Do you know where your electronic health records are stored?
By Jeff Scott, Esq., FMA General Counsel | June 22, 2023

SB 264, signed into law by Governor DeSantis on May 8, 2023, is most notable for the provision that bars citizens of a foreign country of concern who are not lawful US residents from buying agricultural land or property within 10 miles of a military base. While most of the 29-page bill is of little concern to FMA members, tucked in the back is a section that amends the “Florida Electronic Health Records Exchange Act” and affects physicians, hospitals, pharmacies, and most other health care providers.

The key change is the addition of section (3) to the Act, “Security and Storage of Personal Medical Information.” This new language requires health care providers that utilize certified electronic health record technology[i] to ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada.

This requirement to store electronic health records in the US or Canada “applies to all qualified electronic health records[ii] that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted.”

The amendment to Florida’s Electronic Health Records Exchange Act becomes effective on July 1, 2023. Before then, physicians with a qualified electronic health record system should consult with their vendors to ensure that patient information is not stored outside of the United States, its territories or Canada.

According to some sources[iii], the changes to the Act in SB 264 also prohibit the access, retrieval, and transmission of patient data from locations outside of the United States, its territories or Canada. The FMA’s analysis of SB 264 does not support this assertion. None of the experts contacted by the FMA on this issue agree with this interpretation, though there was a feeling that the law could be less ambiguous.

Finally, the law requires each entity licensed by the Agency for Health Care Administration to sign an affidavit at the time of initial application and upon renewal that attests under penalty of perjury that the entity is in compliance with s. 408.051(3). Individual physicians are not licensed by AHCA and thus will not have to comply with this requirement.

[i] Section 408.051(2)(a) defines “certified electronic health record technology” to mean “a qualified electronic health record that is certified pursuant to s. 3001 (c) (5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.”

[ii] Section 408.051(2)(i) defines “qualified electronic health record” to mean “an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.”

[iii] Florida Bans Offshore Storage of Electronic Health Records, posted by Steve Alder on June 2, 2023