This article was originally posted to Seyfarth’s Global Privacy Watch blog.

Employers looking to enhance their suite of employee benefit programs, and focused on lessons learned during the pandemic on wellbeing, are interested in providing greater access to wellness tools. And, the vendors who support those tools are more than happy to provide them. Global spend in the health and wellness market would be around $24.8 billion in 2023 according to a study by Kilo Health. Wellness apps and wearables abound in all sorts of areas — from counting steps to nutrition to mental health to physical fitness to financial fitness. These tools are relatively inexpensive to provide and easily accessible to the workforce – many times with just a simple download to a smartphone. And, best of all they’re completely private with no middle man, and only the employee seeing their own data and progress. Right?  Well — not so fast. 

Federal Law

HIPAA is the federal statute that protects the privacy and security of individually identifiable health information, called Protected Health Information or PHI. Many people (plan sponsors and covered participants alike) assume that the wellness apps and the data they contain are protected by HIPAA. However, HIPAA does not address all types of health information.  For HIPAA to apply, the information must be created or maintained by a “covered entity”.  Covered entities are generally health care providers (e.g., doctors, hospitals, pharmacies) and health plans. 

Where the developer or license holder of a health application is a covered entity, and that entity maintains the application and the data that it collects, the underlying data will receive the protections of HIPAA. For example, a pharmacy may be the entity who is supplying patients with the access to the online application to manage their medications. In that case, the provider will have to design its security systems and protocols to meet HIPAA’s high standards.

However, many times the developer of a wellness application is not a health care provider and the application is not utilized by a provider for detecting, curing, mitigating, treating or preventing diseases. Common examples of these types of applications are those that track individuals’ walking steps or offer a tracker for weight or blood pressure. In this case, reviewing the privacy policy of the application and making an informed decision before loading personal information is critical.

On the other hand, where an employer is considering enhancing its benefits offering to include access to a wellness application or device, that benefit may be offered under and as part of its health plan. A clear example of this could be a heart monitor used for an individual complaining of an irregular or racing heartbeat. But, also a fitness tracker provided as part of the health plan’s wellness benefit could fall into this category. In that case, the wellness vendor will likely be functioning as a business associate to the health plan, and the individually identifiable health data collected on the app or device will be HIPAA PHI. This means that the vendor and the health plan will need to enter into a HIPAA compliant business associate agreement that lays out the possible uses of the PHI and how it is to be secured.

State Law

Where an ERISA health plan is not involved, and HIPAA therefore would not apply, employers should still consider the implications of state law. A number of states are getting into the privacy game by passing their own privacy laws. As part of these initiatives, the states are attempting to plug the holes around health data privacy which are present in the scope of HIPAA. For example, California, Texas, and Florida all endeavor to regulate the use of health data when used for purposes of “profiling”. Washington State passed a privacy statute directly pointed at health information.

However, almost all states’ privacy laws, with the exception of California’s, have an exclusion for information collected in the scope of an employment relationship. While providing benefits (and collecting information) related to workforce well-being is definitely an interest to the employer, the scope of the exclusion in these state privacy laws has not been litigated. As such, it is not clear if work place-adjacent activity, like the provision of wellness apps, would be covered by the employee exception in any given state.

Effectively, what this means is that even if HIPAA doesn’t apply to the employer’s provision of wellness apps or wearables, it is possible that a state law will apply. Therefore, it is possible that the employer will need to have its own privacy compliance program related to the collection and use of the wellness data.

Ultimately, employers who are deploying wellness apps need to consider the privacy implications at both the federal and state level before roll-out. If not, it is possible that the employer may generate privacy law liability without fully understanding its risk.


Dismissal of ACA Lawsuit Based Only on Standing Grounds

Seyfarth Synopsis:  In Texas v. California, the Supreme Court rejected another challenge to the Affordable Care Act (“Obamacare” or “ACA”). The Court never reached the merits of the challenge, relying instead on its now robust Article III standing doctrine. The plaintiffs failed to allege injury traceable to the allegedly unlawful conduct and likely to be redressed by their requested relief.

On June 17, in Texas v. California, the Supreme Court dismissed the declaratory judgment challenge to the ACA’s constitutionality brought by Texas and 17 other states (and two individuals), finding that the plaintiffs lacked Article III standing. Our earlier blog post on this case after oral argument explained that the plaintiffs alleged that the ACA’s “individual mandate” was unconstitutional in the wake of Congress reducing the penalty for failure to maintain health insurance coverage to $0.

