In May 2023, the Florida Legislature amended the Florida Electronic Health Records Exchange Act to add a provision regarding the security and storage of patient information. It took effect on July 1, 2023. To ensure compliance, Florida healthcare providers should review where their electronic patient information is physically maintained.
The act provides a legal framework for the creation, storage, access and exchange of digital health records. It includes requirements for patient authorization and penalties for violations, aimed at promoting interoperability and ensuring data privacy in the healthcare sector.
ANALYZING THE NEW PROVISION
The new provision prohibits healthcare providers that utilize certified electronic health record technologies from physically maintaining electronically stored patient information outside the continental United States, its territories or Canada. The covered healthcare providers include licensed practitioners (e.g., physicians, nurses and dentists), healthcare facilities and related services (e.g., hospitals, nursing homes, pharmacies and labs under the Drug-Free Workplace Act) and licensed entities offering mental health or substance abuse services, along with their supporting staff. “Certified electronic health record technology” is defined as “a qualified electronic health record that is certified pursuant to s.3001(c)(5) of the Public Health Service Act as meeting standards adopted under s.3004 of such act which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.” Fla. Stat. § 408.051(2).
The act further outlines that all patient information stored in an offsite physical or virtual environment is subject to the new provision. Interestingly, the act excludes Hawaii as a permitted electronic storage location by referencing the continental United States but includes Canada, Guam, Puerto Rico and American Samoa.
The final sentence of the security and storage provision is less clear and has caused some confusion. The sentence states that “[t]his subsection applies to qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted.” Some commentators have interpreted this provision to mean that patient information may not be remotely accessed by offshore personnel, even when the patient information physically remains within the continental United States. However, we believe the sentence was intended to ensure that all qualified electronic health records that are stored using certain technologies are subject to the previously mentioned physical maintenance requirement. “Qualified electronic health record” is defined as “an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.” Fla. Stat. § 408.051(2).
It follows that offshore third-party contractors (e.g., call centers and customer service centers) may access and process patient information from anywhere in the world, provided they do not physically maintain the patient information offshore in any format. The act does not appear to consider accessing, processing or transmitting patient information as physically maintaining it. The bill analysis from the Florida Legislature also focuses on the need for information stored to be physically maintained in the United States and does not suggest that offshore access is prohibited.
The new provision took effect on July 1, 2023, so healthcare providers should review where their electronic patient information is physically maintained. Because the act reaches patient information stored in any offsite physical or virtual environment and in any format, that review should cover cloud-hosted systems and backup copies, not only on-premises servers. Providers should also review their contracts with third-party service providers located outside the continental United States, its territories or Canada to ensure that those contracts prohibit offshore storage of patient information. Healthcare providers may also request a copy of each service provider's internal storage policy to confirm that it prohibits the physical maintenance of patient information offshore. Taking these steps now allows providers to comply with the new requirements of the act while continuing to protect patient information.
Dane Chapman and Nicole Pomerantz, summer associates in the Miami and Washington, DC offices, also contributed to this article.