Florida enacted a new data breach reporting law, the Florida Information Protection Act (“FIPA”), which will affect most, if not all, healthcare businesses. The law became effective the first of this month (July 1, 2014).
The deadline for data breach reporting under FIPA is now 30 days, shortened from 45 days in the previous version of the statute. Sec. 501.171(3)(a). However, Florida’s Department of Legal Affairs may grant a 15-day extension of time for good cause. Because HIPAA requires data breaches to be reported no later than 60 days, this new law requires data breaches to be reported to Florida’s Department of Legal Affairs before reporting must be made to the Secretary of Health and Human Services. 45 C.F.R. §§ 164.400-414; further details on HIPAA reporting requirements are available here.
FIPA is codified within Florida’s chapter on consumer protection statutes at Sec. 501.171, Fla. Stat., and replaces a data breach provision previously located in the criminal code. Despite its transition from a criminal statute to a civil statute, the law explicitly states that it does not provide a private cause of action. Sec. 501.171(10), Fla. Stat.
A copy of the statute can be found, in bill form, here.