Abortion ruling renews questions about employers’ access to health information
The decision of the Supreme Court of the United States overturning Roe vs. Wade has led to new questions about the privacy of health information about an individual’s use of reproductive services such as abortion. Employer plans that cover these services, and now add a travel benefit so employees can access this care, could create a paper trail of claims information or reimbursement records. Some states with laws prohibiting or criminalizing abortion may seek this information to bring claims against any entity involved in assisting in obtaining an abortion, which could include employers as well as providers. Federal privacy protections have long restricted the use and disclosure of personal health information to and by employer-sponsored plans, but these protections are not foolproof and will likely be tested in the future by States seeking to implement abortion bans and related restrictions.
Employer Plan Access to Employee Abortion Information
Plans may use and disclose information necessary to administer the plan without individual authorization. HIPAA rules allow employer plans to use protected health information to administer benefits. This includes claims review and payment as well as “health care operations” such as quality assessment and population-based activities related to benefit cost reduction. Self-insured employers typically contract with outside entities to administer parts of their health program. Typically, a Third-Party Administrator (TPA) manages medical claims processing, a different entity (such as a Pharmacy Benefits Manager (PBM)) administers prescription drug benefits, and another entity may manage reimbursements as part of an employer’s flexible spending account. HIPAA rules require employer plans to enter into a business associate agreement with each of these external providers so that they agree to comply with the same HIPAA requirements as the employer plan.
Only the “minimum necessary” for the exercise of the administrative function is authorized. Depending on the design of the plan, an employer’s human resources (HR) staff may have access to information about health care services provided to employees, even if external providers perform most plan administration functions. For example, HR staff may use health information to administer eligibility, assist employees with claims questions, or review benefit usage and costs. HIPAA rules require plans to access only the minimum information necessary to perform these functions. Typically, employer staff would not need individually identifiable information about abortion requests and could instead rely on aggregated information to administer the plan. However, HR staff at smaller employers might still be able to deduce the individual names associated with the claims. To the extent that a travel reimbursement benefit is administered internally, some HR staff will have this information.
Employers must have a firewall between the “plan” and the “employer”. The concern over the confidentiality of employee medical information held by an employer who sponsors a group health insurance plan is not a new problem. HR staff could have sensitive health information that they could, in theory, use to take harmful and discriminatory employment action. While HIPAA applies to group health plans, it does not apply to the employer itself. This creates a confusing framework for compliance because a group health plan is usually not a separate physical entity. HIPAA regulations nevertheless create a distinction between the plan and the employer and provide that a plan cannot disclose health information to an employing plan sponsor unless the employer certifies in writing that it will not, among other things, use the information for employment-related actions such as fitness for duty and related actions. The employer must also ensure that there is “adequate separation” between the functions of the group health plan and the functions of the employer through policies and procedures such as the separation of employees who use health information to administer the health plan from those performing other HR functions. Practically, many HR professionals wear two hats, performing both benefits and HR functions, and are expected to protect information under HIPAA and other federal laws such as the privacy provisions of the Americans with Disabilities Act. They also may not use such medical information to discriminate against or retaliate against an employee under federal laws such as the Pregnancy Non-Discrimination Act and certain state laws.
Recent guidance from the U.S. Department of Health and Human Services (HHS) Office of Civil Rights, while outlining protections under the HIPAA Privacy Act for reproductive health services, highlights the limits of HIPAA. In explaining how HIPAA protects the confidentiality of reproductive health information, HHS acknowledges that applicable regulations permit plans to disclose such information in certain circumstances, such as when disclosure is required by another law or in response to a law enforcement request accompanied by a court order, warrant or subpoena.
Some states could use these tools to attempt to compel employers, plans, and providers to disclose information about an individual’s abortion. Additionally, clinicians who provided the service could be targeted or criminalized depending on where they practice. At the same time, states more favorable to abortion access could seek to enact stronger privacy protections, since the federal HIPAA standards represent a floor rather than a ceiling. This new environment will put these employers and health plans on the front lines of protecting access to sensitive health information in ways they may never have anticipated. Legal battles are expected.
The focus is now on how longstanding HIPAA protections on employer health plan information work in practice. Enforcement of current HIPAA protection largely relies on a single office within HHS. It is not possible for an individual or entity to bring private actions to protect their health information. Enforcement activities over the past 20 years have rarely involved employer plans. Additionally, cybersecurity threats to information held by employer plans and their service providers are currently under intense scrutiny, and HHS has acknowledged in new guidance that HIPAA requirements do not extend to health information held or stored on personal cell phones and other devices.
These confidentiality issues may be among the reasons why many women with access to abortion service coverage nevertheless pay for abortions out of pocket. For low-income women, paying for these services is often not an option, which makes it all the more important to have confidential access to coverage from employers who can legally cover and pay for it.
President Biden’s recent executive order will require federal agencies to assess additional privacy protections. One question is whether HIPAA provisions permitting disclosure to law enforcement may include additional protections for reproductive service information. States implementing abortion bans will likely use law enforcement tools to obtain information from and about providers, which includes seeking information from employers’ plans for meeting with providers. States where abortion is legal are already beginning to add restrictions on subpoenaing information about reproductive services. More difficult questions arise in states that prohibit abortion, where local providers (including pharmacists) and local employers may be at the center of law enforcement.