The Court side-stepped all issues on the merits, and ruled 7-2 that the plaintiffs did not have standing because they failed to show “a concrete, particularized injury fairly traceable to the defendants’ conduct in enforcing the specific statutory provision they attack as unconstitutional.” The majority said that the plaintiffs suffered no indirect injury, as alleged, because they failed to demonstrate that a lack of penalty would cause more people to enroll in the state-run Marketplaces, driving up the cost of running the programs. Similarly, the majority found no direct injury resulting from the administrative reporting requirements of the mandate. The majority found that those administrative requirements arise from other provisions of the ACA, and not from the mandate itself.

Justices Alito and Gorsuch dissented, opining that the states not only have standing, but that the individual mandate is now unconstitutional and must fall (as well as any provision inextricably linked to the individual mandate).

This is the third significant challenge to the ACA over the last decade.

Moreover, the latest ACA decision has implications beyond just that statute. A solid majority of the Court has emboldened its already tough standing requirements that precondition any merits consideration in federal court. Our prior blogs here and here, have explained that the Court is intent on narrowing the door to the courthouse for many cases, including ERISA cases. This is significant because ERISA fiduciary breach cases, in particular, can be brought only in federal court. As such, we expect to see more ERISA defense arguments based on Article III standing deficiencies. And it certainly will not be enough for plaintiffs to mount a challenge under the Declaratory Judgment Act as a way to avoid the very stringent Article III injury in fact requirement.

Seyfarth Synopsis: Yesterday, the Supreme Court heard oral arguments on the most recent challenge to the Affordable Care Act. The case has the potential to invalidate the entire law. While the Court’s decision isn’t expected soon, the oral arguments may provide some clues as to which way the Justices are leaning. We stress, however, that statements made during oral argument are not binding, and Justices remain free to rule as they deem appropriate.

On November 10, 2020, the Supreme Court heard oral argument on the constitutionality of the ACA. The case is captioned California v. Texas, No. 19-10011.

The case was brought by a group of state attorneys general in the wake of the 2017 Tax Cuts and Jobs Act, which reduced the individual tax for failure to maintain health insurance coverage to $0. The Trump Administration chose not to defend the law, but the lower courts granted leave to other states’ attorneys general and to the House of Representatives to defend the law. The arguments in the case addressed the following three issues:

  1. Do the plaintiff states have standing to challenge the constitutionality of the individual mandate?
  2. If so, did Congress’s actions in “zeroing out” the penalty for the mandate render the mandate an unconstitutional exercise of Congressional power?
  3. If so, is the mandate severable from the remainder of the ACA, or should the entire law fall?

The Court had previously ruled in 2012 that the ACA’s individual mandate was constitutional, as it represented an exercise of the lawful power of Congress to tax, and provide citizens with a reasonable choice of purchasing approved health insurance or paying a tax as a penalty. In that ruling, however, five Justices found that Congress cannot rely on its Commerce Clause power to enact the ACA. In other words, the Court upheld the mandate only by finding that the mandate was a tax, not a penalty. So, the question before the Court at present is whether the mandate can truly be considered a tax if it generates no revenue.

The Court under Chief Justice Roberts has shown an aversion to wading into politically sensitive rulings, given the current politically polarized climate. And this case has a complicated political overlay. The Court’s ruling here takes on heightened significance in the wake of the recent election in which Republicans appear to have maintained control of the Senate, because that takes away the Democrats’ avenue to “cure” the challenged provision by simply implementing a tax above $0 to enforce the individual mandate.

There are two ways that the Court can avoid a finding of unconstitutionality.

First, there is the issue of Article III standing. As we have previously opined, there is a substantial question whether there is a sufficient injury traceable to the actions of the defendants to justify a lawsuit on the merits. The November 10 oral argument focused on whether an injury could be said to have occurred because of increased reporting requirements, Medicaid payments by the state and the ACA restriction on what health policies an American can purchase in the marketplace. But a failure to purchase insurance does not directly cause injury — the tax penalty is $0. Justice Thomas described this issue in terms that we all can understand given our COVID times. He asked whether an American could sue in federal court to challenge a mask mandate that is not enforced. Justice Gorsuch and some of the more liberal Justices, however, expressed some concern that if the Court were to grant standing in this case, it would open the door to more challenges to federal law.

