A new law requires Florida health care providers that utilize certified electronic health record technology to ensure that certain patient information be physically maintained in the continental United States, its territories or Canada. The recent amendment to the Florida Electronic Health Record Exchange Act (the Exchange Act) casts a broad net regarding the information subject to the new requirement, stating it applies to “all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services.” The extensive reach of the new law is clear from the provision that the storage requirements apply to all qualified electronic health records stored “using any technology that can allow information to be electronically retrieved, accessed or transmitted.” The law went into effect July 1.
Florida health care providers that utilize such technology should review their information security programs and their contracts with technology service providers to determine whether those programs and contracts require changes, including whether they need to require the technology service providers (and any of their subcontractors) to physically maintain patient information in the continental United States, its territories or Canada. The new law requires that each provider sign an affidavit at the time of their initial application for licensure, and upon any renewal applications, attesting under penalty of perjury as to their compliance with these requirements.
Health care providers may also wish to revise their technology service contracts to require their service providers to provide all information and contractual protections necessary for the health care provider to make their regular licensure certifications regarding compliance.
Although the law clearly requires Florida health care providers to require compliance by their technology service providers providing data storage services, it is less clear whether the law will effectively require those health care providers to ensure that their business partners that are not otherwise subject to the Florida law (such as a health insurance company) comply with the law in order for the health care provider to make the necessary compliance certifications. This issue will need to be clarified as the law is implemented.
From the perspective of ensuring compliance with the new law, health care providers should note that cloud providers typically offer health care customers the option to designate that their data be stored within the United States, North America or a similar region. In addition, for many years, technology service providers have used virtual desktop infrastructure (VDI) technology to provide services from offshore using health care data stored and processed on software and hardware located in the United States. A key component of this solution is that the technology service providers do not retain any copies (virtual or physical) of the data in the offshore location. This approach offers the benefit of better security (i.e., the location of the data remains limited, which reduces the chances of a breach) while reducing the cost of such services. This does not appear to run afoul of the new law and will help facilitate compliance by offering Florida health care providers a service delivery model that provides these benefits.
Some commentators have suggested that the new law will prohibit accessing health care records from outside of the continental United States, its territories or Canada. This interpretation not only conflicts with the delivery model noted above that has proven to be secure, effective and beneficial for health care companies using offshore technology service providers (as well as meeting data privacy requirements in other jurisdictions), but it also does not appear to be supported by the plain text of the law.
Importantly, the law’s text as well as its legislative history do not support an argument that the law prohibits accessing health care records from outside the continental United States, its territories or Canada. The official bill summary and bill analyses and fiscal impact statements for each version of the bill released by the Florida Senate Judiciary Committee repeatedly state that the bill introduces “storage” requirements for patient information. Conversely, there do not appear to be any references to “accessing” patient data from outside those geographies or any suggestion that the law is intended to prohibit accessing health information from outside of the designated geographies. The only reference to “access” is in describing the type of technologies used to store information that are subject to the new storage requirement, i.e., “The bill applies this provision [requiring certain patient data to be stored in the continental United States, its territories or Canada] to all qualified electronic health records that are stored using any technology that can allow information to be electronically … accessed … .” Moreover, if the Florida legislature had intended to prohibit accessing health care data from outside of the designated geographies, it could have done so explicitly, but did not.
Not only does the law not prohibit accessing health information from offshore, an argument can be made that the law does not prohibit maintaining copies of the health information outside of the designated jurisdictions. The law requires only that “all patient information stored in an offsite physical or virtual environment … is physically maintained” in the specified geographies; the law does not provide that the information be stored only in those locations and therefore arguably does not prohibit the maintenance of backup or other copies outside the specified geographies.
In sum, the new Florida law will impact Florida health care providers who are subject to the Exchange Act, and they should confirm that their information management systems and technology contracts support their compliance with the new law.