The recent controversy about AOL CEO Tim Armstrong's comments on employee healthcare expenses reflects ongoing confusion about the actual and appropriate rules for employers and the protections for employees concerning their health care information. As employers become more involved in the overall management of employee wellness and overall healthcare expenditures, this confusion is likely to remain. Employers need to very carefully consider their approach to employee healthcare information and how they will act effectively and intelligently in this controversial and risky area.
AOL’s CEO was quoted in various media sources recently as saying “We had two AOL-ers that had distressed babies that were born that we paid a million dollars each to make sure those babies were OK in general. And those are the things that add up into our benefits cost.”
The media quickly went into overdrive.
The big question was whether the comments reflected a violation of the HIPAA rules. For better or worse, there was simply no way to tell from these comments on their own whether HIPAA was violated. At the same time, much of the uproar was about a “violation” of the employees’ rights, independent of the actual regulations. Was this an appropriate thing for the CEO to know and speak about?
Several key points led to the bulk of the confusion.
First, the HIPAA privacy principles that stem from the original HIPAA statute are not overall medical privacy rules. As a result of various choices in the original statute, the law and the accompanying regulations protect healthcare information in certain settings when held by certain kinds of entities. While the regulations provide substantial protections where they apply, there are large areas of healthcare where the HIPAA rules simply do not apply.
From the start of the HIPAA regime, employers were a key gap. The core purpose of this rule as it pertains to employers is to ensure that health information is not used against employees in connection with their employment. Because of HIPAA’s limited scope, however, the Department of Health and Human Services could only regulate the “group health plan,” not the employer itself that sponsors the plan. So, HIPAA regulates the flow of information between the health plans that simply provide benefits and the employer that sponsors the health plan and that is the entity that can engage in adverse actions such as terminations. But, the core problem is that this line between the “group health plan” and the employer/plan sponsor is a legal fiction. There really is no such distinction in most companies.
Now, in the 10 years since the HIPAA rules first went into effect, this problem has been exacerbated. More employer health plans are “self-insured,” meaning the employer plays a meaningful role in the administration of the plan. And, even for fully insured plans, employers tend to be more involved in overall management and administration of healthcare expenses.
In addition, because of the gaps in HIPAA scope, there have always been large areas where employers obtained health care information about employees outside the reach of the HIPAA rules. Disability claims, workers compensation claims, Family and Medical Leave Act data, information obtained as a result of applications and general information obtained through the course of being an employer all are outside the scope of HIPAA.
The growth of wellness programs has complicated this situation even more. Now, while there are significant restrictions on how these wellness programs can work, the core question of whether wellness programs are in or out of HIPAA remains unclear and confusing.
The AOL issue also raised the issue about employee rights in this area. This is a perception issue, more than one of legal rule. While the question of whether there was a HIPAA violation remains unclear—as there is no clear information that the CEO had any idea who these two people were—clearly, the controversy stemmed in large part from simply bad public relations. The CEO should not have isolated specific employees, even if they were not named by him.
And, by publicly using these examples, this situation highlighted the employee concerns and perceptions that employers were acting incorrectly or in ways adverse to employee rights. But was this fair? If the employer is footing the bill, should the employer be able to know general information about overall costs, specific examples, etc.? There clearly are limits, from HIPAA and otherwise, about what can be done with this information. If these individuals had been fired because of these expenses, it clearly would have been a violation of various laws.
But is simply knowing this information itself any kind of violation? What if this information is used for appropriate management of the health plan only? Would the controversy have been the same if the CEO used the exact same data to seek out a new healthcare program administrator or alter the overall structure of the benefits plan?
So, we are faced with a lose-lose situation.
Employees feel that their health information is at risk and that employers are seeing more of their information. Employers face a daunting set of regulatory requirements—and ample room for criticism and concern even where these requirements are met.
What is likely to happen?
For example, as the health insurance exchanges expand, will we see employers moving employee healthcare coverage into these exchanges—and therefore take the employers out of the middle? This clearly will reduce the privacy risks for both employers and employees, as employers will no longer have a basis to receive information or to manage the overall costs associated with employee care. Will this be a smart solution overall?
From the employer perspective, is there any way to realistically manage these risks? Will getting less information help? What about better controls on security and internal access? Is outsourcing and de-identification of personal details a viable option? Or is the best approach simply to do what you must, and say nothing publicly about it?
If you want to comment on this post, you need to login.