This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h7009b.SAC
DATE: 1/18/2022

HOUSE OF REPRESENTATIVES STAFF ANALYSIS

BILL #: HB 7009 PCB GOS 22-05 OGSR/Health Information/Department of Corrections
SPONSOR(S): Government Operations Subcommittee, Shoaf
TIED BILLS:
IDEN./SIM. BILLS:

REFERENCE | ACTION | ANALYST | STAFF DIRECTOR or BUDGET/POLICY CHIEF
Orig. Comm.: Government Operations Subcommittee | 13 Y, 0 N | Landry | Toliver
1) Criminal Justice & Public Safety Subcommittee | 17 Y, 0 N | Mathews | Hall
2) State Affairs Committee | | Landry | Williamson

SUMMARY ANALYSIS

The Open Government Sunset Review Act requires the Legislature to review each public record and each public meeting exemption five years after enactment. If the Legislature does not reenact the exemption, it automatically repeals on October 2nd of the fifth year after enactment.

Federal law provides a right to privacy for health and medical records under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule sets national standards for the use and disclosure of individuals’ health information, called protected health information (PHI), by covered entities. Although an individual’s health and medical records are generally private under HIPAA, there are exceptions which allow disclosure for purposes of promoting health and safety, protecting law enforcement, and assisting in criminal and other types of investigations.

Current law provides a public record exemption for the PHI of an inmate or an offender, and the identity of an inmate or offender upon whom an HIV test has been performed and the subsequent test results held by the Department of Corrections. Such information is confidential and exempt from public records requirements.

This bill saves from repeal the public record exemption, which will repeal on October 2, 2022, if this bill does not become law.
This bill does not appear to have a fiscal impact on state or local governments.

FULL ANALYSIS

I. SUBSTANTIVE ANALYSIS

A. EFFECT OF PROPOSED CHANGES:

Background

Open Government Sunset Review Act

The Open Government Sunset Review Act (Act)[1] sets forth a legislative review process for newly created or substantially amended public record or public meeting exemptions. It requires an automatic repeal of the exemption on October 2nd of the fifth year after creation or substantial amendment, unless the Legislature reenacts the exemption.[2]

The Act provides that a public record or public meeting exemption may be created or maintained only if it serves an identifiable public purpose. In addition, it may be no broader than is necessary to meet one of the following purposes:
- Allow the state or its political subdivisions to effectively and efficiently administer a governmental program, which administration would be significantly impaired without the exemption.
- Protect sensitive personal information that, if released, would be defamatory or would jeopardize an individual’s safety; however, only the identity of an individual may be exempted under this provision.
- Protect trade or business secrets.[3]

If, and only if, in reenacting an exemption that will repeal, the exemption is expanded (essentially creating a new exemption), then a public necessity statement and a two-thirds vote for passage are required.[4] If the exemption is reenacted with grammatical or stylistic changes that do not expand the exemption, if the exemption is narrowed, or if an exception to the exemption is created, then a public necessity statement and a two-thirds vote for passage are not required.

Medical Privacy under Federal Law

Federal law provides a right to privacy for health and medical records. In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA).[5] Among its purposes are the following:
- To provide the ability to transfer and continue health insurance coverage for workers and their families when they change or lose their jobs;
- To reduce health care fraud and abuse;
- To mandate industry-wide standards for health care information on electronic billing and other processes; and
- To require the protection and confidential handling of protected health information.

Under HIPAA, the Secretary of Health and Human Services (HHS) is required to publicize national standards for the electronic exchange, privacy, and security of health information. These standards are collectively known as the Administrative Simplification provisions. HIPAA also required the Secretary of HHS to issue privacy regulations governing individually identifiable health information if Congress did not enact privacy legislation within three years of the act’s passage.[6]

As Congress did not enact the privacy legislation within three years of HIPAA’s passage, the Secretary of HHS developed the HIPAA Privacy Rule, which was first published in 2000 and modified in 2002.[7] The Privacy Rule sets national standards for the use and disclosure of individuals’ health information, called protected health information (PHI), by three types of “covered entities”: health plans,[8] health care clearinghouses,[9] and health care providers[10] who conduct the standard health care transactions electronically.

[1] Section 119.15, F.S.
[2] Section 119.15(3), F.S.
[3] Section 119.15(6)(b), F.S.
[4] Article I, s. 24(c), FLA. CONST.
[5] Pub. L. 104-91 (1996).
[6] Summary of HIPAA Privacy Rule, United States Department of Health and Human Services, May 2003, available at https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html (last visited Jan. 12, 2022).
[7] See 45 C.F.R. Parts 160 and 164, Subparts A and E.
A state agency or department that performs functions that make it a “covered entity” must comply with the HIPAA Privacy Rule.

