Florida bans offshore health record storage

Healthcare providers may no longer store electronic health records offshore or rely on third-party vendors who operate offshore and have access to patient data maintained in the U.S.
By Andrea Fox
06:06 PM

Credit: Yuichiro Chino/Getty Images

As of July 1, the Florida Electronic Health Records Act requires that the offsite storage of protected health information be physically maintained in the continental U.S., its territories or Canada.

WHY IT MATTERS

In addition, Florida's Healthcare Licensing Procedures Act will require licensees to sign affidavits attesting that all patient information in qualified electronic health records – which include patient demographic and clinical health information – is being physically maintained in accordance with the amended EHR law.

Of concern are third-party vendors that exist outside of the U.S. and Canada, such as an IT support vendor, EHR company or data entry subcontractor that is able to access qualified patient records stored on servers within the country, according to Michael Sutton, an associate with Sheppard, Mullin, Richter and Hampton, writing in The National Law Review.

Sutton says in his legislative review that the change covers a healthcare vendor's subcontracted computing facilities and any of its cloud service providers based or operating offshore.

He advises qualifying healthcare providers to assess where electronic patient information is stored and whether any third-party vendors outside of the U.S. or Canada, "such as IT support, scheduling support, etc.," have access to patient information.

Many companies, like AWS, for example, allow users to select a region for their data storage or choose a default option.

THE LARGER TREND

Imaging is just one area of healthcare where doctors and patients need fast access to large volumes of patient data.

One example related to the rise of at-home care is the use of portable ultrasounds and mobile x-rays, where large amounts of patient imaging data need to be sent to physicians and radiologists quickly, according to Tim Dawson, chief technical officer at Canon Medical, during a HIMSS23 conversation about data neutrality.

Cloud-based servers have made it possible to lower the cost of data storage and improve the speed of data transmission.

However, software vendors often outsource to subcontractors who may employ data centers located in foreign countries. Even law-abiding offshore entities may not be able to keep up with changing U.S. laws governing patient data storage and security, putting healthcare providers and other organizations subject to HIPAA at risk if a patient data breach occurs.

"CIOs are rightfully concerned about their digital supply chain," Dawson said.

At the same time, software vendors have been using server farms, call centers, transcriptionists, revenue cycle managers and data analytics services located offshore for several years.

The onus is on the healthcare organization to stipulate in its contracts that it does not allow the offshoring of PHI.

ON THE RECORD

"Where there is a conflict, qualifying healthcare providers may need to begin transitioning patient information to new storage locations or take steps to ensure that access to patient information is appropriately limited prior to the Act’s effective date," Sutton said in the legislative review.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
