The American Journal of Managed Care
July 2016
Volume 22
Issue 7

Medical Record Privacy and State Health Reform After Gobeille v. Liberty Mutual Insurance Co.

Gobeille v. Liberty Mutual Insurance Company highlights the challenges in managing conflicting state and federal laws, and balancing patient privacy interests against the state’s interests in healthcare reform.

Am J Manag Care. 2016;22(7):472-474

On March 1, 2016, the Supreme Court issued a 6-2 decision in Gobeille v. Liberty Mutual Insurance Co., holding that the federal Employee Retirement Income Security Act (ERISA)—a comprehensive federal law that regulates a variety of employee benefits, including health plans established by employers—preempts a Vermont law requiring self-funded employer health insurers to submit certain types of health data to state databases.1 Vermont had passed the law to collect and aggregate state-level health data, with the goal of understanding and addressing rising healthcare costs.2 As increasing numbers of employees receive coverage from self-funded employers, their healthcare data have become important to ensure transparency and to craft state-level healthcare policy. Although some laud the Supreme Court decision as a win for medical privacy, the case highlights the challenges in managing conflicting state and federal laws, and balancing patient privacy interests against the state’s interests in healthcare reform.

Background: Vermont’s Law, its Opposition, and the Court’s Holding

Enacted in 2005, the Vermont law aimed to improve healthcare quality by collecting various health-related data, including “medical claims data, pharmacy claims data, member eligibility data, provider data and other information.”2 In particular, the law required self-funded insurance providers to submit, upon request, healthcare information on prices and annual registration forms, and to report claims at specified intervals.2 In the recent past, a growing number of states have established databases that collect health insurance claims information from all healthcare payers into a statewide information repository. By January 2016, Vermont and 17 other states had enacted “all-payer claims databases,” while more than a dozen others considered such a law or program.3

Liberty Mutual Insurance Company, which administers self-insured health plans for over 80,000 individuals nationwide,1 objected to the Vermont law, claiming its disclosure requirements violate its fiduciary duties under ERISA.1 Vermont had issued a subpoena to demand that Liberty Mutual release medical and pharmacy claim files pursuant to Vermont law, and the company responded by filing suit—claiming that ERISA preempted Vermont’s data-reporting requirement for self-insured plans. The district court sided with Vermont, but the Second Circuit Court of Appeals reversed the lower court’s decision and ruled in favor of Liberty Mutual.4 The Second Circuit placed a heavy emphasis on the privacy risks associated with this type of reporting requirement and found that such privacy risks would burden beneficiaries of the plans.4

The Supreme Court subsequently granted certiorari, and, with little difficulty, found that ERISA did preempt the Vermont law.1 The Court noted that the only relevant question is whether Congress intended ERISA to preempt state legislation, such as Vermont’s. Because the Vermont law both “govern[ed]…a central matter of plan administration” and “interfere[ed] with nationally uniform plan administration,” the Court found that the law was of the very type that Congress intended ERISA to preempt.5 To allow states to have their own reporting requirements would “impos[e] novel, inconsistent, and burdensome reporting requirements on plans.”5

Unaddressed Controversy: Should Privacy or Data Drive Healthcare Policy?

Unlike the Second Circuit’s ruling, the Supreme Court’s opinions (majority, concurring, and dissenting) made little of the privacy aspect, noting only that Liberty Mutual challenged the law to protect the privacy of individual medical records.1 None of the justices, however, expressed any issue with government collection of individual healthcare information.1 The majority opinion even suggested that the Secretary of Labor could require ERISA plans to report individual claims data to a national or state database, indicating that the Court saw no privacy issues at stake, so long as statutes and policies meet the requirements of ERISA.1

Although the Court barely addressed the issue, many have recognized an inherent conflict between protecting medical privacy and collecting healthcare information to shape effective policy. Eighteen states have created such databases to determine the nature and distribution of healthcare costs, in hopes of implementing policies and regulations that could reduce costs.3 As Justice Ruth Bader Ginsberg noted in her dissent in Gobeille v. Liberty Mutual, “Stopping states from collecting claims data from self-insured employer healthcare plans would thus hugely undermine the reporting regimes on which Vermont and other States depend to maintain and improve the quality, and hold down the cost, of healthcare services.”1 Following Gobeille, states can no longer mandate data reporting from the majority of employees nationwide, given that about 63% of covered workers are enrolled in a plan that is partially or entirely self-funded.6

Likewise, the American Hospital Association noted that it is essential that self-funded insurers be included in all-payer databases if those databases are to realize their potential.7 The American Hospital Association and the Association of American Medical Colleges agreed that hospitals have only the data for the patients they treat, but information from an individual’s broad healthcare experience is needed to inform clinical, payment, and public health policy.7 Complete data is necessary to conduct useful analyses of the healthcare system, across its entire spectrum, to make meaningful changes. Striking down these laws may also reduce the transparency necessary to encourage insurers participating in the healthcare marketplace and improve overall state health.

