Florida insurance regulators have requested unusually intrusive data on millions of prescription drugs buried in the state last year. This includes the patients taking the medication, their date of birth and the names of the doctors they saw.
In January, the Florida Insurance Regulation Office sought this information from pharmacy benefits managers such as Optum RX and CVS Health's Caremark at UnitedHealth, a company that oversees prescription drugs for employers and government programs.
It remained unclear why the state ordered so much data to be submitted. In a letter to a benefit manager reviewed by The New York Times, the regulator said the state would request data to see if benefits managers known as PBMS are compliant with state laws of 2023 aimed at lowering drug prices and governing managers.
However, demand has sparked concerns about government overreach and patient privacy.
“For surveillance purposes, no such patient information is needed,” said Sharona Hoffman, a health law and privacy expert at Case Western Reserve University. She added: “You need to worry. Is the government actually trying to get information about reproductive care, transgender care and mental health care?”
Florida's six-week abortion ban, enacted by Republican Gov. Ron DeSantis and the state's Republican-controlled Congress, requires doctors who prescribe abortion pills to omit them directly, rather than by mail. Another Florida law prohibits transgender transition care for minors, making it difficult for adults to seek such care. Last year, judges shattered a key part of the law, but it's still in force while the legal battle passes through the courts.
In theory, the data requested by the state can be used to determine whether a doctor is complying with those laws.
It was also unclear whether any of the benefits managers had complied with the information and took over the state.
Some profit managers and employers who hire them to handle the benefits of workers' prescription drugs have also criticised the state's demands.
The American Benefits Council, a large group of employers, is asking Florida regulators to withdraw an order to take over information. In a letter to the state, counsel wrote that “demand violates the health privacy and security of millions of Floridians,” and that the state did not clearly outline the reasons for its authority or action.
“We have an obligation to work with employees and their data,” Council Chairman Katie Johnson said in an interview.
Shilo Elliott, a spokesman for Florida insurance regulators, said the objections to the state's data request were “from people who clearly don't want to be regulated or those who are monitoring the industry.” She said the firm will “continue to request data in its best interest to protect consumers.”
Rosa Novo, director of administrative benefits for Miami-Dade County Public Schools, which provides health insurance to around 45,000 people, said in an interview that it is unclear why this level of detailed information about patients and their medications is needed while valuing the state's efforts to address drug prices.
“My doctor is the only person you should know about that,” Novo said.
Federal Privacy Act allows profit managers to hand over limited data about individual patients in certain circumstances, such as when regulators are audited. However, experts say Florida's data requests can violate the law as it is so widespread that it exceeds what regulators need to conduct reviews.
Experts say another concern about Florida's demand is that if sensitive patient data is in multiple hands, it increases the risk of violations that could cause information to be stolen.
Elliott, a regulatory spokesman, said those concerns should be addressed to actual health insurance companies that have had countless data breaches that exposed the confidential information of millions of Americans.
Florida data orders were first reported by Bloomberg.
Like other states, Florida already has access to some of the data it seeks, including more information about prescriptions paid through Medicaid. However, that data is generally strictly enclosed and accessible only to staff members who need work.
Profit managers often field requests from government regulators requesting slices of data to conduct an audit or investigation. Such requests typically ask the benefits manager to remove the patient's name and other identification details, or to have a small sample of patient requests.
In comparison, Florida's data request was “pretty vast and unprecedented,” said Joseph Shields, president of a small group of benefits managers.
Florida sought data on Florida residents as well as patients who may have filled their prescriptions during their visit to the state. That request included patients covered through federal Medicare programs and commercial planning through employers regulated under federal law rather than federal law, according to a regulatory letter to one benefit manager reviewed by the Times.
The Prescription Drug Reform Act, a Florida regulator, was used to justify data requests, and therefore imposed new reporting requirements on benefits managers, but it said nothing about the mandate that required such detailed patient information to be taken over. Benefits managers have fought hard in their efforts to scrutinize business practices.
Florida's data request was first reported by Bloomberg.
Patricia Matsuzey contributed a report from Florida.
