On May 13, 2025, the Michigan House of Representatives passed House Bill 4242, introduced by Representative Jamie Thompson (R), to bolster protections for residents’ health data by requiring that electronic medical records (EMRs) be stored within the United States or Canada.
The bill specifically aims to protect sensitive health information from foreign entities designated as threats to national security, including China, Russia, Iran, North Korea, Cuba, Venezuela (under Nicolás Maduro), and Syria. Under the proposed legislation, healthcare providers and any third-party vendors managing EMRs off-site must ensure that the data is stored in physical or virtual environments located within U.S. states or Canadian provinces.
Violations due to gross negligence or willful misconduct could result in fines of up to $10,000. This legislation comes in response to rising cybersecurity threats and an alarming trend of health data breaches. Over 700 large healthcare breaches were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights in 2023 and 2024.
While HIPAA currently mandates safeguards for the confidentiality and integrity of electronic protected health information, it does not restrict data storage to domestic servers, which this bill seeks to address. HB 4242 is part of a broader legislative package (House Bills 4233–4235 and 4238–4242) designed to limit foreign influence and enhance data security across Michigan, and will now move forward to the Michigan Senate for consideration.
According to Rep. Jamie Thompson, “People in communities I represent and in Michigan should have peace of mind knowing sensitive information within their medical records isn’t at risk. We have seen breaches in our state that expose this type of data and impact tens of thousands of patients through insurance fraud and identity theft. If these breaches come from a foreign adversary of the United States, the fallout could be profound. In addition, the lack of trust resulting from a privacy breach can cause patients to potentially withhold serious information that may help get them needed care. As a licensed practical nurse, I find this element very concerning as well.”
If passed by the Senate, the bill will proceed to the governor’s desk for signature into law. Critically evaluating the future implications, the bill sets a precedent for states taking data localization into their own hands, stepping beyond federal HIPAA requirements, which do not mandate domestic storage. If signed into law, healthcare providers and third-party vendors will need to reassess their cloud infrastructure and data management contracts to ensure compliance, potentially leading to increased operational costs or transitions away from global service providers based in non-compliant jurisdictions.
This may also raise legal and logistical questions about interstate and cross-border health data exchange, especially for multi-state health systems. Moreover, while the bill seeks to limit foreign cyber threats, its effectiveness depends on the enforceability of the proposed $10,000 fines and the ability to monitor off-site storage practices. The legislative momentum behind HB 4242, paired with related bills targeting foreign influence, signals that data sovereignty and cybersecurity are becoming central to state-level health policy, potentially prompting similar legislative efforts in other states.
As the Senate reviews the bill, stakeholders, including healthcare organizations, IT providers, and civil liberties advocates, will likely weigh in on both the privacy benefits and the practical burdens of enforcing such a geographic data storage mandate.
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
In 2025, states are prioritizing several key public health issues including containing and preventing infectious diseases (such as improving vaccine access and managing outbreaks), maternal and child health (expanding mental health services and reducing maternal mortality), strengthening the healthcare workforce (addressing shortages and modernizing licensing), and substance misuse and overdose prevention (expanding harm reduction and access to opioid antagonists).
Many states continue to focus on healthcare affordability by regulating pharmacy benefit managers (PBMs), increasing price transparency, and expanding Medicaid coverage.
States are exploring funding to recruit and retain healthcare workers, modifying professional licensing requirements, and incorporating technology such as artificial intelligence to ease workloads. Some states are also expanding licensing for midwives, doulas, and community health workers to bolster rural healthcare access.