On May 8, 2023, the Florida Legislature enacted Senate Bill 264 (“SB 264”), which creates new restrictions on licensed Florida health care providers regarding the storage of patient records. The bill became law as of July 1, 2023.

SB 264 states that “[i]n addition to the requirements under 45 C.F.R. part 160 and subparts A and C of part 164 (referring to the HIPAA Information Security Rule), a health care provider that utilizes certified electronic health record technology must ensure that all patient information stored in an offsite physical or virtual environment, including through a third party, or subcontracted computing facility, or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada.”^[1] This requirement will apply to all “qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted.”^[2] The statute does not place the burden of ensuring that such records are kept within the U.S., its territories, or Canada on companies providing the services within the field of electronic health records, but rather on the healthcare providers themselves.

In addition, going forward, any individual, facility, or party applying for, or holding a license under F.S. chapter 408 for the Florida Agency for Health Care Administration (the “AHCA”), as a “licensee” will need to sign an affidavit, either at the time of its initial application for said license, or on any renewal applications, that attests, under penalty of perjury, that the licensee is in compliance with this new statute F.S. 408.051(3), which requires the aforementioned records to be stored physically within the continental United States, its territories, or Canada.^[3] Failure to do so will subject the licensee to disciplinary action by the AHCA.

Under SB 264, the licensee shall also be responsible for ensuring that any person or entity who possesses a controlling interest in any health care facility does not hold, either directly or indirectly, an interest in an entity that has a business relationship with a foreign country of concern or those subject to F.S. 287.135.^[4] “Business relationship” is construed liberally to cover engaging in commerce in any form, including but not limited to “acquiring, developing, maintaining, owning, selling, possessing, leasing, or operating equipment, facilities, personnel, products, services, personal property, real property, military equipment, or any other apparatus of business or commerce.”^[5] Existing licensed health care providers will need to ensure they are compliant with these statutes prior to the renewal of their applications.

Healthcare providers operating in several states including Florida might need to reconfigure their information technology systems to come into compliance with this new law.

---