News | 7/7/2014 02:05 PM
Florida Law Aims To Tighten Data Security

Florida's new data privacy law increases security accountability for all enterprises; healthcare providers could face greater burden to protect patients' personal information.


A new law designed to protect Floridians from identity theft could have far-reaching repercussions for healthcare organizations that are based in, or do business in, the Sunshine State.

Under the Florida Information Protection Act of 2014 (FIPA), a covered entity must now notify affected individuals within 30 days of determining that a breach has occurred (the prior law allowed 45 days), and must notify the Florida Department of Legal Affairs (the Attorney General's office) within the same 30 days for any breach affecting 500 or more Floridians. An organization that shows good cause may receive a 15-day extension, and notice may be delayed further if a law enforcement agency determines that it would interfere with a criminal investigation. A failure to notify is treated as an unfair or deceptive trade practice under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA): the fine is up to $1,000 per day for the first 30 days and up to $50,000 for each subsequent 30-day period, with the total capped at $500,000.

The state also expanded the definition of "personal information." Beyond the Social Security, driver's license and financial account numbers the prior law already covered, it now includes an individual's first name or first initial and last name in combination with any one of the following: a passport number; medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or a health insurance policy number, subscriber identification number, or any other unique identifier a health insurer uses to identify the individual. A user name or e-mail address combined with a password (or security question and answer) that would permit access to an online account also now qualifies on its own.

The law gives patients and consumers more protection, according to government officials. The healthcare industry accounted for 43.8% of all breaches in 2013, versus 34.9% in 2012, according to the Identity Theft Resource Center. Of the 269 healthcare breaches reported in 2013, about 17, or 6%, occurred in Florida.


"Florida consumers are one step closer to better protection from data breaches that can threaten the security of their identities and wreak havoc on their finances," Attorney General Pam Bondi said in a press release. The legislation "will expedite the reporting time for companies and government agencies when consumers' personal information is compromised in order to allow them to protect themselves from fraudulent activity."

The act, which passed unanimously, should slow the flood of data breaches, advocates said. Faster reporting deadlines, a broader set of data elements that count as personal information, and mandatory law enforcement involvement will encourage organizations to be more proactive and give investigators more opportunities to catch cybercriminals.


Beginning July 1, 2014, healthcare organizations and business associates that operate in Florida must abide by both HIPAA and the state's more stringent data privacy law, Jennifer Christianson, a partner at the law firm Carlton Fields Jorden Burt, said in an interview. Failure to comply is risky, and potentially expensive. "I think there's been an increase in the amount of data theft, and there's certainly been increasing interest in pursuing consumer class actions and consumer litigation in general."

Florida's expanded law places even more onus on organizations to safeguard data. "Before, the definition of breach meant it was unlawful and unauthorized. Now it's just unauthorized," Christianson said. "The statute now requires a notification to the Attorney General for breaches, which is a big change. It requires consultation with local law enforcement; before, it was optional. If you believe notice to affected individuals is not required, you will have to go the extra step of consulting with relevant federal, state, or local agencies. You will have to document that for five years."

To date, 47 states have enacted breach notification statutes, but Florida is one of only seven whose laws set a specific deadline for alerting potential victims, according to a JD Supra blog post. Most other states require only that organizations notify within a "reasonable time," but Christianson predicted that other states will follow Florida's lead.

Healthcare organizations also must ensure that their business associates and other partners comply with privacy rules, Christianson said, and all organizations must review their insurance policies to ensure breaches are covered.

To comply with the new law, healthcare organizations should take the following steps:

  • Review policies and procedures to verify that they are actually followed, not just written down.
  • Set up reporting on large print jobs, since bulk printing of records is one way data leaves the building.
  • Limit access to sensitive information to the people who need it for their role.
  • Review all employees' access to systems, data, and sensitive physical areas.
  • Review business associate and contractor agreements, and the security practices behind them.
  • Consider the role of bring-your-own-device (BYOD) policies.
  • Assess physical security as well as cybersecurity.
  • Ensure that customer record disposal policies meet the new legal provisions.
  • Create an investigation and reporting process to follow if a breach occurs.
  • Select an external partner for forensic investigations, audits, and other data breach services before you need one.

Under the new law, if a third-party service provider suffers a breach, the healthcare organization, not the third party, is responsible for notifying patients; the third-party agent's own duty is to report the breach to the covered entity within 10 days of discovering it. That makes it imperative for organizations to know more about their partners, and to write those reporting obligations into their contracts, Christianson said. "When you're making a decision to contract with a third-party [company], you need to think through all these issues to make sure you're compliant with Florida law. The law applies to all organizations, small and large and international. The definition of 'covered entity' under the statute is very large."



Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
Alison_Diana, User Rank: Author
7/9/2014 | 9:06:01 AM
Re: Nice proposal, but...
Yes, @MoarSauce, there is the nervousness that does seem to accompany every national election when you live in Florida! I live in Brevard County and our election commissioner recently unveiled new voting machines, piloted during a very small local election. I don't believe our region suffered from any major problems during the past two presidential elections (other than long lines at times), but there's always a risk when new machines are implemented (in any state!). 

