In an effort to protect its citizens from identity theft, Florida has enacted a new law that increases security accountability for all enterprises, including healthcare providers that reside or do business in the state. The new Florida Information Protection Act of 2014 (FIPA) specifically requires businesses, healthcare, and governmental entities to take reasonable measures to protect personal information.
Some of the key changes introduced by FIPA are:
- A broader definition of “personal information” to include an individual’s first name, first initial, and last name or any middle name and last name, in combination with a Social Security number, driver’s license, or account, credit card, or debit card number. It also expands the definition to include health insurance policy or subscriber number or any unique identifier used by a health insurer to identify the individual; information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis; or financial information.
- A shorter timeline for notifying affected individuals – 30 days instead of 45. Notice must also be provided within 30 days to the Florida Department of Legal Affairs for any breach affecting 500 or more individuals.
- An expanded scope that encompasses “covered entities,” which are third-party agents that collect, maintain, store, or use the personal information of Florida residents.
Healthcare organizations and business associates that operate in Florida must abide by both HIPAA and the state's stringent data privacy laws, Jennifer Christianson, a partner at the law firm Carlton Fields Jorden Burt, told InformationWeek. Failure to comply is risky – and potentially expensive, she noted. Also, the new law states that if a third-party service provider experiences the breach, the healthcare organization – not the third-party organization – is responsible for notifying the affected individuals and the state attorney general.
Christianson stressed that healthcare organizations must ensure that their business associates and other partners comply with privacy rules and that all organizations must review their insurance policies to ensure breaches are covered.