HIPAA Florida: What Are Florida HIPAA Laws?

Florida HIPAA Rules

What are Florida HIPAA Laws? Florida HIPAA compliance requires healthcare organizations to meet the federal HIPAA law as well as Florida's state privacy law. The Florida Information Protection Act of 2014 (FIPA), codified at Fla. Stat. § 501.171, governs the protection of personal information for entities that handle it. FIPA is not a healthcare-specific statute, but because it covers medical and health-insurance data, it is often thought of as "HIPAA Florida." While it is important to comply with both laws, there are instances in which meeting the requirements of one law will satisfy the other. As a general rule, whenever one law is stricter than the other, entities must comply with the stricter requirement.

What is “HIPAA Florida”?

FIPA serves as “HIPAA in Florida.”  

FIPA regulates "covered entities." FIPA defines a covered entity as any of the following that acquires, maintains, stores, or uses personal information:

  • A sole proprietorship or corporation
  • A partnership, trust, or estate
  • A cooperative or association
  • Another commercial entity

Governmental entities are subject to the same security and notification obligations. Entities subject to regulation include both companies doing business in Florida and those with clients or customers in Florida. Note that FIPA's "covered entity" is a broader term than HIPAA's (health plans, healthcare clearinghouses, and providers that conduct standard electronic transactions): a vendor that is only a HIPAA business associate is still a FIPA covered entity if it holds personal information about Florida residents.

What Information Does FIPA Protect?

FIPA protects “personal information.” 

“Personal information” means either of the following: 

An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:

  1. A social security number;
  2. A driver license or identification card number, passport number, military ID number, or other similar number issued on a government document used to verify identity;
  3. A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
  4. Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  5. An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; OR

A username or email address, in combination with a password or security question and answer that would permit access to an online account.

Personal information does not include information that has been made publicly available by a federal, state, or local government, or information that is encrypted, secured, or modified by a method or technology that removes the elements that personally identify an individual or otherwise renders the information unusable. In practice, this means properly encrypted data whose key was not also compromised falls outside FIPA's breach definition, which makes encryption at rest and in transit the single most valuable control for limiting notification exposure.

What Measures Does FIPA Impose?

Under FIPA, companies must take measures to ensure the protection of personal information. Companies maintaining this information are not only responsible for taking action to maintain the privacy of the information, but also must notify affected individuals in the event of a breach.

FIPA requires covered entities to take "reasonable measures" to protect and secure data in electronic form containing personal information. A separate provision requires reasonable measures to dispose of customer records containing personal information, in any form, once they are no longer to be retained (for example, shredding paper records and securely erasing electronic media). These measures must also be taken by third-party agents, meaning vendors that maintain, store, or process personal information on the covered entity's behalf. A third-party agent that suffers a breach must notify the covered entity as expeditiously as practicable, but no later than 10 days after determining the breach, so vendor contracts should carry that deadline explicitly. The measures must be proactive: companies should take measures to prevent compromise of personal information by developing and implementing policies, rather than waiting to respond to a breach after it has occurred.

In the event of a security breach affecting 500 or more individuals in Florida, covered entities must notify the Florida Attorney General as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach occurred. An additional 15 days is permitted if good cause for delay is provided in writing to the Attorney General within 30 days after determination of the breach or reason to believe a breach occurred.

Notice to affected individuals is required for every breach of personal information, regardless of the number of people affected, as expeditiously as practicable and no later than 30 days after the breach is determined or reasonably believed to have occurred. If a breach affects more than 1,000 individuals at a single time, the covered entity must also notify the consumer reporting agencies, in addition to the Florida Attorney General and the affected individuals. Individual notice may be omitted only if, after an appropriate investigation and consultation with law enforcement, the covered entity reasonably determines that the breach has not resulted in and will not likely result in identity theft or financial harm; that determination must be documented in writing, retained for at least five years, and provided to the Attorney General within 30 days.


Florida HIPAA Compliance

Now that we’ve discussed how to comply with the state law FIPA, it is important to understand what else you must do to be HIPAA compliant in Florida. First, we’d like to discuss some topics that we have frequently encountered when addressing Florida HIPAA compliance.

