“You’ve got mail! And it just might be a warrant for your arrest”

You don’t have to try very hard these days to find employment law references in pop culture. Movies and TV shows examine issues of employment discrimination, politicians seem unable to resist the urge to text photos of their private parts to their disgusted subordinates, and professional athletes provide ample fodder for lawyers in desperate search of HR blog topics. But when’s the last time a major news story emerged about the Health Insurance Portability and Accountability Act, or HIPAA? Now it is true that HIPAA made the news when it was initially signed into law by President Clinton, because (to greatly oversimplify) it served the laudable goal of guaranteeing continued health insurance coverage for employees who change jobs, without regard to preexisting conditions. But since those initial kudos, publicity about HIPAA has been about as hard to find as a day of calm weather in the American winter of 2013-14. AOL

That all changed last week, when the CEO of AOL, Tim Armstrong, publicly blamed unpopular changes to the company’s 401(k) policy on costs AOL had incurred because of two employees’ “distressed babies.” Specifically, Armstrong stated that AOL had to enact the new policy because, in part, “We had two AOL-ers that had distressed babies that were born, that we paid a million dollars each to make sure those babies were OK  in general. And those are the things that add up into our benefits cost.”  Suddenly, every pundit and commentator in the country became a HIPAA expert.

What was all the fuss about? Well, in addition to guaranteeing the “portability” of group health insurance, HIPAA also protects individuals from certain disclosures of their “protected health information,” or PHI. Of course, HIPAA only covers certain types of entities, only protects certain people, and only applies to certain information. Did it apply to Armstrong’s comments?

First, it does appear that HIPAA would apply to AOL’s group health plan. The law’s coverage includes certain health care providers, health care clearinghouses, and group health plans. AOL’s group health plan is a self-insured group health plan, meaning that while a carrier might administer claims, AOL would be intimately involved in the claims process and its benefits administrators and company executives might receive PHI obtained through the group health plan to administer and make decisions about the health plan.

Another relevant inquiry is how Armstrong received his information about the “distressed babies.” If he received it through employment records, as opposed to from AOL’s health plan, the information might not be considered PHI, and there would be no HIPAA violation (although other violations might have occurred).  However, if he received it in connection with the group health plan, a HIPAA violation was possible.

Armstrong also didn’t identify the babies at issue, let alone their parents. Can a violation occur when the employee isn’t specifically named? Again, the answer is “maybe.” To violate HIPAA, the inappropriate disclosure need not specifically identify the person with the condition; the law also applies where “there is a reasonable basis to believe [the disclosed information] can be used to identify the individual.” While most of AOL’s 5,000 employees probably had no idea who Armstrong was talking about, the mother of one of the “distressed babies” reported that within minutes of Armstrong’s statement, her husband began receiving calls from curious colleagues. Clearly, some co-workers were able to surmise from Armstrong’s statement the identity of the employees at issue.

Finally, while a comment about “distressed babies” clearly isn’t very specific about the medical conditions at issue, HIPAA prohibits statements about a person’s “physical condition,” among other things, as well as “the provision of health care to the individual” and the “payment for the provision of health care to the individual.” Armstrong’s comments here hit the trifecta: He commented about the babies’ physical condition, he made it clear they were receiving significant health care, and he mentioned the payment for the care.

Having said all of that, we don’t know what information Armstrong received, how or from what source he received it, or what independent investigation he might have done, all of which would be relevant to a detailed analysis of the issue. If either affected employee files a complaint with the Department of Health and Human Services, these are just a few of the questions the agency will ask Armstrong and AOL. Meanwhile, his comment has caused a whirlwind of negative publicity, culminating in AOL’s rescinding its 401(k) policy change.

What can an HR official learn from all of this? When it comes to employees’ health, conditions, health care, or payment for that health care, the less said, the better. HIPAA includes some significant potential monetary penalties, not to mention criminal penalties such as imprisonment for up to 10 years. While it’s unlikely that an inadvertent mention of an employee’s health condition will land a company official in the hoosegow, the lesson here–like the lesson in so many HR situations–is that when discussing employees, discretion is the better part of valor.