Florida's Amendment to Electronic Health Records Exchange Act

On May 8, 2023, Florida Governor Ron DeSantis approved an amendment to the Florida Electronic Health Records Act, effective July 1, 2023, which requires that offsite storage of certain protected health information by Florida-licensed health care providers and practitioners be physically maintained in the continental U.S., its territories or Canada.

An article published on The National Law Review’s website suggested that healthcare providers may need to limit access by foreign contractors to electronic health records stored on servers in the U.S. Consequently, there have been questions about whether the amended Act prohibits contractors and vendors located outside of the U.S., such as revenue cycle management companies, IT support, and scheduling support, from accessing health records stored on servers in the U.S.

 However, from a review of the amendment, CS/CS/SB 264, it appears that it does not on its face limit or prohibit access by foreign contractors to electronic health records stored in the U.S.

• The amendment addresses the storage of health records, and states that healthcare providers “must ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada.”

• It does not appear to specifically address the access of records by foreign downstream contractors and vendors.

• Contractors and vendors located outside of the U.S. should not store health records but do not appear to be prohibited from accessing the records (with appropriate safeguards pursuant to HIPAA) while conducting services for Florida healthcare providers.

• Covered healthcare providers and practitioners that renew their Florida license will have to submit an affidavit attesting under penalty of perjury that they are in compliance with the Act.

Failure to comply with the Act may result in disciplinary action. Therefore, downstream contractors and vendors located outside of the U.S. should expect that their customers will be asking them to sign updated or new contracts certifying that they do not store any health records on servers located outside of the U.S.

**The information provided in this article does not and is not intended to, constitute legal advice, and readers of this article should refrain from acting on the basis of the information and should consult their own attorney.