Compliance Requirements: Florida

Practical guidance for healthcare teams and business associates

Florida healthcare providers must follow two compliance frameworks. Federal HIPAA sets national standards, and Florida has stricter privacy and breach-notice laws. This guide explains both layers, where they diverge, and what your practice must do to satisfy both.

Florida Quick Take

HIPAA is the base rule. Florida adds more steps. If a breach affects 500 or more Florida residents, notify the state within 30 days. Notify patients as soon as you can. Keep records for the required period. Train staff. Sign BAAs. Use MFA. Keep proof. Review the plan each year. These steps keep your team ready.


Federal HIPAA in Florida: The Basics

HIPAA applies to covered entities and business associates across the country, including Florida healthcare providers that transmit health information electronically. The three core rules are the Privacy Rule, the Security Rule, and the Breach Notification Rule. Together they set the minimum compliance standard for every covered entity. Florida state law then adds duties that your practice must also satisfy.

Key federal rules every Florida provider must meet:

  • Conduct and document an annual security risk assessment under 45 CFR §164.308(a)(1)
  • Implement admin, physical, and technical safeguards for all ePHI
  • Execute signed Business Associate Agreements (BAAs) with all vendors that handle PHI
  • Provide individual breach notices within 60 days of discovery (45 CFR §164.404)
  • Notify HHS within 60 days for breaches affecting 500 or more people

Florida State Privacy Laws Healthcare Providers Must Know

Florida has four state statutes that add to HIPAA rules. Each statute creates its own rules, even if you follow HIPAA.

Florida Information Protection Act (FIPA) — §501.171

FIPA is Florida's main data breach law. It applies to any organization that collects, stores, or uses personal information from Florida residents. That term includes medical history, health insurance information, and biometric data. Key FIPA duties for healthcare providers:

  • 30-day breach notice to Florida AG: If a breach affects 500 or more Florida residents, the organization must notify the Florida Attorney General within 30 days. HIPAA gives up to 60 days, so the Florida deadline is stricter.
  • Individual notice: Affected Florida residents must be told as soon as possible. Do not delay without a good reason.
  • AG notice content: Tell the AG what happened, how many people were affected, what help you offered, and who the AG can contact. Include a copy of the notice sent to patients.
  • Civil penalties: Violations can result in civil penalties up to $500,000 per breach incident, enforced by the Florida AG.

Florida Medical Records Act

Florida's Medical Records Act sets rules for record retention, patient access, and record release. Key points:

  • Retention: Medical records must be retained for at least 5 years from the date of the last patient contact, or until the patient reaches age 21 — whichever is later. Pediatric records often need to be kept longer than HIPAA's 6-year documentation standard.
  • Written authorization required: In most cases, records may be released to third parties only with written patient approval. Treatment, payment, and operations have specific exceptions.
  • Copy fees regulated: Florida law caps the fees providers may charge for reproducing medical records. As of 2025, providers may charge up to $1.00 per page for the first 25 pages, $0.25 per page thereafter, plus reasonable costs for retrieval and certification.
  • Patient access timeframe: Providers must respond to record access requests within a reasonable time; Florida courts have interpreted this as generally within 30 days.

HIV/AIDS Privacy Law — §381.004

Florida's HIV/AIDS privacy statute is among the most protective in the country. Key rules:

  • Written informed consent is required before HIV testing
  • HIV test results may be shared only with the patient, treating providers directly involved in the patient's care, and certain parties listed in the statute. In limited cases, this includes the Department of Health.
  • Wrongful sharing of HIV test results is a first-degree misdemeanor under Florida law.
  • These protections apply in addition to the HIPAA Privacy Rule. The standard HIPAA treatment, payment, and operations exceptions do not override them.

Mental Health Records: Florida Baker Act Provisions

The Florida Mental Health Act (commonly called the Baker Act, §394.451 et seq.) gives extra privacy protection to people who receive mental health evaluation or treatment. Baker Act records:

  • May be shared only with patient consent or under a specific legal exception, such as a court order or emergency.
  • Do not follow the usual HIPAA treatment-and-operations disclosure rules.
  • Must often be kept separate from general medical records.

Providers should train staff on the difference between Baker Act privacy rules and standard HIPAA permissions.

Florida Breach Notice Rules

Florida providers that face a data breach must manage two notice tracks. Each one has a different deadline. If you miss the shorter FIPA deadline, you can still violate Florida law even if you meet HIPAA's timeline.

FIPA: 30-Day AG Notice for Large Breaches

If a breach affects 500 or more Florida residents, FIPA requires the following actions:

  1. Day 0: Breach discovered
  2. As soon as possible: Begin forensic investigation and risk assessment
  3. Within 30 days: Notify the Florida Attorney General's office (submit via the FL AG online portal)
  4. Without unreasonable delay: Notify all affected Florida residents

For breaches affecting fewer than 500 Florida residents, AG notice is not required, but individual notice remains mandatory without unreasonable delay.

Florida AG Notice Rules

The Florida AG notice must be submitted online at myfloridalegal.com. It must include:

  • A description of the incident, including dates of breach and discovery
  • The type of personal information involved
  • The number of Florida people affected
  • Steps taken to contain the breach
  • Services offered to affected people (credit monitoring, etc.)
  • Contact information for the reporting entity

HHS Notice Under HIPAA: Aligning the Timelines

For a breach that affects 500 or more Florida residents, providers must manage several deadlines at once:

  • FIPA AG notice: 30 days from breach determination. This is the strict deadline.
  • HIPAA notice to people: 60 days from discovery.
  • HIPAA notice to HHS: 60 days from discovery when 500 or more people are affected.
  • HIPAA media notice: 60 days from discovery when 500 or more residents of one state are affected.

