Missouri Employers and Abortions as Healthcare: Don’t Ask, Don’t Tell

Ruth Binger

By Ruth Binger



Authored by Ruth Binger with assistance from Sarah L. Ayers, contributor

supreme courtThe recent U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization triggered a ban on abortion in Missouri and several states. In 2019, Missouri passed the “The Right to Life of the Unborn Child Act,” an anti-abortion bill which included a trigger ban on abortions. In the event Roe v. Wade was ever overturned, the Governor or Attorney General was to issue a statement implementing the ban. Missouri Attorney General Eric Schmitt issued a statement proclaiming the trigger law in effect as of Friday, June 24, 2022, at 9 a.m. following the Dobbs decision.

A variety of new legal questions related to abortion and healthcare have arisen since the decision was announced and states, such as Missouri, have enacted trigger bans. One example of the confusion involves life-saving abortions in cases of a medical emergency. Under a new regulation issued by the Biden administration, a life-saving abortion in cases of a medical emergency is a federally protected procedure. Leaders in several states have challenged the regulation.

Another issue lies with pre-Roe bans in states which outlaw abortion and whose legality today is still questionable even with the reversal of Roe. Many states with pre-Roe bans are in the process of putting updated laws on the books that either re-affirm restricting abortion or protect abortion. Kansas voters recently rejected a proposed state constitutional amendment stating there is no right to abortion within the state. Other questions raised include: How will the laws be enforced? Who can be charged with conspiracy in states under a ban (such as Missouri)? Can a state with an abortion ban exclude a fetus from being considered a person in other areas of the law? Continue reading »

Religious Exemptions to COVID-19 Vaccination Mandates under Title VII and the EEOC’s Additional Guidance

Katherine M. Flett

By Katherine M. Flett



covid vaccineWith continued and widespread COVID-19 infection and the FDA’s full approval of the Pfizer-BioNTech COVID-19 vaccine, many employers have instituted COVID-19 vaccination mandates. Title VII requires employers to provide reasonable accommodations for employees with sincerely-held religious beliefs that conflict with getting vaccinated. Given that religious beliefs are difficult to disprove, many employees have taken this as an opportunity to request religious exemptions to avoid COVID-19 vaccination mandates.

The Law – Title VII

Title VII of the Civil Rights Act of 1964 prohibits employment discrimination on the basis of religion and requires employers to provide reasonable accommodations to employees claiming their sincerely-held religious beliefs conflict with getting vaccinated. Title VII protects not only people who belong to traditional, organized religions, such as Buddhism, Christianity, Hinduism, Islam, and Judaism, but also others who have “sincerely-held religious, ethical or moral beliefs.”

Given this sweeping definition of religion, the U.S. Equal Employment Opportunity Commission (“EEOC”) has cautioned that an employer should generally assume that an employee’s request for a religious accommodation is based on a sincerely-held religious belief. Nevertheless, an employer is permitted to question the sincerity of an employee’s purported religious belief where there is an objective basis for doing so. Further, an employer is not required to accommodate an employee’s religious beliefs and practices if doing so would impose an “undue hardship” on the employer’s legitimate business interests. For the EEOC’s list of factors to be considered when determining whether an accommodation imposes an undue hardship on an employer, visit: EEOC Undue Hardship.

The EEOC’s Guidance on Religious Exemption Requests

On October 25, 2021, the EEOC updated its technical assistance related to the COVID-19 pandemic, which included additional guidance on how employers should handle religious exemption requests (Section L). Read the full EEOC update here.

The key takeaways are:

  1. Employees who have a religious objection to receiving a COVID-19 vaccination must inform their employer and request a reasonable accommodation to be afforded protection under Title VII. Reasonable accommodations may include telework or reassignment.
  2. If an employer has an objective basis for questioning either the religious nature or the sincerity of a particular belief, the employer can make a limited factual inquiry seeking additional supporting information.
  3. An employer who objectively demonstrates that it would be an “undue hardship” to accommodate an employee’s request for religious exemption to the employer’s vaccination mandate is not required to provide the accommodation.
  4. An employer is not required to grant all employees’ requests for religious exemptions on the basis that it has granted some employees requests for religious exemptions. The determination is fact-intensive and specific to every request.
  5. While an employer should consider the employee’s preference, if there is more than one reasonable accommodation that would resolve the conflict between the vaccination requirement and the religious belief without undue hardship, the employer may choose which accommodation to offer.
  6. An employer has the right to discontinue a previously granted religious accommodation. If the employer learns that the belief is not religious in nature or sincerely-held, or if the accommodation becomes an undue hardship, the employer can discontinue the accommodation.

