Practical Guidance is committed to amplifying diverse voices of attorneys across all differences, including gender and race. If you are interested in writing for Practical Guidance, please let us know...
Earlier this year, the U.S. Environmental Protection Agency (EPA) and U.S. Army Corps of Engineers published a final rule 1 to revise the definition of waters of the United States.
THIS ARTICLE DISCUSSES...
By: Cameron Kinvig , PRACTICAL GUIDANCE ENERGY & UTILITIES ATTORNEY EDITOR
This article provides you and your clients with an overview of the federal environmental regulation affecting the oil and...
Sustainability-Linked Loans Overview
Sustainability-linked loans are loans where the economic characteristics can vary depending on whether the borrower achieves ambitious, material, and quantifiable...
By: M. Shams Billah , BARNES & THORNBURG LLP, NEW YORK
This article discusses guidance for borrowers and private equity sponsors entering into private credit loans with nonbank lenders in the middle...
Copyright © 2023 LexisNexis and/or its Licensors.
By: Eric W. Gregory, DICKINSON WRIGHT PLLC
This article addresses privacy issues faced by employers following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.1
AFTER THE U.S. SUPREME COURT RULING IN DOBBS overruling the constitutionally protected right to an abortion, federal agencies have issued guidance intended to help protect the privacy of patients. Employers should carefully consider this guidance because it impacts their responsibilities as a sponsor of a group health plan and the privacy rights of their employees. This article summarizes the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) guidance and highlights the most critical elements for employers.
On June 29, 2022, OCR issued new guidance2 to protect patients seeking reproductive healthcare, as well as their providers. In general, this guidance does two things:
OCR administers and enforces the HIPAA Privacy Rule (Privacy Rule), which establishes the requirements concerning the use, disclosure, and protection of PHI by covered entities (including group health plans and most health providers), and, to some extent, their business associates. These entities may use or disclose PHI without an individual’s signed authorization, only as expressly permitted by the Privacy Rule.
Disclosures Required by Law
The Privacy Rule permits but does not require covered entities to disclose PHI about an individual without the individual’s authorization when such disclosure is required by another law, and the disclosure complies with the requirements of the other law. This permission to disclose PHI as required by law is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.
Example: An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit disclosure to law enforcement under the required by law permission. Therefore, such a disclosure would be impermissible.
Disclosures for Law Enforcement Purposes
The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law,” under certain conditions. For example, a covered entity may respond to a law enforcement request made through legal processes such as a court order or court-ordered warrant, subpoena, or summons by disclosing only the requested PHI—provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.
In the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a hospital or other healthcare provider’s workforce member to report an individual’s abortion or other reproductive healthcare to law enforcement. That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement. This is because, generally, state laws do not require doctors or other healthcare providers to report an individual who self-managed the loss of a pregnancy to law enforcement. Also, state fetal homicide laws generally do not penalize the pregnant individual, and “appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant” individuals.4
Example: A law enforcement official presents the sponsor of a group health plan with a court order requiring the plan to produce PHI about individuals who have obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but does not require the group health plan to disclose the requested PHI. The group health plan may only disclose the PHI expressly authorized by the court order if it chooses to comply with the order.
Disclosures to Avert a Serious Threat to Health or Safety
The Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. According to major professional societies,5 including the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive healthcare.
Example: A pregnant employee in a state that bans abortion informs the claims administrator of a group health plan that they intend to seek an abortion in another state where abortion is legal. An employee of the claims administrator, a business associate of the group health plan, wants to report the statement to state law enforcement to attempt to prevent the abortion. The Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission because, according to HHS, a statement indicating the intent to obtain a legal abortion is “not a serious and imminent threat to the health and safety of a person or the public,” would be inconsistent with the professional ethical standards, and may increase the risk of harm to the employee. Therefore, such a disclosure would be impermissible.
Generally, the HIPAA rules only apply when PHI is created, received, maintained, or transmitted by a covered entity or a business associate. For example, HIPAA does not protect the privacy of an employee’s internet search history, information that an employee voluntarily shares online, or their geographic location, unless the app is provided to the employee by a covered entity (such as the group health plan) or its business associate. HIPAA also does not protect the privacy of the data that an employee has downloaded or entered into mobile apps for personal use, regardless of the data source.
Although the HIPAA rules do not protect this information, employers may consider communicating with employees on steps that they can reasonably take to protect information when using a personal mobile device:
Although the steps described above can reduce a person’s digital footprint, they will not eliminate it. The very nature of cell phones (and some tablets) permits tracking because the cellular service provider’s network records identifying information (such as subscriber and device information) when connected to it.
Ultimately, the best way to protect health and personal information from being collected and shared without an individual’s knowledge is to limit what personal information is sent and stored with a device.
Much of the guidance issued by HHS should be welcome news for employers, who may be concerned about the specter of local law enforcement officials requesting protected private data about their employees’ healthcare. Nevertheless, these interpretations provided by HHS come in the form of sub-regulatory guidance, so the Biden Administration (or a new administration) could change its views on these issues quickly. In particular, one can easily imagine a different administration taking a very different view on whether abortion “is a serious and imminent threat to the health and safety of a person or the public.” Employers will need to carefully keep abreast of developments in this area.
Also, listen to this podcast episode where Eric Gregory discusses additional employee benefits issues following the Dobbs decision.
Eric W. Gregory is a partner at Dickinson Wright. His practice is focused primarily in the areas of ERISA, employee benefits, and executive compensation. Mr. Gregory advises clients on all aspects of employee benefits including qualified retirement plans, welfare plans, and nonqualified compensation programs. Mr. Gregory assists clients with plan design, drafting, and implementation of 401(k), profit sharing, 403(b), 457, and defined benefit plans. Mr. Gregory also provides advice on the design, implementation, and administration of insured and self-insured medical plans, dental plans, life insurance, disability, and cafeteria plans, including pre-tax premium plans, and flexible spending account plans. Additionally, Mr. Gregory assists clients regarding regulatory compliance with HIPAA, the Affordable Care Act (healthcare reform), COBRA, FMLA, GINA, and ADA.
To find this article in Practical Guidance, follow this research path:
RESEARCH PATH: Employee Benefits & Executive Compensation > Trends and Insights > Articles
For guidance on whether expenses relating to abortion may be reimbursed from a health flexible spending account (FSA), health reimbursement arrangement (HRA), and/or a health savings account (HSA), see
> POST-DOBBS, MAY ABORTIONS BE REIMBURSED ON A TAX-FREE BASIS FROM A HEALTH FSA, AN HRA, OR AN HSA?
> AVOIDING COSTLY “EMPLOYER PAYMENT PLAN” STATUS FOR TRAVEL BENEFITS
For a collection of resources that address the impact of the Dobbs decision on employer group health plans, see
> DOBBS V. JACKSON WOMEN’S HEALTH ORGANIZATION CLIENT ALERT DIGEST
For an overview of the impact of the Dobbs decision in a number of practice areas, such as employee benefits, insurance, labor and employment, healthcare, and tax, see
> DOBBS V. JACKSON WOMEN’S HEALTH ORGANIZATION RESOURCE KIT
For a discussion of the HIPAA rules that impact employers and the group health plans they sponsor, see
> HIPAA PRIVACY, SECURITY, BREACH NOTIFICATION AND OTHER ADMINISTRATIVE SIMPLIFICATION RULES
For a description of the impact of the Mental Health Parity and Addiction Equity Act and related provisions of the Affordable Care Act on employers providing behavioral health benefits through group health plans, see
> MENTAL HEALTH PARITY AND ADDICTION EQUITY ACT COMPLIANCE FOR EMPLOYER HEALTH PLANS
For an extensive review of the interpretation and implementation of the Pregnancy Discrimination Act, see
> PREGNANCY DISCRIMINATION ACT: COMPLIANCE TIPS
1. 142 S. Ct. 2228 (2022). 2. HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care, Health Information Privacy, U.S. Department of Health & Human Service. 3. Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet, Health Information Privacy, U.S. Department of Health & Human Service. 4. HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care. 5. Decriminalization of Self-Induced Abortion, American College of Obstetricians and Gynecologists.