Florida Bans Offshore Storage of Electronic Health Records
In May 2023, the Florida Legislature passed an update to the Florida Electronic Health Records Exchange Act that prohibits healthcare providers that use certified health record technologies from storing electronic health records outside the United States, its territories, or Canada. On May 8, 2023, Governor Ron DeSantis of Florida signed the update into law.
The ban also covers patient information stored through a third-party or subcontracted computing facility or cloud computing service, which must similarly maintain the data in the continental United States, its territories, or Canada. When the ban takes effect it will no longer be possible to use overseas vendors that do not store patient data in the United States, its territories, or Canada. All healthcare providers covered by the Florida Electronic Health Records Exchange Act must comply with the updated law by July 1, 2023.
“Certified electronic health record technology” is defined as “a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act, which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.”
“Qualified electronic health record” is defined as “an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Covered healthcare providers include hospitals, ambulatory surgery centers, pharmacies, home health agencies, hospices, laboratories, mental health treatment facilities, substance abuse services, and licensed healthcare providers such as physicians, nurses, dentists, therapists, podiatrists, and massage therapists, therefore, the update applies to HIPAA-regulated entities and also healthcare practitioners that are not covered under HIPAA.
Healthcare providers should conduct an audit to confirm the locations where health records are stored to ensure that they are compliant. If a cloud vendor is used to store patient information, data centers must be located in the specified regions. If contracted third parties are used to provide support services such as managed service providers, IT support companies, scheduling support providers, and other vendors, they, along with any subcontractors they use, should be prohibited from storing patient information outside of the United States, its territories, or Canada. These restrictions will need to be reflected in contracts, business associate agreements, and data processing agreements. If an audit confirms patient data is stored in prohibited locations, steps should be taken to move patient data to a compliant storage location ahead of the compliance deadline.