Look for the Court to limit any finding of standing to the peculiar facts of California v. Texas, given the concern about the federal judicial chaos that could result from a broader ruling on standing.

Second, there is the issue of severability. It is true that the individual mandate remains a part of the ACA, and it does state that all Americans “shall” purchase compliant insurance. It is also true that the constitutionality of that mandate is based on Congress’s taxing power that now is exercised at $0. It is true as well that a future Congress might increase the tax above $0, which might explain why the 2017 reduction to that level was not accompanied with a repeal of the individual mandate.

Justice Thomas pressed the attorney for the House of Representatives on how he could argue that the mandate is severable when, in 2012, he had argued that it was the “heart and soul” of the law. On the other hand, many Court observers honed in on statements from Chief Justice Roberts and Justice Kavanaugh, both of whom seemed to express reservation at “reading into” Congressional intent rather than simply looking to the actions taken by Congress in zeroing out the individual mandate (while leaving the rest of the law intact). Justice Alito offered a hypothetical involving a plane that is presumed to be incapable of flight without a crucial instrument, but that then continues flying without issue once that instrument is removed.

While it is impossible at oral argument to discern how nine Justices will rule, hints from the arguments suggest the Court may have the votes to find standing (in a limited way) and declare only the individual mandate (and not the remainder of the law) to be unconstitutional as long as it is enforced by a $0 tax. We anxiously await the decision of the Court, and its reasoning.

By Namrata Kotwani and Mark Casciari

Seyfarth Synopsis: In this post, we discuss the implications of the Fifth Circuit’s holding that a plaintiff challenging the ACA has Article III standing to bring suit when her injury amounts to an “increased regulatory burden,” even though she faces no other penalties.

The authors are well-aware of the COVID-19 pandemic and its human toll. We extend our well-wishes to the readers of this post, and hope for everyone’s wellness and safety, and a marked improvement to public health.

On March 2, 2020, the United States Supreme Court granted certiorari in California v. Texas, No. 19-840, which appeals the decision of the Court of Appeals for the Fifth Circuit that struck down the individual mandate to the Affordable Care Act (ACA). We previously shared an overview of the Supreme Court’s decision to grant certiorari here.

In Texas v. United States (as the case was styled previously), the Fifth Circuit held that the two individual plaintiffs who were self-employed residents of Texas had standing to challenge the ACA, despite not being subject to a financial penalty. There was no penalty because the 2017 Tax Cuts and Jobs Act (TCJA) set the penalty for not maintaining individual health insurance at zero dollars. According to the Fifth Circuit, the individual plaintiffs had standing because they demonstrated the “increased regulatory burden” that the individual mandate imposes.

As we have discussed, the Supreme Court is keenly interested whether a federal court plaintiff has a sufficient injury to sue in a federal forum when she can show no other harm besides a technical statutory violation. In Spokeo v. Robbins, the Supreme Court held that, although Congress can create federal claims, those claims can only be litigated in federal court as long as the plaintiff alleges a “concrete” injury (i) that affects the plaintiff in a personal and individual way, (ii) that is traceable to the defendant, and (iii) that is repressible by the federal judge. And now pending before the Supreme Court is Thole v. U.S. Bank, which will decide whether plan participants and beneficiaries in a fully-funded ERISA pension plan have Article III standing to sue a plan for alleged breaches of their statutory fiduciary duties. The Thole plaintiffs faced no injury in the form of reduced pension benefits but alleged that investment decisions made by the plan fiduciaries in breach of their duties of loyalty and prudence caused the plan to lose more than $758 million.

It is possible that the Supreme Court may dismiss the individual plaintiffs in Texas v. United States for lack of standing, finding that they have not been harmed by a mere obligation to maintain individual health insurance without a corresponding penalty. Such a ruling would seemingly comport with Spokeo, which suggests that private plaintiffs may not sue to enforce statutory obligations when they have not yet been harmed by violations of those obligations. ERISA fiduciaries thus might expect a drop in class action filings, especially as all private claims for breaches of fiduciary duty under Section 502(a)(2) and (a)(3) may be brought only in federal court, and not in a state court. A technical ERISA statutory violation may not be found “concrete and particularized,” or “actual or imminent,” and may instead be considered “conjectural” or “hypothetical,” buzz words used to determine the outcome of Spokeo arguments to dismiss.