64K-1.005. Privacy of Controlled Substance Prescription Dispensing Information  


Effective on Wednesday, December 11, 2019
  • (1) Breaches in database security discovered by the program manager or support staff must be reported to the Department’s Chief Privacy Officer immediately upon discovery of the breach. Any system user who suspects or becomes aware of a breach in security must report the suspected or actual breach to the program manager or support staff as soon as possible, but no later than one business day after discovery.

    (2) The program manager or support staff will notify the agency administrator by email each time a request for information is made by an agency authorized user.

    (3) Information from the database disseminated in any form by the program to any entity is considered protected health information, and the use of it is governed by any and all applicable state and federal laws. All information accessed or provided to an authorized agency, entity, or individual shall be labeled “CONFIDENTIAL: This information obtained from E-FORCSE® contains confidential controlled substance prescription dispensing information. Release or disclosure of confidential and exempt information may be a third degree felony.”

    (4) Each registered agency shall be accountable for all confidential and exempt information received by authorized users. The agency shall have an auditable, continuous chain of custody record of the receipt and transfer of confidential and exempt information. When confidential and exempt information is transferred from one agency to another during the transaction of official business, the receiving agency shall maintain the confidential and exempt information in the same manner.

    (5) It is unlawful to access or request information for a prohibited purpose or to disclose or release confidential or exempt information. Failure to comply with section 893.0551(5), F.S., may result in suspension of access to the database. The program manager will notify agency administrators of any alleged failure to comply. Agency administrators must investigate the alleged compliance failure and report its findings to the program manager immediately. Access privileges may be reinstated upon request in writing to the program manager who shall determine if the investigation is complete and reinstatement is appropriate. Prior to reinstatement the suspended user must submit proof of completion of the “E-FORCSE® Information Security and Privacy Training Course,” effective 1/2015, incorporated by reference and available at http://www.flrules.org/Gateway/reference.asp?No=Ref-06464, within the last 30 days to the program manager.

    (6) All information released by an authorized user to a criminal justice agency shall have all information that is not the subject of the active investigation redacted by the authorized user prior to release.

    (7) To prevent inadvertent release or disclosure of the confidential and exempt information in the database, pharmacists, prescribers and dispensers should avoid downloading and printing information from the database.

    Rulemaking Authority 893.055 FS. Law Implemented 893.055, 893.0551 FS. History–New 11-24-11, Amended 2-17-16, 12-11-19.