Florida Healthcare Compliance: FIPA Breach Notification + State Specifics
10 min read · Last reviewed May 23, 2026
The Florida Information Protection Act of 2014 (F.S. § 501.171) imposes a 30-day breach-notification window, AG notice for breaches affecting 500+ Florida residents, and per-day penalty exposure that can reach a $500,000 cap. For medical practices the single biggest divergence from HIPAA is the breach window: 30 days from determination under FIPA versus 60 days under 45 CFR § 164.404(b).
What FIPA actually requires
The Florida Information Protection Act of 2014 is codified at Florida Statutes § 501.171. It replaced and broadened the prior Florida breach statute and runs alongside the medical-records-specific rules in F.S. § 456.057 (practitioner records) and F.S. § 395.3025 (hospital records).
Core FIPA obligations:
- Reasonable measures to protect personal information under § 501.171(2) — covered entities and third-party agents must take reasonable measures to protect and secure data in electronic form containing personal information.
- Breach notice to individuals within 30 days under § 501.171(4)(a) — "as expeditiously as practicable" and not later than 30 days after determination of a breach or reason to believe a breach occurred.
- AG notice at 500+ residents under § 501.171(3)(a) — notice to the Florida Department of Legal Affairs within 30 days of determination when a breach affects 500 or more Florida residents. The notice must include synopsis, individuals affected, services offered (credit monitoring, identity theft prevention), and a copy of the consumer notice.
- Consumer reporting agency notice at 1,000+ residents under § 501.171(5).
- Reasonable disposal of records containing personal information under § 501.171(8) — must take reasonable measures to dispose, shred, erase, or otherwise modify.
- Florida Attorney General enforcement under § 501.171(9), with violations treated as unfair or deceptive trade practices under F.S. Chapter 501 Part II.
- No private right of action under § 501.171(10) — express statutory bar.
The personal-information definition at § 501.171(1)(g) reaches a Florida resident's first name (or initial) and last name in combination with: SSN, driver's license / state ID, financial account, medical history / condition / treatment / diagnosis (the healthcare nexus), health insurance policy number, or biometric data. The medical and health-insurance components are what make FIPA a direct concern for any Florida medical practice.
Where Florida is stricter than HIPAA
The comparison table.
| Topic | HIPAA | FIPA / Florida | Stricter | |---|---|---|---| | Individual breach-notice window | 60 days from discovery (45 CFR § 164.404(b)) | 30 days from determination (F.S. § 501.171(4)(a)) | Florida | | AG notice on breach | None directly; state AG enforcement permitted (42 USC § 1320d-5(d)) | Required at 500+ residents within 30 days (F.S. § 501.171(3)(a)) | Florida | | Personal-information scope | PHI (45 CFR § 160.103) | PHI elements + SSN + DL + financial + biometric (F.S. § 501.171(1)(g)) | Florida broader on identity data | | Medical-records retention | 6 years on compliance records (45 CFR § 164.530(j)(2)) — does not cover the chart | 5 years on practitioner records (F.S. § 456.057(13)); 7 years hospital (F.S. § 395.3025) | Florida governs chart retention | | Patient-access fee | Reasonable cost-based (45 CFR § 164.524(c)(4)) | Capped: $1.00/page pages 1–25, $0.25/page after page 25, + $1.00 search (64B8-10.003(2)) | Florida more prescriptive | | Disposal of records | Reasonable safeguards (45 CFR § 164.530(c)) | Reasonable measures, shred/erase (F.S. § 501.171(8)) | Tie; FIPA more explicit | | Penalty cap | $2,190,294 annual per identical violation (2026 HHS-adjusted; 45 CFR § 160.404 and 45 CFR Part 102) | $1,000/day per breach × 30 days + escalators; $500,000 cap (F.S. § 501.171(9)) | HIPAA cap higher; FIPA quick to accumulate | | Private right of action | None | Expressly barred (F.S. § 501.171(10)); FIPA-as-FDUTPA runs to AG/Department only | Tie |
What practices most often miss is the 30-day FIPA window. Counsel running a HIPAA four-factor analysis under 45 CFR § 164.402 may take weeks to determine whether a security incident is a reportable breach federally. FIPA does not give the practice that runway: once the practice has "reason to believe" a breach occurred, the 30-day clock starts. The defensible posture is to run the determination work in parallel from day one and not allow the HIPAA timeline to set the cadence for the Florida-resident notice.
