Florida has implemented new regulations prohibiting healthcare providers from storing electronic health records (EHRs) offshore or relying on third-party vendors outside the US and Canada with access to patient data. The amended laws require that protected health information be physically stored within the continental US, its territories, or Canada. The change aims to address concerns regarding offshore vendors’ compliance with evolving US laws on data storage and security, protecting healthcare providers and organizations subject to HIPAA regulations from potential breaches.
As of July 1, it is illegal for healthcare providers in Florida both to store electronic health records (EHRs) offshore and to rely on third-party contractors based outside the U.S. who have access to patient data maintained inside the U.S. Under the Florida Electronic Health Records Act, protected health information that is stored offsite must now be physically maintained in the continental United States, its territories, or Canada.
To further ensure compliance, the Healthcare Licensing Procedures Act in Florida now requires licensees to sign affidavits confirming that all patient information within qualified EHRs, including demographic and clinical health data, is being physically stored in accordance with the amended EHR law.
A particular area of concern involves third-party vendors located outside the U.S. and Canada, such as IT support vendors, EHR companies, or data entry subcontractors, who may have access to patient records stored on domestic servers. Michael Sutton, an associate with Sheppard, Mullin, Richter and Hampton, highlights the inclusion of subcontracted computing facilities and offshore cloud service providers in the updated legislation.
Sutton advises healthcare providers subject to the amended law to conduct assessments to determine the storage location of electronic patient information and identify any third-party vendors outside the U.S. or Canada, emphasizing the need to scrutinize vendors providing IT support or scheduling services, among others, who might access patient data.
Notably, major cloud providers such as AWS let customers choose the region in which their data is stored, or fall back on the provider's default settings.
This development aligns with a broader trend in healthcare, where rapid access to large amounts of patient data, including imaging, is crucial. For instance, with the growing prevalence of at-home care, portable ultrasound and mobile x-rays require prompt transmission of extensive imaging data to physicians and radiologists. Cloud-based servers have facilitated cost reduction in data storage and accelerated data transfer speeds.
However, software vendors often outsource to subcontractors who may operate data centers located in foreign countries. Even compliant offshore entities may struggle to keep up with evolving U.S. laws on patient data storage and security, potentially exposing healthcare providers and HIPAA-regulated organizations to risks in the event of a data breach.
“CIOs rightly express concerns about their digital supply chain,” commented Tim Dawson, Chief Technical Officer at Canon Medical, during a HIMSS23 discussion on data neutrality.
Although software vendors have been utilizing offshore server farms, call centers, transcriptionists, revenue cycle managers, and data analytics services for several years, healthcare organizations bear the responsibility of ensuring their contracts explicitly prohibit the offshore storage of protected health information.
According to Sutton, qualifying healthcare providers faced with conflicts may need to transition patient information to new storage locations or take measures to appropriately limit access to patient data before the effective date of the Act.