Florida builds upon HIPAA with FIPA
HIM-HIPAA Insider, August 18, 2014
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
Organizations in Florida have one more thing to worry about following a breach of personal information or a security breach. The Florida Information Protection Act of 2014 (FIPA), which went into effect July 1, requires covered entities (CE) or third-parties to notify affected individuals and the Florida Department of Legal Affairs (DLA) of a breach of security or PHI within 30 days of discovery unless delayed by law enforcement. Previously, state law required CEs and third-parties to notify affected individuals of a breach within 45 days.
FIPA set forth a detailed definition of “personal information,” which includes an individual’s first name or first initial and last name combined with one of the following:
- Social Security number
- A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity
- A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
- An individual’s health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual
- A user name or email address combined with a password or security question and answer that would permit access to an online account
The law states that the definition of a CE goes beyond healthcare organizations to include “a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.”
Unlike HIPAA, FIPA places little responsibility for breach notification upon third-parties. FIPA requires third-parties notify the CE of a breach within 10 days of discovery, at which time the CE is responsible for breach notification.
FIPA is enforced by the DLA under the Florida Deceptive and Unfair Trade Practices Act. Violators may face civil prosecution and/or fines not exceeding $500,000 for violating the state breach notification requirements. The DLA will submit a breach report to the Legislature by February 1 each year. CEs and third-parties must still comply with HIPAA regulations in addition to FIPA.
This article originally appeared on HCPro’s HIPAA Update blog. Stay up to date on all things HIPAA by signing up for e-mail updates from this blog.
Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!
Related Products
Most Popular
- Articles
-
- Don't forget the three checks in medication administration
- Note similarities and differences between HCPCS, CPT® codes
- Complications from immobility by body system
- Differentiate between types of wound debridement
- OB services: Coding inside and outside of the package
- Q&A: Primary, principal, and secondary diagnoses
- Nursing responsibilities for managing pain
- The consequences of an incomplete medical record
- Practice the six rights of medication administration
- CDC alert: Screen for international travel as Ebola cases increase
- E-mailed
-
- CDC alert: Screen for international travel as Ebola cases increase
- Differentiate between types of wound debridement
- Q&A: Bill blood administration the same way for inpatient and outpatient accounts
- Q&A: A second look at encephalopathy as integral to seizures/CVA
- Performing a SWOT analysis
- Leadership training for charge nurses
- Helping Charge Nurses understand their leadership role (Part 2 of 3)
- Developing a Fall-Prevention Program
- Coding, billing, and documentation tips for teaching physicians, interns, residents, and students
- Coding tip: Watch for different codes for SI joint injections
- Searched