In the case of the data privacy laws, I personally think one reason Florida is being so proactive is that the region has seen a lot of victims because of its population. There are many crimes against seniors here, and this is one way in which the state can try to add another layer of protection for elderly residents (and everyone else, of course). Would have to look up the stats but I read somewhere a few months ago (perhaps Florida Today?) that Florida has a higher rate of crimes against seniors, which would make sense.
moarsauce123, User Rank: Ninja
7/9/2014 | 5:58:33 AM
Nice proposal, but...
... Florida should first make sure that they get something simple and straightforward like an election right. I bet there will be again massive issues in Miami-Dade.
Alison_Diana, User Rank: Author
7/8/2014 | 2:45:13 PM
Re: More excessive government regulation
Yes, it certainly is an election year (and already I've had notices stuck on my door and a mailbox stuffed full of fliers)! I cannot see how a small practice could feasibly cope with this new law without outside assistance. Thinking of a one- or two-doctor practice, where the burden for this type of compliance would fall upon the office manager, there really is no alternative but to find a partner that's proven to have successfully worked with other healthcare organizations (in Florida?) to address privacy, security, governance, and compliance.
RobertS465, User Rank: Apprentice
7/8/2014 | 1:57:36 PM
More excessive government regulation
Wow! More burdensome regulations on Florida's businesses! And from a Republican government. What a surprise! Oh, wait... it's an election year!
Alison_Diana, User Rank: Author
7/8/2014 | 10:07:14 AM
Re: Good for consumers, but the burden falls on IT to ensure compliance!
If I was a Florida business, I'd probably begin by limiting my partnerships. I'd definitely work with a proven, third-party expert in auditing, security, risk, and compliance to review business associate agreements. I'd imagine large hospitals are really scrutinizing their partners -- and perhaps those smaller partners that survive that scrutiny can then use this as a marketing tool in some way. After all, if you are strong enough to pass XYZ Hospital's risk/security/compliance benchmarks, then it must say something about your technologies, processes, and procedures?
Alison_Diana, User Rank: Author
7/8/2014 | 10:03:55 AM
Re: security solution?
Thanks, @Bob, for sharing one piece of the security equation. As you say, mobile devices are one of (if not the top) ways in which data is stolen or lost, so individuals and organizations must take special care to protect them. As we've seen from some feel-good news pieces, not everyone who finds a lost device is a thief; oftentimes, people want to do the right thing but have no idea who the rightful owner is or how to find the real owner. This type of solution resolves that problem!
Alison_Diana, User Rank: Author
7/8/2014 | 10:01:18 AM
Re: Good for consumers, but the burden falls on IT to ensure compliance!
@Tim - Thanks for sharing your expert opinion. I agree: As a Florida consumer, this provides me with a greater level of security. But part of me is thankful I no longer operate my one-person business! All organizations -- from sole proprietorships to massive conglomerates -- certainly should consider how they can automate as much of this process as possible. Ignorance of the law is no defense, and there are well-qualified experts within a range of budgets that can provide consulting and technological assistance to the entire spectrum of healthcare and non-healthcare organizations that do business in Florida (and elsewhere).

I agree with you, Tim, that more states are likely to follow Florida's model. I think consumers are frustrated by the constant flood of breaches and they feel helpless so they're turning to local lawmakers for assistance. These elected officials have to do something to appease voters, so they're enacting more stringent local laws.
danielcawrey, User Rank: Ninja
7/7/2014 | 11:29:27 PM
Re: Good for consumers, but the burden falls on IT to ensure compliance!
Very good for consumers - but it is going to be hard to manage third party risks. No one expects to have a breach; contingencies are planned for. But how much can you really rely on third party trust?

This whole issue reminds me of cloud computing to some degree because that's a third party trust as well. I think the unfortunate truth is that it will take another serious breach before we fully understand the implications of this Florida law. 
BobH088, User Rank: Apprentice
7/7/2014 | 8:52:40 PM
security solution?
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel, like my phone, passport and luggage, after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
TimSed_Dell, User Rank: Apprentice
7/7/2014 | 5:14:29 PM
Good for consumers, but the burden falls on IT to ensure compliance!
Thanks Alison - this is reminiscent of HIPAA and the heightened attention required by agencies and those working with agencies.

This also brings new levels of auditing into play for a much wider audience, since in effect, everyone is a consumer, and what was previously considered public data has now been marked as private. While this is great for the Florida consumer, Florida retailers (and other commercial industries that deal with personal data) will have to implement deeper auditing (and hopefully software to automate as much as possible to enable continuous auditing) so that they aren't caught out with a data breach that causes leaks of consumers' data, a fine or, worst of all, damage to the corporate image (negative publicity) such that consumers no longer trust the retailer. We have certainly seen negative impacts on large retailers who have suffered from lax security and data breaches.

I think we'll see more states following Florida's lead!

Tim Sedlack

Sr Product Manager - Dell Software Group