Continue reading »

Access to Patient Medical Records During COVID-19

Health Care Law Practice Group

By Health Care Law Practice Group



medical recordsIssues relating to a patient’s right of access to medical records have never been more important than now, in the midst of the COVID-19 pandemic.  Healthcare providers, big and small (from a large New York City non-profit providing health care and other services to the homeless population to small psychiatric services providers in Virginia and Colorado), are facing monetary penalties and having to comply with Corrective Action Plans (CAP) imposed by the Office for Civil Rights (OCR) with strict requirements and short deadlines.

One of these psychiatry services providers must distribute new policies and procedures concerning patient requests for records to all members of its workforce and relevant business associates within 30 days and to new employees upon hiring. Recipients are required to execute certification of having read, understood, and promised to abide by these policies and procedures. Training and individual certifications must be completed within 60 days. Going forward, the practice must implement annual training. Any reportable events must be fully investigated and described in a report as part of the full-scale written “Implementation Report.” The practice must submit the report to the U.S. Department of Health and Human Services (HHS) within 120 days. The CAP concludes with a “Final Report,” again containing specific terms and obligations of the psychiatry practice. Continue reading »

Warning to Employers and Medical Providers Alike Regarding Releasing COVID-19 Test Results!

Employment Law Practice Group

By Employment Law Practice Group



So, your furloughed employee[i] is returning to work – Hooray!? Not so fast. Employers and the medical providers who are treating and perhaps testing these employees/patients for COVID-19 need to be wary about who is able to disclose and use testing information and to whom.  Both sides must tread carefully and follow strict guidelines in such situations.

covid test

For over two decades, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has governed disclosure of an individual’s protected health information and has prevented a medical provider from unilaterally disclosing sensitive health information to employers.  Even faced with a previously unimaginable global pandemic, from its implementation in 2003, the HIPAA Privacy Rule has had procedures in place that address this thorny legal issue.

Take the following hypothetical example: An employer furloughs an employee as a reduction in work force for financial reasons. While on furlough, the rumor mill is active and the employer “hears” that this employee may have been experiencing COVID-19 symptoms while on furlough.  May the employer reach out to the employee’s medical provider to obtain medical information specifically related to COVID-19 testing? May the provider release such information if the employer contacts the provider to inquire? Work-arounds exist under the HIPAA Privacy Rule or may exist when the employer pays for COVID-19 testing.

Option 1:  Consent Upfront. Continue reading »

Troubling Practices by Hospitals for Patients’ Access to Medical Records Uncovered

Health Care Law Practice Group

By Health Care Law Practice Group



A new study published in JAMA Network Open and conducted by Yale University School of Medicine found troubling practices at U.S. hosmedical recordspitals relating to patients’ access to and provision of patients’ own medical records.  HIPAA’s Privacy Rule absolutely requires access to a medical record when properly requested under two circumstances:  (1) to the patient; and (2) to the Secretary of the Department of Health and Human Services.  Further, the patient must be provided records in his or her preferred format and for a reasonable processing fee.  Shockingly, only 53 percent of the hospitals surveyed provide patients an option to obtain their own medical records.  (Eighty-three top-ranked U.S. hospitals in 29 states were surveyed.)

Continue reading »

Modernizing Healthcare Legislation in the Face of the Opioid Crisis

Health Care Law Practice Group

By Health Care Law Practice Group



opioid crisis

In 2016, opioid overdoses accounted for more than 42,000 deaths in America. It was estimated that 11.5 million people misused opioid prescriptions and 2.1 million people suffered from an opioid use disorder that same year.[1] From July 2016 to September 2017, the Center for Disease and Prevention found that opioid overdoses increased 30% in 45 states; however, the Midwest region alone saw a 70% increase.[2] On October 26, 2017, President Trump declared the opioid crisis a national Public Health Emergency under federal law.

While the federal government has responded by allotting six billion dollars to assist in the treatment and prevention of opioid overdoses, hospitals and medical providers still face barriers when it comes to the disclosure of medical information related to these overdoses due to conflicts between HIPAA and other federal law. Congress is working to resolve this conflict.

In 2017, the Department of Health and Human Services Office for Civil Rights (OCR) released a new HIPAA Guidance on when and how healthcare providers may share a patient’s health information with his or her family members, friends, and legal representative if the patient is in crisis. Current HIPAA regulations permit (but do not require) healthcare professionals to disclose health information without a patient’s consent if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s healthcare or payment of care. This allows a provider to talk to the parents of someone incapacitated by an opioid overdose about the overdose, but generally does not allow disclosure of medical information unrelated to the overdose without the patient’s permission. Continue reading »

The Intersection of HIPAA and Cloud Storage

Katherine M. Flett

By Katherine M. Flett



Our ever-evolving technological society is raising new questions about how to reconcile complex health data protection laws with cloud storage.  Storage of data in the “cloud” allows users to store, maintain, and manage data remotely on the internet.  Its advantages include accessibility of the cloud-stored data from any location via the internet, emergency back-up capacity, and even cost savings.  An online search for HIPAA-compliant cloud storage companies reveals that there is no shortage of companies who advertise their “HIPAA-compliant cloud services.”  It is important to remember that working with a company who claims their cloud storage “is HIPAA compliant,” does not excuse you from meeting HIPAA requirements.  Due diligence is required when selecting such a company and entering into appropriate contractual arrangements with the companies.

