June 22, 2023

Volume XIII, Number 173


June 22, 2023

Subscribe to Latest Legal News and Analysis

June 21, 2023

Subscribe to Latest Legal News and Analysis

June 20, 2023

Subscribe to Latest Legal News and Analysis

Florida Imposes a Ban on Offshoring Storage of Medical Information

On May 8, 2023, Governor DeSantis signed Bill CS/CS/SB 264 amending the Florida Electronic Health Records Exchange Act. Effective July 1, 2023, this new law will require that the offsite storage of certain personal medical information be physically maintained in the continental U.S., U.S. territories, or Canada.

Specifically, Section 408.051 of the Florida Statutes has been amended to require health care providers that utilize certified electronic health record technology to ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, be physically maintained in the continental United States, U.S. territories or Canada.1 This requirement applies to all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted; therefore, entities that currently store qualified electronic health records outside the United States or Canada, including using vendors who may store such records even temporarily, should review their practices in light of the new statutory language.

This law will be applicable to the following Florida licensed providers:

  • Providers regulated by the Florida Agency for Health Care Administration (“AHCA”) including but not limited to health care clinics, hospitals, home medical equipment providers, nursing homes, home health agencies, adult day care centers, hospices, and ambulatory surgery centers;

  • Certain licensed health care practitioners including physicians, pharmacists, dentists, chiropractors, podiatrists, naturopathic physicians, physician assistants, acupuncturists, optometrists, registered nurses, advanced practice registered nurses, midwifes, speech-language pathologists, occupational therapists, respiratory therapists, dieticians, orthotists, prosthetists, electrologists, massage therapists, licensed clinical laboratory personnel, medical physicists, opticians, physical therapists, psychologists, clinical social workers, marriage and family therapists, mental health counselors, audiologists, and radiological personnel;

  • Pharmacies;

  • Certain mental health and substance abuse service providers and their clinical and non-clinical staff who provide inpatient or outpatient services;

  • Licensed continuing care facilities; and

  • Home health aides.

Providers should review and consult with their vendors to determine where electronic patient information subject to this prohibition is stored and to ensure compliance with these new requirements. If patient information is stored outside of the United States, its territories, or Canada, providers should take action to transfer such information back to the United States, its territories, or Canada prior to July 1, 2023, as well as to confirm that all relevant patient information that may be stored or maintained offshore is destroyed in a secure manner.

Finally, this new law requires providers licensed by AHCA to sign an affidavit at the time of any initial or renewal application to attest under penalty of perjury that they are in compliance with this new offshore storage prohibition.

1 “Certified electronic health record technology” means a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals. Fla. Stat. § 408.051(2)(a).

© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume XIII, Number 171

About this Author

Romain Balard Miami Healthcare Attorney Polsinelli

Romain Balard is an Associate in Polsinelli's Health Care Alignment and Organization practice. Romain focuses on complex regulatory, operational, and transactional matters. Romain regularly advises health care related businesses and organizations on regulatory and transactional matters, including:

  • General regulatory compliance

  • Compliance with the Stark Law and the Anti-Kickback Statute

  • Licensure issues

  • Medicare and Medicaid...

 Marisa Rodriguez Wilson Miami Healthcare Attorney Polsinelli

Marisa Rodriguez Wilson is a Shareholder at Polsinelli's Miami office. She represents health care providers and other health care industry entities at both the state and federal level. With a wide-range of experience, Marisa successfully advises clients in with operational and compliance issues, complex regulatory matters and licensing matters. She provides guidance on Medicare, Medicaid, Medicare Advantage and other managed care related matters. Marisa also assists in the sale and purchase of health care entities.

Marisa’s previous experience...