Opponents of the law, however, fear potential data breaches in the large-scale transmission and storage of personal health data, and suggest that any savings and increased efficiency will come at a high cost. Thus, said Twila Brase, president of Citizens’ Council for Health Freedom, in reaction to the ruling, “Today is a good day for medical privacy in America.”8 The ruling means that fewer patient medical records are at risk of privacy violation.8 Many, including the Association of American Physicians and Surgeons (AAPS) believe that patient privacy cannot adequately be protected in large government databases.7 Large, centralized databases are vulnerable to hacking, and are targets for cyber-attacks, putting the private medical information of millions of Americans at risk of public disclosure.

The Second Circuit explicitly acknowledged that the laws “require[…] ERISA plans to record, in specified format, massive amounts of claims information and to report that information to third parties, creating significant (and obvious) privacy risks and financial burdens.”4 Moreover, de-identification may do little to protect individual privacy; researchers at Harvard demonstrated that de-identified private medical information can be re-identified.9 The potential public disclosure of this private information, through breach or re-identification, could adversely impact careers and family lives, causing a disincentive against seeking care for stigmatized medical conditions. The AAPS believes that ultimately, the medical profession, rather than “big brother” states, is the appropriate actor to spearhead healthcare cost reductions.4

Implications for the Future of Healthcare Data Collection After Gobeille v. Liberty Mutual Insurance Co.

Although the decision in Gobeille v. Liberty Mutual Insurance Co. hampers efforts to track the quality and cost of care, it implies that, at least for now, workers in America covered under self-insured plans are protected from the mandatory release of their private medical records to state governments. Advocates of privacy rights are not alone in celebrating the decision.4 Many employers and health insurers see the decision as a significant victory for self-funded insurers who otherwise would have to comply with conflicting patchworks of state laws and regulations.4 Without the ruling, large self-funded employers that operate in multiple states could face a myriad of different regulations in each state, leading to high administrative costs and conflicts in compliance requirements. The new ruling alleviates that burden by ensuring that self-insured employers all face one uniform set of national regulations. Uniformity in reporting helps with efficient plan administration.

The majority opinion did, however, suggest a way in which states might obtain the information they desire—through the federal government.1 The Secretary of Labor could, for example, promulgate regulations to require self-funded insurers to report healthcare data to the federal government, who could then distribute this information to the states.1 Moreover, the ruling does not prevent self-funded insurers from voluntarily reporting health information to the states.1

These technical workarounds to comply with the Court’s decision, however, may overlook the risk of privacy violation. Although many can appreciate the need for centralized healthcare databases and the critical analysis regarding the costs and quality that they enable for policy formulation, the Court’s reticence on privacy issues associated with data collection may suggest that it finds no inherent privacy violation in massive, government-collected databases of private medical information.


Although Gobeille v. Liberty Mutual Insurance Co. was silent on the privacy issues surrounding health databases and the ruling was merely a technical application of the doctrine of federal preemption, according to which federal law trumps state law when the two are in conflict, this case may pave the way for the federal government to collect health plan data or to approve or delegate to a state the authority to collect such data. As one physician put it, however, “[W]e need to foster a public debate over citizens’ right to medical privacy versus government seizure of private information without consent, because any loss of privacy rights undermines our society, and threatens our freedoms and our way of life.”10 A rigorous analysis of the risks and benefits of government-mandated healthcare databases, and investment in improved technology to protect such data already held by the government, are of utmost importance.

Author Affiliations: Department of Health Administration and Policy, George Mason University (YTY), Fairfax, VA; Department of Health Services Policy and Management, University of South Carolina (BC), Columbia, SC.

Source of Funding: None.

Author Disclosures: The authors report no relationship or financial interest with any entity that would pose a conflict of interest with the subject matter of this article.

Authorship Information: Concept and design (YTY); drafting of the manuscript (YTY); critical revision of the manuscript for important intellectual content (BC); and supervision (YTY).

Address correspondence to: Y. Tony Yang, MS, 1J3, 4400 University Dr, Fairfax, VA 22030. E-mail:


1. Gobeille v. Liberty Mut. Ins. Co., No. 14-181 (2016). US Supreme Court website. Accessed June 2016.

§ 9410.

2. The Vermont statutes online. Title 18: Health; Chapter 221: Health Care Administration; Subchapter 001: Quality, Resource Allocation, And Cost Containment; Health care database. State of Vermont Legislature website. Accessed June 2016.

3. Interactive state report map. All-Payer Claims Database Council website. Accessed March 24, 2016.

4. Liberty Mut. Ins. Co. v. Donegan, No. 12-4881-cv. 746 F.3d 497 (2d Cir, 2014). Leagle website. Accessed June 2016.

5. Egelhoff v. Egelhoff, No. 99—1529. 532 U.S. 141, 148 (2001). Accessed June 2016.

6. 2015 Employer Health Benefits Survey. Kaiser Family Foundation website. Published September 22, 2015. Accessed March 24, 2016.

7. Respondent amici—Gobeille v. Liberty Mutual Insurance Company. National Academy for State Health Policy. Accessed March 24, 2016.

8. Woodward C. Brase on database: court ruling ensures privacy. One News Now website. Published March 2, 2016. Accessed March 24, 2016.

9. Sweeney L. Policy and law: identifiability of de-identified data Accessed March 24, 2016.

10. Israel S. The illusion of patient privacy and private practice. JPandS. 2015;20(4):116-118. 

Related Videos
Related Content
CH LogoCenter for Biosimilars Logo