Many employers which offer a group health plan need to comply with federal rules requiring privacy protections for medical information, such as the HIPAA Privacy and Security Rules. But do employers also need to comply with state medical privacy and data breach laws? Or, does ERISA preempt those laws, such that employers can ignore them? Two recent cases address state data breach and ERISA preemption. Neither case is fully resolved yet, but both cases may set the tone for future lawsuits involving state privacy-related laws.
As has been widely reported, Anthem suffered a major breach earlier in 2015. Unsurprisingly, Anthem has been hit by numerous lawsuits in response to the breach. In a recent decision from one of those lawsuits, the court found that it did not need to examine whether Anthem’s conduct violated various state laws (such as unjust enrichment and breach of contract), because ERISA preempted those state law claims. The court therefore held that the plaintiffs’ claims must proceed in federal court, not state court. Smilow v. Anthem Life& Disability Ins. Co. (In re Anthem, Inc. Data Breach Litig.), N.D. Cal., No. 5:15-cv-04739-LHK, 11/24/15. This is a very helpful decision for employers with ERISA-covered plans (health, retirement, or otherwise). However, other courts have reached opposite conclusions in similar situations. So the water remains a bit muddy on this question.
Another pending case may clear the waters a bit. On December 3, 2015, the U.S. Supreme Court considered whether ERISA preempted a Vermont law that requires both ERISA and non-ERISA plans to submit health claims data to a centralized database. The data is used by Vermont to help set health care policy in the state. About a dozen other states are like Vermont and require the submission of this data. The Supreme Court, which lately has tended to narrow rather than expand ERISA preemption, was hotly divided on the preemption issue. Some justices indicated that such claims database laws would become burdensome for ERISA plans if similar laws were adopted by multiple states. Other justices indicated that the purposes of such state laws are far removed from ERISA’s core purposes.
The Court’s decision is expected in the first half of 2016. A strong, pro-preemption decision would likely mean that employers would have a stronger argument that ERISA preempts state medical privacy and breach notification laws. A decision going the opposite way may call into question whether employers can rely on ERISA to preempt those laws. The bottom line is that there is still no clear cut answer, so employers cannot completely ignore state privacy-related laws that affect their group health plans.