64K-1.008. Electronic Health Recordkeeping System Integration


Effective on Tuesday, August 8, 2023
  • (1) Definitions.

    (a) “Approved entity” means an eligible entity that has been approved by the department to connect an electronic health recordkeeping system directly to E-FORCSE®.

    (b) “Authorized user” means a health care practitioner as defined in Section 893.055(1)(g), F.S., or his or her designee.

    (c) “Electronic health recordkeeping system” is an electronic or computer-based integrated system used by health care practitioners or providers to create, collect, store, manipulate, exchange, or make available personal health information including, but not limited to, electronic health records, for the delivery of patient care.

    (d) “Electronic health record” is an electronic or digital version of a patient’s medical history, maintained over time and may include all of the key administrative clinical data relevant to that person’s medical care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The electronic health record uses computer hardware and software for the storage, retrieval, sharing and use of health care information and data. The electronic health record must provide audit trail information at the time of the request, including but not limited to facility name; facility identification type; facility identification; facility state; requester first name; requester last name; requester role; requester identification type; requester identification; request date and time; request type; PDMP disclosure identification; patient last name; patient first name; and patient date of birth.

    (e) “Eligible entity” means an organization or entity that operates, provides, or makes available an electronic health recordkeeping system to a health care practitioner or a designee of the practitioner.

    (f) “Provider authentication” means confirmation of the authorized users’ credentials by the eligible entity through the state prescription drug monitoring program and Drug Enforcement Administration (DEA) Registration number, or National provider Identification (NPI) number prior to the release of information or state license number.

    (2) An eligible entity may apply to the department to request and receive information directly from E-FORCSE® through an electronic health recordkeeping system by completing an “Integration Request Form,” DH8024-PDMP, effective 7/2018, incorporated by reference and available at https://www.flrules.org/Gateway/reference.asp?No=Ref-11404 or https://go.bamboohealth.com/ehrrequest.

    (3) Eligible entities and authorized users may retain patient prescription monitoring information in the electronic health recordkeeping system and must ensure that the confidential and exemption information is not inadvertently released or accessed by unauthorized persons or entities. Eligible entities shall comply with all of the following:

    (a) Ensure the provider is authenticated prior to the release of information.

    (b) Log each user’s access to the information. Access logs shall be retained by the practitioner, health care system, or pharmacy for a minimum of four years from the date of access and shall be provided to the department upon request.

    (c) If the user identified in access logs is not the practitioner, the eligible entity shall clearly identify on which practitioner’s behalf the user was accessing information. A practitioner’s designee using an integrated system is required to maintain an active prescription drug monitoring program registration.

    (d) Maintain appropriate administrative, technical, and physical security measures to safeguard against unauthorized access disclosure, or theft of information and shall meet all state and federal requirements for safeguarding protected health information.

    (e) Notify the program manager of any breach in the electronic health record system that may have included E-FORCSE® information within 24 hours of making the determination that a breach occurred. This includes inappropriate access by a prescriber, health care system, or dispenser.

    (4) Only individuals authorized by Sections 893.055 and 893.0551, F.S., who are active registered E-FORCSE® users are authorized to request and receive information directly from E-FORCSE® through an electronic health recordkeeping system.

    (5) Pursuant to Section 893.055(8), F.S., prescribers and dispensers are required to consult the E-FORCSE® database to review a patient’s controlled substance dispensing history prior to prescribing or dispensing a controlled substance to that patient. Review of summary information provided through an electronic health recordkeeping system integration does not meet this requirement.

    (6) The department may suspend or revoke integration approval if an eligible entity or authorized user does not adhere to the department’s terms and conditions, including security and privacy requirements. The department will immediately notify the approved entity or authorized user upon suspension or revocation of approval.

    Rulemaking Authority 893.055 FS. Law Implemented 893.055(7) FS. History–New 1-7-20, Amended 8-8-23.