After the U.S. Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization overruling the constitutionally protected proper to an abortion, federal businesses have issued steerage meant to assist defend the privateness of sufferers. Employers ought to rigorously take into account this steerage as a result of it impacts their duties as a sponsor of a gaggle well being plan and the privateness rights of their workers.

As a part of our ongoing “Reproductive Healthcare Issues for Employers” collection, I’ll summarize the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) steerage and spotlight essentially the most vital parts for employers.

HHS Guidance underneath the Health Insurance Portability and Accountability Act (“HIPAA”)

On June 29, 2022, OCR issued new guidance to guard sufferers looking for reproductive healthcare, in addition to their suppliers. In normal, this steerage does two issues:

  1. Addresses how federal regulation and laws defend particular person’s non-public medical data (protected well being data or “PHI” underneath HIPAA) associated to abortion and different sexual and reproductive well being care—making it clear that suppliers are usually not required to reveal non-public medical data to 3rd events similar to regulation enforcement; and
  2. Addresses the extent to which private medical information is protected on personal cell phones and tablets. It additionally offers tips for safeguarding people’ privateness when utilizing interval trackers and different well being data apps.

HIPAA Privacy Protections Related to Reproductive Laws and Law-Enforcement

OCR administers and enforces the HIPAA Privacy Rule (“Privacy Rule”), which establishes the necessities in regards to the use, disclosure, and safety of PHI by lined entities (together with group well being plans and most well being suppliers), and, to some extent, their enterprise associates. These entities might use or disclose PHI with out a person’s signed authorization, solely as expressly permitted by the Privacy Rule.

Disclosures “Required by Law”

The Privacy Rule permits however doesn’t require lined entities to reveal PHI about a person with out the person’s authorization when such disclosure is required by one other regulation, and the disclosure complies with the necessities of the opposite regulation. This permission to reveal PHI as “required by law” is restricted to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Further, the place a disclosure is required by regulation, the disclosure is restricted to the related necessities of such regulation.

Example: An particular person goes to a hospital emergency division whereas experiencing problems associated to a miscarriage throughout the tenth week of being pregnant. A hospital workforce member suspects the person of getting taken remedy to finish their being pregnant. State or different regulation prohibits abortion after six weeks of being pregnant however doesn’t require the hospital to report people to regulation enforcement. Where state regulation doesn’t expressly require such reporting, the Privacy Rule wouldn’t allow disclosure to regulation enforcement underneath the “required by law” permission. Therefore, such a disclosure can be impermissible.

Disclosures for “Law Enforcement Purposes”

The Privacy Rule permits however doesn’t require lined entities to reveal PHI about a person for regulation enforcement functions “pursuant to process and as otherwise required by law,” underneath sure circumstances. For instance, a lined entity might reply to a regulation enforcement request made by authorized processes similar to a court docket order or court-ordered warrant, subpoena, or summons by disclosing solely the requested PHI  – supplied that all the circumstances specified within the Privacy Rule for permissible regulation enforcement disclosures are met.

In the absence of a mandate enforceable in a court docket of regulation, the Privacy Rule’s permission to reveal PHI for regulation enforcement functions doesn’t allow a hospital or different well being care supplier’s workforce member to report a person’s abortion or different reproductive well being care to regulation enforcement. That is true whether or not the workforce member initiated the disclosure to regulation enforcement or others or the workforce member disclosed PHI on the request of regulation enforcement. This is as a result of, usually, state legal guidelines don’t require docs or different well being care suppliers to report a person who self-managed the lack of a being pregnant to regulation enforcement. Also, state fetal murder legal guidelines usually don’t penalize the pregnant particular person, and “appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant” people.

Example: A regulation enforcement official presents the sponsor of a gaggle well being plan with a court docket order requiring the plan to supply PHI about people who’ve obtained an abortion. Because a court docket order is enforceable in a court docket of regulation, the Privacy Rule would allow however doesn’t require the group well being plan to reveal the requested PHI. The group well being plan might solely disclose the PHI expressly approved by the court docket order if it chooses to adjust to the order.

