Florida's Data Residency Law Just Raised the Stakes on Offshore RCM: What CFOs Must Know About SB 264
A 2023 Florida law requires CEHRT data to stay in the continental U.S. Here is what that means for your billing vendor.
A question came in after my recent piece on offshore medical billing and AI: what about Florida specifically? The answer is that Florida has gone further than federal law on data residency, and most healthcare CFOs and RCM leaders in the state do not know it yet. If your billing vendor accesses patient records from outside the continental United States, you may already have a compliance problem under Florida statute, regardless of what your business associate agreement says.
[Image: Two-column comparison card showing federal CMS offshore RCM allowance versus Florida SB 264 data residency mandate.]
What Florida Senate Bill 264 Actually Says
Florida Senate Bill 264 passed in the 2023 legislative session. The bill is broad, covering foreign land acquisition restrictions, governmental contracting prohibitions, and data sovereignty requirements. The sections most directly relevant to healthcare revenue cycle operations are the amendments to Section 408.051 and Section 408.810 of the Florida Statutes.
Section 408.051 amends the Florida Electronic Health Records Exchange Act. It defines the terms "cloud computing" and "health care provider" and then adds a data residency mandate: any healthcare provider that utilizes certified electronic health record technology (CEHRT) must ensure that certain patient information is maintained in the continental United States. The provision explicitly covers third-party and subcontracted computing facilities, including entities providing cloud computing services.
Section 408.810 adds an enforcement layer. Licensees in Florida, which includes hospitals and clinics, must now sign an affidavit under penalty of perjury upon initial license application and at each renewal, confirming they are in compliance with these data residency requirements. The Agency for Health Care Administration is authorized to take disciplinary action for non-compliance.
These are not proposed rules or agency guidance. They are enacted statute, signed into law.
The CEHRT Connection: Why This Reaches Into Your RCM Operation
The key phrase in Section 408.051 is "certified electronic health record technology." CEHRT is the technical standard that most major hospital EHR systems must meet to participate in CMS quality reporting programs. Epic, Oracle Health, Meditech, and most enterprise EHR platforms are CEHRT-certified. If your organization uses a CEHRT-compliant EHR, the data residency mandate applies to you.
Here is where the RCM implication becomes direct. Medical coding, claims processing, denial management, and accounts receivable follow-up all require access to clinical documentation. Coders need to read physician notes, operative reports, and diagnostic documentation to assign accurate ICD-10 and CPT codes. Denial appeals require pulling the original clinical record to build a clinical justification. These are not peripheral functions. They are core RCM activities that require access to the patient record held in your CEHRT-compliant system.
If those access functions are performed by staff located outside the continental United States, the patient data is effectively being accessed from offshore, regardless of where the server sits. The data residency mandate requires that information be maintained in the continental United States. Whether "access from offshore" constitutes a violation of a residency requirement is a compliance interpretation question that your legal and compliance teams need to evaluate. But the compliance risk is not theoretical. It is the kind of ambiguity that generates AHCA audit exposure, particularly at license renewal when your organization must sign the affidavit under penalty of perjury.
I want to be precise here: the statute says "maintained in the continental United States." It does not use the phrase "accessed only from the continental United States." The access risk is a compliance interpretation, not explicit statutory language. What is explicit is the storage mandate and the affidavit requirement. Whether your offshore vendor's remote access to a domestically hosted system constitutes a violation depends on how AHCA interprets "maintained" in enforcement. That is exactly the kind of ambiguity that creates legal exposure at renewal time.
The Part That Catches People Off Guard: The Governmental Contracting Provision
Section 287.138 of the bill gets less attention in healthcare discussions but is worth understanding. It prohibits Florida governmental entities from contracting with vendors that are owned by or have a controlling interest held by entities from specific "foreign countries of concern." The list includes the People's Republic of China, the Russian Federation, Iran, North Korea, Cuba, Venezuela, and Syria.
This provision applies to government contracting, not directly to private hospital vendor relationships. And critically, India and the Philippines, where the majority of offshore RCM work for U.S. clients is performed, are not on the foreign countries of concern list.
That distinction matters for precision. The governmental contracting ban is not what restricts offshore RCM for most Florida health systems. The Section 408.051 CEHRT data residency mandate is the provision with the broadest operational reach, because it applies to any healthcare provider using CEHRT regardless of which country their vendor operates from.
[Image: Three-row table comparing the CMS federal rule, Florida SB 264 Section 408.051, and Florida SB 264 Section 408.810 across focus area and RCM impact.]
Why D-SNP and C-SNP Plans Face a Compounding Compliance Layer
For Medicare Advantage plans operating in Florida, particularly Dual Special Needs Plans and Chronic Special Needs Plans, the compliance picture adds another layer on top of SB 264.
D-SNP members are dual-eligible, receiving both Medicare and Medicaid benefits. C-SNP members have qualifying chronic conditions. Both plan types are administered under contracts with CMS and, in Florida, are subject to oversight by the Agency for Health Care Administration because of their Medicaid integration component. AHCA, as Florida's Medicaid agency, has historically maintained domestic-only preferences in managed care contracts to ensure operational auditability and member protection.
