(1) SHORT TITLE.—This section may be cited as the “Florida Electronic Health Records Exchange Act.”
(2) DEFINITIONS.—As used in this section, the term:(a) “Certified electronic health record technology” means a qualified electronic health record that is certified pursuant to s. 3001(c)(5) of the Public Health Service Act as meeting standards adopted under s. 3004 of such act which are applicable to the type of record involved, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals.
(b) “Cloud computing” has the same meaning as in s. 282.0041. (c) “Electronic health record” means a record of a person’s medical treatment which is created by a licensed health care provider and stored in an interoperable and accessible digital format.
(d) “Health care provider” means any of the following:1. A provider as defined in s. 408.803. 2. A health care practitioner as defined in s. 456.001. 3. A health care professional certified under part IV of chapter 468.
4. A home health aide as defined in s. 400.462. 5. A service provider as defined in s. 394.455 and the service provider’s clinical and nonclinical staff who provide inpatient or outpatient services. 6. A continuing care facility licensed under chapter 651.
7. A pharmacy permitted under chapter 465.
(e) “Health record” means any information, recorded in any form or medium, which relates to the past, present, or future health of an individual for the primary purpose of providing health care and health-related services.
(f) “Identifiable health record” means any health record that identifies the patient or with respect to which there is a reasonable basis to believe the information can be used to identify the patient.
(g) “Patient” means an individual who has sought, is seeking, is undergoing, or has undergone care or treatment in a health care facility or by a health care provider.
(h) “Patient representative” means a parent of a minor patient, a court-appointed guardian for the patient, a health care surrogate, or a person holding a power of attorney or notarized consent appropriately executed by the patient granting permission to a health care facility or health care provider to disclose the patient’s health care information to that person. In the case of a deceased patient, the term also means the personal representative of the estate of the deceased patient; the deceased patient’s surviving spouse, surviving parent, or surviving adult child; the parent or guardian of a surviving minor child of the deceased patient; the attorney for the patient’s surviving spouse, parent, or adult child; or the attorney for the parent or guardian of a surviving minor child.
(i) “Qualified electronic health record” means an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources.
(3) SECURITY AND STORAGE OF PERSONAL MEDICAL INFORMATION.—In addition to the requirements in 45 C.F.R. part 160 and subparts A and C of part 164, a health care provider that utilizes certified electronic health record technology must ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada. This subsection applies to all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted.
(4) EMERGENCY RELEASE OF IDENTIFIABLE HEALTH RECORD.—A health care provider may release or access an identifiable health record of a patient without the patient’s consent for use in the treatment of the patient for an emergency medical condition, as defined in s. 395.002(8), when the health care provider is unable to obtain the patient’s consent or the consent of the patient representative due to the patient’s condition or the nature of the situation requiring immediate medical attention. A health care provider who in good faith releases or accesses an identifiable health record of a patient in any form or medium under this subsection is immune from civil liability for accessing or releasing an identifiable health record. (5) HOSPITAL DATA.—A hospital as defined in s. 395.002(12) which maintains certified electronic health record technology must make available admit, transfer, and discharge data to the agency’s Florida Health Information Exchange program for the purpose of supporting public health data registries and patient care coordination. The agency may adopt rules to implement this subsection. (6) UNIVERSAL PATIENT AUTHORIZATION FORM.—(a) By July 1, 2010, the agency shall develop forms in both paper and electronic formats which may be used by a health care provider to document patient authorization for the use or release, in any form or medium, of an identifiable health record.
(b) The agency shall adopt by rule the authorization form and accompanying instructions and make the authorization form available on the agency’s website, pursuant to s. 408.05. (c) A health care provider receiving an authorization form containing a request for the release of an identifiable health record shall accept the form as a valid authorization to release an identifiable health record. A health care provider may elect to accept the authorization form in either electronic or paper format or both. The individual or entity that submits the authorization form containing a request for the release of an identifiable health record shall determine which format is accepted by the health care provider prior to submitting the form.
(d) An individual or entity that submits a request for an identifiable health record is not required under this section to use the authorization form adopted and distributed by the agency.
(e) The exchange by a health care provider of an identifiable health record upon receipt of an authorization form completed and submitted in accordance with agency instructions creates a rebuttable presumption that the release of the identifiable health record was appropriate. A health care provider that releases an identifiable health record in reliance on the information provided to the health care provider on a properly completed authorization form does not violate any right of confidentiality and is immune from civil liability for accessing or releasing an identifiable health record under this subsection.
(f) A health care provider that exchanges an identifiable health record upon receipt of an authorization form shall not be deemed to have violated or waived any privilege protected under the statutory or common law of this state.
(7) PENALTIES.—A person who does any of the following may be liable to the patient or a health care provider that has released an identifiable health record in reliance on an authorization form presented to the health care provider by the person for compensatory damages caused by an unauthorized release, plus reasonable attorney’s fees and costs:(a) Forges a signature on an authorization form or materially alters the authorization form of another person without the person’s authorization; or
(b) Obtains an authorization form or an identifiable health record of another person under false pretenses.