Michigan House Passes Bill Requiring Medical Records to be Stored Domestically
The Michigan House of Representatives has passed a bill (HB 4242) that seeks to protect the sensitive health data of state residents from foreign entities of concern by requiring electronic medical records to be stored in the United States or Canada.
If signed into law, Michigan residents will have peace of mind that their sensitive healthcare data will be protected from all foreign entities of concern on the federal watch list, namely the People’s Republic of China, the Russian Federation, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, the Republic of Cuba, the Venezuelan regime of Nicolas Maduro, and the Syrian Arab Republic.
The bill was introduced by Rep. Jamie Thompson (R) and requires licensees that use off-site physical or virtual environments for electronic medical records to ensure that the physical or virtual environment is physically maintained in a U.S. state or Canadian province, including when the medical records are maintained by a third-party medical records company. If passed, healthcare regulatory compliance fines of up to $10,000 can be imposed if a failure to comply was due to gross negligence or willful and wanton misconduct.
“Ensuring our health care record technology is physically maintained in the US or Canada, as my bill does, is a needed step Michigan should take to protect the personal and private health information of people we all represent,” explained Thompson. “Our adversaries abroad frequently try to compromise our national security and access information within our country. We should be updating our laws to reflect this reality and installing commonsense safeguards to protect residents.”
Under federal HIPAA law, healthcare providers are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; however, HIPAA does not require medical records to be maintained in the United States or Canada.
In 2023 and 2024, more than 700 large healthcare data breaches were reported to the HHS’ Office for Civil Rights, with large data breaches reported at a rate of more than two per day. “If these breaches come from a foreign adversary of the United States, the fallout could be profound,” Rep. Thompson said. “In addition, the lack of trust resulting from a privacy breach can cause patients to potentially withhold serious information that may help get them needed care. As a licensed practical nurse, I find this element very concerning as well.”
Several other bills have been introduced with requirements to protect data from foreign influence (House Bills 4233-35 and 4238-42). They include provisions that prevent foreign entities of concern from collecting sensitive information by blocking prohibited apps on government devices; prevent public bodies from entering into constraining agreements with foreign entities of concern; ensure public economic incentives are not awarded to foreign entities of concern; and prevent entities of concern from purchasing land and surveilling military bases and other critical infrastructure. The bills will now be considered by the Senate.

