Want to Provide Abortion Travel Benefits at Your Company? Here's How to Protect Employees
Free Article Limit This Month
Attorneys recommend a range of strategies to limit the paper trail that authorities might seek to obtain.
What You Need to Know
- Employers could help shield themselves by using third-party health benefits administrators.
- HIPAA restricts the release of an employee's health information without their consent.
- Companies should review their data retention policies.
Companies that have come forward to offer travel benefits to employees going out of state to obtain an abortion face a vexing question: How can they avoid creating a paper trail that law enforcement could access to confirm that an individual has received an abortion?
To find out, Corporate Counsel spoke with attorneys who specialize in employee benefits, data privacy and cybersecurity. They share what kind of information law enforcement and other state officials are most likely to seek out, the circumstances in which employers and other stakeholders holding employee information need to comply with law enforcement, and best practices for employers looking to provide a travel benefit.
What Information Could Law Enforcement Seek to Obtain?
When an employer opts to provide abortion-related travel benefits for employees, they face three major risks, said Mamta Shah, who specializes in employee benefits law as a partner at ArentFox Schiff, one of several law firms that have assembled reproductive health care groups to handle corporate client questions on Dobbs.
In states with restrictive abortion laws, law enforcement could ask employers to disclose information about employees who may have used travel benefits to obtain an abortion, Shah said. This information could be leaked and obtained by law enforcement and used against an employee; there is also the risk that an individual handling this information—whether at the company offering the benefit or a third party tasked with administering it—will improperly use it in a state like Texas, where private citizens are promised a minimum of $10,000 in damages from each lawsuit they file against someone who performs or aids an abortion.
Employers might not have this information at hand, since they may not be administering travel benefits themselves.
"An employer who maintains a self-insured health plan that is administered by a third party—and where the employer has no transparency into what services covered individuals are utilizing under the health plan and has no involvement in any claims determinations under the plan—would not have any information that state officials could necessarily go after," said Shah, adding the third party company could in that case be subjected to information requests.
For employers that choose to administer these benefits in-house, Shah added, some critical questions include: "How much information the employer is requesting from employees to substantiate the reimbursement? Is the employer asking about the medical services obtained, where the service was obtained?"
But even limited information held by employers could be useful for law enforcement, if they can combine it with information from other sources.
"An organization can serve a subpoena on a company to find out which employees have health plans—that will only be a starting point," said Shoba Pillay, a partner at Jenner & Block whose practice includes data privacy and cybersecurity. The firm also has a task force to help corporate clients navigate reproductive health care post-Dobbs.
"They may be seeking location information involving that employee's personal web emails and personal phone usage from some of the some of the third party technology companies and providers that would be sort of unrelated to the specific employer data," Pillay said.
Federal and State Laws Limit Disclosures of Health Information
Attorneys say it's key for employers to understand that under federal and state laws governing medical and health information, there are few circumstances under which an entity holding an individual's information is legally permitted to disclose it without the individual's consent.
Shortly after the high court released the Dobbs opinion, the Department of Health and Human Services released guidance clarifying privacy protections under the Health Insurance Portability and Accountability Act, better known as HIPAA.
The provisions restrict various entities from disclosing an individual's health information without their consent. Those entities include health plans, health care clearinghouses, most health care providers and their "business associates" like brokers, third party administrators or even benefits administration software providers.
While employers are generally not covered by HIPAA, Sarah Raaii, an associate at McDermott Will & Emery who co-chairs the firm's multidisciplinary reproductive health care team, noted the law "generally applies to ERISA welfare plans—so the vast majority of employer plans that provide health care, reproductive health care benefits such as abortion travel benefits or medical travel benefits. Those plans are all likely subject to HIPAA."
"The most common way that we've seen employers offering these abortion benefits is to include them in their existing ERISA health plans, in which case they [the plans] would be subject to HIPAA," Raaii added.
The HHS outlines three scenarios in which an entity covered by HIPAA is allowed to disclose an individual's information without their consent: when such a disclosure is required by another law; in response to a law enforcement request made through legal processes like court orders, warrants or subpoena; when such a disclosure is needed to prevent or lessen a serious threat to a person or the public.
Just because HIPAA-covered entities can choose to disclose information under these specific circumstances, however, doesn't mean they have to: The HHS does not outline any scenario in which it is mandatory for an entity to disclose an individual's medical and health information without their consent.
If a covered entity is hit with a court order, warrant or subpoena for information related to an employee obtaining abortion services, for example, and there is a law that specifically requires the reporting of abortion procedures, "then the covered entity would be permitted but not required to disclose them," said Madeleine Findley, a Jenner & Block partner who focuses on data privacy and cybersecurity. "And if the covered entity chose to disclose, they would need to limit the disclosure to only the information required by law."
"The actual requirement to disclose information under HIPAA is extremely limited," Findley added.
In many states, there might be further restrictions on disclosing medical and health information.
California, for instance, has the Confidentiality of Medical Information Act. These laws "may cover information that would not be restricted under HIPAA," said Findley. "So if an employer receives a request for information that touches on health information, it's important to think about not only the federal law, but also any applicable state law and whether that imposes additional restrictions or obligations."
While employers offering abortion-related travel benefits might be tempted to announce the policy either publicly or internally, Raaii said she's been advising corporate clients to be very careful about how much they say, since it could put a target on their backs.
"We've been consulting with employers on how to accurately describe the benefits but at the same time try to minimize the risk of being pursued by states that are looking to aggressively enforce these laws," Raaii said.
Shah agreed, adding that employers should strive to intercept as little information as possible about how many employees are obtaining abortion services, so they have minimal information to offer state officials.
Shah recommended employers simply offer employees more vacation or sick days, without requiring employees to report a specific reason why they are taking time off, and use third party benefits administrators.
For employers doing the latter, this would be a good time to "review their business associate agreements to ensure that they are HIPAA-compliant, and should ask their TPAs [third party administrators] about the TPA's policy on how and when they may disclose information to law enforcement, particularly where multiple overlapping state and local laws apply," said Jessica Agostinho, a partner at Hunton Andrews Kurth who specializes in employee benefits law.
She also suggested reviewing company IT systems to make sure they are adequately protecting health data.
Finally, Findley said, "This is a good time to think about your data retention policy."
"Storage of data is very cheap," she continued. "But the cost of having that data can be quite steep. If it is accessed without authorization, if it turns out that it is something that you wished you had disposed of because you didn't need it some time ago, and now you've gotten a request for it, and you still have it—that puts you in a difficult position."
ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.