A new Florida law will require certain Florida-licensed providers to ensure that patient information is physically maintained only in the continental United States and its territories or in Canada. Florida SB 264, which goes into effect July 1, 2023, amends the Florida Electronic Health Records Exchange Act, adding a ban on offshoring health information that goes beyond the requirements under HIPAA and most other generally applicable health privacy and security laws. Florida licensees to which the new requirements apply will need to attest upon initial licensure and any renewals that they are in compliance with the new requirements. Applicable licensees will also be required to ensure that no individual or entity with a controlling interest in the licensee has an interest in an entity that has a business relationship with certain foreign countries, as discussed below.
The new privacy requirements apply to all “qualified electronic health records that are stored using technology that can allow information to be electronically retrieved, accessed or transmitted” used by the categories of health care providers listed below. “Qualified electronic health records” are electronic health records that can provide clinical decision support, support physician order entry, capture and query relevant quality information, and exchange electronic health information with and from other sources. The new anti-offshoring requirements are separate from the recently passed Florida Digital Bill of Rights, which our Mintz privacy colleagues covered here.
Impacted provider types encompass facilities including, but not limited to, hospitals, clinics, ambulatory surgical centers, home health agencies, hospices, nursing homes, labs, pharmacies, and individual practitioners including physicians, physician assistants, advanced practice registered nurses, registered nurses, pharmacists, dentists, chiropractors, podiatrists, certain behavioral health providers, physical therapists, occupational therapists, speech-language pathologists, audiologists, and respiratory therapists. The law only applies to providers who use “certified electronic health record technology”, or CEHRT, which meets the federal interoperability standards. Because of ambiguity in the statute, it is unclear if the law is meant to apply only to providers who participate in the CMS payment programs that require CEHRT or if the requirements are more broadly applicable to any provider who utilizes CEHRT, regardless of whether they are required to do so.
The new licensure requirements included in the statute require providers applying for and renewing their Florida Agency for Health Care Administration (AHCA) licensure to submit an affidavit attesting under penalty of perjury that the applicant is in compliance with the prohibition on offshoring health care information. Failure to maintain compliance with the requirements could result in disciplinary action by AHCA.
The requirement to store qualified electronic health records within the U.S. and Canada also extends to third-party vendors and subcontractors who store such records on behalf of the affected Florida providers. This could also affect vendors overseas who access electronic health records if the access involves downloading a copy of the records. Because of the potential reach of this law, providers operating in Florida should take steps to confirm that neither they nor their vendors are storing electronic health records outside of the U.S. and Canada.
While HIPAA does not prohibit offshoring health information, covered entities outside of Florida should always take steps to ensure that vendors who store PHI offshore are able to comply with all of the privacy and security requirements under HIPAA and other applicable privacy laws. Third-party payers, including Medicare Advantage plans and state Medicaid programs, also often include provisions restricting or prohibiting the use of offshore vendors, so providers should stay on top of how and where their health records are being stored.
The new law also requires entities licensed by AHCA to confirm that no individual or entity with a controlling interest in the licensed entity holds, directly or indirectly, an interest in an entity that does business with a “foreign country of concern.” “Foreign countries of concern” include “the People’s Republic of China, the Russian Federation, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Republic of Cuba, the Venezuelan regime of Nicolás Maduro, or the Syrian Arab Republic, including any agency of or any other entity of significant control of such foreign country of concern.” Under Florida law, a controlling interest is defined to mean a person or entity that serves as an officer or director of or has a 5% or greater ownership interest in the licensee or a management company that manages the licensee. The law as drafted does not include a carve-out for ownership interests held by publicly traded entities, unlike the current ownership limitations related to holding an interest in a facility that has previously had its license revoked. Notably, as drafted the restrictions do not include any carve out for activities that the Office of Foreign Assets Control has permitted to be conducted with sanctions nations. Additionally, the inclusion of the People’s Republic of China in the list of foreign countries of concern will require entities licensed in Florida to review potential business relationships that they or their parent companies have in China that are otherwise permissible under U.S. law.