Where HIPAA is stricter than Florida
HIPAA wins in several areas:
- Security Rule technical safeguards. The HIPAA Security Rule at 45 CFR Part 164 Subpart C lists 18 standards. FIPA at § 501.171(2) requires only "reasonable measures to protect and secure" data — much less prescriptive. A HIPAA-compliant Security Rule program inherits more granular obligations than FIPA imposes on its face.
- Patient access rights structure. 45 CFR § 164.524 creates a comprehensive federal access right including format, fee, extension, and denial-grounds rules. Florida law at F.S. § 456.057(7) and 64B8-10.003 layers a fee schedule on top but the federal access framework remains the structural backbone.
- Accounting of disclosures. HIPAA at 45 CFR § 164.528 has no FIPA parallel.
- Breach-trigger methodology. HIPAA's four-factor risk assessment is more structured than FIPA's "breach or reason to believe a breach occurred" trigger.
- Annual penalty cap on a per-violation-type basis. HIPAA's 2026 HHS-adjusted $2,190,294 cap per identical violation (45 CFR Part 102) is higher than FIPA's $500,000 statutory maximum, although FIPA accumulates faster on a single incident.
Breach notification timeline
Florida runs notification in parallel with HIPAA:
- F.S. § 501.171(4)(a) individual notice — "as expeditiously as practicable" and no later than 30 days from determination of a breach or reason to believe one occurred. The 30-day clock can be extended an additional 15 days "for good cause" under § 501.171(4)(b) on written notice to the Department of Legal Affairs.
- F.S. § 501.171(3)(a) AG notice — to the Florida Department of Legal Affairs within 30 days when the breach affects 500+ Florida residents. The notice must include synopsis, number of affected residents, services offered, and the consumer notice copy. Departmental contact: [email protected] per the AG's published guidance.
- F.S. § 501.171(5) consumer reporting agency notice — at 1,000+ Florida residents, notice to consumer reporting agencies under 15 U.S.C. § 1681a is required without unreasonable delay.
- HIPAA parallel — 45 CFR § 164.404 60-day individual notice; § 164.408 HHS notice (immediate for 500+; annual roster for under 500).
- Substitute notice under § 501.171(4)(f) when cost exceeds $250,000, affected population exceeds 500,000, or contact info is insufficient.
Florida has an encryption safe harbor at § 501.171(4)(c): notification is not required if, after appropriate investigation and consultation with relevant federal, state, or local agencies responsible for law enforcement, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm. The investigation finding must be documented in writing and maintained for five years. The encryption posture supports that finding — unencrypted exposure rarely supports it.
Penalties and AG enforcement
The numbers:
- Per-day penalty under § 501.171(9)(a) — up to $1,000 per day for the first 30 days following the violation, then $50,000 per 30-day period thereafter (or portion thereof) for up to 180 days. For continuing violations exceeding 180 days, the total cap is $500,000.
- FDUTPA exposure (AG/Department only). Under § 501.171(9)(b), a FIPA violation is also a violation of F.S. Chapter 501 Part II (FDUTPA) — but read with § 501.171(10), which expressly forecloses any private cause of action. The FIPA-as-FDUTPA construction supplies AG and Department enforcement leverage; it does not unlock a private FDUTPA suit premised on the FIPA violation. Independent FDUTPA-actionable conduct (false advertising, separate unfair acts) can still support private claims on its own facts.
