New Florida Bill Bans Storage of Health Records Outside the Continental United States, its Territories, or Canada

By: Carolina Guio


In May 2023, Florida House Bill 264 passed, and it will go into effect on July 1, 2023. The bill has two main parts: the first prohibits offshore health record storage, and the second requires additional ownership disclosures.


Prohibition of Offshore Health Record Storage

The first part of the bill is an update of the Florida Electronic Health Records Exchange Act. This amendment prohibits healthcare providers using certified health record technologies from storing electronic health records outside the continental United States, its territories, or Canada. This prohibition extends to patient data stored through third-party cloud services and subcontracted computing facilities, which must maintain the data in the continental United States, its territories, or Canada.


Once the ban takes effect, it will no longer be possible to use vendors that do not store patient data in the continental United States, its territories, or Canada. All healthcare providers covered by the Florida Electronic Health Records Exchange Act must comply with the law by July 1, 2023. The prohibition applies to all qualified electronic health records stored using any technology that allows information to be electronically retrieved, accessed, or transmitted.


This ban on offshore storage of electronic health records has significant ramifications for healthcare providers and vendors in Florida. It applies both to HIPAA-regulated entities and to healthcare practitioners not covered under HIPAA. Affected entities include hospitals, ambulatory surgery centers, pharmacies, home health agencies, hospices, laboratories, mental health treatment facilities, substance abuse services, and licensed healthcare providers such as physicians, nurses, dentists, therapists, podiatrists, and massage therapists.


Vendors and subcontractors that provide support services, including managed service providers, I.T. support companies, and scheduling support providers, must also abide by this ban. They can only store or access patient information in the continental United States, its territories, or Canada. Healthcare providers must review all agreements with vendors and subcontractors to ensure compliance with the updated law. Healthcare providers should also conduct an audit to confirm the locations where health records are stored, including assessing storage locations, migrating data to specified regions, and establishing strict data access controls. Any contracted third parties that provide support services, and any subcontractors they use, should therefore be prohibited from storing patient information outside the continental United States, its territories, or Canada. The healthcare provider must ensure these prohibitions are reflected in its contracts, business associate agreements, and data processing agreements. Failing to meet the Florida offshore electronic health records storage requirements will put healthcare providers at risk of legal and financial repercussions.


The purpose of the prohibition is to prioritize patient privacy by ensuring that personal health data remains within jurisdictions where privacy and security measures can be enforced. Offshore storage has raised concerns due to potential security breaches and varying data protection standards across countries. By mandating storage within the continental United States, its territories, or Canada, Florida aims to mitigate the risks associated with data breaches, unauthorized access, and potential exploitation of patient information. While these new regulations offer essential benefits such as increased privacy protection and informed decision-making for patients, there are also potential challenges to consider. These include increased costs for healthcare providers, technological limitations, implementation and compliance challenges, and the potential disruption of existing partnerships.


Ownership Disclosure Requirements

Alongside the offshore storage prohibition, Florida House Bill 264 also introduced additional ownership disclosure requirements for healthcare providers. The second part of the bill requires entities licensed by the Agency for Health Care Administration to confirm that no individual or entity with a controlling interest holds, directly or indirectly, an interest in an entity that does business with any foreign country of concern. Foreign countries of concern include the People’s Republic of China, the Russian Federation, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Republic of Cuba, the Venezuelan regime of Nicolás Maduro, and the Syrian Arab Republic, including any agency of or any other entity of significant control of such foreign country of concern. These ownership disclosures aim to enhance transparency and provide patients with a clearer understanding of the affiliations and financial interests involved in their healthcare.


The bill aims to protect patient privacy by keeping health records within the continental United States, its territories, or Canada and promote transparency by requiring ownership disclosures. These changes aim to safeguard patient information, enhance trust between patients and healthcare providers, and improve the overall healthcare system in Florida.



It should be noted that I am not your lawyer (unless you have presently retained my services through a retainer agreement). This post is not intended as legal advice; it is purely educational and informational, and no attorney-client relationship shall result after reading it. Please consult your own attorney for legal advice. If you do not have one and would like to retain my legal services, please contact me using the contact information listed above.

All information and references made to laws, rules, regulations, and advisory opinions were accurate based on the law as it existed at this time, but laws are constantly evolving. Please contact me to be sure that the law which will govern your business is current. Thank you.