3.3 · Operations
Florida Specifics
Florida adds its own stack of laws and regulations on top of federal HIPAA, and an ABA consulting practice operating in Florida has to satisfy both layers. This page covers what stacks on top of HIPAA for Florida specifically.
HIPAA versus FIPA at a glance
Florida’s breach notification law is faster than the federal one. Any breach response plan tuned for Florida residents has to be tuned to the shorter clock.
| Question | HIPAA (federal) | FIPA (Florida) |
|---|---|---|
| Time to notify affected individuals | Within 60 days of discovery | Within 30 days of discovery |
| Threshold to notify a regulator | 500 or more residents | 500 or more Florida residents |
| Regulator notified | HHS Office for Civil Rights | Florida Department of Legal Affairs |
| Which clock applies when both do | FIPA wins | Plan to 30 days |
The Florida regulatory stack
| Source | What it requires |
|---|---|
| Florida Information Protection Act (FIPA) | Breach notification within 30 days of discovery. Notification of the Florida Department of Legal Affairs when 500 or more Florida residents are affected. |
| Agency for Health Care Administration (AHCA) | Oversees Florida health care providers, including ABA clinics on Florida Medicaid. Audits look for documented policies, dated versions, training records, and operation under the current Medicaid Provider Handbook for Behavior Analysis Services. |
| Florida Medicaid Provider Manual for Behavior Analysis Services | Documentation requirements that are stricter in places than those of commercial payors. Session notes, supervision documentation, parent training, and authorization paperwork have specific format and content requirements. The manual changes over time, so clinics need a documented process to know which version is in effect on a given date. |
| Florida Behavior Analysis Certification Board rules | Practitioner-level rules covering conduct, supervision ratios, scope of practice, and discipline. Apply at the individual clinician level. Referenced in the handbook chapters that describe BCBA and RBT responsibilities. |
| Florida Statutes Chapter 456 | General Florida health professions law. Covers patient access to records, retention periods, and confidentiality requirements that apply alongside HIPAA. Retention requirements can extend longer than HIPAA’s six years for certain record types. |
What this means for the platform
| Requirement | How the platform supports it |
|---|---|
| Florida-cited policy content | Every policy chapter cites Florida sources, not generic national ones. A clinic using the binder does not have to reinterpret a California policy for Florida. |
| Audit-ready evidence | The clinic can produce, on demand, the policy in effect on a given date, the staff who acknowledged it, and the evidence that training happened. |
| 30-day breach response | For Protected Health Information workloads, the Incident Response Runbook is tuned to the FIPA 30-day clock rather than HIPAA’s 60. |
| Records retention | Defaults to the longer of the applicable Florida requirement and HIPAA’s six years. |
For clinics in other states
As the platform expands beyond Florida, each new jurisdiction will need its own version of this page. The federal HIPAA layer stays the same; the state stack changes. We will add state-specific pages as we onboard the first clinic in each new state, rather than speculating about every state up front.