Florida Moves to Strengthen ePHI Safeguards
Do you know where your patient electronic data is stored?
Legislation recently signed by Florida Governor Ron DeSantis amends the Florida Electronic Health Records Exchange Act (the Act) to reinforce the security of state residents’ electronic protected health information (ePHI). Although well-meaning, the law puts yet another level of risk on healthcare providers’ shoulders.
Know the Law for ePHI
Effective July 1, 2023, all healthcare providers required to uphold HIPAA regulations and licensed under Florida law will be prohibited from using certified electronic health record technologies (CEHRT) owned or operated outside of the United States to store patient records. The law specifically states:
“In addition to the requirements in 45 C.F.R. part 160 and subparts A and C of part 164, a health care provider that utilizes certified electronic health record technology must ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada.”
The ban extends to any offshore entity that can retrieve, access, or transmit EHR data in the United States.
Immediate Action Required
Robert A. Pelaia, Esq., CPC, CPCO, Deputy General Counsel, University of South Florida, and a member of AAPC’s Legal Advisory Board, said, “Healthcare entities need to carefully review this legislation because it is very definition driven. The new law applies to certain types of delineated healthcare providers who use ‘certified electronic health record technology’ or CEHRT.”
Providers will be required to sign an affidavit when applying for or renewing their license to practice medicine in Florida, attesting that they are in compliance with this law. This could be extremely difficult because compliance requires providers to know where their patients’ ePHI is at all times.
Pelaia warns, “The state of Florida has made it clear: Healthcare providers must ensure that their patient information, regardless of whether the data is in the cloud or a third-party computing facility, is stored in the continental United States or its territories or Canada. This new Florida requirement impacts nearly all licensed providers in the state, and the compliance burden is on the providers – not the digital health technology vendors. If your patient information is physically maintained outside the United States or Canada, you must start transitioning the data in advance of the law’s effective date of July 1, 2023, or you risk possible disciplinary action by AHCA [Florida Agency for Healthcare Administration].”
A provider who commits a violation of this law is “acting as a foreign agent,” according to the Florida statute, which is a felony of the first degree.
Sutton, M. The National Law Review, Florida Bans Offshoring of Certain Patient Information, May 25, 2023
2016 Florida Statutes, Title XXIX, Chapter 408, Section 408.051
CS/CS/SB 264 (Chapter 2023-33, Laws of Florida)