Florida PBM Audits Ensnare Self-Insured Employer Health Plans

April 29, 2025, 9:15 AM UTC

A Florida law requiring prescription drug middlemen to turn patients’ personal health information over to the state is creating a legal bind for employers that are typically not subject to state health plan regulation.

Florida’s Prescription Drug Reform Act of 2023 mandates that pharmacy benefit managers—which administer drug benefits for health insurers—comply with a range of transparency and payment requirements. The Florida Office of Insurance Regulation requires PBMs to submit detailed claims data as part of regular state audits under the law.

The inclusion of protected health information like patient names and birthdates in these audits is alarming privacy advocates, given the state’s restrictive laws on abortion and gender-affirming care. Self-insured employers face an additional dilemma, since Florida’s law could be preempted by the federal Employee Retirement Income Security Act that typically regulates plans that pay their own medical claims. State laws, by contrast, usually regulate fully insured employers that defer medical bills to the insurance company.

“In my view, to give the state a whole bunch of PHI under a statute that’s probably preempted is probably riskier than risking the ire of the state for refusing to do it,” said Roberta Casper Watson, a partner with the Wagner Law Group.

It’s also a twist in the ongoing saga over whether employers or third-party service providers like PBMs control self-insured plans’ data. A number of employers have sued insurance companies and PBMs over data access, while workers are alleging employees have breached their fiduciary duty by not monitoring their medical costs.

The three major PBMs—CVS Caremark, Express Scripts, and Optum—are taking different approaches to Florida’s law, benefits lawyers said, but some seem to be allowing self-insured employers to opt out of sharing the data.

CVS declined to comment. Express Scripts and Optum did not respond to requests for comment.

Florida is the latest state testing ERISA’s preemption limits when it comes to PBMs, after the US Supreme Court upheld an Arkansas law regulating PBMs’ payments to pharmacies. A union plan serving members of the International Brotherhood of Teamsters is challenging another Arkansas statute allowing the state to review and increase a PBM’s pharmacy payments. The Supreme Court is also considering taking up a challenge to a similar law from Oklahoma.

The laws aim to inject transparency into PBMs’ business model and outlaw what critics say are bad tactics, but PBMs say they offer employers a variety of coverage and data access options.

Bipartisan legislation in Congress has been stymied by broader partisan rifts on spending and other health policies, leaving a patchwork of state laws and questions about they’re preempted by ERISA.

“What we really need is a federal bill,” said Anne Tyler Hall, a managing partner at Hall Benefits Law. The firm advised its client, an employer, to not provide the data and refer the state to its attorneys. Hall declined to say which company she represented.

Privacy Concerns

The Health Insurance Portability and Accountability Act permits disclosures of protected health information if a government entity requires it, but attorneys worry that safe harbor might not apply if Florida’s law is preempted by ERISA. Adding to the uncertainty, the Florida Office of Insurance Regulation didn’t explain why it needs the PHI.

“It’s not automatically problematic, but there’s a concern that with the amount of detail the OIR is requesting—and the inability or the decision by the OIR to not specify why it needs that level of detail—that doesn’t fit squarely within that exception,” said Ryan Temme, a principal with Groom Law Group.

Compelling self-insured plans to turn over data runs afoul of the Supreme Court’s 2016 decision in Gobeille v. Liberty Mutual Insurance Co., the American Benefits Council said in a February letter to Florida Insurance Commissioner Michael Yaworsky. The decision said that Vermont could not force health insurers to share data for the state’s all-payer claims database.

ABC said the “extraordinarily sensitive” information requested by the state was not necessary to comply with the law, and added it was afraid that Florida did not have the proper controls in place to protect the data.

“As ‘health plans’ under HIPAA, self-insured, ERISA-covered health plans must adhere to complex disclosure and authorization requirements,” ABC wrote. “Notably, those requirements do not appear (based on the state’s PBM licensure statute) to permit disclosure in this instance.”

Still, the legal threat over privacy violations is likely minimal if employers and PBMs do turn over the data, said Kirk Nahra, a partner at Wilmer Cutler Pickering Hale and Dorr LLP. Patients cannot sue under HIPAA, and it’s unlikely that the federal Health and Human Services Office for Civil Rights—which enforces HIPAA—would pursue a case against an employer for attempting to comply with a state law.

Patients could argue other claims against plans that turn over data, like negligence or a breach of fiduciary duty under ERISA. But plans could still point to the state’s requirement as a shield.

“That’s not impossible,” he said of potential lawsuits, “but seems pretty far-fetched.”

Florida’s OIR did not respond to questions from Bloomberg Law, including why the agency can’t perform audits with de-identified data.

The agency said in a March memo that it was “pleased” with the industry’s emphasis on data security, but reiterated that all PBMs were “required to provide all of the requested data and information, in an unredacted, unaltered format, and make access to records freely available to the contracted examiners in accordance with Florida law.”

The state does not appear to have penalized any companies yet, even though it has acknowledged that “certain PBMs have not fully complied.” No company has sued the state over the law yet either, and Temme said litigation will likely depend on how far the state goes on enforcement.

“The state is taking a pretty aggressive view of its authority with respect to self-insured plans, and I think that can always create an impetus to sue,” he said.

To contact the reporter on this story: Lauren Clason in Washington at lclason@bloombergindustry.com

To contact the editors responsible for this story: Rebekah Mintzer at rmintzer@bloombergindustry.com; Alex Ruoff at aruoff@bloombergindustry.com

Learn more about Bloomberg Law or Log In to keep reading:

Learn About Bloomberg Law

AI-powered legal analytics, workflow tools and premium legal & business news.

Already a subscriber?

Log in to keep reading or access research tools.