Healthcare Companies Should Watch Florida's Data Privacy Bills
The Florida Legislature will once again consider consumer data privacy bills during the 2022 legislative session. Both the House and Senate are considering proposed legislation, designated as HB 9 and SB 1864, respectively. This article discusses wording of the bills as they were introduced. They are likely to change as the legislative session progresses. Following similar laws in other states, both bills provide helpful exemptions for many healthcare entities that are already subject to robust federal health privacy regulations. Because the Health Insurance Portability and Accountability Act of 1996 (HIPAA) generally preempts only those state laws that are contrary to it and provide less protection, a new state law that adds more stringent privacy requirements could require changes to compliance programs absent such a carve-out.
The pending bills contain a number of detailed privacy protections that go beyond HIPAA. For example, HIPAA has no private right of action, but Florida's HB 9 would allow consumers to sue for violations of the law if it passes in its current form. The proposed legislation contains a number of carve-outs that benefit certain healthcare entities. For example, HB 9 does not apply to a long list of data types and entities, including:
- de-identified or aggregate consumer data, which will help companies that need to do data analysis for quality evaluation or benchmarking
- protected health information (PHI) for purposes of HIPAA and its regulations. This will exempt health plan and most provider records
- substance use disorder program information governed by 42 C.F.R. Part 2 (Part 2)
- covered entities and business associates subject to HIPAA, as long as personal information is maintained in the same manner as PHI, not used for targeted advertising with third parties and not sold or shared unless an exception applies
- "qualified service programs" under Part 2, which would be subject to the same restrictions as HIPAA-covered entities and business associates. A challenge with respect to this provision (as well as a similar provision in SB 1864) is that Part 2 does not refer to "qualified services programs." Instead, it governs substance use disorder "programs" and "qualified service organizations," so clarity is needed for this exception
- certain data collected for "research," as defined in the HIPAA rules, or identifiable personal information consistent with the Federal Policy for the Protection of Human Subjects or the human subject protection requirements of the U.S. Food and Drug Administration
- information created for purposes of the federal Health Care Quality Improvement Act of 1986
- patient safety work product for purposes of 42 CFR Part 3
- data that is de-identified in accordance with HIPAA
- information used only for public health activities and numerous other purposes listed in 45 CFR 164.512 of the HIPAA rules, including reporting abuse, health oversight, and judicial and administrative proceedings. Since the bill already carves out HIPAA data, presumably the bill would apply these particular provisions of the HIPAA rules to non-HIPAA data
SB 1864 also contains some of the same exemptions as HB 9. For example, "biometric information" does not include photographs or information used for treatment, payment or "operations" under HIPAA. While the HIPAA rules define "health care operations," it is not clear whether the bill's use of the term "operations" by itself would have the same definition. SB 1864 would not apply to certain data or entities, including PHI governed by HIPAA, patient information under Part 2, certain research, quality or patient safety data, and de-identified PHI.
Next Steps
These bills are not final, and the Florida legislative session is ongoing, so companies handling health-related data should watch these bills carefully. Not all healthcare companies are subject to HIPAA or Part 2. For example, digital health and fitness apps collect a lot of health information and may not be regulated by these federal provisions. Healthcare companies that are outside of HIPAA's jurisdiction will likely need to comply with any comprehensive Florida privacy bill that passes, unless the final bill includes additional exceptions.
Some consumer-directed digital health companies, pharmaceutical manufacturers and other members of the healthcare industry have taken measures to avoid having to comply with HIPAA. To a certain extent, those measures could backfire because those companies will have to comply with an ever-growing list of state consumer data privacy laws. HIPAA, with its carefully drafted rules and plentiful government guidance, could be an easier compliance option.