CMS adds its own scrutiny through the lens of Culturally and Linguistically Appropriate Services standards. D-SNP members often have complex dual-eligibility determination questions and benefit coordination needs that require staff with detailed knowledge of how Florida Medicaid and Medicare interact. CMS expects plan operations serving these populations to handle member inquiries with the precision that dual-eligibility complexity demands. That expectation creates informal but real pressure toward domestic operations for functions that touch the member record.
The compounding effect is this: a Florida D-SNP or C-SNP plan running offshore RCM operations is navigating CMS attestation requirements at the federal level, SB 264 data residency requirements at the state level, and AHCA managed care contract expectations simultaneously. Each layer individually has some flexibility. All three together create a compliance environment where offshore RCM is operationally difficult to defend.
From my time on the payer side evaluating how MA plan operations interacted with state Medicaid agencies, the practical reality was that functions touching dual-eligible member data were consistently kept domestic. The regulatory exposure was simply too concentrated to justify the cost savings from offshore operations in that specific population.
What the Affidavit Requirement Means for Your Next Renewal
Section 408.810 is where this becomes personally consequential for healthcare executives. The affidavit requirement at license renewal is signed under penalty of perjury. An administrator or compliance officer who signs that affidavit without having reviewed their organization's RCM vendor arrangements for data residency compliance is accepting personal exposure, not just institutional exposure.
This does not mean the risk is uniformly high. If your RCM vendor operates domestically with U.S.-based staff, you likely have no issue. If your vendor uses a hybrid model with offshore back-end processing, the question is whether patient data from your CEHRT system is being accessed from outside the continental United States in the performance of that work. That question needs a documented answer before the next renewal cycle.
For the AI-enabled RCM transition discussed in my previous article on offshore billing and vendor transparency, there is a practical advantage here. Platforms that perform autonomous coding domestically, with U.S.-based oversight staff managing exceptions, are structurally aligned with SB 264 compliance. The technological shift that is making offshore labor arbitrage economically obsolete is also making domestic compliance less operationally difficult. That alignment is not a coincidence. It reflects the market responding to exactly the kind of regulatory pressure Florida has now codified.
You can read the foundational vendor evaluation framework in Offshore Medical Billing and AI: Who Is Actually Handling Your Revenue Cycle? The questions that article outlines become more urgent in light of the Florida statutory requirements covered here.
[Image: Four-step Florida SB 264 RCM compliance review checklist for healthcare organizations evaluating offshore vendor arrangements.]
What To Do Before Your Next License Renewal
The practical steps here are not complicated, but they do require intentional follow-through.
Start with your RCM vendor contracts. Do those contracts include any representation about where work is performed? Do they address data residency specifically? If the contract is silent on geography, you do not know whether the data residency requirement is being met. Request written confirmation from your vendor describing where staff are located and whether patient data is accessed from outside the continental United States in the performance of work for your organization. Because Section 408.051 explicitly reaches third-party and subcontracted computing facilities, that confirmation should cover your vendor's subcontractors and cloud providers as well, not just the vendor's own staff.
Bring your compliance and legal teams into the vendor review. The affidavit signed at license renewal connects your organization's attestation to your vendor's operational structure. Legal needs to assess whether the current vendor arrangement creates perjury exposure at the next renewal. That is not a hypothetical risk. It is a statutory mechanism.
Document the review. Whether the outcome is a clean bill of compliance or a required remediation, the documentation of the review itself becomes the evidence that your organization took the requirement seriously.
And evaluate the AI transition timeline. If your current RCM vendor relies on offshore labor for coding or back-end processing, the SB 264 environment accelerates the timeline for evaluating AI-enabled domestic alternatives. The compliance pressure and the technological economics are pointing in the same direction.
If you are navigating RCM vendor compliance reviews in Florida or evaluating the offshore-to-domestic transition, HFI Consulting works directly with provider organizations and health plans on revenue cycle due diligence and compliance alignment. Start the conversation at hfi.consulting.
The Broader Signal
Florida is not alone in moving toward data sovereignty requirements for healthcare. The combination of high-profile cybersecurity events, federal scrutiny of foreign country data access, and the AI-driven reshoring trend described in my previous article has created a regulatory environment where the compliance cost of offshore RCM is rising and the economic advantage is shrinking simultaneously.
Florida's SB 264 is specific to Florida licensees and CEHRT users. But the data residency direction it represents is not unique to Florida. CFOs and RCM leaders at health systems in other states should be watching how AHCA interprets and enforces these provisions, because state-level data sovereignty requirements for healthcare are a template other state legislatures may follow.
The organizations that build domestic, AI-enabled RCM operations for compliance reasons today will not need to retool when those requirements arrive elsewhere.
For the denial management and revenue integrity implications of the AI transition, AI in the Revenue Cycle: How Hospitals Are Fighting Back Against Payer Take-Backs covers the operational framework in detail.
P.S. Are you a Florida healthcare CFO or compliance officer who has already had this conversation with legal about SB 264 and your RCM vendors? I am curious how far along the industry is on awareness of this specific provision. Hit reply and tell me what you found when you looked into it.