The U.S. Supreme Court’s ruling overturning Roe v. Wade has led to new questions about privacy protections for health information about an individual’s use of reproductive services such as abortion. Employer plans that cover these services, and that are now adding a travel benefit for employees to access this care, might create a paper trail of claims information or reimbursement records. Some states with laws to ban or criminalize abortion may seek this information to bring actions against any entity involved in helping someone obtain an abortion, which could include employers as well as providers. Federal privacy protections have long restricted the use and disclosure of personal health information to and by employer-sponsored plans, but these protections are not foolproof and will likely be tested going forward by states looking to implement abortion bans and related restrictions.

Employer plan access to employee abortion information

HIPAA privacy regulations, effective since 2003, place restrictions on the ability of employer-sponsored plans to access, use and disclose health information without specific written authorization from the individual who is the subject of the information. HIPAA, which stands for the Health Insurance Portability and Accountability Act of 1996, applies to employer-sponsored health plans as well as most health care providers and health care clearinghouses. An employer’s major medical plan, a health reimbursement arrangement (HRA) and a flexible spending account (FSA) are all considered group health plans that must meet HIPAA’s privacy protections.

Plans can use and disclose information needed for plan administration without individual authorization. HIPAA rules allow employer plans to use protected health information to administer benefits. This includes the review and payment of claims as well as “health care operations,” such as quality assessment and population-based activities related to reducing benefit costs. Employers who self-insure their benefits typically contract with outside entities to administer parts of their health program. Typically, a third-party administrator (TPA) handles the processing of medical claims, a different entity (such as a pharmacy benefit manager (PBM)) administers prescription drug benefits, and yet another entity might handle reimbursements under an employer’s flexible spending account. The HIPAA rules require employer plans to enter into a business associate agreement with each of these outside vendors so that they agree to abide by the same HIPAA requirements as the employer plan.

Only the “minimum necessary” needed to perform the administrative function is allowed. Depending on the design of the plan, human resource (HR) personnel for an employer might have access to information about health care services provided to employees even though outside vendors perform most plan administration functions. For example, HR personnel might use health information to administer eligibility, assist employees with claims questions or review benefit utilization and costs. HIPAA rules require that plans only access the minimum necessary information to perform these functions. Generally, employer personnel would not need individually identifiable claims information about abortion and could instead rely on aggregated information to administer the plan. However, HR personnel for smaller employers might still be able to deduce individual names associated with claims. To the extent that a travel reimbursement benefit is administered in-house, some HR personnel will have this information.

Employers must have a firewall between “plan” and “employer” information. Concern about the confidentiality of employee medical information held by an employer who sponsors a group health plan is not a new issue. HR personnel might have sensitive health information that they, in theory, could use to take detrimental and discriminatory employment actions. While HIPAA applies to group health plans, it does not apply to the employer itself. This creates a confusing framework for compliance, since a group health plan is not usually a separate physical entity. HIPAA regulations nevertheless create a distinction between the plan and employer and provide that a plan cannot disclose health information to an employer plan sponsor unless the employer certifies in writing that it will, among other things, not use the information for employment-related actions such as fitness for duty and related actions. The employer must also ensure that there is “adequate separation” between the group health plan functions and the employer functions through policies and procedures such as walling off employees who use health information to administer the health plan from those who perform other HR functions. Practically, many HR professionals wear two hats, both benefits and HR functions, and are expected to safeguard the information under HIPAA and other federal laws such as the confidentiality provisions of the Americans with Disabilities Act. They also cannot use this health information to discriminate or retaliate against an employee under federal statutes such as the Pregnancy Nondiscrimination law and some state laws.

Looking forward

Recent guidance from the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS), while stating the protections under the HIPAA privacy law for reproductive healthcare services, puts a spotlight on HIPAA’s limits. In explaining how HIPAA protects the privacy of reproductive health information, HHS acknowledges that current regulations do allow plans to disclose this information in certain instances, such as when disclosure is required by another law or in response to a law enforcement request accompanied by a court-ordered warrant or subpoena.

Some states might use these tools to try to compel employers, plans and providers to disclose information about an individual’s abortion.  In addition, the clinicians that provided the service could be targeted or criminalized depending on where they practice.  At the same time, states friendlier to abortion access may look to enact stronger privacy protections, since the federal HIPAA standards represent a floor rather than a ceiling. This new environment will put these employers and health plans on the front line of protecting access to sensitive health information in ways they may have never anticipated. Litigation battles are expected.

The focus is now on how longstanding HIPAA protections on employer health plan information work in practice. Enforcement of HIPAA’s current protections rests largely with a single office within HHS. There is no ability for an individual or entity to privately bring actions to protect their health information. Enforcement activity over the past 20 years has rarely involved employer plans. In addition, cybersecurity threats to information held by employer plans and their service providers are currently under scrutiny, and HHS has acknowledged in new guidance that HIPAA requirements do not extend to health information held or stored on personal cell phones and other devices.

These confidentiality issues may be among the reasons many women with access to coverage for abortion services nonetheless pay for abortions out-of-pocket. For lower income women, paying for these services is often not an option—making confidential access to employer coverage that can legally cover and pay for it that much more significant.

President Biden’s recent executive order will require federal agencies to evaluate additional privacy protections. One issue is whether HIPAA provisions allowing disclosure to law enforcement can include added protections for reproductive services information. States implementing abortion bans will likely use law enforcement tools to get information from and about providers; this includes seeking information from employer plans about employee provider encounters. States where abortion is legal are already starting to add restrictions on the subpoena of reproductive services information. Harder questions arise in those states with abortion bans, where local providers (including pharmacists) and local employers may be the focus of law enforcement.


The independent source for health policy research, polling, and news, KFF is a nonprofit organization based in San Francisco, California.