Want to Provide Abortion Travel Benefits at Your Company? Here’s How to Protect Employees

Attorneys recommend a range of strategies to limit the paper trail that authorities might seek to obtain.

Companies that have come forward to offer travel benefits to employees going out of state to obtain an abortion face a vexing question: How can they avoid creating a paper trail that law enforcement could access to confirm that an individual has received an abortion? 

To find out, Treasury & Risk sister publication Corporate Counsel spoke with attorneys who specialize in employee benefits, data privacy, and cybersecurity. They share what kind of information law enforcement and other state officials are most likely to seek out, the circumstances in which employers and other stakeholders holding employee information need to comply with law enforcement, and best practices for employers looking to provide this type of benefit. 

What Information Could Law Enforcement Seek to Obtain?

When an employer opts to provide abortion-related travel benefits for employees, they face three major risks, said Mamta Shah, who specializes in employee benefits law as a partner at ArentFox Schiff, one of several law firms that have assembled reproductive healthcare groups to handle corporate client questions on Dobbs.

In states with restrictive abortion laws, law enforcement could ask employers to disclose information about employees who may have used travel benefits to obtain an abortion, Shah said. This information could be leaked and obtained by law enforcement and used against an employee. There is also a risk that an individual handling this information—whether at the company offering the benefit or a third party tasked with administering it—will improperly use it in a state like Texas, where private citizens are promised a minimum of $10,000 in damages from each lawsuit they file against someone who performs or aids an abortion. 

Employers might not have this information at hand, since they may not be administering travel benefits themselves.

“An employer who maintains a self-insured health plan that is administered by a third party—and where the employer has no transparency into what services covered individuals are utilizing under the health plan and has no involvement in any claims determinations under the plan—would not have any information that state officials could necessarily go after,” said Shah, adding the third-party company could, in that case, be subjected to information requests. 

For employers that choose to administer these benefits in-house, Shah added, some critical questions include: “How much information is the employer requesting from employees to substantiate the reimbursement? Is the employer asking about the medical services obtained, where the service was obtained?” 

Even if employers hold only limited information, law enforcement might be able to combine the employer’s data with information from other sources. “An organization can serve a subpoena on a company to find out which employees have health plans—that will only be a starting point,” said Shoba Pillay, a partner at Jenner & Block whose practice includes data privacy and cybersecurity. The firm also has a task force to help corporate clients navigate reproductive healthcare post-Dobbs.

“They may be seeking location information involving that employee’s personal web emails and personal phone usage from some of the third-party technology companies and providers that would be sort of unrelated to the specific employer data,” Pillay said.

Federal and State Laws Limit Disclosures of Health Information

Attorneys say it’s key for employers to understand that under federal and state laws governing medical and health information, there are few circumstances under which an entity holding an individual’s information is legally permitted to disclose it without the individual’s consent.

Shortly after the high court released the Dobbs opinion, the U.S. Department of Health and Human Services (HHS) released guidance clarifying privacy protections under the Health Insurance Portability and Accountability Act, better known as HIPAA.

The provisions restrict various entities from disclosing an individual’s health information without their consent. Those entities include health plans, healthcare clearinghouses, most healthcare providers, and their “business associates” like brokers, third-party administrators or even benefits administration software providers.

Sarah Raaii, an associate at McDermott Will & Emery who co-chairs the firm’s multidisciplinary reproductive healthcare team, noted that HIPAA “generally applies to ERISA welfare plans—so the vast majority of employer plans that provide healthcare, reproductive healthcare benefits such as abortion travel benefits, or medical travel benefits. Those plans are all likely subject to HIPAA.

“The most common way that we’ve seen employers offering these abortion benefits is to include them in their existing ERISA health plans, in which case they [the plans] would be subject to HIPAA,” Raaii added. 

The HHS outlines three scenarios in which an entity covered by HIPAA is allowed to disclose an individual’s information without their consent: when such a disclosure is required by another law; in response to a law enforcement request made through legal processes like court orders, warrants, or subpoena; or when such a disclosure is needed to prevent or lessen a serious threat to a person or the public.

Just because HIPAA-covered entities can choose to disclose information under these specific circumstances, however, doesn’t mean they have to: The HHS does not outline any scenario in which it is mandatory for an entity to disclose an individual’s medical and health information without their consent.

If a covered entity is hit with a court order, warrant, or subpoena for information related to an employee obtaining abortion services, for example, and there is a law that specifically requires the reporting of abortion procedures, “then the covered entity would be permitted but not required to disclose them,” said Madeleine Findley, a Jenner & Block partner who focuses on data privacy and cybersecurity. “And if the covered entity chose to disclose, they would need to limit the disclosure to only the information required by law.

“The actual requirement to disclose information under HIPAA is extremely limited,” Findley added. 

In many states, there might be further restrictions on disclosing medical and health information. California, for instance, has the Confidentiality of Medical Information Act. Such laws “may cover information that would not be restricted under HIPAA,” said Findley. “So if an employer receives a request for information that touches on health information, it’s important to think about not only the federal law, but also any applicable state law and whether that imposes additional restrictions or obligations.” 

Best Practices

While employers offering abortion-related travel benefits might be tempted to announce the policy either publicly or internally, Raaii said she’s been advising corporate clients to be very careful about how much they say, since it could put a target on their backs. 

“We’ve been consulting with employers on how to accurately describe the benefits but at the same time try to minimize the risk of being pursued by states that are looking to aggressively enforce these laws,” Raaii said. 

Shah agreed, adding that employers should strive to intercept as little information as possible about how many employees are obtaining abortion services so that they have minimal information to offer state officials.

Shah recommended employers simply offer employees more vacation or sick days, without requiring employees to report a specific reason why they are taking time off, and to use third-party benefits administrators. 

For employers doing the latter, this would be a good time to “review their business associate agreements to ensure that they are HIPAA-compliant, and to ask their TPA [third-party administrator] about the TPA’s policy on how and when they may disclose information to law enforcement, particularly where multiple overlapping state and local laws apply,” said Jessica Agostinho, a partner at Hunton Andrews Kurth who specializes in employee benefits law.

She also suggested reviewing company IT systems to make sure they are adequately protecting health data. 

Finally, Findley said, “This is a good time to think about your data retention policy.” 

“Storage of data is very cheap,” she continued. “But the cost of having that data can be quite steep. If it is accessed without authorization, if it turns out that it is something that you wished you had disposed of because you didn’t need it some time ago, and now you’ve gotten a request for it, and you still have it—that puts you in a difficult position.”


From: Corporate Counsel