- Licensure consequences. Florida Department of Health practitioner licensure boards (Board of Medicine, Board of Nursing, etc.) receive notice of significant data-security failures under F.S. Chapter 456 and may impose separate disciplinary action.
- HIPAA parallel exposure under 45 CFR § 160.404 — OCR Civil Monetary Penalties on the same incident. The Florida AG and OCR coordinate.
- AHCA reporting for licensed facilities under F.S. Chapter 395 — separate from FIPA, but adverse-incident reporting timelines under F.S. § 395.0197 can be triggered by the same data-security event.
The $500,000 FIPA cap is lower than HIPAA's annual maximum ($2,190,294 in 2026), but FIPA exposure compounds faster on a delayed-notice scenario: $1,000/day × 30 days = $30,000, then $50,000 per 30-day period reaches the cap inside seven months. The combination of FIPA + FDUTPA (state enforcement) + HIPAA enforcement makes Florida a multi-front exposure environment for the state.
Compliance checklist for Florida practices
A Florida-specific overlay to a HIPAA program:
- 30-day breach-notification workflow triggering individual notice and AG notice (at 500+ residents) on FIPA's clock — run the HIPAA four-factor analysis in parallel, not in sequence.
- AG notice template ready to file with the Florida Department of Legal Affairs at [email protected], including all § 501.171(3)(a) content elements.
- 15-day extension protocol documented in writing under § 501.171(4)(b) for any breach where the 30-day clock will not realistically support the investigation.
- Florida-compliant fee schedule for patient-record requests — $1.00/page pages 1–25, $0.25/page after page 25, plus a $1.00 search fee and actual reproduction cost for oversize/specialty records, documented for every release under 64B8-10.003(2).
- Five-year practitioner record retention under F.S. § 456.057(13) for adult patients; minor records to age 21 or five years from last contact, whichever is later.
- Seven-year hospital record retention under F.S. § 395.3025 if the practice is licensed as a hospital.
- Disposal protocol under § 501.171(8) — written procedure for shred, erase, or destruction of personal information at end of retention, with a disposal log.
- Encryption posture on every workstation, portable medium, and ePHI-bearing device — supports both HIPAA Security Rule documentation and the § 501.171(4)(c) safe-harbor determination.
- Vendor mapping. § 501.171(7) makes a covered entity responsible for third-party agents' compliance. The HIPAA BAA at 45 CFR § 164.504(e) needs a Florida addendum confirming the agent will support 30-day notification and the AG-notice scope.
- Workers' compensation overlay under F.S. Chapter 440 for any practice that bills WC — separate authorization and reporting timelines apply alongside HIPAA and FIPA.
- Florida-specific workforce training covering FIPA breach triggers, the 30-day clock, and patient-records release rules — layered on standard HIPAA training and documented.
The d3rx compliance binder state-overlay branches on Florida and produces the § 501.171 breach-response workflow, the AG-notice template, the F.S. § 456.057 retention schedule, and the patient-access fee schedule a Florida practice runs alongside its federal HIPAA backbone. It is an administrative documentation aid; the practice and its counsel remain responsible for executing the controls and responding to any Florida AG inquiry under FIPA or FDUTPA.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Florida Healthcare Compliance: FIPA Breach Notification + State Specifics. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Is the FIPA breach window 30 days from discovery or from determination?
From determination. F.S. § 501.171(4)(a) requires notification 'as expeditiously as practicable, but no later than 30 days after the determination of a breach or reason to believe a breach occurred.' That is half of HIPAA's 60-day window at [45 CFR § 164.404(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404). The 30-day clock is short — counsel should be running the four-factor HIPAA analysis under [45 CFR § 164.402](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402) in parallel from day one of incident discovery so determination happens promptly.
Does FIPA apply to my practice if I am located in Georgia but treat Florida residents?
