Understanding Federal HIPAA and the New Florida FIPA!
If you thought you had your hands full trying to comply with the federal HIPAA Rules governing personal information, get ready for a brand new set of Florida regulations. On Friday, June 20, 2014, Governor Scott signed “The Florida Information Protection Act of 2014” into law. FIPA (which rhymes with HIPAA, of course!), as we will affectionately refer to the new law, will go into effect on July 1, 2014. Because if you get “dinged” by HIPAA you could also get “dinged” by FIPA, here are the top five things you need to know about FIPA.
- Similar Terms, New Definitions. The FIPA definition of a “covered entity” is much more expansive than the definition of a covered entity under HIPAA. It includes any business that acquires, maintains, stores, or uses personal information, not just those in the healthcare industry. The FIPA definition of “personal information” also covers more information than the definition of protected health information under HIPAA. For example, a name combined with a credit card number qualifies as “personal information.”
- Data Security. FIPA requires covered entities and third-party agents (similar to business associates) to take reasonable measures to protect and secure data in electronic form containing personal information. This means you will either need to create a FIPA policy and procedure or add the FIPA provisions to your HIPAA policies and procedures. Your organization may be carefully safeguarding programs containing medical information (e.g. EMR), but you will need to examine all programs storing identifying information that may amount to “personal information.”
- Breach Notification. FIPA creates additional obligations in the event of a breach. First, the covered entity will need to provide written notice to the Department of Legal Affairs (AKA the Attorney General) within thirty (30) days if more than 500 people are involved in the breach. This notice must contain very specific elements, and the Department may ask for a copy of the covered entity’s breach policies. (HIPAA does not require this, but it does require notice to the Department of Health and Human Services.) Second, if more than 1,000 individuals are affected by the breach, the covered entity must notify all consumer reporting agencies. Third, if the third-party agent (similar to a business associate) has a breach, it must notify the covered entity within ten (10) days, rather than the up to sixty (60) days it previously had under HIPAA. Fourth, FIPA requires that affected individuals be notified of the breach within thirty (30) days. This is more stringent than the sixty (60) day HIPAA requirement for breach notification; however, FIPA does provide an exception to this rule that may enable providers to notify individuals in accordance with the HIPAA rules.
- Disposal of Customer Records. Under FIPA, covered entities and third-party agents are required to take all reasonable measures to dispose of customer records containing personal information. FIPA specifically references shredding, erasing, or otherwise making the personal information unreadable or undecipherable. Although HIPAA provides guidance on the disposal of records containing protected health information, this is the first time that the state of Florida has specifically set out similar specifications. Again, you will need to create a FIPA policy and procedure on this or add to your HIPAA policy and procedure.
- Violation. A violation of FIPA by either a covered entity or a third-party agent will be treated as an unfair or deceptive trade practice and could result in a civil penalty of up to $500,000. The Department of Legal Affairs will be the enforcing body in the state of Florida, as FIPA does not create a private right of action for individuals to file suit.
You may be wondering, “What should I do next?” First, update your policies and procedures to address the areas where FIPA imposes additional requirements (e.g. breach investigation, breach notification, etc.). Second, revise your business associate agreements to reflect the new implications of FIPA (e.g. the 10-day reporting requirement, etc.). Third, train your staff on the updates. At The Bittinger Law Firm, we regularly assist our clients in reviewing their compliance programs to conform to the new regulations, as well as offer interactive training. If we can assist you or answer any questions regarding the effects of FIPA, please feel free to contact our office.