20 June 20237 minute read

Offshoring patient information? Florida’s Electronic Health Records Exchange Act amendments bring new compliance considerations

Effective July 1, 2023, newly enacted amendments to the Florida Electronic Health Records (EHR) Exchange Act not only impose a new law requiring patient information to be stored physically within the continental US (and its territories) or Canada, but also require certain providers to submit attestations of compliance with that law each time they apply for or renew licenses. These amendments subject providers to the risk of disciplinary actions if they fail to comply with the law.

While the amendments extend well beyond rules on healthcare data and focus more broadly on matters pertaining to interests of foreign countries, the requirements for storing patient information creates uncertainties for providers by leaving important questions unanswered.  These uncertainties will pose challenges for providers seeking to comply with the law while mitigating their risk of disciplinary action.

Specifically, the amendments add a new section titled, “Security and Storage of Personal Medical Information,” that will pose a new compliance burden on covered providers with respect to how and where they maintain their patient information.

The following answers some questions that providers may have as they look to comply with the new security and storage requirements by July 1.

Who is subject to the law?

This is a good question as the law is a bit ambiguous on this point.  It applies to any “health care provider” that “utilizes” certified EHR technology.  Adopting a definition similar to that of the federal law which governs such technology, certified EHR technology is defined as a qualified EHR that is certified pursuant to Section 3001(c)(5) of the Public Health Service Act as meeting standards adopted under Section 3004 of such act, which are applicable to the type of record involved, such as an ambulatory EHR for office-based physicians or an inpatient hospital EHR for hospitals.

A “health care provider” is defined to refer to a broad range of licensed, certified, or otherwise regulated facilities and practitioners under Florida laws enumerated in the definition (eg, physicians, chiropractors, pharmacists, pharmacies, and healthcare facilities).

The big question, however, is what the law means by utilizing this technology.  Not all providers have their own certified EHR technology.  Many providers use non-certified technology but may, from time to time, access or use certified technologies of other providers.

Providers will need to carefully assess whether their use of their own certified technology or other providers’ technology may bring them under this law.

What patient information is subject to the law?

This is also a good question – and presents another ambiguity under the law.  The law expressly regulates “all patient information” that is stored in “an offsite physical or virtual environment.”  This includes arrangements with third-party or subcontracted computing facilities providing cloud computing services.  Any record that is a “qualified” EHR is expressly subject to the law when stored by any technology – not just certified EHR technology – that can allow information to be electronically retrieved, accessed, or transmitted.

Specifically, and similarly tracking the definition under federal law, a qualified EHR means an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support; to support physician order entry; to capture and query information relevant to healthcare quality; and to exchange electronic health information with, and integrate such information from, other sources.

So, covered providers will not be able to easily bypass this law by using non-certified technologies alongside certified ones.

The law may pose significant challenges for providers with multi-state operations.  It is not clear whether the law regulates records of patients outside of Florida.  A “patient” is a defined term in the law, referring to an individual treated by a healthcare facility or healthcare provider.

A healthcare provider is defined, as noted above, with respect to specific Florida laws.  A healthcare facility is not defined in this portion of Florida law, but elsewhere is broadly defined (eg, including ambulatory surgical centers, hospices, nursing homes, hospital, and the like). 

While it may be reasonable to assume the law only extends to patient information with respect to Florida patients, the law does not expressly limit its scope in this way.  Therefore, multi-state providers subject to this new law may need to reassess their current record storage arrangements in every jurisdiction.

How will the storage of covered patient information be impacted?

The law raises many more questions than it answers regarding how covered providers will need to adjust their arrangements for storing patient information.  The law specifically requires that patient information “is physically maintained in the continental United States or its territories or Canada.”  While this phrase would seem to include Alaska, it appears that Florida will not permit records to be stored in Hawaii.

Furthermore, the law expressly requires that the covered patient information be physically maintained in the enumerated jurisdictions.  However, the law neither states that the information must be solely stored in these jurisdictions nor does it expressly ban also storing the information in other jurisdictions.  For example, if a provider physically stores patient information in servers located in a permitted jurisdiction in the United States or Canada, but the information is accessed remotely in India, it is not clear whether the law prohibits the information to be downloaded to, and also stored on, servers in India.

It is possible that Florida regulators will seek to enforce the new law as a complete ban on the offshoring of patient data.  However, the language of the law itself leaves this issue open for interpretation.

What legal risks do providers face?

This is the one portion of the law that seems the clearest, but is again not without ambiguity.  The law will require licensees to sign an affidavit at the time of initial licensure application or any renewal applications.  That affidavit will attest “under penalty of perjury” to compliance with the law.  Any failure to remain in compliance will subject the licensee to disciplinary action.

As noted, even this requirement is not entirely clear.  For example, the law only seems to require individual licensees and not institutional providers to sign affidavits by using only “his or her” pronouns.  It is not clear whether institutional providers will need to sign affidavits with respect to their license applications.

Another ambiguity is whether this affidavit will require an attestation about other providers’ data storage practices.  For example, when a physician signs an affidavit, is that physician required to attest to not only the storage of their own patient records but also the records of a hospital, whose certified technology the physician may use from time to time?

Are EHR vendors and other vendors subject to the law?

Technically, no.  Only covered providers are subject to the law and required to submit the attestation.  However, the law will impact those providers’ arrangements with certain vendors.  The law expressly applies to patient information stored through a third-party or subcontracted computing facility or an entity providing cloud computing services.  If Florida regulators seek to enforce the law as a complete ban on physically offshoring patient information to other countries (as well as Hawaii), the law may impact quite a few more categories of vendors, not all of which are primarily or otherwise data storage vendors.

Is deidentified information subject to the law?

Arguably, no.  The definitions of certified EHR technology and qualified EHR both seemingly relate only to identifiable information.  The former is defined with respect to “a person’s medical treatment” and the latter to information “concerning an individual.”  If deidentified, the information may fall outside of the scope of the law.  Still, nothing in the law expressly addresses this issue.

What are providers’ next steps?

All healthcare providers operating in Florida should assess whether the law applies to them.  If applicable, providers should audit their record storage arrangements and modify those arrangements as needed, including by negotiating amendments to contracts with applicable vendors.

Given the lack of clarity under the new law, providers might take different approaches when modifying those arrangements, depending on costs, operational concerns, and risk tolerance levels.  In any case, however, prudent providers will ensure that they have documented their decision-making process to support any affidavits they may sign going forward.

For more information about the law, please contact your DLA Piper relationship partner, the author of this alert, or any member of our Healthcare industry group. 

Print