
Florida HIPAA Laws


Florida HIPAA laws are the laws that apply in Florida to Covered Entities and Business Associates that preempt, or are additional to, HIPAA. It is important to be aware when Florida HIPAA laws apply in order to avoid fines and possible jail terms for non-compliance.

Section 45 CFR §160.103 of the HIPAA Administrative Simplification Regulations states “a standard, requirement, or implementation specification adopted under this subchapter (the Administrative Simplification Regulations) that is contrary to a provision of State law preempts the provision of State law”. The standard then lists a number of exceptions to the rule, one of which is when:

“The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter (the HIPAA Privacy Rule).”

This means that, while HIPAA sets a federal floor for the privacy of individually identifiable health information (also known as Protected Health Information or PHI), if a State law – or part of a State law – has more stringent requirements, the relevant part of the State law applies, even if to only one standard, requirement, or implementation specification of the Privacy Rule.

It can also be the case that State law places additional requirements on Covered Entities and Business Associates so that, as well as complying with the relevant HIPAA standard, they also have to comply with the relevant State provision. This is certainly the case in Florida, where there are several examples of Florida HIPAA laws adding to Covered Entities’ compliance workloads.

When Does Florida Law Preempt HIPAA?

There are several occasions when Florida law preempts HIPAA, and it is usually the case that the preemptive provision of Florida law relates to 45 CFR §164.512 of the Privacy Rule – “Uses and Disclosures for which an authorization or opportunity to agree or object is not required”. This section extends permitted uses of PHI beyond uses for treatment, payment, and health care operations.

However, whereas HIPAA “permits” the uses and disclosures in this section, there are several occasions when Florida law either “mandates” a disclosure, “limits” what disclosures can consist of, or “prohibits” disclosures of any kind. Examples of some occasions when Florida law preempts HIPAA include:

  • Under §164.512 of the Privacy Rule, Covered Entities may disclose PHI to law enforcement to report certain physical injuries. However, under Florida Statute §790.24, Covered Entities are required to report gunshot wounds indicating an act of violence and – under Florida Statute §877.155 – report second and third-degree burns believed to be caused by violence or unlawful activity.
  • In a similar vein, §164.512 permits Covered Entities to disclose PHI to law enforcement to determine whether a violation of law by a person other than the victim has occurred. However, Florida Statutes §395.3025 and §456.057 respectively prohibit hospitals and independent healthcare professionals from disclosing information in such circumstances without a subpoena.
  • More confusing are the Florida Statutes relating to reporting sexual battery, child abuse, and domestic assaults – all of which are permitted by §164.512. However, in Florida, sexual battery, child abuse, and the sexual abuse of a patient by a member of a hospital’s workforce must be reported, but suspected domestic assaults not accompanied by life-threatening injuries must not be reported.

These are just a handful of examples of when Florida law preempts HIPAA, and Covered Entities and Business Associates need to be aware of the full range of circumstances due to the potential of inadvertently violating Florida HIPAA laws. Therefore, if you are a HIPAA Covered Entity or Business Associate, and you are not aware of your compliance obligations under Florida HIPAA laws, you are advised to seek professional compliance advice.

When Do Additional Laws Apply?

In addition to the occasions when Florida HIPAA laws apply, there are also occasions when additional Florida laws apply to HIPAA Covered Entities and Business Associates. The most significant of the additional Florida laws is Florida Statute §501.171 – The Security of Confidential Personal Information – as created by the Florida Information Protection Act 2014.

This Statute applies to all commercial entities in Florida that acquire, maintain, store, or use personal information and – unlike some other State privacy laws – there is no exemption for HIPAA Covered Entities and Business Associates nor for Protected Health Information (*). Indeed, the Statute lists a number of identifiers that would not necessarily be considered PHI under HIPAA.

(*) Some exemptions exist for psychiatric and SUD records.

Beyond the additional identifiers, there is little in the Statute that conflicts with HIPAA’s data protection provisions – the Statute requiring Covered Entities and Business Associates to “take reasonable measures to protect and secure data in electronic form containing personal information”. However, when a data breach occurs, Covered Entities have to comply with additional breach notification requirements.

Should a data breach affecting more than 500 individuals occur, in addition to notifying affected individuals and HHS’ Office for Civil Rights, Covered Entities are required to notify Florida’s Department of Legal Affairs within 30 days. If the breach occurs at a Business Associate, they are required to notify the Covered Entity within 10 days of the breach being discovered.

Reports to the Department of Legal Affairs must be accompanied by a police report, incident report, and/or computer forensics report, a copy of all policies in place regarding data breaches, and a list of the steps that have been taken to rectify the breach. Additionally, if a data breach affects more than 1,000 residents of Florida, Covered Entities are required to notify credit reporting agencies.

The Penalties for Florida HIPAA Laws Violations

The penalties for Florida HIPAA laws violations vary according to the nature of the violation and the Statute. For example, the failure to notify law enforcement of an injury attributable to sexual battery is a misdemeanor of the first degree under Florida Statute §794.027, which can be punished with a fine of up to $1,000 and/or a prison term of up to one year.

There are no penalties listed for violations of the Florida Information Protection Act with the exception of civil monetary penalties for data breach notifications that exceed the required time limit. Under the Act, the failure to provide timely notifications is a violation of the Florida Deceptive and Unfair Trade Practices Act, for which the penalties are $1,000 per day for the first 30 days and $50,000 for each 30-day period thereafter up to a maximum penalty of $500,000.

It is important to be aware that penalties for breaches of Florida HIPAA laws are in addition to any fines issued by HHS’ Office for Civil Rights and/or Florida’s State Attorney General. Therefore, if your organization is a Covered Entity or Business Associate that collects, receives, maintains, or transmits information pertaining to residents of Florida, it may be necessary to ensure you are familiar with which laws apply to your organization to mitigate the risk of a Florida HIPAA laws violation.

The post Florida HIPAA Laws appeared first on HIPAA Journal.
