Florida Breach Notification Law for Healthcare (FIPA): Requirements, Deadlines, and HIPAA Alignment
FIPA Overview
The Florida Information Protection Act of 2014 (FIPA, Fla. Stat. § 501.171) requires commercial entities, healthcare providers, governmental entities, and the third‑party agents that process data for them to take reasonable measures to protect personal information and to notify affected individuals when data in electronic form containing that information is accessed without authorization. For healthcare organizations it operates alongside HIPAA, because FIPA's definition of personal information includes medical and health‑insurance data elements that also qualify as protected health information.
Who is covered and what data is in scope
- Covered entities include any commercial entity (sole proprietorship, partnership, corporation, trust, association, or similar) that acquires, maintains, stores, or uses personal information of Florida residents, plus governmental entities and third‑party agents that store or process data on their behalf.
- Personal information means an individual's first name or first initial and last name combined with any of: a Social Security number; a driver license, identification card, passport, military identification, or similar government‑issued number; a financial account, credit card, or debit card number together with any required security code, access code, or password; information about medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or a health insurance policy or subscriber number with any unique identifier the insurer uses. It also means a user name or email address combined with a password or security question and answer that would permit access to an online account. Data that is encrypted, secured, or otherwise rendered unusable, and information lawfully made available to the public, are excluded.
Core security expectations
You must take reasonable measures to protect electronic personal information and dispose of customer records securely. These controls should be risk‑based and verifiable through internal reviews or compliance audits.
Breach Notification Requirements
What constitutes a breach
A breach is unauthorized access to data in electronic form containing personal information. Good‑faith access by an employee or agent is not a breach, provided the information is not used for a purpose unrelated to the business and is not subject to further unauthorized use.
Breach notification timeline to individuals
- Notify affected Florida residents as expeditiously as practicable and without unreasonable delay, and no later than 30 days after you determine that a breach occurred or have reason to believe one occurred. The clock starts at that determination, not at the date of the intrusion, so an incident that sat undetected for months still gets a 30‑day window once it is found. This is the primary breach notification timeline under FIPA.
- One‑time 15‑day extension: You may request up to 15 additional days for individual notices by submitting a written good‑cause explanation to the Florida Department of Legal Affairs within the original 30‑day window.
- Law‑enforcement delay: If a federal, state, or local law enforcement agency determines that notification would interfere with a criminal investigation, notice must be delayed for the period specified in the agency's written request; the agency can extend or revoke that delay by a further written request.
Risk‑of‑harm exception and documentation
If, after appropriate investigation and consultation with the relevant federal, state, or local law enforcement agencies, you reasonably determine that the breach has not resulted and will not likely result in identity theft or any financial harm to the affected individuals, individual notice is not required. Document this determination in writing, retain it for at least five years, and provide it to the Florida Department of Legal Affairs within 30 days after making it. The waiver covers individual notice only; the report to the Department for breaches affecting 500 or more Florida residents is still due.
Notice content and delivery
- Content must include the date or estimated date range of the breach, a description of the personal information involved, and clear contact information for your organization.
- Delivery may be by written notice to the individual's mailing address or by email. Substitute notice (a conspicuous posting on your website plus notice in print and broadcast media, including major media in the urban and rural areas where affected individuals live) is permitted if direct notice would cost more than $250,000, the breach affects more than 500,000 individuals, or you lack a mailing or email address for the affected individuals.
Reporting to Authorities
Florida Department of Legal Affairs (Attorney General)
- Report to the Florida Department of Legal Affairs within 30 days when a breach affects 500 or more Florida residents.
- Your written submission should include: a synopsis of events; the number of affected individuals; services offered to victims (for example, credit monitoring); a copy of the individual notice or an explanation of alternative actions; and a designated contact person.
- Upon request, you must provide supporting materials such as a police or incident report, a computer forensics report, your breach policies, and steps taken to remediate.
Consumer reporting agencies
If notices must be sent to more than 1,000 individuals at a single time, you must also notify nationwide consumer reporting agencies without unreasonable delay, describing the timing, distribution, and content of the consumer notices.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Third-Party Obligations
Vendors and other third‑party agents that maintain or process data for you must notify you of a breach of a system they maintain as expeditiously as practicable, and no later than 10 days after determining a breach or having reason to believe one occurred, and must give you all the information you need to make FIPA's notices. Once you receive that notice you have reason to believe a breach occurred, so your own 30‑day clocks start. A third‑party agent may, in cooperation with you, issue the notices on your behalf, but any failure is treated as a violation against you, so oversight is essential.
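As an added example (not part of the original page, and not a legal determination), the following Python turns the deadlines and thresholds described above into dated obligations for a single incident: the 30‑day individual notice and its 15‑day extension, the 500‑resident report to the Department of Legal Affairs, the 1,000‑person consumer‑reporting‑agency trigger, the substitute‑notice thresholds, the risk‑of‑harm waiver, and the 10‑day third‑party clock. The `Incident`, `Obligation`, `notice_method` and `plan` names and the sample scenario are constructed for illustration; the figures are the ones stated on this page and should be checked against the current statute before being relied on.

```python
"""FIPA notice planner: incident facts in, dated obligations out (illustrative, not legal advice)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures as stated on this page for Fla. Stat. 501.171; verify against the current statute.
INDIVIDUAL_NOTICE_DAYS = 30
GOOD_CAUSE_EXTENSION_DAYS = 15
DLA_REPORT_DAYS = 30
DLA_REPORT_THRESHOLD = 500          # Florida residents affected: 500 or more triggers the report
CRA_NOTICE_THRESHOLD = 1000         # consumer reporting agencies: strictly more than 1,000 notified at once
SUBSTITUTE_NOTICE_COST = 250_000    # direct-notice cost above which substitute notice is permitted
SUBSTITUTE_NOTICE_COUNT = 500_000   # affected individuals above which substitute notice is permitted
THIRD_PARTY_NOTICE_DAYS = 10
WAIVER_RETENTION_YEARS = 5


@dataclass
class Incident:                     # hypothetical record of the facts that drive FIPA duties
    determined_on: date             # day you determined, or had reason to believe, a breach occurred
    florida_residents: int          # affected Florida residents
    individuals_to_notify: int      # individuals who would receive notice at one time
    direct_notice_cost: float       # estimated cost of mail/email notice, in dollars
    have_contact_details: bool = True       # usable mailing or email addresses on file
    extension_granted: bool = False         # DLA granted the one-time 15-day good-cause extension
    harm_waiver: bool = False               # documented no-likely-harm determination after consulting law enforcement
    vendor_determined_on: Optional[date] = None   # when a third-party agent determined the breach, if one did


@dataclass
class Obligation:
    deadline: Optional[date]        # None means "without unreasonable delay": no fixed statutory date
    method: str
    note: str


def notice_method(inc: Incident) -> str:
    """Substitute notice (website posting plus media) is allowed only above the cost or headcount
    thresholds, or when you hold no usable contact details; otherwise notice goes by mail or email."""
    if (inc.direct_notice_cost > SUBSTITUTE_NOTICE_COST
            or inc.individuals_to_notify > SUBSTITUTE_NOTICE_COUNT
            or not inc.have_contact_details):
        return "substitute"
    return "direct"


def plan(inc: Incident) -> dict:
    """Return the notices FIPA requires for this incident, keyed by recipient."""
    obligations = {}
    start = inc.determined_on       # the clock runs from determination, not from the intrusion date

    if inc.harm_waiver:
        # No individual notice, but the written determination goes to DLA within 30 days and is retained.
        obligations["dla_harm_determination"] = Obligation(
            start + timedelta(days=DLA_REPORT_DAYS), "written",
            f"retain the written determination for at least {WAIVER_RETENTION_YEARS} years")
    else:
        days = INDIVIDUAL_NOTICE_DAYS + (GOOD_CAUSE_EXTENSION_DAYS if inc.extension_granted else 0)
        obligations["individuals"] = Obligation(
            start + timedelta(days=days), notice_method(inc),
            "state the date or date range, the data elements involved, and how to contact you")
        if inc.individuals_to_notify > CRA_NOTICE_THRESHOLD:
            obligations["consumer_reporting_agencies"] = Obligation(
                None, "written", "describe the timing, distribution and content of the consumer notices")

    if inc.florida_residents >= DLA_REPORT_THRESHOLD:   # applies even when individual notice is waived
        obligations["dla_report"] = Obligation(
            start + timedelta(days=DLA_REPORT_DAYS), "written",
            "synopsis, headcount, services offered, copy of the individual notice, contact person")

    if inc.vendor_determined_on is not None:
        obligations["vendor_to_you"] = Obligation(
            inc.vendor_determined_on + timedelta(days=THIRD_PARTY_NOTICE_DAYS), "written",
            "third-party agent must notify you and supply everything you need for your own notices")

    return obligations


if __name__ == "__main__":
    # Constructed scenario: a clinic learns on 1 March 2024 that a vendor export covering 1,200 Florida
    # patients (1,500 people in total) was accessed; the vendor made its own determination on 27 February.
    example = Incident(date(2024, 3, 1), florida_residents=1200, individuals_to_notify=1500,
                       direct_notice_cost=12_000, vendor_determined_on=date(2024, 2, 27))
    for who, ob in plan(example).items():
        print(f"{who:28} {str(ob.deadline or 'without unreasonable delay'):28} {ob.method:10} {ob.note}")
```

The design choice worth noting is that the individual‑notice and Department deadlines are computed from `determined_on` rather than from the intrusion date, and that the harm waiver removes only the individual notice (and with it the consumer‑reporting‑agency trigger) while leaving the 500‑resident report in place. Feed the planner the same facts your tabletop exercise uses and compare its output against the runbook.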
Penalties for Non-Compliance
- Enforcement: Violations are treated as unfair or deceptive trade practices enforceable by the Florida Department of Legal Affairs.
- Civil penalties: For failing to give required notice to individuals or to the Department, penalties may reach $1,000 per day for the first 30 days, then $50,000 for each subsequent 30‑day period or portion of one up to 180 days, and an amount not exceeding $500,000 if the violation continues beyond 180 days. These civil penalties apply per breach, not per affected individual.
- Additional exposure: Investigations can lead to injunctive relief and mandated corrective actions. Routine readiness and compliance audits help demonstrate due diligence.
- No private cause of action: FIPA itself does not create a private right of action, though other legal theories may still be asserted.
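As an added illustration (not from the original page, and not legal advice), this Python expresses the penalty schedule above as a function of how many days a required notice is overdue, so that exposure can be recorded in a risk register. The `max_penalty` name and the sample delays are constructed; the dollar figures and the 30/180‑day breakpoints are those stated on this page.

```python
"""Maximum civil-penalty exposure for one late FIPA notice, per the schedule stated on this page."""
import math

DAILY_RATE = 1_000             # dollars per day for days 1 through 30
FIRST_PERIOD_DAYS = 30
PERIOD_RATE = 50_000           # dollars per 30-day period, or portion of one, after day 30
PERIOD_DAYS = 30
SCHEDULE_LIMIT_DAYS = 180      # past this the statute states only the overall ceiling
PER_BREACH_CAP = 500_000       # per breach, not per affected individual


def max_penalty(days_late: int) -> int:
    """Upper bound on the civil penalty for a single breach whose required notice
    (to individuals or to the Department of Legal Affairs) is days_late days overdue."""
    if days_late <= 0:
        return 0
    if days_late <= FIRST_PERIOD_DAYS:
        return DAILY_RATE * days_late
    if days_late > SCHEDULE_LIMIT_DAYS:
        return PER_BREACH_CAP
    # Any started 30-day period after day 30 counts in full, so day 31 and day 60 cost the same.
    late_periods = math.ceil((days_late - FIRST_PERIOD_DAYS) / PERIOD_DAYS)
    return min(DAILY_RATE * FIRST_PERIOD_DAYS + PERIOD_RATE * late_periods, PER_BREACH_CAP)


if __name__ == "__main__":
    # Constructed sample delays chosen to show the step structure rather than a per-day slope.
    for d in (10, 30, 31, 60, 61, 180, 181):
        print(f"{d:4} days late -> up to ${max_penalty(d):,}")
```

The point the schedule makes, and the function reproduces, is that the cost of lateness is not linear: the first day past 30 adds $50,000 at once, the same as day 60, and the per‑breach cap is only reached once a violation runs past 180 days. The headcount of affected individuals does not enter the calculation at all.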
Interaction with HIPAA
Alignment and key differences
- HIPAA's Breach Notification Rule requires notice to individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured protected health information. FIPA's default timeline is faster: no later than 30 days after determination.
- If you are regulated by a primary or functional federal regulator such as HHS under HIPAA and you notify individuals in accordance with those federal rules, FIPA deems that individual notice compliant—provided you also timely furnish a copy of that notice to the Florida Department of Legal Affairs.
- Even when relying on HIPAA timing and content, the Florida Attorney General reporting threshold (500 or more Florida residents, within 30 days) and the 1,000‑person consumer‑reporting‑agency trigger still apply, and HIPAA's own notices to HHS and, for 500 or more residents of a state, to prominent media outlets remain separately required.
Practical approach for healthcare
In practice, healthcare organizations should operationalize FIPA’s 30‑day pace, coordinate HIPAA and FIPA notices in parallel, and prepare materials for the Florida Department of Legal Affairs at the same time they finalize patient notifications. This reduces timing risk and ensures consistent, accurate messaging about protected health information.
Vendor Risk Management
Contract and oversight essentials
- Contractually require data security safeguards aligned to your risk profile (encryption, access controls, MFA, logging, segmentation, secure disposal) and mandate prompt third‑party breach notification—10 days or faster.
- Define incident response roles, the breach notification timeline, cooperation duties, and evidence preservation. Reserve rights to conduct or commission compliance audits and on‑site assessments.
- Obligate vendors to share forensic findings and provide information necessary for Florida Department of Legal Affairs reporting.
Due diligence and readiness
- Perform pre‑contract diligence (security questionnaires, SOC 2/ISO artifacts, penetration test summaries) and ongoing monitoring tied to risk tiers.
- Run tabletop exercises that cover FIPA’s deadlines, HIPAA coordination, and third‑party breach notification workflows.
- Map data flows to ensure you can quickly identify affected residents, determine the appropriate notice method, and meet substitute notice thresholds if needed.
Conclusion
FIPA imposes clear, accelerated duties: safeguard personal data, notify individuals within 30 days, report 500+ resident breaches to the Florida Department of Legal Affairs, and coordinate with HIPAA. Solid vendor governance and well‑rehearsed incident response are the fastest path to timely, accurate, and defensible compliance.
FAQs
What are the notification deadlines under Florida's breach notification law?
You must notify affected individuals without unreasonable delay and no later than 30 days after determining a breach or having reason to believe one occurred. You may request a single 15‑day extension for individual notices by submitting a written good‑cause explanation to the Florida Department of Legal Affairs within the initial 30 days. Separately, if 500 or more Florida residents are affected, notify the Florida Department of Legal Affairs within 30 days; if more than 1,000 individuals are notified at one time, also notify nationwide consumer reporting agencies without unreasonable delay.
How does FIPA differ from HIPAA in healthcare breach notifications?
HIPAA allows up to 60 days to notify individuals of breaches of unsecured protected health information, while FIPA sets a faster default timeline of 30 days. For HIPAA‑regulated entities, providing HIPAA‑compliant individual notice is deemed compliant with FIPA’s individual notice if you also timely provide a copy of that notice to the Florida Department of Legal Affairs. Florida’s thresholds to notify the Attorney General (500+ residents) and consumer reporting agencies (1,000+ individuals) still apply.
Who must be notified in the event of a large data breach?
Notify affected individuals; the Florida Department of Legal Affairs if 500 or more Florida residents are impacted (within 30 days); and nationwide consumer reporting agencies if notices will be sent to more than 1,000 individuals at a single time. If protected health information is involved and you are a HIPAA‑regulated entity, you must also follow HIPAA’s reporting to HHS.
What penalties exist for non-compliance with FIPA?
Violations are enforceable by the Florida Department of Legal Affairs as unfair or deceptive trade practices. Civil penalties for failing to provide required notices can reach $1,000 per day for the first 30 days, $50,000 for each subsequent 30‑day period (or portion) up to 180 days, and up to a $500,000 maximum per breach. These penalties apply per incident, not per affected individual.