State privacy patchwork grows
Oklahoma’s incoming privacy bill and Florida’s ban on offshore storage for health data underscore a messy, state-by-state compliance landscape—Oklahoma exempts HIPAA-covered entities while Florida forces U.S.-based storage for resident health data. Consumer health apps must build location-aware compliance and clear user-facing explanations for where data is stored.
Senate Bill 546 applies to controllers or processors that handle the personal data of at least 100,000 Oklahoma consumers, or the data of at least 25,000 consumers if the controller derives 50% or more of gross revenue from selling data. (iapp.org) The Oklahoma text builds in data‑subject rights (access, correction, deletion), opt‑outs for targeted advertising and data sales, and a requirement for data protection assessments for specified high‑risk processing activities. (iapp.org) SB 546 contains standard entity‑level carve‑outs that would exempt HIPAA‑covered entities, GLBA‑regulated financial institutions, non‑profits and governmental bodies from the statute’s obligations. (stateofsurveillance.org) The bill, as reported, gives exclusive civil enforcement to the Oklahoma Attorney General and preserves a 30‑day cure period for violations; the legislature set the statutory effective date as January 1, 2027 if the governor signs. (iapp.org)

Florida’s CS/CS/SB 264 (Chapter 2023‑33), effective July 1, 2023, amended the Florida Electronic Health Records Exchange Act to require qualifying health‑care providers that “utilize” certified EHR technology to ensure offsite patient records are physically maintained only within the continental U.S., its territories or Canada. (mintz.com) The Florida amendments require qualifying licensees to submit signed affidavits on initial licensure and renewals attesting compliance with the storage rule, and the Agency for Health Care Administration may pursue disciplinary action for noncompliance. (natlawreview.com) Florida’s law explicitly pulls vendors and cloud service providers into scope for providers that rely on them, and legal commentary since enactment has advised providers to add contractual residency clauses, audit rights, and technical controls to keep primary records and backups within the allowed geographies. (manatt.com)

Operationally, consumer health apps that are not HIPAA‑covered but meet Oklahoma’s numeric thresholds will fall under SB 546’s notice, assessment and opt‑out rules, while integrations with Florida CEHRT customers will trigger data‑residency, attestation and vendor‑contract obligations—requiring per‑resident routing, segmented storage, updated privacy notices, and vendor attestations/audit trails. (iapp.org)
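The per‑resident routing and audit‑trail controls described above can be expressed as a small policy layer. The following is an added example written for this brief, not code from any of the cited sources or from either statute: it encodes the SB 546 thresholds and entity carve‑outs exactly as the brief states them, and enforces the Florida residency rule by mapping a hosting region to a geography before a write is allowed, failing closed on unknown regions and logging every decision. The region identifiers, the `Organization`/`HealthRecord` fields and the geography labels are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# ---- Oklahoma SB 546 applicability (thresholds and carve-outs as stated in the brief) ----

SB546_CONSUMER_THRESHOLD = 100_000   # personal data of at least 100,000 Oklahoma consumers
SB546_REDUCED_THRESHOLD = 25_000     # at least 25,000 consumers if 50%+ of gross revenue is from data sales
SB546_SALE_REVENUE_SHARE = 0.50
SB546_EXEMPT_ENTITY_TYPES = {        # entity-level carve-outs named in the brief (labels are assumed)
    "hipaa_covered_entity",
    "glba_financial_institution",
    "nonprofit",
    "governmental_body",
}


@dataclass(frozen=True)
class Organization:
    oklahoma_consumers: int           # Oklahoma consumers whose personal data is handled
    data_sale_revenue_share: float    # fraction of gross revenue derived from selling data
    entity_type: str = "commercial"   # assumed label; compared against SB546_EXEMPT_ENTITY_TYPES


def sb546_applies(org: Organization) -> bool:
    """True when the organization is inside SB 546's numeric thresholds and not carved out."""
    if org.entity_type in SB546_EXEMPT_ENTITY_TYPES:
        return False
    if org.oklahoma_consumers >= SB546_CONSUMER_THRESHOLD:
        return True
    return (org.oklahoma_consumers >= SB546_REDUCED_THRESHOLD
            and org.data_sale_revenue_share >= SB546_SALE_REVENUE_SHARE)


# ---- Florida data residency for records tied to CEHRT providers ----

# Geographies the brief lists as permitted for offsite patient records.
FLORIDA_ALLOWED_GEOGRAPHIES = {"us_continental", "us_territory", "canada"}

# Assumed mapping from hosting region identifiers (constructed names, not any
# particular provider's) to the geography in which the data physically sits.
REGION_GEOGRAPHY = {
    "us-east": "us_continental",
    "us-west": "us_continental",
    "us-pr": "us_territory",
    "ca-central": "canada",
    "eu-west": "europe",
    "ap-south": "asia",
}


@dataclass(frozen=True)
class HealthRecord:
    record_id: str
    kind: str                     # "primary" or "backup"; both are routed the same way
    florida_cehrt_scope: bool     # True when the record comes from a Florida CEHRT customer


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def residency_check(record: HealthRecord, region: str) -> Decision:
    """Decide whether `region` may hold `record`. Unknown regions fail closed."""
    geography = REGION_GEOGRAPHY.get(region)
    if geography is None:
        return Decision(False, f"unknown region {region!r}; refusing to store")
    if not record.florida_cehrt_scope:
        return Decision(True, "record not subject to the Florida residency rule")
    if geography in FLORIDA_ALLOWED_GEOGRAPHIES:
        return Decision(True, f"{region} is in permitted geography {geography}")
    return Decision(False, f"{region} is in {geography}, outside the permitted geographies")


AUDIT_TRAIL: list = []   # one entry per evaluated (record, region) pair


def route_write(record: HealthRecord, candidate_regions: list) -> Optional[str]:
    """Return the first candidate region that passes the residency check, or None.

    Every evaluation is appended to AUDIT_TRAIL so the vendor can later show
    which regions were considered for a record and why each was accepted or rejected.
    """
    for region in candidate_regions:
        decision = residency_check(record, region)
        AUDIT_TRAIL.append({
            "record_id": record.record_id,
            "kind": record.kind,
            "region": region,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        if decision.allowed:
            return region
    return None


if __name__ == "__main__":
    app = Organization(oklahoma_consumers=30_000, data_sale_revenue_share=0.6)
    print("SB 546 applies:", sb546_applies(app))
    backup = HealthRecord("rec-42", "backup", florida_cehrt_scope=True)  # constructed sample
    print("chosen region:", route_write(backup, ["eu-west", "ap-south", "us-east"]))
    for entry in AUDIT_TRAIL:
        print(entry)
```

The backup record is treated exactly like a primary record, which is the point the legal commentary cited above makes about keeping backups inside the allowed geographies; the audit entries are what a vendor would hand over when a provider exercises the contractual audit rights the brief mentions.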