Did AOL's CEO violate HIPAA?
In explaining why the company was making its 401(k) a little less generous, Tim Armstrong said increased costs for health benefits meant that retirement benefits would have to come down a little. He specifically mentioned a couple of "distressed babies" that cost the company health plan a million bucks each. Is that a HIPAA breach?
I don't think so. If he got the information from the health plan and wasn't supposed to, that could be a HIPAA violation. HIPAA requires companies to erect a firewall between the company's health plan (and the health data it holds on employees) and the rest of the company, particularly HR. Presumably, the CEO isn't on the health plan side, so he shouldn't have access to individual health information that the health plan holds, analyzes, and transmits. However, the health plan CAN share "summary health information" with the business side, and this could certainly be that.
There's also the question of whether this is PHI at all. To be PHI, it must be individually identifiable. Obviously, he didn't name the babies. But if it would be possible to identify the babies or their mothers/fathers who are the AOL beneficiaries, it could be PHI. I don't know how many employees work at AOL, but some employees would presumably know if a coworker had a baby with lots of medical issues. One of the AOL employees (actually, the wife of the employee, Deanna Fei) went public that she and her baby were one of the ones mentioned by Armstrong, because her husband's co-workers began asking him if his baby was one of them.
Which illustrates a little quandary that occasionally pops up when the policy behind HIPAA is examined: HIPAA requires that health information be treated as if it is entirely private, when often it is much more public than a lot of other personal information. I probably don't know how much my co-worker gets paid, but I almost certainly will know my coworker is pregnant; I'll probably know if she has problems with the pregnancy, if the baby is born prematurely, if he/she is in a neonatal ICU for an extended period of time, etc. While my co-worker could keep all that information private, the fact is that people tend to be friends with co-workers, and people tell (some of) their health information to their co-workers.
In the AOL case, Mr. Fei apparently told his co-workers about his baby and his/her medical issues; otherwise, how would they know it might be him that Armstrong was talking about? The only thing Armstrong spilled that wasn't already known was the total cost.
One final note: when I first heard that the AOL CEO was in trouble for cutting the 401(k) and blaming it on "distressed babies," I thought he was referring to AOL workers. Particularly those at the Huffington Post.