South Florida Hospital News
Sunday August 25, 2019

test 2

August 2014 - Volume 11 - Issue 2




Florida Expands Data Security Obligations Beyond Healthcare

By now, Covered Entities, their Business Associates and their sub-Business Associates should have taken the steps necessary to comply with HIPAA-HITECH (the "Health Insurance Portability and Accountability Act of 1996", as amended by the "Health Information Technology for Economic and Clinical Health Act"). All of these businesses, ideally, have completed their risk assessments, implemented HIPAA-HITECH compliance plans and policies, educated their workforces, and entered into Business Associate Agreements.
HIPAA-HITECH, however, is not the end of the obligation to protect patients/clients/customers' private information. Rather, HIPAA-HITECH is intended to serve as the minimum standard for what needs to be done in order to maintain the privacy and security of the ever-growing amount of information businesses collect from their patients, clients, customers and staff (collectively referred to in this article as "Customers"). The Federal Trade Commission has become increasingly active in prosecuting businesses that fail to take steps designed to protect their Customers' data. In addition, Florida and other states have adopted their own schemes for ensuring that businesses protect the privacy and security of their Customers private information.
Businesses involved in the healthcare industry, as well as businesses in other industries, operate at their peril if they ignore these state obligations.
The Florida Information Protection Act of 2014 ("FIPA") was enacted during the Florida Legislature's most recent session. This statute imposes obligations on all businesses to protect the "personal information" they receive from their Customers. A businesses' obligation to comply with FIPA is independent of whether or not it also is subject to HIPAA-HITECH.
FIPA is broader than HIPAA-HITECH in at least two significant ways: First, "any commercial entity that acquires, maintains, stores, or uses 'personal information'", not just Covered Entities and Business Associates, are required to comply with FIPA. Second, FIPA defines "personal information" as including not only HIPAA-HITECH protected PHI, but also "an individual's first name or first initial and last name, plus either their "user name or e-mail address, in combination with a password or security question" and answer, financial account or credit/debit card information in combination with the required security code, a passport, or military identification number.
Despite their differences, FIPA also is similar to HIPAA-HITECH in some significant ways. First, both statutes are responses to the growing reliance on electronic technology, massive data collection and the concern with how that data is used. Second, under both statutes encrypted "personal information"/PHI is not subject to the same risk of sanction if it is inadvertently disclosed to an unauthorized party (for example, a hacker).
FIPA requires any commercial entity that "acquires, maintains, stores, or uses personal information" (not just Covered Entities and Business Associates) to report a breach. Notwithstanding HIPAA-HITECH's requirements, breaches involving 500 or more individuals in Florida must be reported to the Department of Legal Affairs within 30 days. In addition, each individual whose personal information has been disclosed without authorization must be notified. In contrast to HIPAA-HITECH, if the breach involves more than 1,000 individuals at a single time, "all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis" also must be notified.
The Florida Attorney General enforces FIPA civilly, under the Florida Unfair or Deceptive Trade Practices Act ("FUDTPA"). Violators may be subject to a civil penalty of as much as $500,000. Please keep in mind, when applicable, a violation of FIPA does not prevent the Florida Attorney General, the Office of Civil Rights, the Department of Justice, or the Federal Trade Commission from also seeking to impose civil or criminal sanctions under HIPAA-HITECH. Although there is no private right of action under FIPA (or HIPAA-HITECH), the failure to comply with either statutes' requirements may be used as evidence of negligence in an action brought by an individual whose personal information is improperly disclosed.
Healthcare providers and vendors, for good reason, have focused on complying with HIPAA-HITECH. However, they and other business cannot afford to ignore the broader legal environment. Businesses, whether publicly traded companies with thousands of employees or sole proprietorships, must increasing rely on electronic data and communications. This is creating new risks and obligations that all businesses need to be aware of and address. To the extent possible, businesses should strive to adopt policies and procedures that address both the federal and Florida schemes for protecting the security and privacy of their Customers with as little duplication as possible. While this may require the assistance of outside legal and technical expertise, it is far less expensive to act preemptively than trying to explain to a federal or Florida investigator (or private party) why what they believe to be a violation of one or more of these statutes should not be prosecuted.
Stephen H. Siegel is Of Counsel for the statewide law firm Broad and Cassel’s Fort Lauderdale and Miami offices. He is a Florida Bar Certified-Health Law Attorney and can be reached at or (305) 373-9424.
Share |