Implications of the Florida Information & Protection Act for Business Owners
For Florida organizations that handle sensitive healthcare information, federal HIPAA compliance has probably been a handful in and of itself. However, these organizations, along with all other Florida business owners, have an entirely separate set of information privacy standards to comply with.
Florida Governor Rick Scott implemented and signed The Florida Information and Protection Act (FIPA) into law on June 20th, 2014. And yes, just to keep things consistent, FIPA does indeed rhyme with HIPAA. The law went into effect as of July 1st, 2014, however, the regulations have some key differences compared to HIPAA’s collection of compliance standards.
Understanding FIPA: How Florida Business Owners are Impacted by The Act
The protection of client personal information is a huge responsibility. So much so, compliance standards have been codified into law. For business owners, this can seem like a huge and often frightening responsibility. However, taking the time to get to know the basics of compliance standards, can lift a huge weight off the shoulders of business owners and make data security less of a burden.
Let’s look at the top 5 things Florida business owners should know about FIPA:

FIPA Terms are Similar to HIPAA, But Definitions are Different

A covered entity is the legal jargon for who is impacted by Act regulations. Under HIPAA, covered entities include healthcare organizations only. However, under FIPA, the collection of covered entities is much more wide-reaching. FIPA regulations apply to any Florida business that acquires, maintains, stores, or uses personal information – the act is not limited to healthcare providers only.
Furthermore, the FIPA definition of “personally identifiable information” is also more expansive than personal information covered under HIPAA. Whereas HIPAA defines personal information as critical patient health data, FIPA defines personal information as client name’s, driver licenses, social security numbers, banking information and credit card numbers. This means any Florida business that collects, uses or stores client cardholder information is required to uphold FIPA compliance.

Implementing a Data Security Strategy is The Top Priority

FIPA requires all covered entities and their third-party vendors to implement reasonable measures for the secure protection of client data in electronic form. This means Florida business owners need to create deliberate FIPA policies and procedures to ensure consistent and reliable measures are implemented to protect client data.
For organizations already subject to HIPAA, adding FIPA provisions to existing HIPAA policies and procedures could be the best option. While Florida healthcare organizations may already be carefully safeguarding information in EMR programs, it’s critical to reexamine these protocols and others that might be holding ‘personal information’ as defined by FIPA.

Breach Notification Mandates

In the increasingly dangerous cybercrime climate, breaches happen all the time. Under FIPA, organizations have a series of obligations to uphold in the event of a breach. First and foremost, if a breach impacts over 500 people, organizations must notify the Department of Legal Affairs in writing. The written notice must include the specific details of the Breach and the Department may also ask organizations to forward a copy of their FIPA policies. This is slightly different than HIPAA, which only requires breach notification to the Department of Health & Human Services.
Second, if a breach impacts more than 1,000 individuals, organizations must notify all consumer reporting agencies. Additionally, if a third-party vendor experiences a breach, it must notify the covered entity within ten days, rather than the 60-day mandate under HIPAA.
Finally, FIPA requires that individuals impacted by a breach must be notified of the breach within thirty days. Again, this is more stringent than the 60-day HIPAA requirement for breach notification. However, it should be noted that FIPA does outline an exception to this rule that may enable providers to notify individuals in accordance with original HIPAA guidelines.

Proper Disposal of Client Information Records

FIPA requires organizations and third-party providers to implement all reasonable measures for proper disposal of customer records containing personal information.  FIPA specifically references the implementation of policies for shredding, erasing, or otherwise rendering the personal information undecipherable.
While HIPAA provides guidance on the disposal of records containing protected health information, this is the first time that the state of Florida has specifically set out similar specifications. Again, organizations will be required to create FIPA-compliant policies and procedures for record disposal or expand on existing HIPAA disposal policies and procedures.

What’s the Penalty for Non-Compliance?

If an organization or their third-party providers violate FIPA mandates, it will be deemed an unfair or deceptive trade practice and could result in a civil penalty of up to $500,000. The Department of Legal Affairs will be the enforcing body in the state of Florida, as FIPA does not allow the private right of action for individuals to pursue legal action in the case of data violation.
Next Steps: Strategies for Staying FIPA Compliant
So, now that we’ve nailed down the basics, Florida business owners are probably very alert to the fact that FIPA compliance is no joke. However, all the rules and legal mandates can understandably leave your head spinning. So, if you’re wondering the next steps for getting and staying compliant, let’s explore the top three priorities for FIPA compliance:

First, update company data protection policies and procedures accordingly to address areas where FIPA imposes additional requirements, like breach notification and investigation.
Second, ensure all contracts with third-party service providers reflect the implications of FIPA. Be sure all your vendors know what is required of them in terms of protecting data and issuing breach notifications.
Third, train your staff on FIPA compliance. Keeping staff informed about FIPA regulations and giving them strategies to maintain compliance is an incredibly beneficial strategy. Arming your workforce with knowledge, top-to-bottom, is the most efficient way to uphold consistent compliance.

As mentioned, the cybercrime landscape is only getting worse. For businesses, cyber attacks on client personal data can take a huge toll on business security and reputation. That’s why federal and state compliance regulations, like HIPAA and FIPA, are put in place. While many organizations may consider compliance standards an annoying burden, they exist to protect companies from the overwhelmingly negative impacts of an unexpected breach.
Wondering how your company is impacted by FIPA compliance regulations? Don’t waste any time getting compliance policies in place. If you need a hand laying out reliable FIPA policies, reach out to a local technology firm for guidance. When it comes to data security and compliance, checking in with the professionals can make all the difference.