Many have argued that the federal government should pass a single breach notification law that levels the playing field for businesses that collect sensitive, personally identifiable information and protects consumer privacy. So far Congress has been reluctant to do so, and as a result more than 40 states now have their own versions of such a law, some of which go beyond what the federal government requires in other statutes, such as the Health Insurance Portability and Accountability Act (HIPAA).
California, for instance, has a five-day reporting requirement for in-state entities when there is a breach. Texas passed a comprehensive law last year affecting folks both inside and outside the state. Massachusetts has a more comprehensive breach law that goes beyond simply addressing notifications. Wisconsin has a more stringent law relating to misdirected faxes, and Minnesota is rumored to be considering laws based on the California system.
Then there's Florida. Florida's new law, which went into effect on July 1, is worth watching. This law fundamentally changes the playing field in terms of what information is protected and who the law applies to. It also affects the notification schema and does not distinguish between small and large breaches. To top it all off, it does not replace HIPAA -- it is an addition to HIPAA. This means healthcare organizations and business associates (BAs) must meet two separate breach standards with two very different timelines. The six million dollar question: What, if any, impact will Florida's new law have on other states that are contemplating their own breach laws to protect consumer information?
[For more on the Florida Information Protection Act of 2014, see Florida Law Aims To Tighten Data Security.]
To better understand the potential implications of the new law, it helps to clarify the differences between the Florida Information Protection Act (FIPA) and HIPAA. First, FIPA's applicability provision is far broader, listing both government and private institutions that collect personally identifiable information as covered entities. So while HIPAA is very specific about the types of organizations it applies to, FIPA does not discriminate.
The second big difference is the law's treatment of large versus small breaches. Once again, FIPA does not differentiate -- all breaches, large or small, are subject to notification. FIPA, like HIPAA, stipulates civil monetary penalties (CMPs), but unlike HIPAA, Florida's CMPs are assessed on a very different schedule. They are initially assessed daily, then weekly -- and finally, there is an annual cap of $500,000.
The law includes the most comprehensive set of breach notification requirements for both covered entities (CEs) and BAs. Notification requirements are based on the number of individuals impacted. When 500 or more individuals are impacted, notification must be made to the State Attorney General (SAG) and to all individuals involved. For breaches affecting more than 1,000 individuals, the entity must notify all credit agencies in addition to the SAG and individuals involved. Breaches involving fewer than 500 records require notifications only to the individuals affected. Covered entities are responsible for the actions of their subcontractors and agents.
Finally, the rule also provides for the CE to notify and include local law enforcement in the decision to notify. The questions remain: Will Florida's new law influence other states to follow suit? And will the government finally issue a common breach notification law so we don't end up with multiple versions across different states?