Florida Law will Ban Offshoring of EHR Patient Data
Effective July 1, 2023, a new Florida law will limit certain health care providers from storing patient information offshore. CS/CS/SB 264 (Chapter 2023-33, Laws of Florida), amends the Florida Electronic Health Records Exchange Act to require health care providers who use certified electronic health record technology to ensure that patient information is physically maintained in the continental United States or its territories or Canada.
The law broadly applies to “all patient information stored in an offsite physical or virtual environment,” including patient information stored through third-party or subcontracted computing facilities or cloud computing service providers. Further, it applies to all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted.
- The new law is limited to health care providers listed below who use “certified electronic health record technology” or CEHRT – a term of art applicable to technology certified to the certification criteria adopted by the U.S. Department of Health and Human Services (HHS): Certain entities licensed by the Florida Agency for Health Care Administration (AHCA), including hospitals, healthcare clinics, ambulatory surgical centers, home health agencies, hospices, home medical equipment providers, nursing homes, assisted living facilities, intermediate care facilities for persons with developmental disabilities, laboratories authorized to perform testing under the Drug-Free Workplace Act, birth centers, abortion clinics, crisis stabilization units, short-term residential treatment facilities, residential treatment facilities, residential treatment centers for children and adolescents, nurse registries, companion services or homemaker services providers, adult day care centers, adult family-care homes, homes for special services, transitional living facilities, prescribed pediatric extended care centers, healthcare services pools, and organ, tissue, and eye procurement organizations;
- Certain licensed health care practitioners, including physicians, physician assistants, anesthesiologist assistants, pharmacists, dentists, chiropractors, podiatrists, naturopathic physicians, nursing home administrators, optometrists, registered nurses, advanced practice registered nurses, psychologists, clinical social workers, marriage and family therapists, mental health counselors, physical therapists, speech language pathologists, audiologists, occupational therapists, respiratory therapists, dieticians, orthotists, prosthetists, electrologists, massage therapists, licensed clinical laboratory personnel, medical physicists, genetic counselors, opticians, certified radiologic personnel, and acupuncturists;
- Licensed pharmacies;
- Certain mental health and substance abuse service providers and their clinical and nonclinical staff who provide inpatient or outpatient services.
- Licensed continuing care facilities; and
- Home health aides.
Currently, the HHS certification program includes inpatient EHRs for hospitals and ambulatory EHRs for eligible health care providers, the only provider types eligible to participate in the Centers for Medicare and Medicaid Services (CMS) payment programs requiring CEHRT. While other health care providers such as ambulatory surgery centers, pharmacies, long-term post-acute care providers, home health and hospice are not eligible to participate in those CMS payment programs, they arguably fall within the scope of the Florida offshoring prohibition if they “utilize” CEHRT. Further, given its broad language, the statute could technically be read as covering all patient information stored by a health care provider utilizing CEHRT, even if that patient information is stored in an application that is not so certified.
The new law also amends Florida’s Health Care License Procedures Act to require entities submitting an initial or renewal licensure application to AHCA to sign an affidavit attesting under the penalty of perjury that the entity is in compliance with the new requirement that patient information be stored in the continental United States or its territories or Canada. Entities licensed by AHCA must remain in compliance with the data storage requirement or face possible disciplinary action by AHCA.
Furthermore, the new law requires an entity licensed by AHCA to ensure that a person or entity who possesses a controlling interest in the licensed entity does not hold, either directly or indirectly, an interest in an entity that has a business relationship with a “foreign country of concern” or that is subject to section 287.135, Florida Statutes, which prohibits local governments from contracting with certain scrutinized companies.