By: Jackie Bain
FIPA is the Florida Information Protection Act of 2014. It became effective on July 1, 2014. Many people consider FIPA to be Florida’s state-law counterpart to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). However, FIPA is, in many respects, more far-reaching than HIPAA. Those who transact business in the State of Florida are well served to be knowledgeable about FIPA.
FIPA affects more than just health care providers and others in the health care industry. Under FIPA, any business that acquires, stores, maintains or uses personal information must take reasonable measures to safeguard that information. “Personal information” means a person’s first and last name (or first initial and last name) in combination with his or her social security number, driver’s license or other government identification number, financial account number or credit or debit card number together with any required security code, access code or password, medical history, or health insurance policy number. A convenience store that has access to a person’s name and credit card number is just as accountable under FIPA as a hospital that stores that person’s medical history and insurance information.
In the event of a large breach (one affecting 500 or more individuals in Florida), and in addition to any reporting obligations an entity might have under HIPAA, the entity that discovered the breach must also notify Florida’s Department of Legal Affairs within 30 days of discovery. This is half the timeline for notification imposed by HIPAA. Additionally, if a breach affects more than 1,000 individuals, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Finally, if a third-party agent is responsible for the perceived breach, the third party must notify the covered entity it serves within 10 days of determining that a breach occurred (rather than the 60 days afforded to business associates by HIPAA). This means that a third party that holds personal information has very little time to investigate a perceived breach, and should err on the side of reporting to the entity it serves.
There is no private cause of action under the law, meaning, for example, that a consumer cannot sue a pharmacy under FIPA for a data breach involving the consumer’s health insurance policy number. However, the fines involved in a FIPA violation can be hefty: a violation of FIPA is treated as an unfair or deceptive trade practice and may result in a civil penalty of up to $500,000, imposed by the State through the Department of Legal Affairs. These fines are distinct from any fines that HHS might impose under HIPAA.
Does your business have a HIPAA compliance policy? Has it been updated to account for any FIPA considerations? If your business is not subject to HIPAA, might it still be subject to FIPA?
Both HIPAA and FIPA present certain challenges for service providers. At the end of the day, it is important for a service provider to recognize that it has an obligation not only to run a successful business, but also to maintain its consumers’ financial and health information with a reasonable degree of confidentiality. Compliance is a less cumbersome burden if it is built into your business model early on and reassessed often.