FIPA & HIPAA | How They Differ & Why It Matters

There’s typically confusion for some of our health care clients in the State of Florida concerning these laws relating to protected health information as well as personal information protection.

We’ll dive in to define the differences between FIPA & HIPAA. Then we’ll go deeper to explain just how important it is to take both laws seriously when it comes to protecting the confidentiality and integrity of patient personal information and avoiding legal ramifications that could impact your business and your health care practice.

Note: Health care facilities that interact with patient health information, or store or manage their personal data and address confidentiality issues must have best practices, training, and legal steps in place for any employee or individual who has access to this data. Our firm is highly experienced in counseling clients on these topics and we can provide you the legal help you need.

Defining FIPA and HIPAA

Businesses and organizations could be subject to FIPA and/or HIPAA based on the data that is collected, stored and managed as a part of your business operations. Let’s explore their differences.

FIPA

In simplest terms, FIPA (Florida Information Protection Act of 2014) is specifically a Florida law related to the security of confidential personal information which can extend beyond health information to personal data stored in electronic formats and data breaches.

• Businesses and organizations are expected to implement reasonable measures to safeguard any personal information they acquire, store or manage
• If a data security breach knowingly occurs, specified entities are required to notify the Department of Legal Affairs and the individuals affected within 30 days of discovery. Depending on the number of records breached, different requirements may apply
• Entities must report annually on the requirements for disposal of customer records
• Fines for FIPA violations can be steep. A violation of FIPA could result in a civil penalty imposed by the State of up to $500,000

HIPAA

HIPAA (Health Insurance Portability Accountability Act) on the other hand represents patient health information protection at the federal level.

Overall, the goal of HIPAA is to streamline the process to exchange information and to make health information more readily accessible to patients. But in 2003, the HIPAA Privacy Rule went into effect creating a federal standard for protecting the privacy of health information. For the State of Florida, that Privacy Rule also requires the Department of Health (DOH) to comply with Florida laws that provide greater protection to patients. 

In general, HIPAA prohibits the use and disclosure of health information without written permission from the patient. In recent years it has been expanded to include HITECH which addresses the privacy and security concerns associated with the electronic transmission of health information or electronic protected health information (ePHI), in part, through several provisions that increase the liability for non-compliance of the HIPAA rules.

• Health care providers are required to have patients sign an Authorization to Disclose
• Certain disclosure may also be made by a health care provider without patient authorization to accomplish public health activities and other permitted uses as set forth in the Privacy Rule.
• Maximum penalties for HIPAA violations may be $1.5 million

Understanding Accountability of FIPA and HIPAA

There are many ways businesses could overlook their role regarding FIPA and HIPAA protections. Training your internal employees or contractors is an important step in protecting your business. Consider this comparison chart to better understanding the accountabilities of these laws.

Issue	HIPAA Compliance Requirements	FIPA Compliance Requirements
Who has to comply with the privacy rules and security standards?	Covered entities are providers of health care services or health plans.	Covered entities include any business that acquires, maintains, stores, or uses personal information, including non-Florida based entities.
What information is protected?	PHI including billing information.	Much wider scope of information includes credit card numbers, online account credentials, social security numbers.
Breach notification	If privacy or security requirements are breached, covered entity must notify customer/patient. If more than 500 individuals are affected, covered entity must provide notice to Department of Health and Human Services. If a Business Associate breaches, it must notify covered entity in 60 days.	If privacy/security requirements are breached, covered entity must notify customer/patient. If more than 500 people are affected, covered entity must provide notice to Florida Attorney General. If more than 1,000 individuals affected, covered entity must provide notice to all consumer reporting agencies. If a third-party agent breaches, must notify covered entity in 10 days.
Disposal of customer/patient records	Once records are no longer to be retained pursuant to state law, covered entity must shred, erase, or otherwise make PHI unreadable, unusable, or indecipherable.	Same as HIPAA.
Requirements for providing copies of PHI	Covered entity must provide patients with PHI within 30 days of request in the form requested if producible in such form; if maintain records in electronic format, patient has right to receipt of PHI in electronic format.	N/A
Training	Employees must be trained on HIPAA requirements as necessary to carry out job functions and within reasonable time for any material changes in HIPAA requirements. Must document training.	N/A

When to Seek Legal Help

Having legal oversight of your business operations and a review of your policies and procedures to ensure both FIPA and HIPAA are accounted for can help mitigate future concerns and penalties.

As a business operating in the State of Florida our firm can help your organization:

• Understand the laws
• Determine what training you might need to provide your staff or contractors about these laws
• Navigate the legal steps if you experience a breach

Need Legal Advice? Let’s Talk

Contact the law offices of Howell, Buchan & Strong, Attorneys at Law for your free consultation at any one of our locations:

Orlando (407) 717-1773 |Tallahassee (850) 877-7776 | Tampa (813) 833-6726 | Sarasota (941) 779-4348