Florida Bans Offshoring of Certain Patient Information
Governor DeSantis has signed legislation that took effect on July 1, 2023, changing Florida statutes to add a new section regarding how patient information is stored.
Offshore PHI Storage Banned
Senate Bill 264 is an amendment to the Florida Electronic Health Records Exchange Act, which regulates the use of electronic health records by certain healthcare providers and entities in Florida.
The law aims to protect the privacy and security of patient information by requiring that it is physically stored in the continental United States, its territories, or Canada. This applies to data stored in an offsite physical or virtual environment, such as a cloud computing service. Data storage companies and release of information (ROI) services fall under this category.
The law applies to all patient information stored using certified electronic health record technology (CEHRT), which is technology that meets the standards set by the U.S. Department of Health and Human Services. All major EHR vendors on the market meet CEHRT requirements, and facilities must attest to CEHRT compliance to maintain Medicare eligibility. What does this mean? It is safe to say that the Florida law applies to nearly all mainstream healthcare providers and entities like pharmacies, long-term care facilities, and home health services in the state.
Florida law also prohibits certain healthcare providers and entities from being owned or controlled by a foreign government or entity that is designated as a state sponsor of terrorism, a cyber threat actor, or a human rights violator by the U.S. government. Currently, the list that defines “foreign country of concern” includes:
- The People’s Republic of China
- The Russian Federation
- The Islamic Republic of Iran
- Democratic People’s Republic of Korea
- Republic of Cuba
- Venezuelan regime of Nicolas Maduro
- Syrian Arab Republic
This list includes any agency or any other entity under significant control of any country on the list.
What the Law Means for Florida Companies
The law affects a wide range of healthcare providers and entities licensed by the Florida Agency for Health Care Administration (AHCA) or the Florida Department of Health, as well as their subcontractors and vendors who handle patient information. With large health systems using many subcontracted services for different functions, the list of business associates with PHI can be long. It is up to the entity to verify the information storage location(s) of each company and make sure they are NOT offshore.
The law does not apply to patient information that is stored onsite by the health care provider or entity, or that is transmitted or exchanged through a health information exchange (HIE) organization authorized by the state. The law does not yet specify any penalties or enforcement mechanisms for violations of the law, but it may expose healthcare providers and entities to potential liability or sanctions from other sources, such as federal laws, state laws, contracts, or accreditation.
How Does This Law Affect RecordQuest and its Clients?
The good news is – not at all! RecordQuest has always kept all of the data it stores for clients locally in the U.S. RecordQuest promises uncompromised security of private patient data and maintains strict compliance with HIPAA, HITECH, and industry certifications like SOC2. Achieving these certifications validates the company’s commitment to robust systems and best practices for data security.
RecordQuest uses a detailed logging system to track all activity on the platform, allowing a comprehensive report accounting for each disclosure. RecordQuest can support its Florida partners in attesting compliance with new statutes because it is the way we have always done business: safely and transparently, with a commitment to customer service.
Ready to outsource your release of information services to professionals? Spend more time on patients, and less on paperwork by partnering with RecordQuest. We easily integrate with any EHR system and work quickly and efficiently to deliver verified records. Request a demo to find out how your company can get started.