Florida’s insurance regulator has demanded an unusually intrusive trove of data on millions of prescription drugs filled in the state last year, including the names of patients taking the medications, their dates of birth and doctors they’ve seen.
The Florida Office of Insurance Regulation in January sought this information from pharmacy benefit managers like UnitedHealth’s Optum Rx and CVS Health’s Caremark, companies that oversee prescription drugs for employers and government programs.
It remained unclear why the state was ordering the submission of so much data. In a letter to one benefit manager reviewed by The New York Times, the regulator said the state required the data to review whether the benefit managers, known as P.B.M.s, were compliant with a 2023 state law aimed at lowering drug prices and reining in the managers.
But the demand is sparking concerns about government overreach and patient privacy.
“You don’t need such granular patient information for purposes of oversight,” said Sharona Hoffman, a health law and privacy expert at Case Western Reserve University. She added: “You have to worry: Is the government actually trying to get information about reproductive care or transgender care or mental health care?”
Florida’s six-week abortion ban, enacted by Gov. Ron DeSantis, a Republican, and the state’s Republican-dominated legislature, requires that doctors who prescribe abortion pills dispense them in person, not through the mail. Another Florida law banned transgender transition care for minors and made it harder for adults to seek such care. Last year, a judge struck down key parts of that law, though it is still being enforced while the legal fight makes its way through the courts.
The data requested by the state could, in theory, be used to determine whether physicians are complying with those laws.
It was also unclear whether any of the benefit managers had complied and turned over the information to the state.
Some benefit managers and the employers that hire them to handle prescription drug benefits for their workers have also criticized the state’s demand.
A group of large employers, the American Benefits Council, is asking the Florida regulator to withdraw its order to turn over the information. In a letter to the state, the council’s lawyers wrote that the “demand impermissibly violates the health privacy and security of millions of Floridians,” and that the state had not clearly outlined its authority or reasons for the action.
“We have a duty to employees and their data,” Katy Johnson, the president of the council, said in an interview.
Shiloh Elliott, a spokeswoman for Florida’s insurance regulator, said that objections to the state’s data request “are clearly from those who do not want to be regulated or have any oversight in their industry.” She said the office “will continue to request data in the best interest to protect consumers.”
Rosa Novo, the administrative benefits director for Miami-Dade County Public Schools, which provides health coverage to about 45,000 people, said in an interview that while she appreciated the state’s efforts to address drug prices, it was unclear why it would need this level of detailed information about patients and their medications.
“My doctor is the only one who should know that,” Ms. Novo said.
Federal privacy law allows benefit managers to hand over limited data about individual patients in certain circumstances, such as when regulators are conducting an audit. But, according to experts, Florida’s data request could violate the law because it is so broad and may go beyond what the regulator needs to conduct its review.
Experts said that another concern with Florida’s request is that when sensitive patient data is in multiple hands, it raises the risk of a breach in which the information may be stolen.
Ms. Elliott, the spokeswoman for the regulator, said those concerns “should be addressed to the actual health care insurance companies that have had countless data breaches exposing millions of Americans’ sensitive information.”
Florida’s data order was first reported by Bloomberg.
Like other states, Florida already has access to some of the data it is seeking, such as detailed information about prescriptions that are paid through Medicaid. But that data is generally strictly walled off, accessible only to staff members whose jobs require it.
Benefit managers often field requests from government regulators asking for slices of data to conduct audits or investigations. Such requests typically ask benefit managers to strip out patient names, and other identifying details, or ask for a small sample of patient claims.
By comparison, Florida’s data request was “pretty expansive and unprecedented,” said Joseph Shields, the president of a group of smaller benefit managers, Transparency-Rx.
Florida sought data not only on Florida residents, but also on patients who may have filled a prescription while visiting the state. Its request included patients covered through the federal Medicare program and commercial plans through employers that are regulated under federal law rather than state law, according to the regulator’s letter to one benefit manager reviewed by The Times.
The Prescription Drug Reform Act, the Florida law the regulator used to justify the data request, imposed new reporting requirements on the benefit managers but said nothing about a mandate requiring them to turn over such detailed patient information. Benefit managers have fiercely fought efforts to scrutinize their business practices.
Florida’s data request was first reported by Bloomberg.
Patricia Mazzei contributed reporting from Florida.
