Florida Bans Offshore Storage of Electronic Health Records; Texas Data Privacy and Security Act Approved

In May 2023, the Florida Legislature approved an amendment to the Florida Electronic Health Records Exchange Act. Healthcare providers that use certified electronic health record technology are now prohibited from storing electronic health records anywhere other than the continental United States, its territories, or Canada. The restriction also covers patient data held by a third-party or subcontracted computing provider or cloud computing service, which must likewise keep the information in the continental United States, its territories, or Canada. Once the ban takes effect, offshore vendors can no longer be used or given access to patient data, because the amendment also prohibits accessing, retrieving, or transmitting patient information from any location outside the United States, its territories, or Canada. All healthcare providers subject to the Florida Electronic Health Records Exchange Act must comply with the amended law by July 1, 2023.

“Certified electronic health record technology” means “a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting the requirements under s. 3004 of such Act which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.”

“Qualified electronic health record” means “an electronic record of health-related information on an individual that includes patient demographic and clinical health information, such as medical history and problem lists, and has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.”

Covered healthcare providers include hospitals, ambulatory surgical centers, pharmacies, home health agencies, hospices, laboratories, mental health treatment facilities, substance abuse treatment services, and licensed healthcare professionals such as physicians, nurses, therapists, dentists, massage therapists, and podiatrists.

Healthcare organizations should carry out a review to establish every location where patient health information is stored, including backups and replicas, to confirm that they are compliant. When a cloud provider is used to store patient data, the data centers involved must be located in a permitted region. Where third parties such as managed service providers, IT support firms, appointment scheduling services, and other vendors are engaged, they, and any subcontractors they rely on, must be contractually prohibited from storing or accessing patient data outside the United States, its territories, or Canada. Because the amendment also restricts access, a vendor whose data center is in the United States but whose support staff access records from offshore offices does not satisfy the requirement.

If the review finds that patient information is stored in or accessed from a prohibited location, steps should be taken promptly to migrate the data to a compliant storage location and to block access from prohibited locations before the compliance deadline.

Texas Data Privacy and Security Act Passed

The Texas Legislature has passed the Texas Data Privacy and Security Act. The bill now awaits the signature of Texas Governor Greg Abbott. California and Virginia already have comprehensive data privacy laws in effect, and the laws of Connecticut, Colorado, and Utah take effect later this year. Data privacy laws have also been passed in Iowa, Indiana, Florida, Montana, Washington, and Tennessee this year.

The Texas Data Privacy and Security Act uses a broad definition of personal data: any information that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data that can be combined with other information to identify an individual. The law applies to any person that conducts business in Texas or produces products or services consumed by Texas residents, and that processes or engages in the sale of personal data. A ‘sale’ is any disclosure of personal data for monetary or other valuable consideration.

There is no revenue threshold or minimum volume of data processing. Small businesses, as defined by the United States Small Business Administration, are exempt, but they must still obtain consent before selling the sensitive data of Texas residents. Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), non-profits, and institutions of higher education are also exempt from the Act.

Data controllers must obtain consent before processing a consumer’s sensitive data. Sensitive data includes any information that reveals a person’s mental or physical health diagnosis, racial or ethnic origin, religious beliefs, sexuality, or citizenship or immigration status, as well as genetic or biometric data processed to uniquely identify an individual, personal data collected from a known child, and precise geolocation data (location within a radius of 1,750 feet). The sale of sensitive data is permitted only if the organization’s privacy notice specifically tells consumers that sensitive data will be sold. Companies may not obtain consent through ‘dark patterns’, that is, user interfaces designed or manipulated to subvert or impair user autonomy, decision-making, or choice.

The Texas Data Privacy and Security Act gives consumers new rights over their personal data:

The right to confirm whether a controller is processing their personal data and to access that data
The right to correct inaccuracies in their personal data
The right to have their personal data deleted
The right to obtain a portable copy of their personal data
The right to opt out of processing for (a) targeted advertising, (b) the sale of their personal data, and (c) profiling that produces legal or similarly significant effects.

All data controllers must conduct data protection assessments of processing activities that involve the sale of personal data, targeted advertising, profiling, sensitive data, or any other activity that presents a heightened risk of harm to consumers.

The Texas Attorney General will enforce the law, and data controllers and processors will have a 30-day period to cure any violation. If corrective action is not taken within those 30 days, civil penalties of up to $7,500 per violation may be imposed, plus reasonable attorney’s fees and costs. Once signed into law, most provisions of the Texas Data Privacy and Security Act will have a compliance date of March 1, 2024; the provisions on honoring opt-out preference signals do not take effect until January 1, 2025.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone