Florida Imposes a Ban on Offshoring Storage of Medical Information
On May 8, 2023, Governor DeSantis signed Bill CS/CS/SB 264 amending the Florida Electronic Health Records Exchange Act. Effective July 1, 2023, this new law will require that the offsite storage of certain personal medical information be physically maintained in the continental U.S., U.S. territories, or Canada.
Specifically, Section 408.051 of the Florida Statutes has been amended to require health care providers that utilize certified electronic health record technology to ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, be physically maintained in the continental United States, U.S. territories or Canada.1 This requirement applies to all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted; therefore, entities that currently store qualified electronic health records outside the United States or Canada, including using vendors who may store such records even temporarily, should review their practices in light of the new statutory language.
This law will be applicable to the following Florida licensed providers:
Providers regulated by the Florida Agency for Health Care Administration (“AHCA”) including but not limited to health care clinics, hospitals, home medical equipment providers, nursing homes, home health agencies, adult day care centers, hospices, and ambulatory surgery centers;
Certain licensed health care practitioners including physicians, pharmacists, dentists, chiropractors, podiatrists, naturopathic physicians, physician assistants, acupuncturists, optometrists, registered nurses, advanced practice registered nurses, midwifes, speech-language pathologists, occupational therapists, respiratory therapists, dieticians, orthotists, prosthetists, electrologists, massage therapists, licensed clinical laboratory personnel, medical physicists, opticians, physical therapists, psychologists, clinical social workers, marriage and family therapists, mental health counselors, audiologists, and radiological personnel;
Certain mental health and substance abuse service providers and their clinical and non-clinical staff who provide inpatient or outpatient services;
Licensed continuing care facilities; and
Home health aides.
Providers should review and consult with their vendors to determine where electronic patient information subject to this prohibition is stored and to ensure compliance with these new requirements. If patient information is stored outside of the United States, its territories, or Canada, providers should take action to transfer such information back to the United States, its territories, or Canada prior to July 1, 2023, as well as to confirm that all relevant patient information that may be stored or maintained offshore is destroyed in a secure manner.
Finally, this new law requires providers licensed by AHCA to sign an affidavit at the time of any initial or renewal application to attest under penalty of perjury that they are in compliance with this new offshore storage prohibition.
1 “Certified electronic health record technology” means a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals. Fla. Stat. § 408.051(2)(a).