Although sponsors of group health plans have had their hands full sorting through the still-changing Affordable Care Act requirements, the recent uproar involving AOL CEO Tim Armstrong is a stark reminder of the need to stay vigilant on HIPAA privacy — even as companies wrestle publicly with health care costs.
As has been widely reported, Armstrong precipitated an outcry when he attributed a cut in pension contributions in part to two “distressed babies” whose treatment cost AOL “a million dollars each.” Even though he didn’t name names, