Reproductive Healthcare Issues for Employers: Privacy Issues

By: Eric W. Gregory, DICKINSON WRIGHT PLLC

This article addresses privacy issues faced by employers following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.¹

AFTER THE U.S. SUPREME COURT RULING IN DOBBS overruling the constitutionally protected right to an abortion, federal agencies have issued guidance intended to help protect the privacy of patients. Employers should carefully consider this guidance because it impacts their responsibilities as a sponsor of a group health plan and the privacy rights of their employees.

This article summarizes the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) guidance and highlights the most critical elements for employers.

HHS Guidance under the Health Insurance Portability and Accountability Act (HIPAA)

On June 29, 2022, OCR issued new guidance² to protect patients seeking reproductive healthcare, as well as their providers. In general, this guidance does two things:

1. It addresses how federal law and regulations protect an individual’s private medical information (protected health information or PHI under HIPAA) related to abortion and other sexual and reproductive health care—making it clear that providers are not required to disclose private medical information to third parties such as law enforcement.
2. It addresses the extent to which private medical information is protected on personal cell phones and tablets.³ It also provides tips for protecting an individual’s privacy when using period trackers and other health information apps.

HIPAA Privacy Protections Related to Reproductive Laws and Law Enforcement

OCR administers and enforces the HIPAA Privacy Rule (Privacy Rule), which establishes the requirements concerning the use, disclosure, and protection of PHI by covered entities (including group health plans and most health providers), and, to some extent, their business associates. These entities may use or disclose PHI without an individual’s signed authorization, only as expressly permitted by the Privacy Rule.

Disclosures Required by Law

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual without the individual’s authorization when such disclosure is required by another law, and the disclosure complies with the requirements of the other law. This permission to disclose PHI as required by law is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.

Example: An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit disclosure to law enforcement under the required by law permission. Therefore, such a disclosure would be impermissible.

Disclosures for Law Enforcement Purposes

The Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law,” under certain conditions. For example, a covered entity may respond to a law enforcement request made through legal processes such as a court order or court-ordered warrant, subpoena, or summons by disclosing only the requested PHI—provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.

In the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a hospital or other healthcare provider’s workforce member to report an individual’s abortion or other reproductive healthcare to law enforcement. That is true whether the workforce member initiated the disclosure to law enforcement or others or the workforce member disclosed PHI at the request of law enforcement. This is because, generally, state laws do not require doctors or other healthcare providers to report an individual who self-managed the loss of a pregnancy to law enforcement. Also, state fetal homicide laws generally do not penalize the pregnant individual, and “appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant” individuals.⁴

Example: A law enforcement official presents the sponsor of a group health plan with a court order requiring the plan to produce PHI about individuals who have obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but does not require the group health plan to disclose the requested PHI. The group health plan may only disclose the PHI expressly authorized by the court order if it chooses to comply with the order.

Disclosures to Avert a Serious Threat to Health or Safety

The Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. According to major professional societies,⁵ including the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive healthcare.

Example: A pregnant employee in a state that bans abortion informs the claims administrator of a group health plan that they intend to seek an abortion in another state where abortion is legal. An employee of the claims administrator, a business associate of the group health plan, wants to report the statement to state law enforcement to attempt to prevent the abortion. The Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission because, according to HHS, a statement indicating the intent to obtain a legal abortion is “not a serious and imminent threat to the health and safety of a person or the public,” would be inconsistent with the professional ethical standards, and may increase the risk of harm to the employee. Therefore, such a disclosure would be impermissible.

HIPAA Generally Does Not Protect Privacy or Security of Health Information on Apps

Generally, the HIPAA rules only apply when PHI is created, received, maintained, or transmitted by a covered entity or a business associate. For example, HIPAA does not protect the privacy of an employee’s internet search history, information that an employee voluntarily shares online, or their geographic location, unless the app is provided to the employee by a covered entity (such as the group health plan) or its business associate. HIPAA also does not protect the privacy of the data that an employee has downloaded or entered into mobile apps for personal use, regardless of the data source.

Although the HIPAA rules do not protect this information, employers may consider communicating with employees on steps that they can reasonably take to protect information when using a personal mobile device:

• Avoid downloading unnecessary or random apps
• Avoid, when asked, permitting access to a device’s location data, other than apps where the location is absolutely necessary (e.g., navigation and traffic apps)

Although the steps described above can reduce a person’s digital footprint, they will not eliminate it. The very nature of cell phones (and some tablets) permits tracking because the cellular service provider’s network records identifying information (such as subscriber and device information) when connected to it. 

Ultimately, the best way to protect health and personal information from being collected and shared without an individual’s knowledge is to limit what personal information is sent and stored with a device.

Conclusion

Much of the guidance issued by HHS should be welcome news for employers, who may be concerned about the specter of local law enforcement officials requesting protected private data about their employees’ healthcare. Nevertheless, these interpretations provided by HHS come in the form of sub-regulatory guidance, so the Biden Administration (or a new administration) could change its views on these issues quickly. In particular, one can easily imagine a different administration taking a very different view on whether abortion “is a serious and imminent threat to the health and safety of a person or the public.” Employers will need to carefully keep abreast of developments in this area.

Also, listen to this podcast episode where Eric Gregory discusses additional employee benefits issues following the Dobbs decision. 

Eric W. Gregory is a partner at Dickinson Wright. His practice is focused primarily in the areas of ERISA, employee benefits, and executive compensation. Mr. Gregory advises clients on all aspects of employee benefits including qualified retirement plans, welfare plans, and nonqualified compensation programs. Mr. Gregory assists clients with plan design, drafting, and implementation of 401(k), profit sharing, 403(b), 457, and defined benefit plans. Mr. Gregory also provides advice on the design, implementation, and administration of insured and self-insured medical plans, dental plans, life insurance, disability, and cafeteria plans, including pre-tax premium plans, and flexible spending account plans. Additionally, Mr. Gregory assists clients regarding regulatory compliance with HIPAA, the Affordable Care Act (healthcare reform), COBRA, FMLA, GINA, and ADA.

To find this article in Practical Guidance, follow this research path:

RESEARCH PATH: Employee Benefits & Executive Compensation > Trends and Insights > Articles

Related Content

1. 142 S. Ct. 2228 (2022). 2. HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care, Health Information Privacy, U.S. Department of Health & Human Service. 3. Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet, Health Information Privacy, U.S. Department of Health & Human Service. 4. HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care. 5. Decriminalization of Self-Induced Abortion, American College of Obstetricians and Gynecologists.