HIPAA Release Form Florida

HIPAA release forms (HIPAA calls them authorizations) in Florida are no different from federal HIPAA release forms. A release form is a document given to patients when a healthcare provider seeks to use or disclose patient information in a manner other than for treatment, payment, or healthcare operations as described in the provider's Notice of Privacy Practices. One common reason is the use of patient information for marketing purposes, such as posting a patient testimonial online. Patients may also request a release form if they would like to designate a personal representative or another person who is permitted to access their medical information.

HIPAA Training Florida

Just like with HIPAA release forms, Florida defers to the federal HIPAA law for its training requirements. HIPAA does not fix a calendar interval: the Privacy Rule requires training for every workforce member, for new members within a reasonable period after they start, and whenever a material change in policies affects their job, and the Security Rule requires an ongoing security awareness program with periodic reminders. Annual training is the widely accepted way to satisfy these requirements and is what auditors expect to see. HIPAA training material should include an overview of the law, cybersecurity best practices, and training specific to your organization's internal HIPAA policies and procedures. Training must be documented and the records retained for six years; having employees attest that they completed and understood the training is the standard way to produce that documentation.

Florida Data Breach Notification Law

While FIPA has its own breach notification requirements, there is also a HIPAA equivalent. When a healthcare organization experiences a breach of unsecured protected health information (PHI), meaning an impermissible use or disclosure that compromises its privacy or security unless a documented risk assessment shows a low probability of compromise, the incident must be reported under HIPAA standards. Florida's data breach notification law (the notification provisions of FIPA) requires breaches to be reported to the Florida Attorney General, while the HIPAA Breach Notification Rule requires PHI breaches to be reported to the Department of Health and Human Services (HHS). Depending on the circumstances of the breach, the incident may be reportable to both the Florida Attorney General and HHS. FIPA treats individual notice given under the rules of the entity's primary federal regulator, which for a HIPAA-regulated entity is the HIPAA Breach Notification Rule, as satisfying FIPA's own individual-notice requirement, but the notice to the Florida Attorney General is still required.

The FIPA breach notification requirements dictate a shorter timeline for breach reporting (30 days from determination of the breach). Under HIPAA, breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days from discovery, and to prominent media outlets when 500 or more residents of a single state or jurisdiction are affected. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered (by March 1st). No matter the size of the breach, under HIPAA affected patients must be notified without unreasonable delay and within 60 days of discovery. Because the FIPA clock is shorter and starts at determination of the breach, an incident response plan should work to the 30-day deadline and treat the HIPAA 60-day limit as an outer bound. Both laws exclude properly encrypted data from their breach definitions, provided the encryption key was not also compromised.

Additional HIPAA Requirements

To be HIPAA compliant, you must follow the provisions of the HIPAA Privacy, Security, and Breach Notification Rules. That means in addition to the requirements mentioned above, there are additional measures that must be implemented. How do you comply with these Rules?

Conduct Security Risk Assessments and Remediate Gaps

Security risk assessments (SRAs) are required by the HIPAA Security Rule and are an essential part of HIPAA compliance because they determine where your security practices are lacking. By conducting an SRA, you identify threats to and vulnerabilities in the confidentiality, integrity, and availability of your electronic PHI so that you can address them before they are exploited. To address gaps identified by your SRA, you must implement and document remediation measures, and the assessment must be repeated periodically and whenever your environment changes materially.

Implement HIPAA Policies and Procedures

HIPAA policies and procedures create guidelines for your business and employees on what is and is not appropriate in regards to PHI. It is essential that your organization’s policies and procedures relate directly to how your business operates. Effective policies and procedures dictate the proper uses and disclosures of PHI, how your organization protects PHI, and what to do in the event of a PHI breach.

Have Signed Business Associate Agreements

Business associate agreements (BAAs) are legal contracts that healthcare organizations must have with their business associate vendors. A business associate is any vendor that creates, receives, maintains, or transmits PHI on your behalf in the course of the services it provides. Common examples of business associates include electronic medical records platforms, email providers, cloud storage solutions, and online appointment schedulers. Before contracting a business associate, you must ensure that they will sign a BAA. Vendors that are unwilling to do so put your HIPAA compliance at risk and cannot be contracted to handle PHI.

Implement an Incident Response Plan

To ensure that you respond to incidents quickly, you must have a system in place to detect, respond to, and report security incidents and breaches; the Security Rule requires documented security incident procedures. Having a tested incident response plan drastically reduces the time it takes to respond to breaches and the costs associated with the incident, and it is the only realistic way to meet FIPA's 30-day notification deadline.