The HIPAA Privacy Rule defines PHI as individually identifiable health information,[11] held or maintained by a covered entity or its business associates acting for the covered entity, which is transmitted or maintained in any form or medium. This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse.

Although many disclosures about an individual’s health and medical records are private under HIPAA, there are also exceptions which are applicable to health and safety. This includes things such as the protection of the public and members of law enforcement, as well as the furtherance of investigative functions, judicial proceedings, food safety investigation, crime prevention, disease prevention, child abuse, child neglect, domestic violence investigations, school-related health and safety concerns, medical examinations, research, and national security.[12] These exceptions also include correctional facilities,[13] where disclosure of PHI for inmates and other covered individuals is permitted if it is necessary for:
- The provision of health care to such individuals;
- The health and safety of such individuals or other inmates;
- The health and safety of the officers, employees, or others at the correctional institution;
- The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another;
- Law enforcement on the premises of the correctional institution; or
- The administration and maintenance of the safety, security, and good order of the correctional institution.[14]

Under HIPAA, a covered entity that is a correctional institution may use the PHI of individuals who are inmates for any purpose for which such information may be disclosed.[15]

If a state law is contrary to HIPAA, then the latter preempts it and is controlling. However, where state laws are more protective of privacy than HIPAA, the state requirements will remain in effect. HIPAA sets a floor, not a ceiling.[16]

Right to Privacy in Medical Records in Florida

In Florida, citizens have a constitutional right to privacy.[17] This includes information about a patient’s medical records, health condition, treatment, and care, and imposes a high burden on a member of the public or a government agency to obtain this information.[18]

[8] The term “health plan” means an individual or group plan that provides, or pays the cost of, medical care. 45 C.F.R. 160.103.
[9] The term “healthcare clearinghouse” means “a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and ‘value-added’ networks and switches, that [performs one or another function described in the rule.]” 45 C.F.R. 160.103.
[10] The term “health care provider” means “a provider of services..., a provider of medical or health services..., and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” 45 C.F.R. 160.103.
[11] “Personal health information” or “PHI” is defined in 45 CFR 160.103, along with the related definitions of “individually identifiable health information” and “health information.”
[12] See generally 45 C.F.R. 164.512.
[13] 45 C.F.R. 164.512(k)(5)(i).
[14] 45 C.F.R. 164.512(k)(5)(i)(A)-(F).
[15] 45 C.F.R. 164.512(k)(5)(ii).
[16] 45 C.F.R. 160.201-205.
[17] Article I, s. 23, FLA. CONST.
[18] State v. Johnson, 814 So. 2d 390, 393 (Fla. 2002) (noting, “[a] patient’s medical records enjoy a confidential status by virtue of the right to privacy contained in the Florida Constitution, and any attempt on the part of the government to obtain such records must first meet constitutional muster. The right of privacy is not absolute and will yield to compelling governmental interests.”); Fla. Dep’t of Corrs. v. Abril, 969 So. 2d 201, 205-06 (Fla. 2007); State v. Strickling, 164 So. 3d 727, 731 (Fla. 3d DCA 2015).

Along with the constitutional right to privacy, there are also specific statutory provisions which protect an individual’s health and medical records. For example, s. 456.057, F.S., involves the confidentiality of both medical records and communications between a person and his or her doctor, who is the “record owner.”[19] Consistent with the constitutional right of privacy, s. 456.057, F.S., indicates that medical records may not be furnished, and discussions about a patient’s medical condition may not be disclosed, to any person other than the patient or the patient’s legal representative or other health care practitioners and providers involved in the patient’s care or treatment, except upon written authorization from the patient, and subject to limited exceptions.[20]

Current law provides a public record exemption for medical records held by the Florida Department of Corrections (DOC). Section 945.10(1)(a)1., F.S., provides that mental, medical, and substance abuse records of inmates and offenders held by DOC are confidential and exempt from public record requirements.[21] Section 945.10, F.S., also requires DOC to adopt rules to prevent disclosure of such records or information to unauthorized persons.[22]

DOC is a “covered entity” for purposes of the HIPAA Privacy Rule.[23] Further, because DOC creates and maintains hospital records through its licensed hospital, the Reception Medical Center, DOC is a “record owner” subject to ss. 456.057 and 945.10, F.S. Section 945.10, F.S., provides greater privacy protection and is more restrictive than the HIPAA Privacy Rule.

Public Record Exemptions under Review

In 2017, the Legislature amended s. 945.10, F.S., expanding the public records exemption to include the PHI of an inmate or an offender, and the identity of an inmate or offender upon whom a human immunodeficiency virus (HIV) test has been performed and the subsequent test results. Such information is confidential and exempt[24] from public records requirements.

