Why Employers Need to Carefully Approach Employee Healthcare Data

The recent controversy about AOL CEO Tim Armstrong's comments on employee healthcare expenses reflects ongoing confusion about the actual and appropriate rules for employers and the protections for employees concerning their healthcare information. As employers become more involved in the overall management of employee wellness and overall healthcare expenditures, this confusion is likely to remain. Employers need to consider very carefully their approach to employee healthcare information and how they will act effectively and intelligently in this controversial and risky area.

AOL’s CEO was quoted in various media sources recently as saying “We had two AOL-ers that had distressed babies that were born that we paid a million dollars each to make sure those babies were OK in general. And those are the things that add up into our benefits cost.”

The media quickly went into overdrive.

The big question was whether the comments reflected a violation of the HIPAA rules. For better or worse, there was simply no way to tell from these comments on their own whether HIPAA was violated. At the same time, much of the uproar was about a “violation” of the employees’ rights, independent of the actual regulations. Was this an appropriate thing for the CEO to know and speak about?

Several key points led to the bulk of the confusion.

First, the HIPAA privacy principles that stem from the original HIPAA statute are not overall medical privacy rules. As a result of various choices in the original statute, the law and the accompanying regulations protect healthcare information in certain settings when held by certain kinds of entities. While the regulations provide substantial protections where they apply, there are large areas of healthcare where the HIPAA rules simply do not apply.

From the start of the HIPAA regime, employers were a key gap. The core purpose of this rule as it pertains to employers is to ensure that health information is not used against employees in connection with their employment. Because of HIPAA’s limited scope, however, the Department of Health and Human Services could only regulate the “group health plan,” not the employer itself that sponsors the plan. So, HIPAA regulates the flow of information between the health plans that simply provide benefits and the employer that sponsors the health plan and that is the entity that can engage in adverse actions such as terminations. But, the core problem is that this line between the “group health plan” and the employer/plan sponsor is a legal fiction. There really is no such distinction in most companies.

Now, in the 10 years since the HIPAA rules first went into effect, this problem has been exacerbated. More employer health plans are “self-insured,” meaning the employer plays a meaningful role in the administration of the plan. And, even for fully insured plans, employers tend to be more involved in overall management and administration of healthcare expenses.

In addition, because of the gaps in HIPAA scope, there have always been large areas where employers obtained health care information about employees outside the reach of the HIPAA rules. Disability claims, workers compensation claims, Family and Medical Leave Act data, information obtained as a result of applications and general information obtained through the course of being an employer all are outside the scope of HIPAA.

The growth of wellness programs has complicated this situation even more. Now, while there are significant restrictions on how these wellness programs can work, the core question of whether wellness programs are in or out of HIPAA remains unclear and confusing.

The AOL issue also raised the question of employee rights in this area. This is a perception issue, more than one of legal rule. While the question of whether there was a HIPAA violation remains unclear—as there is no clear information that the CEO had any idea who these two people were—clearly, the controversy stemmed in large part from simply bad public relations. The CEO should not have singled out specific employees, even if he did not name them.

And, by publicly using these examples, this situation highlighted the employee concerns and perceptions that employers were acting incorrectly or in ways adverse to employee rights. But was this fair? If the employer is footing the bill, should the employer be able to know general information about overall costs, specific examples, etc.? There clearly are limits, from HIPAA and otherwise, about what can be done with this information. If these individuals had been fired because of these expenses, it clearly would have been a violation of various laws.

But is simply knowing this information itself any kind of violation? What if this information is used for appropriate management of the health plan only? Would the controversy have been the same if the CEO used the exact same data to seek out a new healthcare program administrator or alter the overall structure of the benefits plan?

So, we are faced with a lose-lose situation.

Employees feel that their health information is at risk and that employers are seeing more of their information. Employers face a daunting set of regulatory requirements—and ample room for criticism and concern even where these requirements are met.

What is likely to happen?

For example, as the health insurance exchanges expand, will we see employers moving employee healthcare coverage into these exchanges—and therefore take the employers out of the middle? This clearly will reduce the privacy risks for both employers and employees, as employers will no longer have a basis to receive information or to manage the overall costs associated with employee care. Will this be a smart solution overall?

From the employer perspective, is there any way to realistically manage these risks? Will getting less information help? What about better controls on security and internal access? Is outsourcing and de-identification of personal details a viable option? Or is the best approach simply to do what you must, and say nothing publicly about it?

Written By

Kirk Nahra, CIPP/US