Disclosures to Avert a Serious Threat to Health or Safety

The Privacy Rule permits however doesn’t require a lined entity, per relevant regulation and requirements of moral conduct, to reveal PHI if the lined entity, in good religion, believes the use or disclosure is critical to forestall or reduce a critical and imminent risk to the well being or security of an individual or the general public, and the disclosure is to an individual or individuals who’re moderately capable of stop or reduce the risk. According to major professional societies, together with the American Medical Association and American College of Obstetricians and Gynecologists, it will be inconsistent with skilled requirements of moral conduct to make such a disclosure of PHI to regulation enforcement or others concerning a person’s curiosity, intent, or prior expertise with reproductive well being care.

Example: A pregnant worker in a state that bans abortion informs the claims administrator of a gaggle well being plan that they intend to hunt an abortion in one other state the place abortion is authorized. An worker of the claims administrator, a enterprise affiliate of the group well being plan, desires to report the assertion to state regulation enforcement to aim to forestall the abortion. The Privacy Rule wouldn’t allow this disclosure of PHI to regulation enforcement underneath this permission as a result of, in keeping with HHS, a press release indicating the intent to acquire a authorized abortion is “not a serious and imminent threat to the health and safety of a person or the public,” and can be inconsistent with the skilled moral requirements, and should improve the danger of hurt to the worker. Therefore, such a disclosure can be impermissible.

HIPAA Generally Does Not Protect Privacy or Security of Health Information on Apps

Generally, the HIPAA guidelines solely apply when PHI is created, acquired, maintained, or transmitted by a lined entity or a enterprise affiliate. For instance, HIPAA doesn’t defend the privateness of an worker’s web search historical past, data that an worker voluntarily shares on-line, or their geographic location, until the app is supplied to the worker by a lined entity (such because the group well being plan) or its enterprise affiliate. HIPAA additionally doesn’t defend the privateness of the information that an worker has downloaded or entered into cell apps for private use, whatever the knowledge supply.

Although the HIPAA guidelines don’t defend this data, employers might take into account speaking with workers on steps that they’ll moderately take to guard data when utilizing a private cell system:

  • Avoid downloading pointless or random apps.
  • Avoid, when requested, allowing entry to a tool’s location knowledge, apart from apps the place the situation is totally vital (e.g., navigation and visitors apps).

Although the steps described above can cut back an individual’s digital footprint, they won’t eradicate it. The very nature of cell telephones (and a few tablets) permits monitoring as a result of the mobile service supplier’s community data figuring out data (similar to subscriber and system data) when linked to it.

Ultimately, one of the best ways to guard well being and private data from being collected and shared with out a person’s information is to restrict what private data is distributed and saved with a tool.

Conclusion

Much of the steerage issued by HHS needs to be welcome information for employers, who could also be involved in regards to the specter of native regulation enforcement officers requesting protected non-public knowledge about their workers’ well being care. Nevertheless, these interpretations supplied by HHS come within the type of sub-regulatory steerage, so the Biden Administration (or a brand new administration) may change its views on these points rapidly. In specific, one can simply think about a distinct administration taking a really totally different view on whether or not abortion “is a serious and imminent threat to the health and safety of a person or the public.” Employers might want to rigorously preserve abreast of developments on this space.

The Dickinson Wright Employee Benefits and Executive Compensation Group has been and can proceed to observe the affect of those points as they evolve to advise purchasers on how greatest to reply to this altering panorama.

See half 1 of our “Reproductive Healthcare Issues for Employers” collection: May Abortions be Reimbursed on a Tax-Free Basis from a Health Flexible Spending Account, a Health Reimbursement Arrangement, or a Health Spending Account?

See half 2 of our “Reproductive Healthcare Issues for Employers” collection: Avoiding Costly “Employer Payment Plan” Status for Travel Benefits

[View source.]

Leave a comment

Your email address will not be published. Required fields are marked *