Revelations by AOL Boss Raise Fears Over Privacy
Tim Armstrong, AOL’s chief, set off a firestorm when he revealed information about medical costs for two “distressed babies.” Toby Melville/Reuters
Tim Armstrong, the chief executive of AOL, apologized last weekend for publicly revealing sensitive health care details about two employees to explain why the online media giant had decided to cut benefits. He even reinstated the benefits after a backlash.
But patient and work force experts say the gaffe could have a lasting impact on how comfortable — or discomfited — Americans feel about bosses’ data-mining their personal lives.
Mr. Armstrong made a seemingly offhand reference to “two AOL-ers that had distressed babies that were born that we paid a million dollars each to make sure those babies were O.K.” The comments, made in a conference call with employees, brought an immediate outcry, raising questions over corporate access to and handling of employees’ personal medical data.
Some workers at other companies considered the likelihood that their bosses knew intimate details about their own families’ personal illnesses and treatments — and worried about the potential for those companies to disclose enough details about their health conditions to make them identifiable to colleagues. It was not long before a “distressed babies” meme emerged across social media.
AOL’s Chief Under Fire
Julia Boorstin of CNBC on Tim Armstrong’s reversal of changes to company 401K benefits.
“This example shows how easy it is for employers to find out if employees have a rare medical condition,” said Dr. Deborah C. Peel, founder of Patient Privacy Rights, a nonprofit group in Austin, Tex. She urged regulators to investigate Mr. Armstrong’s disclosure about the babies, saying “he completely outed these two families.”
In response to a query about how Mr. Armstrong learned the specifics of the AOL employees’ situations, Doug Serton, a spokesman for AOL, said, “We aren’t commenting on these issues.”
The uproar over the “distressed babies” remark comes at a time of increased public dissatisfaction with employers whose efforts to hold down health care costs appear to some employees to cross the line into invasion of privacy. Last fall, Pennsylvania State University introduced a wellness plan that required employees to answer a lengthy questionnaire about their health and private lives, or pay a fee of $100 monthly; after faculty members protested, the university said it would suspend the fine.
Against a backdrop of rising spending, many companies are paying greater and more detailed attention to health care costs for employees and their spouses and children. While that kind of analysis is perfectly legal, the AOL episode exposes some potential privacy risks.
The Health Insurance Portability and Accountability Act — the federal law known as Hipaa — regulates how certain health-care-related entities, like hospitals and health insurers, may use and disclose patients’ personal medical information. Although the law does not cover employers, it allows companies that are self-insured, those directly assuming the risk and paying out of pocket, to obtain certain health care information about employees from their group plans.
“Any employer worth his or her salt will get reports monthly, quarterly or semiannually,” says Helen Darling, the president of the National Business Group on Health, a nonprofit group that represents large employers on health issues. “They have got money in big clumps coming out of their bank accounts.”
Group health plans typically issue comprehensive reports to self-insured businesses that include aggregated company expenditures on employee medical tests, treatments, medications, doctor visits, hospitalizations and other categories over a given month or quarter.
The reports usually break down costs by treatment category — like outpatient services, drugs and imaging tests; by disease category — such as the number of employees with psychiatric disorders, cancers or muscular-skeletal disorders; and the aggregate cost for their treatments. Employers may also receive tables that compare spending on brand-name and generic medicines in categories like cholesterol or multiple sclerosis. The reports often include details on specific high-cost cases.
The idea is to give businesses a detailed picture of the health care expenses that are the biggest cost drivers, so that they can channel employees toward more cost-efficient care.
“The information can be used to educate or incent people to use one delivery service over another,” said Julie Stone, a senior consultant in the health and group benefits business at Towers Watson, a consulting firm. For example, she said, “if employers see that their drug costs are going up for asthmatics, that might be a good thing because it means they are taking their inhalers and not showing up in the emergency room,” a much more expensive treatment option.
Today, most large companies in the United States are self-insured, working with intermediaries like Cigna or Blue Cross to process their employees’ claims. Fully insured employers, usually smaller companies, typically have access to health care spending summaries without the same level of detail as self-insured large employers.
Self-insured businesses contractually agree with their group health plans on the types of employee information that can be shared and the people who may receive the data. Often, a company’s human resources managers are authorized to receive the reports, and they typically receive training on health care data confidentiality requirements.
Legal experts said that if Mr. Armstrong was not authorized by the plan document to see the employee data he publicly discussed, it could constitute a violation of disclosure regulations.
“It’s likely an impermissible disclosure,” said Lisa J. Sotto, a lawyer in New York who specializes in data privacy and security compliance. “There is a permissible group that is pinpointed to administer the health plan, and they are not permitted to disclose that information” outside specified purposes.
Group health plans do not use a uniform industry format for sharing information about the most costly cases, says Deborah J. Chollet, a senior fellow and health care financing specialist at Mathematica Policy Research, a public policy research firm. And that could lead to a situation where a report discloses information about cases that occur so seldom, like premature babies or the rarest cancers, that it could inadvertently allow executives to identify an individual employee against his or her wishes.
“In principle, if you have an illness code or a medical treatment service type code populated by one person, you wouldn’t want to divulge that,” Ms. Sotto said. “But there isn’t a single protocol that all insurers must use.”