Yes. F.S. § 501.171(1)(b) defines 'covered entity' as 'a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.' The Florida AG has asserted FIPA jurisdiction over out-of-state entities holding Florida-resident data. Telehealth into Florida pulls FIPA in alongside HIPAA.
What is the Florida medical-records retention period?
Florida Statute § 456.057(13) requires licensed health-care practitioners to retain patient records for at least **five years** from the last patient contact. Hospitals retain records for **seven years** under F.S. § 395.3025. Minor patients' records run from the date of last contact OR until the patient reaches age 21, whichever is later. HIPAA at [45 CFR § 164.530(j)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530) imposes a six-year retention on policies and procedures and certain compliance records — not the medical record itself. Florida's medical-records retention is the controlling rule for the chart.
What is the Florida patient-access deadline for medical records?
F.S. § 456.057(7)(a) requires furnishing records to the patient 'in a timely manner.' Florida Board of Medicine rule [64B8-10.003](https://flrules.elaws.us/fac/64b8-10.003) interprets 'timely' as within **30 days** of receipt of a written request — same as HIPAA's [45 CFR § 164.524(b)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524). The Florida fee schedule under 64B8-10.003(2) is more prescriptive than HIPAA's 'reasonable cost-based fee' standard, capping physician copy fees at **$1.00 per page for pages 1–25**, then **$0.25 per page after page 25**, plus actual reproduction cost for oversize or specialty records and a one-time $1.00 search fee.
Does Florida have a healthcare-specific breach statute beyond FIPA?
No single healthcare-specific breach statute — but F.S. § 408.061 imposes confidentiality on patient records held by the Agency for Health Care Administration (AHCA), and licensed facilities under F.S. Chapter 395 carry separate AHCA reporting obligations on certain adverse incidents. The FIPA framework at F.S. § 501.171 is the breach-notification regime for medical practices generally.
Can a Florida patient sue my practice for a FIPA violation?
No private right of action. F.S. § 501.171(10) expressly states that section 'does not establish a private cause of action.' § 501.171(9)(b) deems a FIPA violation to also be a violation of FDUTPA, but the FIPA-as-FDUTPA construction empowers the Florida Department of Legal Affairs (Attorney General) and the Department to enforce — not private plaintiffs. Treat private FIPA-based claims as foreclosed; the practical exposure runs through AG enforcement and any *independent* FDUTPA-actionable conduct.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.404(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404
- Florida Statutes § 501.171https://www.flsenate.gov/Laws/Statutes/2024/501.171
- 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
- 45 CFR Part 164 Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 45 CFR § 164.524https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
- 45 CFR § 164.528https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.528
- § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
- 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
- 45 CFR § 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
California Healthcare Compliance: CMIA + HIPAA — Where They Diverge
9 min readState ComplianceTexas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAA
8 min readState ComplianceNew York SHIELD Act for Medical Practices: The Reasonable Safeguards Standard
9 min readRelated across the archive
- ComplianceCalifornia Healthcare Compliance: CMIA + HIPAA — Where They DivergeCalifornia's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.
- ComplianceNew York SHIELD Act for Medical Practices: The Reasonable Safeguards StandardNY SHIELD Act (Gen. Bus. Law § 899-bb) vs HIPAA for medical practices: reasonable safeguards, expanded breach scope under § 899-aa, 30-day notice outer bound, $250k AG penalty exposure.
- ComplianceTexas HB 300 for Medical Practices: Training, Audits, and What Differs from HIPAATexas HB 300 (Health & Safety Chapter 181) vs HIPAA: broader covered entities, mandatory 90-day training, 15-day EHR access, $1.5M/year AG penalty cap.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- GlossaryePHI (Electronic Protected Health Information)PHI that is created, received, maintained, or transmitted in electronic form.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- StateFlorida healthcare compliance overlayFlorida's FIPA is one of the most aggressive breach statutes in the country, with a 30-day notice clock (with a 15-day discretionary extension on good cause shown to the AG).