Florida’s Amendment to Electronic Health Records Exchange Act

Florida’s Amendment to Electronic Health Records Exchange Act

Florida’s Electronic Health Records Act received a significant update on May 8, 2023, when Governor Ron DeSantis approved an amendment. Starting July 1, 2023, the law requires Florida-licensed healthcare providers to store offsite protected health information (PHI) only in the continental U.S., its territories, or Canada.

Learn more about the Florida Electronic Health Records Act.

Why Was This Amendment Introduced?

The amendment seeks to improve the security of health records by restricting their storage to specific, approved regions. Despite this clarity on storage, it brings up important questions regarding access. For example, can foreign contractors—such as revenue cycle management companies, IT support teams, or scheduling vendors—legally access electronic health records stored in the U.S.

For detailed insights, read The National Law Review’s analysis of the amendment.

Can Foreign Contractors Access U.S.-Stored Health Records?

A review of the amendment, CS/CS/SB 264, reveals that it does not explicitly prohibit foreign contractors from accessing electronic health records stored on U.S. servers. Here’s what you need to know:

  • Storage Requirement: Healthcare providers need to ensure that all patient information stored offsite, including data hosted by third parties or cloud services, remains physically maintained in the U.S., its territories, or Canada. This requirement underscores the importance of adhering to geographic restrictions for data security.

  • Access by Contractors: Interestingly, the amendment does not directly address whether foreign contractors can access these records. However, it allows flexibility as long as storage guidelines are followed, leaving room for careful interpretation by providers and vendors.

  • HIPAA Safeguards: Foreign contractors and vendors can access health records stored in approved regions, provided they comply with strict HIPAA safeguards. By ensuring robust data protection practices, contractors can maintain compliance while supporting healthcare providers.

What Does This Mean for Florida Healthcare Providers?

Healthcare providers and practitioners renewing their Florida licenses must submit an affidavit to confirm compliance with the amendment. If they fail to comply, they may face disciplinary action.

To ensure compliance with the law, providers should carefully review agreements with contractors and vendors. This step is crucial because these agreements may need updates to certify that all health records are stored within the approved regions. Moreover, contractors should remain aware of these changes to maintain strong partnerships with healthcare providers.

Read more about managing vendor compliance on our Revenue Cycle Blog.

How Should Contractors and Vendors Prepare?

To comply with the amendment, foreign contractors and vendors should:

  1. Review Storage Practices: Ensure all stored health records remain within the approved regions.
  2. Sign Updated Agreements: Be prepared to sign new or updated contracts confirming compliance with the amendment.
  3. Follow HIPAA Guidelines: Implement and maintain safeguards while accessing U.S.-stored records.

Explore vendor compliance tips on our blog.

Conclusion: Stay Informed and Compliant

This amendment emphasizes the need for strict data storage and access controls. Healthcare providers and their partners must collaborate to ensure full compliance.

For additional resources, visit:

**The information provided in this article does not and is not intended to, constitute legal advice, and readers of this article should refrain from acting on the basis of the information and should consult their own attorney.

Floridas-Amendment-to -Electronic-Health-Records-Exchange-Act

Ready to Connect
with Experts?

Get a FREE Consultation

Complete the form for customized billing solutions. Strengthen your revenue cycle and get started with a free report!

    Login Account

    Already a Medilab Customer?

    Invaild email address.

    6 or more characters, letters and numbers. Must contain at least one number.

    Your information will nerver be shared with any third party.

    Request Pricing