Agencies Heed President’s Call to Take Action to Protect Access to Sexual and Reproductive Health Care Post-Dobbs
Within days of the Supreme Court’s June 24th Dobbs decision, which held that the Constitution does not guarantee the right to an abortion, key government agencies have taken action to protect access to sexual and reproductive health care:
- On June 27, the Secretaries of the Departments of Health and Human Services, Treasury and Labor (the “Departments”) jointly sent a letter to group health plan sponsors and insurers warning of enforcement actions for failure to comply with the Patient Protection and Affordable Care Act’s (“ACA”) mandate for coverage, without cost-sharing, for birth control and contraceptive counseling for individuals enrolled in group health plans and group and individual health insurance coverage (the “ACA contraceptive coverage mandate”); and
- On June 29, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services, which administers and enforces the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule,[1] issued (1) guidance addressing how the HIPAA Privacy Rule protects individuals’ PHI relating to abortion and other sexual and reproductive health care, and (2) guidance addressing how individuals can protect the privacy and security of their health information when using a personal cell phone or tablet.
In addition, today, July 8, President Biden signed an executive order to protect abortion access, including privacy rights, and establish an interagency task force between the Department of Health and Human Services (HHS) and the White House Gender Policy Council. This Task Force will also include the Attorney General. The executive order directs the Secretary of HHS to take the following actions and submit a report within 30 days on efforts to protect access to medication abortion, ensure emergency medical care, protect access to contraception, launch outreach and public education efforts, and convene volunteer lawyers to encourage robust legal representation of patients, providers and third parties lawfully seeking or offering reproductive healthcare services throughout the U.S. While we await the Secretary’s report, this post provides a high-level summary of the Departments’ joint letter and the OCR guidance highlighted above.
Letter to Group Health Plan Sponsors and Insurers
Non-grandfathered group health plans and health insurance issuers offering non-grandfathered group or individual health insurance coverage must comply with the ACA contraceptive coverage mandate, yet the Secretaries’ letter notes “troubling and persistent reports of noncompliance.” As a result of the Secretaries’ continued concern about complaints of noncompliance, the letter (1) strongly encourages plans and insurers to immediately ensure they are in compliance with the specific requirements of the ACA contraceptive coverage mandate (which are summarized in the letter), (2) includes specific steps plans and insurers should take to ensure compliance, and (3) indicates the Departments “may take enforcement or other corrective actions as appropriate.” The letter concludes by stating that, shortly, the Departments will convene a meeting with national industry leaders to obtain commitments to promptly correct all areas of potential noncompliance and to take specific actions to ensure that covered individuals have critical access to contraceptive services.
OCR Guidance
The first piece of OCR guidance addresses the circumstances under which the HIPAA Privacy Rule permits disclosure of PHI without an individual’s authorization and explains that permitted disclosures for purposes not related to health care are narrowly tailored to protect the individual’s privacy and support the individual’s access to health care, including abortion care. The guidance centers on the HIPAA Privacy Rule’s provisions addressing disclosures required by law, disclosures for law enforcement purposes, and disclosures to avert a serious threat to health or safety, and it includes examples of situations that covered entities may encounter in states that restrict or prohibit abortions.
The second piece of OCR guidance addresses the privacy and security of health information when an individual uses their personal cell phone or tablet. The guidance explains that because HIPAA’s privacy and security protections apply only when PHI is created, received, maintained, or transmitted by covered entities and business associates, HIPAA generally does not protect the privacy or security of an individual’s health information when it is accessed through or stored on their personal cell phone or tablet. For example, HIPAA does not protect information that an individual voluntarily shares online, their geographic location information, or their internet search history. In addition, the guidance explains that, in most cases, unless a health app is provided to an individual by a covered entity or its business associate, HIPAA does not protect the privacy of data the individual downloads or enters into mobile apps for their personal use, regardless of the source of the information. The guidance includes steps an individual can take to limit how their cell phone or tablet collects and shares their health and other personal information, such as where they go and their activities, without their knowledge.
If you have questions about the OCR guidance or the ACA contraceptive coverage mandate, please contact a member of our Employee Benefits & Executive Compensation Group.
[1] The HIPAA Privacy Rule establishes requirements regarding the use and disclosure of protected health information (“PHI”) by health plans, health care clearinghouses and most health care providers (“covered entities”) and their business associates.