State Privacy Laws

U.S. state privacy laws address various aspects of data protection and privacy rights. Key areas include data breach notification requirements, consumer privacy rights, industry-specific regulations, employee privacy protections, privacy policies and disclosures, and enforcement mechanisms. States vary in their approach and stringency, creating a complex regulatory landscape that businesses and organizations must navigate to ensure compliance and safeguard individuals' personal information.

Florida has implemented a range of laws to safeguard individuals' privacy rights. This guide will navigate you through Florida's privacy laws, outlining key provisions and offering insights into how they impact various sectors.


Florida Information Protection Act of 2014


The Florida Information Protection Act of 2014 (FIPA) is a state law that provides procedures for the protection and security of the sensitive personal information of Floridians. It includes a comprehensive set of breach notification requirements.

Under FIPA, a “breach of security” or “breach” means unauthorized access of data in electronic form containing personal information.

Personal Information is defined as an individual’s first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security Number
  • Driver’s license or other similar number issued on a government document used to verify identity
  • Financial account number, in combination with a password
  • Medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
  • Health insurance policy number or any unique identifier used by a health insurer to identify the individual
  • A username or e-mail address, in combination with a password

FIPA requires that covered entities like the University of Florida give notice to every individual from Florida whose personal information was accessed, or is reasonably believed to have been accessed, as a result of the breach. The notification requirements are based on the number of individuals affected by the breach.


HIPAA and Disclosures Under Florida State Law

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a broad federal law that is in part designed to provide national standards for protection of certain health information. As required by HIPAA, the federal Department of Health and Human Services (HHS) established regulations, which implement the federal law. These regulations are known as the Privacy Rule.

In general, the Privacy Rule prohibits health care providers from using or disclosing a patient’s protected health information (PHI) without written authorization from the patient except for treatment, payment and health care operations. However, the Privacy Rule provides exceptions to this prohibition for a number of public policy reasons. Such exceptions include, but are not limited to, reporting certain injuries to law enforcement officials, reporting child abuse or vulnerable adult abuse, reporting the occurrence of certain diseases to public health officials, and complying with court orders and subpoenas.

When determining whether a health care provider may use or disclose PHI without the patient’s authorization, both state and federal law must be considered. The Privacy Rule provides an extensive list of permitted disclosures; however, where state laws provide greater privacy protections or privacy rights with respect to patients’ PHI, those state laws apply and override HIPAA.

To learn more about cases when Florida state law may preempt HIPAA, please visit HIPAA and Disclosures Under Florida State Law.