(l-r) Brooke Daniels, Joseph Kendall, and Dania Slim of Pillsbury Winthrop Shaw Pittman. Courtesy photos

A new law requires Florida health care providers that utilize certified electronic health record technology to ensure that certain patient information be physically maintained in the continental United States, its territories or Canada. The recent amendment to the Florida Electronic Health Record Exchange Act (the Exchange Act) casts a broad net regarding the information subject to the new requirement, stating it applies to "all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services." The extensive reach of the new law is clear from the provision that the storage requirements apply to all qualified electronic health records stored "using any technology that can allow information to be electronically retrieved, accessed or transmitted." The law went into effect July 1.

Florida health care providers that utilize such technology should review their information security programs and their contracts with technology service providers to determine whether those programs and contracts require changes, or whether the health care providers need to require the technology service providers (and any of their subcontractors) to physically maintain patient information in the continental United States, its territories or Canada. The new law requires that each provider sign an affidavit at the time of their initial application for licensure, and upon any renewal applications, attesting under penalty of perjury as to their compliance with these requirements.