What Is the Florida HIPAA Statute? State Privacy Laws and Compliance Explained


Kevin Henry

HIPAA

May 17, 2025


Florida does not have a single “HIPAA statute.” Instead, the federal HIPAA rules set a baseline for Protected Health Information (PHI), while Florida statutes and regulations add stricter, state‑specific duties covering patient confidentiality, where health data may be stored, security breach notification, and general data security. HIPAA preempts contrary state law, but not a state law that is more stringent (more protective of the individual) or that provides for public health reporting, so these Florida rules generally apply alongside HIPAA rather than being displaced by it. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/399/does-hipaa-preempt-state-laws/index.html?utm_source=openai))

HIPAA Privacy Rule Overview

The HIPAA Privacy Rule governs how covered entities (health plans, most providers, and health care clearinghouses) and their business associates use and disclose PHI. PHI is individually identifiable health information in any form (electronic, paper, or oral) that relates to a person’s health, care, or payment for care. The rule also includes a “minimum necessary” standard requiring you to limit uses and disclosures to what is reasonably necessary for the purpose; disclosures to a provider for treatment are among the exceptions to that standard. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/160.103?utm_source=openai))

HIPAA permits certain disclosures without patient authorization, including for treatment, payment, health care operations, and specific public health purposes. These Public Health Exemptions at 45 CFR 164.512(b) allow disclosures to public health authorities to prevent or control disease and for other legally authorized activities. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.512?utm_source=openai))

Florida Public Health Exemptions

Florida law requires immediate reporting to the Department of Health for diseases of public health significance and authorizes the department to obtain and inspect relevant medical records for epidemiological investigations. Information reported is confidential, and supplying it does not violate practitioner‑patient confidentiality under state law. HIPAA separately permits these disclosures to public health authorities, aligning state and federal requirements. ([flsenate.gov](https://www.flsenate.gov/Laws/Statutes/2025/381.0031?utm_source=openai))

For hospitals and ambulatory surgical centers, Florida Statutes also recognize that patient records are confidential but specify limited circumstances for disclosure, including Department of Health access for epidemiological investigations—reinforcing the state’s Public Health Exemptions. ([flsenate.gov](https://www.flsenate.gov/Laws/Statutes/2024/395.3025?utm_source=openai))

Offshore Storage Restrictions

Florida’s Electronic Health Records Exchange Act requires any health care provider that utilizes certified electronic health record technology to ensure that all patient information stored in an offsite physical or virtual environment—including through third‑party or cloud services—is physically maintained in the continental United States or its territories or Canada. This mandate applies to qualified electronic health records stored using any technology that allows information to be retrieved, accessed, or transmitted. ([flsenate.gov](https://www.flsenate.gov/Laws/Statutes/2024/Chapter408/All))

As a licensing condition, many providers must attest—at initial application and renewals—under penalty of perjury that they comply with the offshore storage restriction, with noncompliance subject to disciplinary action by the Agency for Health Care Administration. These provisions make offshore storage a core element of healthcare data storage compliance in Florida. ([flsenate.gov](https://www.flsenate.gov/Laws/Statutes/2024/Chapter408/All))

Florida Information Protection Act Requirements

The Florida Information Protection Act (FIPA), section 501.171, applies broadly to businesses and, for notice purposes, governmental entities that hold personal information of Florida residents. Note that FIPA uses “covered entity” in its own sense (a sole proprietorship, partnership, corporation, or other commercial entity that acquires, maintains, stores, or uses personal information), not the HIPAA sense. Covered entities, governmental entities, and third‑party agents must take reasonable measures to protect electronic personal information, a definition that explicitly includes an individual’s medical history, condition, treatment or diagnosis information and health insurance policy or subscriber identifiers, reflecting Florida’s emphasis on digital health data privacy. ([flsenate.gov](https://flsenate.gov/laws/statutes/2025/501.171?utm_source=openai))

If a breach affects 500 or more Floridians, you must notify the Florida Department of Legal Affairs (Attorney General) as expeditiously as practicable and no later than 30 days after determining that a breach occurred or having reason to believe one occurred. Affected individuals must also be notified within the same 30‑day window, subject to a delay at the request of law enforcement or an extension of up to 15 additional days for good cause shown in writing to the department. If more than 1,000 individuals are notified, you must also notify the nationwide consumer reporting agencies without unreasonable delay. ([flsenate.gov](https://flsenate.gov/laws/statutes/2025/501.171))

A third‑party agent that experiences a breach must notify the covered entity within 10 days, so that the covered entity can meet its own downstream notification deadlines. Florida also requires secure disposal of customer records when they are no longer to be retained. Notice failures are treated as unfair or deceptive trade practices, with civil penalties of $1,000 per day for the first 30 days and up to $50,000 for each subsequent 30‑day period, capped at $500,000 per breach (penalties run per breach, not per affected individual). ([flsenate.gov](https://flsenate.gov/laws/statutes/2025/501.171))

Where a covered entity follows notice rules set by its primary federal regulator—such as HIPAA breach notification—Florida deems that notice compliant with statewide individual notice requirements if a copy is timely provided to the department, streamlining overlapping obligations. ([florida.public.law](https://florida.public.law/statutes/fla._stat._501.171?utm_source=openai))


Healthcare Facility Licensing Provisions

Florida law adds granular patient‑record duties beyond HIPAA. For hospitals and ambulatory surgical centers, patient records are confidential and may be disclosed only in the specific situations listed in section 395.3025; the Department of Health may examine records for epidemiological investigations. For licensed practitioners, section 456.057 requires furnishing records to patients on request, maintaining confidentiality, implementing policies and training, and tracking disclosures to third parties, all of which reinforce patient confidentiality. ([flsenate.gov](https://www.flsenate.gov/Laws/Statutes/2024/395.3025?utm_source=openai))