Practical guidance: Start the HIPAA four-factor risk review as soon as you find a breach. If the assessment confirms a reportable breach, start FIPA AG notice preparation in parallel. Do not wait for the HIPAA analysis to conclude before initiating FIPA compliance steps.

HB 1547 and Florida Digital Health

In 2023, Florida passed House Bill 1547, which updates rules for telehealth platforms and health information exchanges. These changes will take effect in 2024. Key points for HIPAA compliance:

  • Florida telehealth platforms must use security controls that meet HIPAA and Florida digital health rules.
  • Health data exchanges with Florida resident data must follow state data rules and HIPAA sharing rules.
  • Providers should confirm that BAAs cover Florida duties, not only federal HIPAA duties.

HIPAA Compliance for Florida Telehealth Providers

Florida has become a leading state for telehealth services. Florida's SB 312 expanded telehealth practice rights for Florida-licensed providers in 2019. Telehealth programs must meet these compliance rules:

  • Platform security: Any telehealth platform that sends or receives ePHI for Florida patients must meet HIPAA technical safeguard rules. This includes encryption in transit and at rest.
  • BAAs with telehealth vendors: Every telehealth platform provider is a business associate. A signed BAA should be in place before patient sessions begin.
  • FIPA applicability: Telehealth sessions create ePHI covered by FIPA. A cyber incident involving session data may be reportable under both HIPAA and FIPA.
  • Out-of-state providers: Out-of-state providers may fall under FIPA when they treat Florida residents by telehealth.

HIPAA Penalties in Florida (2025 Updated Rates)

Florida healthcare providers face penalties from two enforcement bodies:

Federal OCR Enforcement

HHS Office for Civil Rights enforces HIPAA with four penalty tiers (2025 inflation-adjusted amounts):

  • Tier 1 — Lack of awareness: $141 – $71,162 per violation
  • Tier 2 — Reasonable cause: $1,424 – $71,162 per violation
  • Tier 3 — Willful neglect, corrected: $14,308 – $71,541 per violation
  • Tier 4 — Willful neglect, not corrected: $71,162 – $2,134,831 per violation

Florida AG Enforcement (FIPA)

  • Civil penalties up to $500,000 per breach incident
  • Additional penalties for each day the AG notice requirement is violated beyond the 30-day deadline
  • The Florida AG has authority to bring action in circuit court and seek injunctive relief

Florida HIPAA Compliance Checklist

Use this checklist to verify your organization meets both federal HIPAA and Florida state rules:

  • Annual HIPAA security risk assessment completed, with results documented
  • Signed BAAs in place with vendors that handle PHI, including telehealth, EHR, and cloud vendors
  • Breach response plan updated for the FIPA 30-day AG notice deadline and submission steps
  • Medical records retention schedule meets Florida rules: 5 years minimum, or age 21 for minors
  • Staff trained on HIV/AIDS privacy (§381.004) and Baker Act record restrictions
  • Telehealth platforms verified for HIPAA compliance, with signed BAAs
  • FIPA notice-to-AG procedure documented, with a named owner
  • MFA and encryption active for all systems that contain ePHI
  • Staff training completed and documented in the past 12 months
  • Notice of Privacy Practices current and given to all new patients

Frequently Asked Questions

Does Florida have its own health privacy law beyond HIPAA?

Yes. The Florida Information Protection Act (FIPA, §501.171) adds breach notice rules. Large breaches have a 30-day deadline, which is stricter than HIPAA's 60-day rule. Florida also has the Medical Records Act (§456.057) governing records access, retention, and copy fees, and separate privacy laws for HIV/AIDS test results (§381.004) and mental health records under the Baker Act (§394.451).

How quickly must Florida healthcare providers notify patients of a breach?

HIPAA requires individual notice within 60 calendar days of breach discovery. Florida's FIPA requires notice to the Florida Attorney General within 30 days if the breach affects 500 or more Florida residents. The 30-day FIPA deadline is the controlling timeline for large breaches involving Florida residents — you cannot wait the full 60 days that HIPAA allows.

What are Florida's medical records retention rules?

Under §456.057, Florida healthcare practitioners must keep medical records for at least 5 years after the last patient contact. For minors, records may need to be kept until the patient turns 21. This applies to both paper and electronic records. HIPAA separately requires retaining HIPAA-related policies and documentation for 6 years from creation or last effective date.

Are Florida telehealth providers subject to both HIPAA and FIPA?

Yes. Florida-licensed providers who offer telehealth to Florida residents must follow HIPAA for ePHI. They must also follow FIPA for breach notices. Florida's telehealth statutes (expanded by SB 312) do not create HIPAA exemptions — all standard HIPAA safeguards apply. Additionally, out-of-state providers treating Florida residents via telehealth are subject to FIPA's breach notice rules.

Who enforces healthcare privacy in Florida?

Federal HIPAA is enforced by the HHS Office for Civil Rights (OCR). Florida's FIPA and Medical Records Act are enforced by the Florida Attorney General's office. The Florida Department of Health enforces licensing rules for practitioners, including record-keeping duties under the Medical Practice Act. Both enforcement bodies may act independently — an OCR settlement does not preclude a separate FIPA action by the Florida AG.

Conclusion

Florida healthcare providers face a dual compliance burden: federal HIPAA sets the floor, and Florida state law — particularly FIPA's 30-day breach notice timeline — raises the bar in key areas. The most common failure point is not HIPAA itself, but the FIPA obligation that runs on a shorter clock. Build your breach response plan around the 30-day FIPA deadline, and HIPAA compliance will follow naturally. One Guy Consulting helps Florida healthcare organizations implement both layers correctly. Book a consultation today.


Need help building a Florida-compliant HIPAA program? One Guy Consulting provides practical HIPAA guidance for covered groups and business partners across Florida. Book a consultation · HIPAA consulting services