Data privacy has been an issue of growing importance across many different industries. As an industry, healthcare is a high-priority target for cyber criminals. In 2019, there were 525 data breaches in the healthcare industry, compared with only 108 data breaches in the financial sector, according to the most recent data published by Statista [1]. In 2022, the number of reported breaches in the healthcare industry had risen to 707, of which 555 were from hacking [2]. This growing problem has led some lawmakers to look for policy solutions to protect patient data.
Florida made news when Gov. Ron DeSantis signed SB 264, effective July 1. The law was primarily aimed at preventing adversarial foreign countries from entering into contracts with the state, buying real estate and taking related actions. However, the bill included language amending the Florida Electronic Health Records Act to require that offsite storage of patient data be physically maintained in the continental U.S., one of its territories or Canada. The law also requires that providers licensed under the Florida Agency for Health Care Administration sign an affidavit at the time of application or renewal attesting, under penalty of perjury, to their compliance with the law.
RISE Registry Impact
Fortunately, this law will not affect ACR RISE registry participants. Although the registry’s technology vendor is based in India, all RISE registry data are stored in the continental U.S., making the registry compliant with this new law. The ACR worked with the technology vendor years ago to ensure all data are stored in the U.S.
India is a large player in data storage and management and has a long cooperative history with the U.S. Excluding vendors that do not offer storage within the continental U.S. could eventually increase costs for all electronic health record (EHR) systems. However, regardless of the new law and similar ones, the ACR will continue to include this requirement for our registry partners.
What Should Providers Do?
Florida is currently the only state to pass this kind of EHR law. If you are practicing in Florida, compliance with the new law is fairly straightforward. You should check with your EHR vendor on an annual basis to confirm where your patient data are stored. Make sure this confirmation is in written form, such as a letter or email, and retain a copy of the confirmation for your records. This will be vital if your compliance ever comes into question.
What are the implications for practices outside Florida? The reality is that we are likely to see more of these kinds of laws in other states. Twenty-four other states have considered legislation restricting business dealings with “foreign governments of concern” and their business entities. In the media, these laws have often been termed “anti-China” laws, mainly taking aim at foreign purchases of farmland and real estate. Some have pointed out that these laws may stoke fear of Asian Americans and could have a discriminatory effect. However, we live in a political and legal reality where these laws are being proposed and do exist.
Although the EHR aspect of the Florida law is unique for now, it likely won’t be for long. Providers not affected by this law should learn more about their patient data, such as where they are stored and how the data are protected from cyber criminals. Being proactive in protecting patient data will not only provide greater protection to your patients and practice, but also help make laws like Florida’s unnecessary.
Solutions
Many people in the U.S. may feel as though their vital data are more vulnerable than ever before, and there is a good reason for this feeling of vulnerability. The U.S. did not even rank in the top 40 in a recent National Cyber Security Index ranking of countries [3]. This is largely due to the hodgepodge of federal and state data privacy laws. This growing problem seems prime for policy solutions. However, policy solutions are only effective when they are grounded in fact.
Although requiring data storage in the U.S. may seem like an effective way to protect patients, it may actually leave them more vulnerable and exposed. In a world that is more and more connected, borders are increasingly irrelevant to cyber criminals. Hackers can just as easily access data in Jersey City as Jaipur. Their success will not be determined by the geographic location of the health records, but by the security in place at the storage facility. Laws that arbitrarily require data to be held in specific geographic areas take an overly simplistic view of a complex problem. Worse, they may lead policymakers to believe they have addressed data security problems when they really have not. Instead, the focus should be on policies that actually get at the problem, such as minimum data security requirements for EHRs and breach reporting transparency.
Conclusion
In the end, the solution to patient data security is not likely to be found in more state laws. We know our members take the security of their patient data seriously. It is not just an essential part of a practice; it is an essential part of keeping and maintaining patient trust. EHR vendors also understand this, which is why most of them have state-of-the-art data protection systems. We must continue to strive to set a high standard for patient data security. In doing so, we not only make Florida’s law unnecessary, but we also make patient data safer. That is ultimately everyone’s goal.
Joseph Cantrell, JD, is the director of state affairs and community relations for the ACR.
References
1. Statista. Number of data breaches in the United States from 2013 to 2019, by industry. 2020 Jan.
2. Statista. Most common causes of healthcare data breaches in the United States in 2022. 2023 Jan.
3. National Cyber Security Index. https://ncsi.ega.ee/ncsi-index/?order=rank. Accessed 2023 Aug 7.