Record‑retention duties also arise in Florida’s administrative rules. For example, physicians who are medical records owners must maintain patient records for at least five years from the last patient contact; special timelines and notice rules apply when a physician terminates practice or dies. These licensing‑related requirements complement HIPAA by setting concrete operational expectations for record custody and availability. ([law.cornell.edu](https://www.law.cornell.edu/regulations/florida/Fla-Admin-Code-Ann-R-64B8-10-002?utm_source=openai))

Separately, the Electronic Health Records Exchange Act’s offshore storage rule is tied to licensure through an attestation requirement, with noncompliance subject to discipline—integrating data storage location directly into healthcare facility licensing provisions. ([flsenate.gov](https://www.flsenate.gov/Laws/Statutes/2024/Chapter408/All))

Florida Digital Bill of Rights Impact

Florida’s Digital Bill of Rights (FDBR), effective July 1, 2024, imposes consumer data rights and controller duties, but it targets only very large “controllers”: businesses with more than $1 billion in global gross annual revenue that also derive at least half of that revenue from online advertising, operate a consumer smart speaker or voice‑command service, or operate an app store or digital distribution platform offering at least 250,000 applications. Few if any healthcare providers meet this definition. ([flsenate.gov](https://flsenate.gov/Laws/Statutes/2025/501.702?utm_source=openai))

Crucially, the FDBR exempts PHI under HIPAA, health records, and several research‑related data categories. For HIPAA‑covered entities and business associates, this means FDBR has little direct impact on PHI processing; however, non‑PHI consumer data collected via websites, apps, or devices may still trigger FDBR obligations if a provider otherwise meets the controller definition. ([flsenate.gov](https://flsenate.gov/Laws/Statutes/2024/Chapter501/All?utm_source=openai))

The FDBR also codifies consumer rights—access, correction, deletion, portability, and opt‑outs for targeted advertising, sale, and certain profiling—illustrating Florida’s broader digital privacy posture outside the traditional HIPAA framework. ([flsenate.gov](https://www.flsenate.gov/Laws/Statutes/2024/0501.705?utm_source=openai))

State Data Security Obligations

Beyond HIPAA’s Security Rule, Florida law establishes state‑level data security requirements. Under FIPA, you must implement reasonable administrative, technical, and physical safeguards for electronic personal information, promptly investigate incidents, provide security breach notification within statutory deadlines, manage third‑party agent responsibilities, and dispose of customer records securely. Together, these data security requirements aim to minimize risk across both PHI‑adjacent and non‑PHI data. ([flsenate.gov](https://flsenate.gov/laws/statutes/2025/501.171?utm_source=openai))

Florida’s professional practice rules and patient‑record statutes further require you to adopt confidentiality policies, train staff, and maintain disclosure logs—practical compliance steps that reinforce privacy by design in daily operations. ([flsenate.gov](https://flsenate.gov/laws/statutes/2024/456.057?utm_source=openai))

Conclusion

In Florida, HIPAA remains the baseline, but compliance hinges on layering in Florida‑specific rules: reportable public health disclosures, strict offshore storage limits for electronic health records, FIPA’s tight breach‑notification timelines and safeguards, facility‑licensing duties for record management, and the Digital Bill of Rights for certain large‑scale consumer data operations. Aligning these frameworks gives you defensible, end‑to‑end digital health data privacy and security.

FAQs.

What are the main provisions of the Florida HIPAA statute?

There is no single Florida “HIPAA statute.” HIPAA governs PHI uses and disclosures and sets the federal floor. Florida adds: (1) mandatory public health reporting and Department of Health access to records for epidemiological investigations; (2) a requirement that patient information held by providers using certified EHR technology be physically maintained in the continental U.S., its territories, or Canada; (3) FIPA security and breach‑notification rules (30‑day timelines, Attorney General notice for 500+ individuals, 10‑day third‑party agent notice, secure disposal, and civil penalties); and (4) patient‑record confidentiality and operational duties under sections 395.3025 and 456.057. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.512?utm_source=openai))

How does Florida law regulate offshore storage of health records?

Providers that use certified EHR technology must ensure that all patient information stored in offsite physical or virtual environments, including cloud and subcontracted computing facilities, is physically maintained in the continental U.S., its territories, or Canada. Many licensees must attest to compliance, under penalty of perjury, at initial licensure and each renewal; violations can trigger disciplinary action by the Agency for Health Care Administration. ([flsenate.gov](https://www.flsenate.gov/Laws/Statutes/2024/Chapter408/All))

What obligations do Florida entities have under FIPA?

You must implement reasonable security measures for electronic personal information; notify affected individuals within 30 days of determining a breach (subject to a law‑enforcement delay or a 15‑day good‑cause extension); notify the Attorney General within the same 30 days for breaches affecting 500 or more Floridians; and notify the nationwide consumer reporting agencies if more than 1,000 individuals are informed. Third‑party agents have 10 days to notify the covered entity of a breach. Secure disposal of customer records is required, and penalties for notice failures can reach $500,000 per breach. If you follow HIPAA’s breach‑notification process and provide a copy of the notice to the department, Florida deems that notice compliant with its individual‑notice requirement. ([flsenate.gov](https://flsenate.gov/laws/statutes/2025/501.171))

What exemptions exist in Florida’s digital privacy laws for health data?

Under the Florida Digital Bill of Rights, PHI under HIPAA, health records, certain research data, and 42 U.S.C. 290dd‑2 patient‑identifying information are exempt. The FDBR mainly targets very large “controllers” and typically does not apply to HIPAA‑regulated PHI, though non‑PHI consumer data held by large organizations may still be covered. ([flsenate.gov](https://flsenate.gov/Laws/Statutes/2024/Chapter501/All?utm_source=openai))
