits the director of ODJFS to prohibit future exchange or disclosure of information to any employee or employees of a one stop system partner, state department, governmental agency, or other requesting party if the director finds that wage, claim, employment and training, or employer information in the custody of the employee or employees is redisclosed without authorization.