Florida HIPAA Compliance
Now that we have discussed how to comply with the state law, FIPA, it is important to understand what else you must do to be HIPAA compliant in Florida. First, we would like to address some topics that come up frequently when organizations work through Florida HIPAA compliance.
HIPAA Release Form Florida
HIPAA release forms in Florida are no different from federal HIPAA release forms; there is no separate Florida-specific form, and the federal Privacy Rule calls this document an authorization. A release form is a document given to patients when a healthcare provider seeks to use or disclose patient information in a manner not otherwise permitted by the Privacy Rule, that is, beyond treatment, payment, and healthcare operations and the other uses described in the provider's Notice of Privacy Practices. One common reason is using patient information for marketing purposes, such as posting a patient testimonial online. Patients may also ask for a release form when they want to designate a personal representative or other third party who is permitted to access their medical information.
HIPAA Training Florida
Just as with HIPAA release forms, Florida defers to the federal HIPAA law for its training requirements. HIPAA does not set a fixed training interval: the Privacy Rule requires that each new workforce member be trained within a reasonable period after joining and that workers be retrained when relevant policies change, and the Security Rule requires an ongoing security awareness and training program. Annual training is the widely adopted practice for meeting both. HIPAA training material should include an overview of the law, cybersecurity best practices, and training specific to your organization's internal HIPAA policies and procedures. HIPAA also requires that the training be documented; the usual way to do this, and to confirm that employees understand the material and agree to follow it, is to have each employee sign an attestation after completing the training.
Florida Data Breach Notification Law
While FIPA has its own breach notification requirements, there is also a HIPAA equivalent. When a healthcare organization experiences a breach, meaning an unauthorized acquisition, access, use, or disclosure of unsecured protected health information (PHI) that compromises its privacy or security, the incident must be reported under HIPAA standards. The Florida Data Breach Notification Law requires breaches to be reported to the Florida Attorney General, while the HIPAA Breach Notification Rule requires PHI breaches to be reported to the Department of Health and Human Services (HHS). Depending on the circumstances of the breach, the incident may be reportable to both the Florida Attorney General and HHS.
The FIPA breach notification requirements dictate a shorter timeline: affected individuals must be notified within 30 days, and breaches affecting 500 or more Florida residents must also be reported to the Florida Attorney General within 30 days. HIPAA breach reporting requirements dictate that breaches affecting 500 or more individuals be reported to HHS without unreasonable delay and no later than 60 days after discovery, with notice to prominent media outlets also required when more than 500 residents of a single state or jurisdiction are affected. Breaches affecting fewer than 500 individuals must be reported to HHS within 60 days after the end of the calendar year in which the breach was discovered (by March 1st in a non-leap year). No matter the size of the breach, under HIPAA the affected individuals must be notified without unreasonable delay and no later than 60 days after discovery.
Additional HIPAA Requirements
To be HIPAA compliant, you must follow the provisions of the HIPAA Privacy, Security, and Breach Notification Rules. That means that, in addition to the requirements mentioned above, there are further measures that must be implemented. How do you comply with these Rules?
Conduct Security Risk Assessments and Remediate Gaps
Security risk assessments (SRAs) are an essential part of HIPAA, as they determine where your security practices are lacking; the Security Rule requires both a risk analysis and ongoing risk management. By conducting an SRA, you identify threats to and vulnerabilities in the systems and processes that handle your PHI so that you can address them before they are exploited. To close the gaps identified by your SRA, you must implement remediation measures and document them, since an assessment whose findings are never acted on does not satisfy the Rule.
Implement HIPAA Policies and Procedures
HIPAA policies and procedures create guidelines for your business and employees on what is and is not appropriate with regard to PHI. It is essential that your organization's policies and procedures relate directly to how your business actually operates; generic templates that do not reflect your workflows will not hold up in an audit or an investigation. Effective policies and procedures dictate the proper uses and disclosures of PHI, how your organization protects PHI, and what to do in the event of a PHI breach.
Have Signed Business Associate Agreements