After the U.S. Supreme Court ruling in Dobbs v. Jackson Women's Health Organization overruling the constitutionally protected right to an abortion, federal agencies have issued guidance intended to help protect the privacy of patients. Employers should carefully consider this guidance because it impacts their responsibilities as a sponsor of a group health plan and the privacy rights of their employees.
As part of our ongoing "Reproductive Healthcare Issues for Employers" series, I will summarize the Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR") guidance and highlight the most critical elements for employers.
HHS Guidance under the Health Insurance Portability and Accountability Act ("HIPAA")
On June 29, 2022, OCR issued new guidance to protect patients seeking reproductive healthcare, as well as their providers. In general, this guidance does two things:
- Addresses how federal law and regulations protect individuals' private medical information (protected health information or "PHI" under HIPAA) related to abortion and other sexual and reproductive health care—making it clear that providers are not required to disclose private medical information to third parties such as law enforcement; and
- Addresses the extent to which private medical information is protected on personal cell phones and tablets. It also provides tips for protecting individuals' privacy when using period trackers and other health information apps.
HIPAA Privacy Protections Related to Reproductive Laws and Law-Enforcement
OCR administers and enforces the HIPAA Privacy Rule ("Privacy Rule"), which establishes the requirements concerning the use, disclosure, and protection of PHI by covered entities (including group health plans and most health providers), and, to some extent, their business associates. These entities may use or disclose PHI without an individual's signed authorization, only as expressly permitted by the Privacy Rule.
Disclosures "Required by Law"
The Privacy Rule permits but does not require covered entities to disclose PHI about an individual without the individual's authorization when such disclosure is required by another law, and the disclosure complies with the requirements of the other law. This permission to disclose PHI as "required by law" is limited to "a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law." Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.
Example: An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit disclosure to law enforcement under the "required by law" permission. Therefore, such a disclosure would be impermissible.
Disclosures for "Law Enforcement Purposes"
The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes "pursuant to process and as otherwise required by law," under certain conditions. For example, a covered entity may respond to a law enforcement request made through legal processes such as a court order or court-ordered warrant, subpoena, or summons by disclosing only the requested PHI – provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.
In the absence of a mandate enforceable in a court of law, the Privacy Rule's permission to disclose PHI for law enforcement purposes does not permit a hospital or other health care provider's workforce member to report an individual's abortion or other reproductive health care to law enforcement. That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement. This is because, generally, state laws do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement. Also, state fetal homicide laws generally do not penalize the pregnant individual, and "appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant" individuals.
Example: A law enforcement official presents the sponsor of a group health plan with a court order requiring the plan to produce PHI about individuals who have obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but does not require the group health plan to disclose the requested PHI. If it chooses to comply with the order, the group health plan may disclose only the PHI expressly authorized by the court order.
Disclosures to Avert a Serious Threat to Health or Safety
The Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. According to major professional societies, including the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual's interest, intent, or prior experience with reproductive health care.
Example: A pregnant employee in a state that bans abortion informs the claims administrator of a group health plan that they intend to seek an abortion in another state where abortion is legal. An employee of the claims administrator, a business associate of the group health plan, wants to report the statement to state law enforcement to attempt to prevent the abortion. The Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission because, according to HHS, a statement indicating the intent to obtain a legal abortion is "not a serious and imminent threat to the health and safety of a person or the public," and because the disclosure would be inconsistent with professional ethical standards and may increase the risk of harm to the employee. Therefore, such a disclosure would be impermissible.
HIPAA Generally Does Not Protect Privacy or Security of Health Information on Apps
Generally, the HIPAA rules only apply when PHI is created, received, maintained, or transmitted by a covered entity or a business associate. For example, HIPAA does not protect the privacy of an employee's internet search history, information that an employee voluntarily shares online, or their geographic location, unless the app is provided to the employee by a covered entity (such as the group health plan) or its business associate. HIPAA also does not protect the privacy of the data that an employee has downloaded or entered into mobile apps for personal use, regardless of the data source.
Although the HIPAA rules do not protect this information, employers may consider communicating with employees on steps that they can reasonably take to protect information when using a personal mobile device:
- Avoid downloading unnecessary or random apps.
- When asked, avoid permitting access to a device's location data, except for apps where the location is absolutely necessary (e.g., navigation and traffic apps).
Although the steps described above can reduce a person's digital footprint, they will not eliminate it. The very nature of cell phones (and some tablets) permits tracking because the cellular service provider's network records identifying information (such as subscriber and device information) when the device is connected to it.
Ultimately, the best way to protect health and personal information from being collected and shared without an individual's knowledge is to limit what personal information is sent and stored with a device.
Much of the guidance issued by HHS should be welcome news for employers, who may be concerned about the specter of local law enforcement officials requesting protected private data about their employees' health care. Nevertheless, these interpretations provided by HHS come in the form of sub-regulatory guidance, so the Biden Administration (or a new administration) could change its views on these issues quickly. In particular, one can easily imagine a different administration taking a very different view on whether abortion "is a serious and imminent threat to the health and safety of a person or the public." Employers will need to carefully keep abreast of developments in this area.
The Dickinson Wright Employee Benefits and Executive Compensation Group has been monitoring and will continue to monitor the impact of these issues as they evolve to advise clients on how best to respond to this changing landscape.
See part 1 of our "Reproductive Healthcare Issues for Employers" series: May Abortions be Reimbursed on a Tax-Free Basis from a Health Flexible Spending Account, a Health Reimbursement Arrangement, or a Health Spending Account?
See part 2 of our "Reproductive Healthcare Issues for Employers" series: Avoiding Costly "Employer Payment Plan" Status for Travel Benefits