Florida Moves to Strengthen ePHI Safeguards

Do you know where your patients' electronic data is stored?

Legislation recently signed by Florida Governor Ron DeSantis amends the Florida Electronic Health Records Exchange Act (the Act) to reinforce the security of state residents’ electronic protected health information (ePHI). Although well-meaning, the law puts yet another level of risk on healthcare providers’ shoulders.

Know the Law for ePHI

Effective July 1, 2023, all healthcare providers required to uphold HIPAA regulations and licensed under Florida law will be prohibited from using certified electronic health record technologies (CEHRT) owned or operated outside of the United States to store patient records. The law specifically states:

“In addition to the requirements in 45 C.F.R. part 160 and subparts A and C of part 164, a health care provider that utilizes certified electronic health record technology must ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada.”

The ban extends to any offshore entity that can retrieve, access, or transmit EHR data in the United States.

Immediate Action Required

Robert A. Pelaia, Esq., CPC, CPCO, Deputy General Counsel, University of South Florida, and a member of AAPC’s Legal Advisory Board, said, “Healthcare entities need to carefully review this legislation because it is very definition driven. The new law applies to certain types of delineated healthcare providers who use ‘certified electronic health record technology’ or CEHRT.”

Prevent Repercussions

Providers will be required to sign an affidavit when applying for or renewing their license to practice medicine in Florida, attesting that they are in compliance with this law. This could be extremely difficult because compliance requires providers to know where their patients’ ePHI is at all times.

Pelaia warns, “The state of Florida has made it clear: Healthcare providers must ensure that their patient information, regardless of whether the data is in the cloud or a third-party computing facility, is stored in the continental United States or its territories or Canada. This new Florida requirement impacts nearly all licensed providers in the state, and the compliance burden is on the providers – not the digital health technology vendors. If your patient information is physically maintained outside the United States or Canada, you must start transitioning the data in advance of the law’s effective date of July 1, 2023, or you risk possible disciplinary action by AHCA [Florida Agency for Healthcare Administration].”

A provider who commits a violation of this law is “acting as a foreign agent,” according to the Florida statute, which is a felony of the first degree.

Sutton, M. The National Law Review, Florida Bans Offshoring of Certain Patient Information, May 25, 2023

2016 Florida Statutes, Title XXIX, Chapter 408, Section 408.051

CS/CS/SB 264 (Chapter 2023-33, Laws of Florida)