The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations). Perhaps not many people are pondering the HIPAA implications of this historic decision, but if you are reading this blog, you might be among the very few of us wondering what this decision means in terms of HIPAA protection. Or, more likely, you are wondering why I don’t have better things to think about on the eve of a national holiday.
The majority notes that the Department of Health and Human Services (HHS) has effectively exempted certain religious nonprofit organizations (“eligible organizations”) from the contraceptive mandate imposed by the Affordable Care Act (ACA). If an employer certifies that it is an eligible organization, its health insurance issuer must exclude contraceptive coverage from the employer’s plan and must provide separate payments for contraceptive services for plan participants without imposing fees or cost-sharing requirements on the eligible organization, its insurance plan, or its employee beneficiaries. HHS regulations implementing this eligible organization contraceptive policy make it clear that the health insurance issuer is not acting as an insurance carrier under state insurance law because the payments for contraceptive coverage “derive solely from a federal regulatory requirement, not a health insurance policy… .” If the eligible organization is self-funded, its third party administrator (TPA) must pay for contraceptive services (without imposing fees or cost-sharing requirements) or arrange for an insurer or other entity to pay for these services.
The Hobby Lobby majority endorses this “reasonable accommodation” for use by religious for-profit, closely-held corporations such as Hobby Lobby – it points out that HHS has the means to achieve its desired goal (here, employer plan coverage of contraceptives) without imposing a substantial burden on the exercise of religion by these closely-held corporate entities.
Back to HIPAA. If a beneficiary of an eligible organization’s health plan seeks contraceptive coverage, and the health plan is not covering this benefit, who is the covered entity for purposes of HIPAA compliance? If the eligible organization has a self-funded plan, is the TPA (which acts the business associate in relation to the self-funded plan in its normal course of operations) the “covered entity” for purposes of protected health information (PHI) related to contraceptive services? This is an important question because presumably the beneficiary who is seeking contraceptive services must obtain coverage for these services someone other than the eligible organization’s health plan.
Women whose health plans do not cover contraception, whether because their employer plans were exempt from the ACA contraceptive coverage mandate under the pre-Hobby Lobby religious nonprofit exemption, or because the Hobby Lobby decision casts open the doors to new employer plan exemptions, may want to think about who’s responsible for protecting this very personal PHI.
The requirements of HIPAA impose other specific obligations on a covered entity and raise additional questions. For example, what will the Notice of Privacy Practices of the covered entity (assuming we know who that is) look like for contraceptive services? If the TPA (or other person now responsible for paying for contraceptive services) normally acts as a business associate in relation to the employer plan, does it now need its own Notice of Privacy Practices and business associate agreements with third parties to deal with its receipt of PHI related to contraceptive services? These types of issues will likely become more clouded as cases involving other challenges to the ACA move through the courts. Certainly, religious freedom is important and worth protecting, but so too is health information privacy. Happy Fourth!