Exchange Act Impacts Record Storage by FL Health Care Providers

All healthcare providers must comply with various local, state, and federal laws and regulations, including the Exchange Act, which went into effect on July 1, 2023. In the healthcare field, business owners must be knowledgeable about a wide array of legal requirements related to privacy and recordkeeping, among other issues. You can rely on a Florida health law attorney at Kramer Green to keep up-to-date with new developments in the law so that your business remains compliant with state and federal laws.

Changes to the Florida Electronic Health Record Exchange Act

A recent amendment to the Florida Electronic Health Record Exchange Act (the Exchange Act) has placed new recordkeeping requirements on all Florida healthcare providers that use certified electronic health record technology. Specifically, healthcare providers must physically keep certain patient information in the continental United States, U.S. territories, or Canada. This requirement applies to “all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services.” Qualified electronic health records include any records providers can electronically retrieve, access, or transmit.

Compliance Actions Health Care Providers Should Take

As a result of this amendment to the Exchange Act, Florida healthcare providers should examine their information security programs and contracts with technology service providers to determine whether any changes are needed. They must ensure that these providers are physically maintaining patient information as required. All healthcare providers must sign affidavits upon initial licensure and upon renewing their licenses, attesting under penalties of perjury as to their compliance.

Although healthcare providers must ensure that their technology service providers comply with the amendments to the Exchange Act, how these changes impact their other partners is still being determined. For instance, healthcare providers often do business with other service providers, such as insurance companies, that are not otherwise subject to the law. Whether a healthcare provider can execute the required compliance affidavit without these business partners being compliant is uncertain.

Virtual Desktop Infrastructure Technology and the Exchange Act

Cloud providers customarily offer healthcare providers the option of having their data physically stored within the United States, which would comply with the new law. Likewise, technology service providers have used virtual desktop infrastructure (VDI) technology for many years to provide services from offshore using data stored and processed on systems located in the United States. In this business delivery model, no virtual or physical copies of the data exist outside of the country. The model not only offers better security, reduces costs, and meets data privacy requirements in other jurisdictions but also complies with the amendments to the Exchange Act.

Some commentators have suggested that the amendments to the Exchange Act prohibit anyone from accessing healthcare data from outside the continental United States, its territories, or Canada. However, a plain text reading of the law does not support this interpretation and would conflict with the VDI service delivery model. Furthermore, the bill’s legislative history repeatedly refers to data “storage.” It does not mention “accessing” patient data except to describe the technology used to store information subject to the new storage requirements. If the Florida legislature had intended to place geographical restrictions on the ability of an individual to access health care data, it could have done so explicitly, but it did not. Nothing in the law’s text suggests that technology service providers are prohibited from maintaining backup copies of patient data offshore; the law just requires that the physical data be contained within the continental U.S., its territories, or Canada.

Let Us Help Ensure Your Legal Compliance Today

A health law attorney at Kramer, Green, Zuckerman, Greene & Buchsbaum, P.A. stands ready to help ensure compliance with all applicable laws as you operate your healthcare facility. We understand how hard you have worked to build your business, and our goal is to protect and advocate for you and your business to the greatest extent possible. Contact our office today at (954) 966-2112 or reach out to us online to schedule a time to discuss your legal compliance issues with our attorneys.
