Implications of Florida’s Electronic Health Records Data Storage Law

Data privacy has been an issue of growing importance across many different industries. As an industry, healthcare is a high-priority target for cyber criminals. In 2019, there were 525 data breaches in the healthcare industry, compared with only 108 data breaches in the financial sector, according to the most recent data published by Statista.¹ In 2022, the number of reported breaches in the healthcare industry had risen to 707, of which 555 were from hacking.² This growing problem has led some lawmakers to look for policy solutions to protect patient data.

Florida made news when Florida Gov. Ron DeSantis signed SB 264, effective July 1. The law was primarily aimed at preventing adversarial foreign countries from entering into contracts with the state, buying real estate and related actions. However, the bill included language amending the Florida Electronic Health Records Act to require offsite storage of patient data to be physically maintained in the continental U.S., one of its territories or Canada. The law also requires that providers licensed under the Florida Agency for Health Care Administration sign an affidavit at the time of application or renewal attesting, under penalty of perjury, to their compliance with the law.

Laws that arbitrarily require data to be held in specific geographic areas take an overly simplistic view of a complex problem. Worse, they may lead policymakers to believe they have addressed data security problems when they really have not.

RISE Registry Impact

Fortunately, this law will not affect ACR RISE registry participants. Although the registry’s technology vendor is based in India, all RISE registry data are stored in the continental U.S., making the registry compliant with this new law. The ACR worked with the technology vendor years ago to ensure all data are stored in the U.S.

India is a large player in data storage and management and has a long cooperative history with the U.S. Vendors that do not offer storage within the continental U.S. could eventually lead to increased costs for all electronic health record (EHR) systems. However, regardless of the new law and similar ones, the ACR will continue to include this requirement for our registry partners.

What Should Providers Do?

Florida is currently the only state to pass this kind of EHR law. If you are practicing in Florida, compliance with the new law is fairly straightforward. You should check with your EHR vendor on an annual basis to confirm where your patient data are stored. Make sure this confirmation is in written form, such as a letter or email, and retain a copy of the confirmation for your records. This will be vital if your compliance ever comes into question.