The 2017 public necessity statement[25] for the exemption provides that the Legislature finds that the public record exemption is necessary because:

Allowing protected health information to be publicly disclosed would in some cases cause a conflict with existing federal law and would be a violation of an inmate or offender's privacy under the state constitution. Maintaining the confidentiality of an inmate or offender's HIV testing information is essential to his or her participation in such testing. Thus, the harm from disclosure would outweigh any public benefit derived therefrom. Appropriate records and protected health information are available, however, to various governmental entities in order for them to perform their duties. It is mandatory that prisons function as effectively, efficiently, and nonviolently as possible. To release such information to the public would severely impede that function and would jeopardize the health and safety of those within and outside the prison system.[26]

[19] Chapter 456, F.S., generally governs health professions and occupations, while s. 456.057, F.S., pertains to ownership and control of patient records; reports or copies of records to be furnished; and disclosure of information. The term “record owner” means “any health care practitioner who generates a medical record after making a physical or mental examination of, or administering treatment or dispensing legend drugs to, any person; any health care practitioner to whom records are transferred by a previous records owner; or any health care practitioner’s employer, including, but not limited to, group practices and staff-model health maintenance organizations, provided the employment contract or agreement between the employer and the health care practitioner designates the employer as the records owner.” Section 456.057(1), F.S.
[20] Section 456.057(7)(a), F.S.
[21] Section 945.10(1)(a)1., F.S.
[22] Section 945.10(4), F.S.
[23] See Christie v. Dep’t of Corr., No. 09-2312RP, at 9 (Fla. DOAH, Nov. 2, 2009).
[24] There is a difference between records the Legislature designates as exempt from public record requirements and those the Legislature deems confidential and exempt. A record classified as exempt from public disclosure may be disclosed under certain circumstances. See WFTV, Inc. v. The School Board of Seminole, 874 So.2d 48, 53 (Fla. 5th DCA 2004), review denied 892 So.2d 1015 (Fla. 2004); City of Riviera Beach v. Barfield, 642 So.2d 1135 (Fla. 4th DCA 1994); Williams v. City of Minneola, 575 So.2d 687 (Fla. 5th DCA 1991). If the Legislature designates a record as confidential and exempt from public disclosure, such record may not be released by the custodian of public records to anyone other than the persons or entities specifically designated in statute. See Attorney General Opinion 85-62 (August 1, 1985).
[25] Article I, s. 24(c), FLA. CONST., requires each public record exemption to “state with specificity the public necessity justifying the exemption.”

Pursuant to the Open Government Sunset Review Act, the exemption will repeal on October 2, 2022, unless reenacted by the Legislature.[27]

During the 2021 interim, the House Government Operations Subcommittee conducted an interview with staff from DOC as part of its review under the Open Government Sunset Review Act. Since 2019, the DOC’s Office of Inspector General, which processes a portion of DOC’s requests for public records, asserted the exemption under s. 945.10(1)(a), F.S., for 398 requests out of a total of 800 requests.[28] DOC indicated that the exemption is functioning well, that DOC has not received any complaints regarding the exemption, and that there has not been any litigation involving the exemption since it was enacted in 2017. DOC recommended the exemption be reenacted as is.

Effect of the Bill

The bill amends s. 945.10, F.S., to remove the scheduled repeal date of the public record exemption, thereby maintaining the public record exemption for the PHI of an inmate or an offender, and the identity of an inmate or offender upon whom an HIV test has been performed and the subsequent test results.

B. SECTION DIRECTORY:

Section 1: Amends s. 945.10, F.S., to remove the scheduled repeal date of the public record exemption.
Section 2: Provides an effective date of October 1, 2022.

II. FISCAL ANALYSIS & ECONOMIC IMPACT STATEMENT

A. FISCAL IMPACT ON STATE GOVERNMENT:
1. Revenues: None.
2. Expenditures: None.

B. FISCAL IMPACT ON LOCAL GOVERNMENTS:
1. Revenues: None.
2. Expenditures: None.

C. DIRECT ECONOMIC IMPACT ON PRIVATE SECTOR: None.

D. FISCAL COMMENTS: None.

[26] Chapter 2017-114, L.O.F.
[27] Section 744.2111(5), F.S.
[28] Email from Philip Fowler, Attorney Supervisor-Administration Unit, Florida Department of Corrections (Sep. 29, 2021) (on file with the House Government Operations Subcommittee).

III. COMMENTS

A. CONSTITUTIONAL ISSUES:
1. Applicability of Municipality/County Mandates Provision: Not applicable. The bill does not appear to affect county or municipal governments.
2. Other: None.

B. RULE-MAKING AUTHORITY: None.

C. DRAFTING ISSUES OR OTHER COMMENTS: None.

IV. AMENDMENTS/COMMITTEE SUBSTITUTE CHANGES

None.