Tim Armstrong, the chief executive of AOL, apologized last weekend for publicly revealing sensitive health care details about two employees to explain why the online media giant had decided to cut benefits. He even reinstated the benefits after a backlash.
But patient and workforce experts say the gaffe could have a lasting effect on how comfortable — or discomfited — Americans feel about bosses data-mining their personal lives.
Armstrong made a seemingly offhand reference to “two AOL-ers that had distressed babies that were born that we paid a million dollars each to make sure those babies were OK.”
The comments, made in a conference call with employees, brought an immediate outcry, raising questions over corporate access to and handling of employees’ personal medical data.
Some workers at other companies considered the likelihood that their bosses knew intimate details about their own families’ personal illnesses and treatments — and worried about the potential for those companies to disclose enough details about their health conditions to make them identifiable to colleagues. It was not long before a “distressed babies” meme emerged across social media.
“This example shows how easy it is for employers to find out if employees have a rare medical condition,” said Deborah C. Peel, founder of Patient Privacy Rights, a nonprofit group in Austin, Texas. She urged regulators to investigate Armstrong’s disclosure about the babies, saying “he completely outed these two families.”
In response to a question about how Armstrong learned the specifics of the AOL employees’ situations, Doug Serton, a spokesman for AOL, said, “We aren’t commenting on these issues.”
The uproar over the “distressed babies” remark comes at a time of increased public dissatisfaction with employers whose efforts to hold down health care costs appear to some employees to cross the line into invasion of privacy. Last fall, Pennsylvania State University introduced a plan that required employees to answer a long questionnaire about their health and private lives or pay a fee of $100 monthly. After faculty members protested, the university said it would suspend the fine.
Against a backdrop of rising spending, many companies are paying greater and more detailed attention to health care costs for employees and their spouses and children. That kind of analysis is perfectly legal, but the AOL episode exposes some potential privacy risks.
The Health Insurance Portability and Accountability Act — known as HIPAA — regulates how hospitals and health insurers, among others, may use and disclose patients’ personal medical information. Although the law does not cover employers, it allows companies that are self-insured, those directly assuming the risk and paying out of pocket, to obtain certain health care information about employees from their group plans.
“Any employer worth his or her salt will get reports monthly, quarterly or semiannually,” said Helen Darling, the president of the National Business Group on Health, a nonprofit group that represents large employers on health issues. “They have got money in big clumps coming out of their bank accounts.”
Group health plans typically issue comprehensive reports to self-insured businesses that include aggregated company spending on employee medical tests, treatments, medications, doctor visits, hospitalizations and other categories over a given month or quarter.
The reports usually break down costs by treatment category such as outpatient services, drugs and imaging tests; by disease category, such as the number of employees with psychiatric disorders, cancers or muscular-skeletal disorders; and the aggregate cost for their treatments. Employers may also receive tables that compare spending on brand-name and generic medicines in categories such as cholesterol or multiple sclerosis. The reports often include details on specific high-cost cases.
The idea is to give businesses a detailed picture of the health care expenses that are the biggest cost drivers so they can channel employees toward more cost-efficient care.
“The information can be used to educate or incent people to use one delivery service over another,” said Julie Stone, a senior consultant in the health and group benefits business atTowers Watson, a consulting firm
. For example, she said, “if employers see that their drug costs are going up for asthmatics, that might be a good thing because it means they are taking their inhalers and not showing up in the emergency room,” a much more expensive treatment option.
Legal experts said that if Armstrong was not authorized by the plan document to see the employee data he publicly discussed, it could constitute a violation of disclosure regulations.
“It’s likely an impermissible disclosure,” saidLisa J. Sotto, a lawyer in New York who specializes in data privacy and security compliance. “There is a permissible group that is pinpointed to administer the health plan, and they are not permitted to disclose that information” outside specified purposes.