Offshore Record Storage Ban Creates Challenges for Florida HI Professionals
HIPAA privacy officer Sharon Joseph, MBA, MPH, CNA, recalls meeting with an agency to discuss a project that would require extracting patient data. The firm was based in the US; however, it intended to work with an offshore company to pull the data.
Joseph immediately decided against the collaboration.
“I said, ‘Nope, not going to happen.’ Because we can’t guarantee the protection of our patient information offshore,” says Joseph, who is also a Connecticut-based director of risk and health information at a large, non-profit healthcare organization. “We can’t rely on another country’s privacy protections.”
Offshoring medical information storage and enabling access to such health records outside the US has long raised privacy concerns. Now, a new Florida law is banning the practice, prohibiting healthcare providers from storing electronic health records outside the US, or relying on third-party vendors that operate offshore and have access to patient data maintained in the US.
As of July 1, an amendment to the Florida Electronic Health Records Exchange Act mandates that all storage of protected health records be physically maintained in the US, its territories, or Canada. The new requirement impacts nearly all Florida healthcare providers, including hospitals, clinics, ambulatory surgical centers, nursing homes, labs, pharmacies, and physicians, among others. The ban includes data from qualified electronic health record (EHR) systems stored through a third-party vendor, subcontracted computing facility, or cloud service provider.
The measure was one of three new laws in Florida aimed at counteracting the influence of the Chinese Communist Party in the state, according to Gov. Ron DeSantis. In a statement, DeSantis said the new requirement would “stop sensitive digital data from being stored in China” and “protect digital data from Chinese spies.”
The state does not plan to immediately start reviewing whether health providers are storing health data offshore. Instead, all providers applying for or renewing their licensure with the Florida Agency for Health Care Administration (AHCA) after July 1 must attest under penalty of perjury that all patient information in their EHRs is being maintained in compliance with the new law. If providers fail to comply with the new requirements, they “shall be subject to disciplinary action by the agency,” according to the law.
While many laud the law as useful in tightening privacy protections around EHRs, legal experts say the new regulations are not without challenges for providers and health information (HI) professionals.
“We have seen a number of new state privacy laws this year, adding greater complexity in this area,” says Anna Watterson, JD, a data privacy and information security law expert based in Sacramento, CA. “The Florida law in particular is challenging given the July 1 effective date, and the considerable time it may take for entities that do offshore today to modify those relationships and agreements. In some cases, there may be relatively simple solutions, but in other cases there may be entire functions or critical clinical support areas that are being performed offshore.”
The Risks of Offshoring
The primary risk of offshoring health information storage is the difficulty for US companies to monitor how the data is being used and ensure compliance with US privacy and security standards. Even if vendor contracts mandate compliance, offshore professionals may not have adequate training in US privacy rules or be able to stay updated on the latest changes to the rules.
If a breach occurs, US health providers are likely to be on the hook for HIPAA (Health Insurance Portability and Accountability Act of 1996) violations, even if their facility is HIPAA-compliant.
Offshore entities “aren’t governed by our HIPAA privacy rules,” Joseph says. “So although you might have a business associate agreement in place that governs [the rules] as written in the privacy regulations in the United States, that doesn’t give you much leeway when it’s offshored in another country.”
In some cases, companies aren’t even aware that their health data is being stored or accessed offshore, Joseph says. A provider may hire a vendor based in the US, not knowing the vendor uses a third-party service in a foreign country for certain services. That’s why it’s important for health providers to ask whether any services will be offshored, she stresses.
“Questions need to start being asked, whether it’s beginning a relationship with that third-party vendor or going back and asking a concurrent vendor, ‘Where are our records being stored?’” Joseph says.
Potential Impact of the Law
The law will undoubtedly affect a number of entities and send providers and HI professionals scurrying to identify the new standards and ensure they meet them, says Rosalee Alston-Rivers, MSCHI, RHIA, CCS, president-elect of the Northeast Florida Health Information Management Association (NEFHIMA) Board.
“The financial stress this will place on many different entities will be tremendous,” she says. “Companies that are impacted by this law must scramble and make significant decisions that could have years of backlash. Companies that are using vendors who may have been offshoring health information will have to look into making new partnerships.”
HI professionals may be responsible for helping with reviewing and rewriting the policies and procedures at their workplaces to ensure their company meets the new law requirements, Alston-Rivers says. The employment of some HI professionals may also be negatively impacted by the law, she adds.
“Some health information professionals may lose employment if they work for vendors that lose contracts due to the new laws,” she says. “We have health information professionals that work for release of information companies, IT companies, and small practices that may be unable to abide by the new rules.”
Watterson says the law may also limit certain services offered to vendors, such as some IT support. She adds that the broad language of the statute could be read to apply to all of a covered healthcare provider's patient information, not just patient information stored in certified EHR technology.
Watterson recommends that entities subject to the law immediately start assessing what patient information is stored—or could be accessed and potentially downloaded—by offshore vendors or subcontractors. A good starting point would be major IT vendors, transcription services, and any outsourced functions such as call centers or revenue cycle, she says. Additionally, entities subject to this law should consider any offshore clinical support.
“Contracts should be updated to prohibit the vendor and subcontractors from offshoring data subject to this law,” she says. “Given the July 1 effective date, entities will likely need to prioritize and act with urgency. Additionally, this law requires the healthcare provider to sign an affidavit under penalty of perjury. Health information professionals will want to advise the appropriate leadership within their organization of this requirement ahead of their initial or renewal licensure application.”
While some states prohibit providers enrolled in Medicaid from offshoring health records, experts say Florida appears to be the first to ban the practice altogether. Alaska, Arizona, Ohio, and Wisconsin prohibit the use of offshore Medicaid contractors.
“Florida being the first [state] to really put this into effect, I think you’re going to see a lot of states really looking into this,” Joseph says. “I would imagine other states are going to start following suit within the next several years. It’s really a new learning curve that will require asking questions about offshoring up front and starting now.”
Alicia Gallegos is a freelance healthcare journalist based in the Midwest.