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) is responsible for overseeing protection of sensitive health data under the Health Insurance Portability and Accountability Act, as amended (“HIPAA”). OCR issued guidance on October 6, 2016, explaining how to safeguard electronic health information protected by HIPAA in today’s widespread cloud networking environment.

HIPAA applies to “covered entities,” and this article will focus on one such covered entity, the health care provider.  Most health care providers do not perform all of their health care functions by themselves and instead often use a range of services offered by others, called “business associates” under HIPAA.  Health care providers are permitted to disclose protected health information (“PHI”) to these business associates (“BA”) as long as they obtain satisfactory assurances that the BA will use the information only for the purposes for which it was engaged by the health care provider, will safeguard the information from misuse, and will help the health care provider comply with some of the health care provider’s duties under HIPAA, through the execution of business associate agreements.

Continue reading »

HIPAA Non-Compliance Results in Largest Single-Entity Settlement to Date

Katherine M. Flett

By Katherine M. Flett



On August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) entered into a settlement agreement with Advocate Health Care Center (Advocate) in which Advocate agreed to pay $5.5 million to settle multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).  This is the largest HIPAA settlement against a single entity to date, and according to OCR, is due to the severity of the violations and the length of time that those violations continued.

According to OCR’s press release, OCR began its investigation of Advocate in 2013, after Advocate submitted three breach notification reports relating to three separate instances of breach of unsecured electronic protected health information (ePHI).  The combined breaches resulted in unsecured access to over four million patients’ information. Continue reading »

Mizzou Story Highlights Tension Between Doctor-Patient Privilege and Protecting the Patient

Health Care Law Practice Group

By Health Care Law Practice Group



A story concerning the death of a female athlete by suicide, her alleged rape, and the role played by the university she attended in the tragic facts has placed the issue of patient confidentiality squarely in the headlines.  The story highlights the care that must be taken to protect a patient’s ability to speak candidly and honestly to his or her medical provider without fear that such information will be divulged to anyone else without the patient’s permission.

The female student athlete had committed suicide in 2011, approximately 16 months after her alleged rape in 2010 by another student athlete at the school.  According to an email posted to Mizzou’s website on January 24, 2014, an ESPN producer of “Outside the Lines” wanted to know if University of Missouri officials planned to investigate or notify law enforcement about the alleged rape.  Just hours before publishing the story, the ESPN producer asked university officials: Continue reading »

A Long Road to HIPAA Compliance: Privacy and Security Audits

Health Care Law Practice Group

By Health Care Law Practice Group



Since the Health Information Portability and Accountability Act of 1996 (HIPAA) was implemented in 2003, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has not conducted a formalized plan for auditing health care providers, insurance plans and other covered entities … until now.

OCR recently announced its pilot program to audit covered entities for privacy and security compliance and says in 2012 it will conduct up to 150 audits in their effort to ensure that covered entities and their business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification Standards. The OCR website provides useful information about this program and its objectives.

Previously, there was no mandated auditing process as a part of HIPAA, but rather reviews of covered entities typically would occur as complaints were raised by patients or consumers. With the American Recovery and Reinvestment Act of 2009, Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH) amended portions of HIPAA and requires HHS to develop procedures for auditing covered entities to verify compliance with the Privacy Rules and breach notification.

Covered entities need to ensure that their policies and procedures are updated for privacy and security compliance efforts. The entity must be prepared to provide documentation of its procedures, including with regard to breach notification, and documentation that its key personnel have been trained. Training does not include simply having a notebook containing policies and procedures that no one knows how to use.

According to the OCR website, the timeline is fairly quick, so individuals within the covered entity should be prepared to know what to do upon receiving a written notification that an audit is coming. If a “serious compliance issue” is found, OCR may initiate a compliance review to address the problem.

Of course, OCR will continue to accept complaints from individuals and covered entities through their privacy officers must continue to accept complaints from individuals. The goal of the pilot audit program appears to be to identify best practices and discover risks and vulnerabilities that otherwise have not come to light through the complaint process.

Covered entities that are prepared will shine, while those that are not prepared will have some explaining to do.

Skip to content