May 20, 2014
The Florida Legislature passed Senate Bill 1524, or the Florida Information Protection Act of 2014, on April 30, 2014. If signed by the governor, starting July 1, 2014, the law will impose stringent new requirements on numerous Florida businesses that handle personal information. According to the Florida Office of the Attorney General (AG), the purpose of the bill is to better protect the confidential personal information of Floridians and hold accountable those who attempt to breach the security of that information. If the bill becomes a law, it will likely have a significant impact on Florida health care providers and health plans.
Florida‘s Current Law.
Section 817.5681, Florida Statutes, requires any person conducting business in Florida that maintains computerized personal information to provide notice of a security breach of that system within 45 days. Currently, the law does not require a notice of a breach of health information. However, many entities that hold such information must provide breach notices in accordance with federal Health Insurance and Portability and Accountability Act (HIPAA) regulations.
As is, the law states that entities do not have to notify individuals of a breach if after an appropriate investigation or after consulting with law enforcement, it is determined the breach will not likely result in harm to the individuals whose information was compromised.
Details of the New Bill.
If signed, this law will replace the existing statute in Florida. The bill includes the following changes to the current law:
- Requires proper notice to be provided to consumers within 30 days unless good cause is shown for an additional 15-day delay;
- Requires proper notice to be provided to the AG for a breach affecting 500 or more individuals;
- Defines what information must be included in a proper notice;
- Expands the definition of personal information to include health insurance, medical information, financial information and online account information, such as security questions and answers, email addresses and passwords;
- Expands the data breach statute to include state governmental entities and their instrumentalities;
- Requires businesses and state government entities to take reasonable measures to protect data;
- Requires the AG to provide an annual report to the Legislature regarding data breaches by governmental entities; and
- Authorizes enforcement actions under Florida’s Unfair and Deceptive Trade Practices Act for any statutory violations.
To read the entire Florida Information Protection Act of 2014, click here.
What This Means for Florida Health Care Providers.
According to the bill, civil penalties could be imposed in the amount of $1,000 per day for the first 30 days, and $50,000 for each subsequent 30-day period.
This bill could have a significant effect on Florida health care providers. Currently HIPAA-covered entities have 60 days to notify individuals of a health information breach, and may be able to avoid sending notice if they demonstrate that it is unlikely the information has been compromised. However, under the bill, to avoid notifying the patient, a health entity would first have to consult with law enforcement. The bill does state that notice provided in accordance with federal rules is deemed to be in compliance. That may help in situations where HIPAA does not require notices because there is low probability that the information is compromised.
If the bill becomes a law, HIPAA-covered entities in Florida will need to update their breach policies and procedures to ensure compliance. This would also be a good time to strengthen existing privacy and security policies.
Also keep in mind that many entities that have protected health information (PHI) but are not HIPAA-covered entities will now have security compliance standards to follow. If your business has PHI but is not a covered entity, this bill may force you to significantly alter your business process.
What do you think about the Florida Information Protection Act of 2014? In what ways do you think it might affect your business? Please leave any thoughtful comments below.