A new law designed to protect Floridians from identity theft could have far-reaching repercussions on healthcare organizations that reside or do business in the Sunshine State.
Under the Florida Information Protection Act of 2014 (FIPA), any covered entity or third-party agent must now report breaches to the Florida Department of Legal Affairs and to consumers within 30 days (compared with the prior law's 45 days). If they show good cause, organizations may get a 15-day extension or receive a law enforcement extension. Violators can be fined $1,000 per day for the first 30 days and $50,000 for each subsequent 30-day period under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA); the fine is not to exceed $500,000.
The state also expanded "personal information" to include individuals' first name or first initial and last name, in combination with any one of the following: passport number; medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; or health insurance policy number, subscriber identification number, or any unique identifier health insurers use to classify individuals.
The law provides patients and consumers with more security, according to government officials. The healthcare industry accounted for 43.8% of all breaches in 2013, versus 34.9% in 2012, according to the Identity Theft Resource Center. Of the 269 healthcare breaches reported in 2013, about 17 -- or 6% -- occurred in Florida.
"Florida consumers are one step closer to better protection from data breaches that can threaten the security of their identities and wreak havoc on their finances," Attorney General Pam Bondi said in a press release. The legislation "will expedite the reporting time for companies and government agencies when consumers' personal information is compromised in order to allow them to protect themselves from fraudulent activity."
The act, which passed unanimously, should slow the flood of data breaches, advocates said. Faster reporting times, an expanded collection of relevant data, and increased law enforcement involvement will encourage organizations to be more proactive and give law enforcement more opportunities to catch cybercriminals.
Beginning this month, healthcare organizations and business associates that operate in Florida must abide by both HIPAA and the state's stringent data privacy laws, Jennifer Christianson, a partner at the law firm Carlton Fields Jorden Burt, said in an interview. Failure to comply is risky -- and potentially expensive. "I think there's been an increase in the amount of data theft, and there's certainly been increasing interest in pursuing consumer class actions and consumer litigation in general."
Florida's expanded law places even more onus on organizations to safeguard data. "Before, the definition of breach meant it was unlawful and unauthorized. Now it's just unauthorized," Christianson said. "The statute now requires a notification to the Attorney General for breaches, which is a big change. It requires consultation with local law enforcement; before, it was optional. If you believe notice to affected individuals is not required, you will have to go the extra step of consulting with relevant federal, state, or local agencies. You will have to document that for five years."
To date, 47 states have implemented data breach notification statutes, but Florida is one of only seven whose laws include a specific time period for alerting potential victims, according to a JD Supra blog. Many other states say only that organizations should notify within a "reasonable time," but Christianson predicted that other local governments will follow Florida's rule.
Healthcare organizations also must ensure that their business associates and other partners comply with privacy rules, Christianson said, and all organizations must review their insurance policies to ensure breaches are covered.
To comply with the new law, healthcare organizations should take the following steps:
- Appraise policies and procedures to verify that they are implemented effectively.
- Set up reporting for large printing jobs.
- Limit access to sensitive information.
- Review all employees' access to systems, data, and sensitive areas.
- Review business associate and contractor agreements and security.
- Consider the role of bring-your-own-device (BYOD) policies.
- Assess physical security, as well as cybersecurity.
- Ensure that customer record disposal policies meet new legal provisions.
- Create an investigative and reporting process if a breach occurs.
- Select an external partner for forensic investigations, audits, and other data breach services.
Under the new law, if a third-party service provider has a breach, the healthcare organization -- not the third-party organization -- is responsible for notifying patients. That makes it imperative for organizations to know more about their partners, Christianson said. "When you're making a decision to contract with a third-party [company], you need to think through all these issues to make sure you're compliant with Florida law. The law applies to all organizations, small and large and international. The definition of 'covered entity' under the statute is very large."
How does Florida's new law compare to what's going on in your state? Let us know in the comment section below.