New Regulations in Effect July 1st Impact Florida Healthcare Providers Storage of Electronic Health Records
Trish Thomas, Advantum Health
In May of 2023, the Florida Legislature passed an amendment to the Florida Electronic Health Records Exchange Act that prohibits certain healthcare providers from storing electronic health records offshore. On May 8th, Governor DeSantis signed the update into law.
Effective July 1st, 2023, the new law (CS/CS/SB 264, Chapter 2023-33, Laws of Florida) amends the Florida Electronic Health Records Exchange Act, requiring healthcare providers who use certified electronic health record technology to ensure that patient information is physically maintained in the continental United States, U.S. territories or Canada.
The new regulations cover patient information stored through third-party or subcontracted computing facilities and cloud computing services, so Florida healthcare providers must ensure that their vendors – whether offshore or onshore – similarly maintain patient data in compliance with the law.
The ban on offshoring health information is stricter than HIPAA and other health privacy and security laws. Florida healthcare licensees subject to the regulations must attest upon initial licensure and future renewals that they are in compliance with the new requirements.
Impacted providers include, but are not limited to:
- Hospitals
- Clinics
- Ambulatory surgical centers (ASCs)
- Labs
- Pharmacies
- Home health agencies
- Hospices
- Nursing homes
Individual practitioners subject to the law include, but are not limited to:
- Physicians
- Physician assistants (PAs)
- Registered nurses
- Pharmacists
- Dentists
- Chiropractors
- Podiatrists
- Behavioral health providers
- Licensed therapists (i.e. physical, respiratory, occupational)
- Speech-language pathologists
- Audiologists
The new Florida law applies specifically to healthcare providers who use “certified electronic health record technology”, or CEHRT, which meets federal interoperability standards.
What should you do if you are subject to the new regulations?
Advantum suggests the following approach:
- Verify that you are subject to the new Florida HIPAA offshoring law.
- Confirm all locations and vendors throughout your operations that store patient records.
- Conduct an audit to confirm the locations where your health records are stored to ensure that they are compliant. This includes your internal storage of patient records as well as third party vendors and cloud storage providers.
- Validate compliance with your vendors and partners. If patient information is stored by a cloud vendor, their data centers must be located within the approved regions. If contracted third parties are used to provide managed services or IT support, they, along with any subcontractors they use, must be prohibited from storing patient information outside of the United States, its territories, or Canada.
- Update your contracts and agreements to reflect that compliance with the new law is mandatory.
- If the audit confirms that patient data is stored in prohibited locations, take immediate steps to move patient information to a compliant storage location.
Health care providers who are subject to the law and are non-compliant are subject to disciplinary action by Florida’s Agency for Health Care Administration, the agency that regulates health care licenses in Florida.
Advantum Health clients can rest assured that their healthcare records are completely compliant. Advantum stores all electronic patient health information in the U.S. on highly secure servers with redundant backup.