What are the implications for practices outside Florida? The reality is that we are likely to see more of these kinds of laws in other states. Twenty-four other states have considered legislation restricting business dealings with “foreign governments of concern” and their business entities. In the media, these laws have often been termed “anti-China” laws, mainly taking aim at foreign purchases of farmland and real estate. Some have pointed out that these laws may stoke fear of Asian Americans and could have a discriminatory effect. However, we live in a political and legal reality where these laws are being proposed and do exist.
Although the EHR aspect of the Florida law is unique for now, it likely won’t be for long. Providers not affected by this law should learn more about their patient data, such as where the data are stored and how they are protected from cyber criminals. Being proactive in protecting patient data will not only provide greater protection to your patients and practice, but also help make laws like Florida’s unnecessary.
Solutions
Many people in the U.S. may feel as though their vital data are more vulnerable than ever before, and there is a good reason for this feeling of vulnerability. The U.S. did not even rank in the top 40 in a recent National Cyber Security Index ranking of countries.3 This is largely due to the hodgepodge of federal and state data privacy laws. This growing problem seems prime for policy solutions. However, policy solutions are only effective when they are grounded in fact.
Although requiring data storage in the U.S. may seem like an effective way to protect patients, it may actually leave them more vulnerable and exposed. In a world that is more and more connected, borders are increasingly irrelevant to cyber criminals. Hackers can just as easily access data in Jersey City as Jaipur. Their success will not be determined by the geographic location of the health records, but by the security in place at the storage facility. Laws that arbitrarily require data to be held in specific geographic areas take an overly simplistic view of a complex problem. Worse, they may lead policymakers to believe they have addressed data security problems when they really have not. Instead, the focus should be on policies that actually get at the problem, such as minimum data security requirements for EHRs and breach reporting transparency.