On July 1, 2023, a new Florida law affecting electronic health records (EHR) comes into effect. The law broadly prohibits healthcare providers from storing protected health information (PHI) outside of the United States or Canada. The bill, which was signed into law by Governor Ron DeSantis on May 8, 2023, amends the Florida Electronic Health Records Exchange Act to require most medical providers, including behavioral health providers and administrators, to ensure patient data is stored in the United States or Canada. This is important to understand and comply with, as the law requires an affidavit attesting to compliance under penalty of perjury, and the law is broadly written to include cloud computing, subcontractors, and other third parties.
Background of Florida’s Ban on Offshore Health Record Storage
The new law is part of Florida Senate Bill 264 (2023 legislative session) that is more widely known for blocking land ownership rights for citizens of China and several other countries. The stated purpose is to address threats from foreign nations, businesses, and individuals. Lesser known is that portions of SB264 amend Florida Statute 408.051(3) to prohibit PHI from being stored or accessed outside the United States or Canada, for the purpose of preventing unlawful access or use of such data by foreign agents. This presents a new compliance requirement that may be important for data security and patient privacy.
Implications for Behavioral Health Providers
Due to the broad nature of the law, there are several urgent implications for behavioral health providers, as well as for most other providers in Florida.
Data Security and Patient Privacy
The ban extends to third-party contractors with access to PHI, including information technology support vendors, cloud computing storage vendors such as Amazon Web Services, electronic health records (EHR) software platforms, data entry/transcription subcontractors, call centers, chat and telehealth subcontractors, and so forth. This may enhance data security by preventing the storage of sensitive health records outside the United States and Canada, which could prevent certain data breaches and unauthorized access to patient information. At the same time, it introduces new burdens on providers to investigate and monitor the software and vendors they are using for compliance, above and beyond HIPAA requirements.
Compliance with State Regulations
The ban will be implemented within Florida’s regulatory framework for healthcare data management through a new affidavit that licensed healthcare providers must sign upon initial application or renewal, attesting compliance with the new law under penalty of perjury. The Florida Agency for Healthcare Administration will investigate violations and may bring disciplinary action against healthcare providers’ licenses. Notably, the law puts the burden of compliance on healthcare providers, not technology vendors, requiring providers to review their data storage practices to ensure compliance with the prohibition. This adds new reputational and career risks to practicing in Florida.
Florida EHR Law Considerations for Behavioral Health Administrators
Behavioral health administrators must ensure compliance with the law, or else they are putting their careers and firms in jeopardy. Some providers, such as Amazon Web Services, allow choosing the country in which data is stored and processed, so it is important to update these choices before July 1, 2023. Other technology service providers may be unable to store data in the United States or Canada, necessitating costly and confusing changes of software and vendors.
Unfortunately, there is legal confusion over the scope of the new law’s definition of “certified electronic health record technology,” or CEHRT. One analysis laments that this is a federal certification applying only to specific providers such as inpatient EHRs for hospitals and ambulatory EHRs, but the law may be construed much more broadly and has not been tested in court. Finally, as the law has not taken effect as of this writing, it remains to be seen how consistently and vigorously it is enforced.
Reviewing Data Storage Contracts and Partnerships
Florida healthcare providers should review contracts with third-party vendors to ensure compliance with this prohibition and update the terms if needed. Inquiries may need to be made about the location of data storage and security measures implemented by vendors. Although it is ultimately the responsibility of the healthcare provider to ensure compliance, providers may want to have a paper trail and contractual language requesting and requiring all vendors to comply with the law, in case they are investigated by the Florida Agency for Healthcare Administration.
Implementing Secure Data Storage Practices
Administrators should establish secure data storage solutions that prioritize patient privacy and data security, as they already do for HIPAA compliance. It is possible that some administrators may choose to comply with the law by storing PHI on-site, although this presents its own potential problems. Contracting with local vendors and compliance consultants may be of use. At all times, cloud-based platforms that store PHI must use servers located in the United States or Canada. Providers who operate across state lines may find it simplest to ensure that all their PHI is located within the United States or Canada.
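The two concrete technical steps the article points at (choosing the storage country in a cloud platform such as Amazon Web Services, and confirming that PHI-bearing servers sit in the United States or Canada) can be turned into a repeatable control. The following Python is an added example, not code from the article or from any vendor; it treats "United States or Canada" as an allowlist of AWS regions (an assumption; the statute does not name regions, and the list should be verified against the current AWS region table), builds an AWS Organizations service control policy that denies requests routed outside that allowlist, and audits a constructed sample S3 bucket inventory for buckets outside it. The bucket names and locations are made up for illustration.

```python
"""Added example (not from the article): a data-residency check for AWS that
treats the article's "United States or Canada" rule as an allowlist of AWS
regions.  The region list and the sample inventory are assumptions constructed
for illustration; whether a given region satisfies the statute is a question
for your own compliance review."""
import json

# Assumption: commercial and GovCloud regions physically located in the United
# States and Canada.  Verify against the current AWS region list before relying
# on this set.
ALLOWED_REGIONS = frozenset({
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
    "us-gov-east-1", "us-gov-west-1",
    "ca-central-1", "ca-west-1",
})

# Global (non-region-scoped) services must be exempted from a region-deny
# policy, otherwise console sign-in and IAM administration break.  This list
# follows the pattern in AWS's published example policy; trim or extend it for
# your own account.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "route53:*", "cloudfront:*",
    "sts:*", "support:*", "budgets:*", "health:*",
]


def build_region_restriction_scp():
    """Return an AWS Organizations service control policy (as a dict) that
    denies any request whose target region is outside ALLOWED_REGIONS, using
    the aws:RequestedRegion global condition key.  Attached at the OU level
    this blocks creating new PHI-bearing resources offshore; it does not move
    data that already exists elsewhere, so pair it with the audit below."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRequestsOutsideUSAndCanada",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": sorted(ALLOWED_REGIONS)
                }
            },
        }],
    }


def find_offshore_buckets(inventory):
    """inventory maps bucket name -> region string as returned by the S3
    GetBucketLocation call.  That call reports None (LocationConstraint
    absent) for the legacy us-east-1 region, so the empty value is normalised
    here; a naive comparison would wrongly flag those buckets as unknown.
    Returns a sorted list of (bucket, region) pairs outside the allowlist."""
    offending = []
    for bucket, location in inventory.items():
        region = location or "us-east-1"
        if region not in ALLOWED_REGIONS:
            offending.append((bucket, region))
    return sorted(offending)


# Constructed sample inventory.  A real run would populate this from
# s3.list_buckets() followed by s3.get_bucket_location() for each bucket.
SAMPLE_INVENTORY = {
    "phi-claims-archive": "us-east-2",
    "phi-intake-forms": None,             # legacy us-east-1 reply
    "telehealth-recordings": "eu-west-1",
    "transcription-dropbox": "ap-southeast-1",
    "billing-exports": "ca-central-1",
}

if __name__ == "__main__":
    print(json.dumps(build_region_restriction_scp(), indent=2))
    for bucket, region in find_offshore_buckets(SAMPLE_INVENTORY):
        print(f"NONCOMPLIANT: {bucket} is in {region}")
```

The policy is a preventive control against new offshore resources; the audit function is the detective control for what is already deployed, and its output is the kind of dated evidence worth keeping alongside the vendor contracts and the compliance affidavit. Neither addresses the other half of the statute's wording, access to PHI from outside the United States or Canada by support staff or subcontractors, which still has to be handled through vendor agreements and access reviews.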
Staff Training and Awareness
Staff members should be educated about this new Florida EHR law and the significance of data security and patient privacy. Behavioral health practices may want to establish a point person who must approve any new vendors for data storage or handling. If best practices such as avoiding sending PHI via email and using the provider’s approved HIPAA-compliant EHR software are being followed, then the software may only need to be evaluated for where it stores PHI files.
Adhering to Florida’s new ban on offshore health record storage will help avoid unwanted scrutiny and adverse action while potentially improving data security and patient privacy. Over time, this may become easier as technology vendors advertise compliance with Florida law as a selling point, or some may choose to stop doing business in Florida altogether. Regardless, the amended Florida Electronic Health Records Exchange Act puts the burden of compliance on you as a healthcare administrator or provider.