Does your practice store medical records via an electronic medical records platform?

“As of 2021, nearly 4 in 5 office-based physicians (78%) and nearly all non-federal acute care hospitals (96%) adopted a certified EHR. This marks substantial 10-year progress since 2011 when 28% of hospitals and 34% of physicians had adopted an [electronic medical records platform (“EMR”)]” says the Office of the National Coordinator for Health Information Technology. With a majority of the country’s health care providers creating, accessing, storing, and transmitting personal health information (“PHI”) via the internet of things, the safety of our PHI is at the highest risk of nefarious use by hackers.

As of July 1, 2023, Florida Governor Ron DeSantis signed into law Senate Bill 264. Although the majority of the bill outlines restrictions by foreign actors relating to real property, the end of the bill addresses changes to Florida Statute 408.051, the “Florida Electronic Health Records Exchange Act”.

Section 408.051(3) has been amended to state as follows:

“SECURITY AND STORAGE OF PERSONAL MEDICAL INFORMATION. In addition to the requirements in 45 C.F.R. part 160 and subparts A and C of part 164, a health care provider that utilizes certified electronic health record technology must ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada. This subsection applies to all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted”.

More likely than not, your EMR platform is storing your data either on a physical server overseas or via the cloud, which is controlled by a foreign country (not including Canada). If you are found not to be in compliance, you could be at risk for compensatory damages.

With this change, there are many priority items that must now be taken into consideration if you are to comply with the new law. Although it is unclear if a grace period will be offered, or what position the court will take towards these types of future lawsuits, one thing is for sure: PHI is one of the highest concerns of 2023 from a patient’s perspective.

We’ve seen shifts in PHI access and the simplification of the medical records request procedure under the “21st Century Cures Act”; the federal and state governments are fixed on patient access and safety relating to their PHI.

I’ll leave you with a few questions:

1. Do you know if your EMR platform stores the information via the cloud or at a physical location?
2. When was the last time you updated your patient data privacy practices?
3. Did a healthcare lawyer prepare your policies and procedures relating to PHI?
4. Does your practice use a call center, and is that call center located within the United States, its territories, and/or Canada?