As employers, which have increasingly dispersed workforces, grapple with what employee protections to offer individuals seeking abortion care, several legal risks have emerged that could place companies in a political and financial crossfire. States like Texas and Missouri have made clear they plan to punish those who “aid or abet” abortion seekers. This presents problems for companies that do business in such states. Their own employees could be their Achilles heel, leaking information to outsiders and helping prosecutors obtain information that could be used to bring charges against colleagues.

While the extent to which prosecutors will punish those who provide any sort of abortion assistance to patients is unclear, employers must be vigilant in protecting their employees’ health information. Prosecutors could subpoena companies, requesting the disclosure of medical information, and whistleblowers could leak protected health information or retaliate against employees who seek abortions.

“Any employer who doesn’t already have an assessment of what the end of Roe means for its operations and workforce…needs to get in front of this,” says David Gacioch, a partner at the Chicago law firm McDermott Will & Emery, which formed an interdisciplinary task force to advise employers on post-Roe legal risks.

Gacioch and other members of McDermott’s task force spoke with Fortune about what the end of the landmark ruling means for employers and employees alike, and how companies can protect the privacy of their workers. 

Challenging a subpoena

State authorities could subpoena employee healthcare data from employers as part of criminal prosecution efforts against abortion seekers. Determining how to respond to these requests depends on the subpoena’s scope and whether the employer is subject to a state’s jurisdiction.

“There are going to be a number of different flavors of this scenario. I think that it’s going to depend on the values and priorities of the organization,” Gacioch says.

Upon receiving a subpoena, companies should work with their legal counsel to determine how they will respond. Employers and benefits partners can refute requests for abortion-related data or ignore them altogether. Companies will want to review the degree of their “continuous and systematic” contacts with that state and keep in mind where they are incorporated and headquartered, where their branch offices and other facilities are located, and how they market to or serve people in the state in question. If a Texas court is subpoenaing information, for instance, a company with limited operations in the state may choose not to respond, whereas a company headquartered in the state may be more likely to engage. 

Some companies may decide that their ties to a state are minimal enough to warrant ignoring a subpoena. If a company’s legal counsel determines that the state issuing the subpoena doesn’t have jurisdiction, the employer may be able to insist the subpoena can only be served through the courts in its home state, which may offer protection from subpoenas or litigation from outside states.

“As long as [employers ignore subpoenas] in an informed fashion, the subpoena has to be followed up on and actually enforced to have any consequences,” says Gacioch.

This will, in turn, present logistical and geographical hurdles for prosecutors. If an antiabortion state subpoenas an employer outside its jurisdiction, the requesting state will have to go through the state court where the employer is headquartered. The opposing state may have protections, making it challenging to obtain sensitive information. California, for example, has enacted a shield law protecting abortion providers and patients from bans, lawsuits, and penalties in other states. 

Employers can also narrow the breadth and depth of the information requested by leveraging privacy protections from the Health Insurance Portability and Accountability Act (HIPAA), which created a national standard for protecting sensitive patient health information and prevents such information from being disclosed without the patient’s knowledge, and similar state privacy laws. For example, Section 18 of New York’s Public Health Law prevents the disclosure of medical records without the patient’s consent and extends to abortion care. Without access to specific data, prosecutors seeking protected information will likely fall short in their requests. 

Protecting health data from whistleblowers

There’s a chance that employees with antiabortion beliefs may want to retaliate against employers for offering abortion-related benefits, and leak information about colleagues to law enforcement and prosecutors. McDermott advises that a limited group of individuals, primarily human resources personnel and legal professionals involved in the day-to-day administration of a company’s health plan, have access to protected health information (PHI). Employers can also limit access to PHI by engaging a third-party administrator to process claims and administer benefits.

“It’s critical for employers to start looking at those policies,” says Ellen Bronchetti, a partner at McDermott’s labor and employment practice group in San Francisco. “Especially in large organizations that operate under various state laws and regulations.”

This limited group should undergo annual HIPAA training and become well versed in how and when to disseminate health care data, how to administer health plans and related benefits, and what the group can’t do with the information: share it with colleagues in other departments, use it to make decisions about firings or promotions, or use it to bring a private right of action, a lawsuit or enforcement of legal rights brought on by a private individual.

“If you take PHI outside of the health plan contracts and you’re using it for purposes that are not authorized, that could open up not only the employer liability but potentially the individual who breached [that] confidentiality,” says Sarah Raaii, an associate attorney at McDermott who focuses on employee benefits matters.

HIPAA violations carry hefty costs. The U.S. Department of Health and Human Services’ Office for Civil Rights can levy fines as high as $1.5 million for those it deems to have willfully neglected HIPAA regulations. Violations can also be subject to federal prosecution, resulting in separate penalties and even a prison sentence. As if that isn’t enough, the OCR lists HIPAA breaches that affect 500 or more individuals on its website, dubbed the “wall of shame” by those in the industry.

“In addition to potential penalties, it can be hard for an employer to just sweep [violations] under the rug,” says Raaii.

Assessing employee federal protections

Under the 1978 Pregnancy Discrimination Act, any employment decision based on pregnancy, childbirth, or related medical conditions is considered unlawful sex discrimination. The Equal Employment Opportunity Commission has also taken the explicit position that abortion is protected under Title VII, and a federal appeals court in Philadelphia ruled in 2008 that Title VII prevents employers from terminating an employee for seeking an abortion. 

Given the precedent of federal preemption, meaning federal laws trump state laws, Title VII protections will likely supersede any state rulings. Employee requests for abortion leave could also fall under the Family and Medical Leave Act, a federal law requiring employers to provide  leave for qualified medical and family reasons.

“Not only could Title VII be implicated if they fired an employee for either having an abortion or seeking care to have the procedure, they could also, if asked for a leave, be in violation of the FMLA,” Bronchetti says.

Despite federal preemption, antiabortion states and conservative legal groups will likely try to challenge Title VII protections. They’ll also likely target the abortion travel benefits employers offer, calling it discriminatory, as evidenced by Dick’s Sporting Goods. The conservative legal group America First Legal, led by former Trump White House senior advisor Stephen Miller, filed a complaint with the EEOC on July 13 challenging Dick’s abortion travel policy. The complaint argues that offering travel compensation to women seeking abortion care but not other pregnant women violates Title VII because employers can’t discriminate “with respect to compensation, terms, conditions, or privileges of employment because of childbirth.”

“I see that as a huge issue that will ultimately make its way through the courts, but also an issue that employers and states that have very strict abortion statutes are going to have to grapple with in the weeks and months to come,” Bronchetti says.

The right to an abortion is a hotly debated issue and, as such, employees will fall on either side. Companies can’t fire workers for taking a stance for or against abortion rights and corresponding corporate policies. Employees protesting abortion-related policies could argue that they’re protected by the National Labor Relations Act, which allows employees to protest any terms and conditions of employment with which they disagree. 

“Employers need to prepare themselves for the possibility that they may not be able to take action if they disagree with that employee’s view because those rights are likely protected,” Bronchetti says. “There has to be some awareness and sensitivity to employers knowing that this is by far an issue that not everyone can agree on.”