The state’s new data privacy law goes beyond HIPAA and could be an additional burden for healthcare business associates
America’s quirkiest peninsula is stepping up its data privacy security laws.
The Florida Information Protection Act of 2014 (FIPA) is garnering attention, not just because of its state of origin, but also because the details of the law make some interesting changes in terms of what’s protected and who the law applies to — this is especially important news for any solutions providers with business associate agreements in Florida.
It’s perhaps most important to understand that FIPA does not replace HIPAA. It simply takes the data protection concepts a step further, and applies them to even non-healthcare entities.
It’s also worth noting that FIPA, unlike HIPAA, does not differentiate between small and large breaches — security violations of all sizes are subject to notifications.
Lastly, and this is especially important for solutions providers, the law includes a comprehensive set of breach notification requirements for both covered entities and business associates. These requirements are based on the number of individuals affected by the breach. Civil penalties could be imposed up to $1,000 per day for the first 30 days, and $50,000 for each subsequent 30-day period.
The law, signed into effect July 1 of this year, makes multiple changes to how data is addressed, including the following:
The bill does butt heads with HIPAA in a few areas. While HIPAA allows covered entities 60 days to notify individuals of an information breach (giving them the opportunity to avoid having to send notice if they can prove it was unlikely that the information was compromised), under FIPA that same health entity would have to consult with law enforcement. It also means that many entities that deal with protected health information (PHI), but do not qualify as HIPAA-covered entities, will now have security compliance standards that impact them. Their formal business processes should be updated accordingly.
According to Ann Bittinger, a Jacksonville-based attorney who specializes in healthcare industry compliance, “Historically, Florida has been more lax in HIPAA regulations and in personal information law than other states … We’re in a world of outsourcing so that relationship with a [storage] vendor is so important. You have to really police your vendors, inspect contracts, and ask for proof of insurance and security measures, if they’re holding your records.”