By Megan Williams, contributing writer
The state’s new data privacy law goes beyond HIPAA and could be an additional burden for healthcare business associates
America’s quirkiest peninsula is stepping up its data privacy security laws.
The Florida Information Protection Act of 2014 (FIPA), is garnering attention, not just because of its state of origin, but also because the details of the law make some interesting changes in terms of what’s protected and who the law applies to — this is especially important news to any solutions providers with business associate agreements in Florida.
It’s perhaps most important to understand that FIPA does not replace HIPAA. It simply takes the data protection concepts a step further, and applies them to even non-healthcare entities.
It’s also worth noting that FIPA, unlike HIPAA, does not differentiate between small and large breaches — security violations of all sizes are subject to notifications.
Lastly, and this is especially important for solutions providers, the law includes a comprehensive set of breach notification requirements for both covered entities and business associates. These requirements are based on the number of individuals affected by the breach. Civil penalties could be imposed up to $1,000 per day for the first 30 days, and $50,000 for each subsequent 30-day period.
The law, signed into effect July 1 of this year, makes multiple changes to how data is addressed, including the following:
- Requires proper notice to be provided to consumers within 30 days unless good cause is shown for an additional 15-day delay
- Requires proper notice to be provided to the attorney general for a breach affecting 500 or more individuals
- Defines what information must be included in a proper notice
- Expands the definition of personal information to include health insurance, medical information, financial information and online account information, such as security questions and answers, email addresses, and passwords
- Expands the data breach statute to include state governmental entities and their instrumentalities
- Requires businesses and state government entities to take reasonable measures to protect data
- Requires the attorney general to provide an annual report to the legislature regarding data breaches by governmental entities
- Authorizes enforcement actions under Florida’s Unfair and Deceptive Trade Practices Act for any statutory violations.
The bill does butt heads with HIPAA in a few areas. While HIPAA allows covered entities 60 days to notify individuals of an information breach (giving them the opportunity to avoid having to send notice if they can prove it was unlikely that the information was compromised) under FIPA, that same health entity would have to consult with law enforcement. It also means that many entities that deal with protected health information (PHI), but do not qualify as HIPAA-covered entities, will now have security compliance standards that impact them. Their formal business processes should be updated accordingly.
According to Ann Bittinger, a Jacksonville-based attorney who specializes in healthcare industry compliance, “Historically, Florida has been more lax in HIPAA regulations and in personal information law than other states … We’re in a world of outsourcing so that relationship with a [storage] vendor is so important. You have to really police your vendors, inspect contracts, and ask for proof of insurance and security measures, if they’re holding your records.”
Keep up with further developments on healthcare law like these by subscribing to Business Solutions newsletters.