June 02, 2023
Florida legislators recently took an important step to protect patient privacy and ensure data security when they passed an update of the Florida Electronic Health Records Exchange Act in May 2023.
According to The HIPAA Journal, this amendment prohibits healthcare providers using certified health record technologies from storing electronic health records (EHR) outside the United States (including its territories) or Canada. This ban extends to patient data stored through third-party cloud services and subcontracted computing facilities.
Table of Contents
Florida Electronic Health Records Exchange Act Update
This year, the Florida Electronic Health Records Exchange Act was updated to demonstrate its dedication to safeguarding EHR. By banning offshore EHR storage, Florida seeks to reduce risks related to data breaches, unauthorized access, and inadequate regulatory oversight. And at the same time, simultaneously assure patients that their data remains within U.S. or Canada.
Florida’s ban on offshore storage of EHR is in line with an emerging trend within healthcare, where data security and patient privacy continue to be of primary concern. In this regard, the southeastern state is taking proactive steps toward strengthening data governance and safeguarding PHI by mandating that EHRs be stored only within specified regions.
Implications for Healthcare Providers and Vendors
The ban on offshore storage of EHR has major ramifications for healthcare providers and vendors in Florida. Affected entities include hospitals, ambulatory surgery centers, pharmacies, home health agencies, hospices, laboratories, mental health treatment facilities, substance abuse services, and various licensed healthcare providers.
Healthcare providers that wish to comply with the new law must audit the locations where their health records are being kept. Any documents stored outside of specified regions should be immediately transferred to avoid violations. Cloud providers must also ensure that their data centers are within the approved jurisdictions.
Vendors and subcontractors that provide support services, including managed service providers, I.T. support companies, and scheduling support providers, must also abide by this ban. They can only store or access patient information in the United States, its territories, or Canada. It is vital for healthcare providers to review all agreements with vendors and subcontractors to ensure compliance with updated laws.
Healthcare providers should also conduct an internal data management review in order to identify any vulnerabilities or risks associated with offshore storage. Implementing robust security protocols and access controls will help protect EHR against unapproved access or malicious cyberattacks.
Compliance Deadline and Requirements for Covered Healthcare Providers
All healthcare providers covered by the Florida Electronic Health Records Exchange Act must abide by the ban on offshore storage by July 01, 2023. Thus, they must comply and conduct immediate steps to meet the amended requirements, including assessing storage locations, migrating data to specified regions, and establishing strict data access controls.
Healthcare providers who wish to meet compliance regulations must allocate sufficient resources while coordinating closely with I.T. departments, software vendors, and data storage providers. Proper planning, communication, and coordination are essential for an efficient transition to compliant storage locations.
Healthcare organizations must also place extra importance on employee training and education regarding the updated regulations. On the other hand, employees should understand their roles and responsibilities for maintaining data security and compliance.
By adhering to the revised law, healthcare providers in Florida can uphold patient trust, strengthen data security measures, and contribute to overall healthcare system integrity. Compliance with the ban on offshore EHR storage provides an additional safeguard toward protecting PHI while meeting the requirements for evolving data privacy regulations.
Consequences for failing to meet the Florida Offshore EHR storage requirements
Covered entities, including hospitals and private practice professionals, who fail to adhere to the ban will face several consequences, including:
- Civil and criminal penalties
- Lawsuits from patients whose PHI was compromised
- Class action lawsuits
- Reputational damages
There’s also a possibility that the Office for Civil Rights (OCR) will look into these violations and enforce fines and other corrective actions. Failure to do so will put healthcare providers at risk of severe legal and financial repercussions.
Taking Action to Secure Patient Data
Florida’s ban on offshore EHR storage marks a monumental leap toward safeguarding patient data and upholding privacy standards. By mandating that electronic health record storage locations fall within specific regions, the federal state aims to enhance data security while increasing patient trust.
As part of these proactive steps taken by Florida to protect sensitive patient information, it would be beneficial for healthcare providers to consider the importance and urgency of choosing robust security and storage solutions that comply with the new regulations.
