Do Healthcare Providers In Florida Implicitly Agree To Safeguard Their Patients’ PII and PHI?

The Answer May Depend On Venue

When a patient in Florida provides personally identifiable information (“PII”) and protected health information (“PHI”) to her health care provider, is there an implicit agreement between the parties that the provider will safeguard this sensitive information? If litigation over a data breach ensues, the answer may depend on which Florida Federal District Court has venue.?

In Farmer v. Humana, Inc., 582 F. Supp. 3d 1176 (M.D. Fla. 2022), lead Plaintiff Steven Farmer alleged that he had been required to provide PII—including his name, Social Security number, and date of birth—to Humana, Inc., a medical benefit plan provider, when applying to become a Humana member. Roughly two years later, Humana notified Farmer that unauthorized persons had obtained access to a wide variety of the PII and PHI of Humana’s members. Farmer filed a putative class action in which he claimed that he and other unnamed class members had suffered injuries from the data breach.?

Farmer asserted (among others) a claim for Breach of Implied Contract, contending that when he became a Humana member, the parties entered an implied contract in which Humana agreed to safeguard and protect the PII and PHI he entrusted to Humana. Humana moved to dismiss this claim, arguing that Farmer had not adequately alleged the existence of an implied contract.?Analogizing to data breach cases involving merchants that had been entrusted with their customers’ PII which included credit card information, the United States District Court for the Middle District of Florida found that Farmer had adequately alleged the existence of an implied contract. The Court stated:? Where, as here, a person hands over sensitive information, in addition to receiving a . . . service, they presumably expect to receive an implicit assurance that the information will be protected. In that situation, a jury could reasonably conclude . . . that an implicit agreement to safeguard the data is necessary to effectuate the contract.

Id. At 1187 (citations and internal quotation marks omitted). Thus, the Middle District of Florida Court found that Farmer had sufficiently alleged a claim for Breach of Implied Contract.

Under similar facts, the United States District Court for the Southern District of Florida reached the opposite conclusion. In re Mednax Servs., 2022 U.S. Dist. LEXIS 84453 (S.D. Fla. May 10, 2022) concerns a multidistrict litigation (“MDL”) that arose from two data breaches. Id. at *6. The breaches resulted in the alleged disclosure of the PHI and PII of patients of three affiliated healthcare services providers, the Defendants in the various lawsuits transferred to the MDL. Id.?Among others, Plaintiffs asserted a claim for Breach of Implied Contract. Plaintiffs alleged that as part of their agreement with each Defendant, Plaintiffs provided their PII and PHI thus entering an implied contract whereby Defendants became obligated to reasonably safeguard Plaintiffs’ PII and PHI. Plaintiffs further alleged that as part of the treatment provided to Plaintiffs, Defendants accepted the responsibility to safeguard Plaintiff’s PII and PHI and accepted payment from Plaintiffs for the safety and security of their PII and PHI. Id. at *65-66.

Defendants moved to dismiss Plaintiffs’ claim for Breach of Implied Contract. In ruling on the motion, the Court distinguished the same data breach cases involving merchants entrusted with credit card information that the Middle District of Florida Court had relied upon to support its finding in Farmer. The Southern District of Florida Court found that unlike in the merchant/credit card cases, Plaintiffs in Medmax had not alleged an “invitation or solicitation by Defendants indicating that Defendants implicitly assented to secure their PHI and PII in exchange for remuneration.” Id. at *67. The Court further stated: “Plaintiffs’ allegations reveal only that they provided their personal information as required to receive healthcare services from Defendants—not data security services beyond the privacy requirements already imposed on Defendants by federal law.” Id. The Court found that a privacy notice Defendants had provided to Plaintiffs in advance of treatment merely informed Plaintiffs of their rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the provisions of which did not create any contractual duties on the part of Defendants.?

The Court also explicitly acknowledged the decision by the Middle District of Florida Court in Farmer, but “decline[d] to adopt [its] ‘consumer expectation’ theory of contract formation,” finding that “[u]nilateral and subjective expectations in a transaction cannot be inferred to coalesce into the meeting of the minds required to establish an implied contract.” Id. at *69, fn. 20 (citation omitted). Ultimately, the Court in Medmax dismissed Plaintiffs’ Breach of Implied Contract claim, finding that it “cannot infer from Plaintiffs’ allegations the mutual assent and meeting of the minds required to form an implied contract for data security services based on the parties’ conduct.” Id. at 68.

Two cases with similar allegations; two different results. It will be interesting to see how this split among the Florida Federal District Courts is eventually resolved.

Christian Dodd is a civil litigation attorney whose practice is focused on complex commercial and business litigation, business and consumer torts, intellectual property matters, and electronic discovery and information governance issues. He is the Legal Operations Partner for Hickey Smith Dodd LLP, a process and data driven law firm that is designed to deliver legal services with more value.