Commentary
Mac McMillan
7/16/2014 12:15 PM

Data Breach Notification Law: Will Florida Lead?

Florida's stringent new breach notification law might encourage lawmakers to finally enact a federal standard.


Many have argued the federal government should pass a single breach notification law that levels the playing field to protect consumer privacy for businesses that accept sensitive, personally identifiable information. So far Congress has been reluctant to do so, and as a result more than 40 states now have their own versions of this law, some of which have gone beyond what the federal government requires in other statutes, such as the Health Insurance Portability and Accountability Act (HIPAA).

California, for instance, has a five-day reporting requirement for in-state entities when there is a breach. Texas passed a comprehensive law last year affecting folks both inside and outside the state. Massachusetts has a more comprehensive breach law that goes beyond simply addressing notifications. Wisconsin has a more stringent law relating to misdirected faxes, and Minnesota is rumored to be considering laws based on the California system.

Then there's Florida. Florida's new law, which went into effect on July 1, is worth watching. This law fundamentally changes the playing field in terms of what information is protected and to whom the law applies. It also changes the notification scheme and does not distinguish between small and large breaches. To top it all off, it does not replace HIPAA -- it is an addition to HIPAA. This means healthcare organizations and business associates (BAs) must meet two separate breach standards with two very different timelines. The six million dollar question: What, if any, impact will Florida's new law have on other states that are contemplating their own breach laws to protect consumer information?

[For more on the Florida Information Protection Act of 2014, see Florida Law Aims To Tighten Data Security.]

To understand the potential implications of the new law better, it's helpful to clarify the differences between the Florida Information Protection Act (FIPA) and HIPAA. First, Florida's statement regarding the applicability of the statute is far broader, listing both government and private institutions that collect personally identifiable information as covered entities. So while HIPAA is very specific to the types of organizations it applies to, FIPA does not discriminate.

The second big difference is the law's treatment of large versus small breaches. Once again, FIPA does not differentiate -- all breaches, large or small, are subject to notification. FIPA, like HIPAA, stipulates civil monetary penalties (CMPs), but unlike HIPAA, Florida's CMPs are assessed on a very different schedule. They are initially assessed daily, then weekly -- and finally, there is an annual limit of $500,000.

The law includes the most comprehensive set of breach notification requirements for both covered entities (CEs) and BAs. Notification requirements are based on the number of individuals impacted. When 500 or more individuals are impacted, notification must be made to the State Attorney General (SAG) and to all individuals involved. For breaches affecting more than 1,000 individuals, the entity must notify all credit agencies in addition to the SAG and individuals involved. Breaches involving fewer than 500 records require notifications only to the individuals affected. Covered entities are responsible for the actions of their subcontractors and agents.

Finally, the rule also provides for the CE to notify local law enforcement and to include it in the decision on notification. The questions remain: Will Florida's new law influence other states to follow suit? And will the federal government finally issue a common breach notification law so we don't end up with multiple versions across different states?


Mac McMillan is co-founder and CEO of CynergisTek Inc., a firm specializing in the areas of information security and regulatory compliance in healthcare. He is the current Chair of the HIMSS Privacy & Security Policy Task Force and was recognized in 2012 as an HIMSS Fellow. ...
Comments
DocM267
8/15/2014 | 3:06:12 PM
Uniform data breach
One piece that Mac didn't mention is that the Florida law (and most of the state laws) have a much more restricted definition of the identifiers that trigger a breach (they mostly look at financial impact), whereas HIPAA is much broader. There are likely to be fewer health data breaches under FIPA than under HIPAA.
EntRiskTechnologies
7/21/2014 | 6:52:02 PM
Re: Is there a common denominator for health data breach notification?
I think it is a symptom of Washington not being directly affected by a catastrophic cyber attack at the moment. Our government seems to have become very reactionary, vice proactive. I cover this in today's blog here.
David F. Carr
7/17/2014 | 12:15:51 PM
Is there a common denominator for health data breach notification?
For any organization operating in multiple states, I'd think one challenge would be defining the superset of all these laws in order to formulate a consistent policy and business process for responding to incidents. How tough is that?

What's the political reason for the federal government's inaction? Or is it just a symptom of Washington gridlock in general?