On May 8, 2023, Governor Ron DeSantis of Florida signed CS/CS/SB 264, amending a suite of Florida statutes to impose heightened requirements on business activities involving foreign interests. As related to the health care industry, CS/CS/SB 264 amended the Florida Electronic Health Records Exchange Act (“Act”) to, among other things, require “health care providers” that utilize “certified health record technology” to manage health records in an electronic interoperable and digital format to ensure that in addition to maintaining such records in accordance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”), the health records must be stored only in environments physically maintained in the U.S., its territories or Canada, effective July 1, 2023. CS/CS/SB 264 also amended Florida licensure requirements for qualifying health care providers, obligating licensees to comply with the amended requirements of the Act, particularly as related to the security and storage of personal medical information outside of U.S. and Canadian jurisdictions, in order to obtain and maintain a license in Florida.
Key Takeaways and Recommendations
- Qualifying health care providers must comply with both HIPAA and Florida state requirements for transfers of health care data. Although HIPAA does not impose specific requirements regarding where health data must be stored, the amendments to the Act require qualifying health care providers in Florida to only store health records in the U.S., its territories, or Canada. As such, effective July 1, 2023, qualifying health care providers in Florida have heightened health data record storage obligations.
- Qualifying health care providers must submit a signed affidavit attesting under penalty of perjury that the provider is in compliance with the health records storage requirements of the Act when they submit their initial and renewal license application. Non-compliant qualifying health care providers may be subject to disciplinary action by the Agency for Health Care Administration, the Florida state agency that regulates health care licenses in Florida.
- The applicability of the Act does not depend on where the patient who is the data subject resides, but on whether the entity is a qualifying health care provider under Florida law. The Act applies to HIPAA covered entities and business associates that are also qualifying health care providers in Florida under the Act. It also applies to traditionally non-HIPAA covered entities and business associates, such as acupuncturists. Therefore, the requirements of the Act apply to a broader group of entities that collect health data than HIPAA.
- The Act does not directly impose obligations on parties that are not qualifying health care providers under Florida law, such as third-party vendors that provide cloud computing services and other health technology vendors, but effectively prohibits offshoring of data in health records. To comply with these obligations, qualifying health care providers will most likely contractually flow down the requirement to store health records only in the U.S. and Canada to their third-party vendors via business associate agreements and data processing agreements.
- Recent enforcement and regulatory trends suggest the Act is likely the first of many legal and regulatory restrictions that will apply to transfers of sensitive data (e.g., health data) to foreign jurisdictions. Therefore, third-party vendors providing cloud computing services and other health technologies to qualifying health care providers should be prepared to offer their customers U.S.- or Canada-based data processing, maintenance, and storage options to accommodate legal and regulatory developments.