Florida Bans Offshore Storage of Electronic Health Records

Posted by Steve Alder

In May 2023, the Florida Legislature passed an update to the Florida Electronic Health Records Exchange Act that prohibits healthcare providers that use certified health record technologies from storing electronic health records outside the United States, its territories, or Canada. The ban also covers patient information stored through a third-party or subcontracted computing facility or cloud computing service, which must similarly maintain the data in the continental United States, its territories, or Canada. When the ban takes effect it will no longer be possible to use overseas vendors that require access to patient information as the update also bans the access, retrieval, and transmission of patient data from locations outside the United States, its territories, or Canada. All healthcare providers covered by the Florida Electronic Health Records Exchange Act must comply with the updated law by July 1, 2023.

“Certified electronic health record technology” is defined as “a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act, which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.”

“Qualified electronic health record” is defined as “an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.”

Covered healthcare providers include hospitals, ambulatory surgery centers, pharmacies, home health agencies, hospices, laboratories, mental health treatment facilities, substance abuse services, and licensed healthcare providers such as physicians, nurses, dentists, therapists, podiatrists, and massage therapists.

Healthcare providers should conduct an audit to confirm the locations where health records are stored to ensure that they are compliant. If a cloud vendor is used to store patient information, data centers must be located in the specified regions. If contracted third parties are used to provide support services such as managed service providers, IT support companies, scheduling support providers, and other vendors, they, along with any subcontractors they use, should be prohibited from storing or accessing patient information outside of the United States, its territories, or Canada.

If the audit confirms patient data is stored in or is accessed from prohibited locations, steps should be taken immediately to move patient data to a compliant storage location and restrict access from unauthorized locations ahead of the compliance deadline.

The post Florida Bans Offshore Storage of Electronic Health Records appeared first on HIPAA Journal.

Compliancy Group Confirms Trüpp is HIPAA Compliant

Posted by Steve Alder

Compliancy Group has recently assessed Trüpp HR Inc., an HR outsourcing, HR consulting, compensation consulting, and eLearning service provider, and has and has confirmed the company has achieved compliance with the federally mandated standards of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Any vendor that provides services to HIPAA-regulated entities that involve access to or contact with identifiable health information classed as protected health information under HIPAA is classed as a business associate and is required to be HIPAA compliant. Vendors that provide services to the healthcare industry that do not require contact with PHI may choose to ensure that they have appropriate policies and procedures in place that are compliant with HIPAA, to give their healthcare clients peace of mind and differentiate their services.

To achieve compliance with the HIPAA Rules, Trüpp partnered with Compliancy Group and used its proven HIPAA compliance methodology and proprietary HIPAA compliance solution, The Guard, which allows companies to track their progress toward compliance and implement an effective HIPAA compliance program. Through the use of The Guard, Trüpp completed Compliancy Group’s Implementation Program, adhering to the necessary regulatory standards outlined in the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, and the HITECH Act. Compliancy Group’s HIPAA compliance subject matter experts verified Trüpp’s good faith effort to achieve HIPAA compliance and awarded Trüpp the HIPAA Seal of Compliance.

“We are honored to be among the few HR organizations that have achieved HIPAA compliance and pleased to offer this added assurance to our healthcare partners,” said Jean Roque, Trüpp HR President and CEO. “The privacy of our client’s data is of utmost importance at Trüpp, and we are happy to offer this added level of security to all our clients.”

The post Compliancy Group Confirms Trüpp is HIPAA Compliant appeared first on HIPAA Journal.