3 Days left! 50% off + FREE Books on select certification training ends 8/31 |  Save Now

Florida Moves to Strengthen ePHI Safeguards

Florida Moves to Strengthen ePHI Safeguards

Do you know where your patient electronic data is stored?

Legislature recently signed by Florida Governor Ron DeSantis amends the Florida Electronic Health Records Exchange Act (the Act) to reinforce the security of state residents’ electronic protected health information (ePHI). Although well-meaning, the law puts yet another level of risk on healthcare providers’ shoulders.

Know the Law for ePHI

Effective July 1, 2023, all healthcare providers required to uphold HIPAA regulations and licensed under Florida law will be prohibited from using certified electronic health record technologies (CEHRT) owned or operated outside of the United States to store patient records. The law specifically states:

“In addition to the requirements in 45 C.F.R. part 160 and subparts A and C of part 164, a health care provider that utilizes certified electronic health record technology must ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental Untied States or its territories or Canada.”

The ban extends to any offshore entity that can retrieve, access, or transmit EHR data in the United States.

Immediate Action Required

Robert A. Pelaia, Esq., CPC, CPCO, Deputy General Counsel, University of South Florida and a member of AAPC’s Legal Advisory Board said, “Healthcare entities need to carefully review this legislation because it is very definition driven. The new law applies to certain types of delineated healthcare providers who use ‘certified electronic health record technology’ or CEHRT.”

Prevent Repercussions

Providers will be required to sign an affidavit when applying for or renewing their license to practice medicine in Florida, attesting that they are in compliance with this law. This could be extremely difficult because compliance requires providers to know where their patients’ ePHI is at all times.

Pelaia warns, “The state of Florida has made it clear: Healthcare providers must ensure that their patient information, regardless of whether the data is in the cloud or a third-party computing facility, is stored in the continental United States or its territories or Canada. This new Florida requirement impacts nearly all licensed providers in the state, and the compliance burden is on the providers – not the digital health technology vendors. If your patient information is physically maintained outside the United States or Canada, you must start transitioning the data in advance of the law’s effective date of July 1, 2023, or you risk possible disciplinary action by AHCA [Florida Agency for Healthcare Administration].”

A provider who commits a violation of this law is “acting as a foreign agent,” according to the Florida statute, which is a felony of the first degree.

Sutton, M. The National Law Review, Florida Bans Offshoring of Certain Patient Information, May 25, 2023

2016 Florida Statutes, Title XXIX, Chapter 408, Section 408.051

 CS/CS/SB 264 (Chapter 2023-33, Laws of Florida)

Renee Dustman
Follow me
Latest posts by Renee Dustman (see all)

About Has 835 Posts

Renee Dustman, BS, AAPC MACRA Proficient, is managing editor - content & editorial at AAPC. She holds a Bachelor of Science degree in Media Communications - Journalism. Renee has more than 30 years' experience in journalistic reporting, print production, graphic design, and content management. Follow her on Twitter @dustman_aapc.

3 Responses to “Florida Moves to Strengthen ePHI Safeguards”

  1. Robert Kebbekus says:

    In reading the new Florida Law, I am thinking this is much bigger than just where the information is retained. In my opinion, it also will apply to BPO services that health care providers contract with to handle their back office activities (i.e coding, denial review, insurance follow-up..) The law prohibits access to medical records outside the US and Canada. If I am correct, this is a big problem for most providers i Florida.

  2. Misaki says:

    I am thinking the same thing about storage vs access. If accessing is also prohibited then no offshore services like you mentioned above will be able to work with health care providers from FL

  3. Renee Dustman says:


Leave a Reply

Your email address will not be published. Required fields are marked *