Florida now has one of the strictest breach notification laws in the country
Effective July 1, 2014, Fla. Stat. § 817.5681 was replaced by § 501.171. The new statute made several significant modifications to Florida's breach notification law. The bill was passed unanimously by the Florida Legislature and signed by the Governor.
The law requires a Covered Entity, or its third-party agent, to report a breach, or a suspected breach, of PHI belonging to a Florida resident to the affected party within 30 days. Notification of the breach must be provided to any Florida resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. For example, a fax containing even one patient's protected health information (PHI) sent to the wrong fax number constitutes a breach and requires patient notification. It is the obligation of the Covered Entity to notify its patients. Notification is not required if, after an appropriate investigation or consultation with relevant governmental law enforcement agencies, it is determined that the breach has not resulted, and will not likely result, in harm to the individuals whose personal information was compromised.
Previously, Florida law required breaches to be reported to affected parties within 45 days; reporting of a "suspected" breach was not required, nor was notification to the Florida Department of Legal Affairs (FDLA).
Under the new law, a breach affecting 500 or more Floridians must be reported to the Florida Department of Legal Affairs (FDLA) within 30 days of its discovery. The notice to the Department of Legal Affairs must include: a synopsis of the events surrounding the breach, the number of individuals affected, any services offered to those individuals without charge (e.g., credit protection), a copy of the notice sent to individuals, and the name of a contact person. Upon request by the State Attorney General, additional information may need to be provided, such as a copy of the police report, incident report, or computer forensics report; a description of the steps taken to rectify the breach; the entity's breach policies; and supplemental information regarding the breach. If breach notification is not provided in a timely manner, violators of the new law may be fined $1,000 per day for the first 30 days and $50,000 for each subsequent 30-day period under the Florida Deceptive and Unfair Trade Practices Act; the total fine may not exceed $500,000.
This is in addition to the reporting imposed by HIPAA and the HITECH Act, which require any breach affecting more than 500 individuals to be reported to the Secretary of Health and Human Services within 60 days.
A third-party agent that maintains computerized personal information on behalf of another entity must notify that entity within 10 days of discovering a data breach. The two parties may agree on who will provide notice to the affected individuals; if no agreement is reached, the entity with the direct relationship to the affected individuals is responsible for complying with the notification procedures required by law. Finally, FIPA (the Florida Information Protection Act) provides that when more than 1,000 individuals require notification at a single time, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
The law also expanded the definition of "personal information" to include an individual's first name or first initial and last name, in combination with any one of the following: driver's license number, medical history, mental or physical condition, medical treatment or diagnosis by a healthcare professional, health insurance policy number, or any unique identifier a health insurer may use to identify the individual.
Passage of FIPA places an even greater onus on healthcare entities to safeguard patient data.