New FL Law Bans Offshoring Certain Patient Data & Business Relationships with Specific Countries

Health Highlights

A first-of-its-kind Florida law requires health care providers to keep certain patient data within the United States, its territories or Canada.

The Overview

Effective July 1, under Senate Bill 264—recently passed and signed into law by Governor DeSantis—health care providers and their vendors in Florida are not permitted to offshore certain patient data and will be further restricted from ownership by certain designated foreign countries. The Florida Electronic Health Records Exchange Act (the Act) has been amended to require most Florida health care providers who utilize certified electronic health record technology (CEHRT) to store all patient information, whether stored physically or virtually, in the United States, its territories or Canada. This applies to any third-party or subcontracted computing facility or cloud computing service provider used by the health care provider.

A new provision of the licensure law requires that health care providers subject to this offshoring restriction must attest to their compliance under penalty of perjury when submitting a license application and any renewal.¹

Neither HIPAA nor any other federal health care-related law expressly prohibits patient data from being stored outside of the United States. To date, geographic restrictions on cross-border data transfers and storage have largely been reserved for international privacy laws, such as the European Union’s General Data Protection Regulation.

In addition, in a separate section of the new law, licensed health care providers must also ensure that no person or entity that “possesses a controlling interest” in the entity has a business relationship with a “foreign country of concern”—China, Russia, Iran, North Korea, Cuba, the Venezuelan regime of Nicolás Maduro or Syria. The impact of these new restrictions appears to partially—but not completely—overlap with current rules against doing business with sanctioned persons and entities.²

Who Is Specifically Impacted?

The offshoring restriction applies broadly to all qualified electronic health records that are stored using technology that allows such information to be “electronically retrieved, accessed, or transmitted” by a health care provider subject to the law. Qualified electronic health records integrate patient health-related information and have the capacity to provide tools to support clinical decision-making.

The new law impacts Florida licensed health providers, including individuals such as physicians, dentists, nurses, pharmacists and massage therapists and entities such as nursing homes, home health aides, pharmacies and residential treatment facilities, if they “utilize” certified electronic health records.³

What Does the Law Prohibit?

Health care providers subject to the law will no longer be able to use any vendor that, itself or through a contractor, stores patient data outside of the United States, its territories or Canada. Health care entities and digital health technology providers will need to ensure compliance across all contracted services that work with Florida providers using CEHRT.

What is less clear is whether this law prohibits any health care provider subject to the law from storing patient data offshore, outside of CEHRT. Based on the language of the Act, it is unclear how the utilization of CEHRT will be interpreted. Health care entities should be aware of the potential to implicate any health care provider who broadly touches CEHRT, even if a provider stores patient information that is not certified. Because the offshoring restriction includes all qualified health electronic records that can potentially be electronically retrieved, accessed or transmitted, the new law could also be interpreted as affecting providers who solely store patient information through electronic health records.

What Should Florida Health Care Providers Do?

Health care providers must evaluate their existing relationships with third parties that store their patient data to confirm that neither they nor any of their subcontractors store patient data outside of the United States, its territories or Canada. This evaluation may require health care providers to conduct extensive internal data audits to determine the location of patient data. If their third-party vendors do store such data offshore, health care providers must contact them to see if the data can be moved onshore or determine whether they must terminate their contracts with such vendors and how.

For new vendor relationships, diligence of their third-party vendor’s data storage processes and location must become a critical initial step when evaluating the relationship.

Health care providers must certify to their compliance with this law when they apply for or renew a Florida license. In addition to potential disciplinary action by the AHCA for noncompliance, failure to perform appropriate reviews of their existing or future relationships could result in the submission of a false statement.

Banning Business Relationships With a ‘Foreign Country of Concern’

Entities subject to this restriction must also ensure that a person or entity that “possesses a controlling interest” in the entity does not have a business relationship with China, Russia, Iran, North Korea, Cuba, the Venezuelan regime of Nicolás Maduro or Syria. A person or entity has a controlling interest when they directly or indirectly hold 25 percent or more of the voting interests or profits.

What’s Next

In addition to conducting audits to determine the location of patient data and confirm compliant terms of contract, health care entities in Florida will need to ensure that no person or entity that possesses a controlling interest has a business relationship with a foreign country of concern.

1 Florida Statute Section 408.810(14) and (15).

2 A new section was added to F.S. 287.138.

3 The term “certified electronic health records” refers to qualified electronic health records certified per the federal Public Health Service Act.




© 2023 Manatt, Phelps & Phillips, LLP.
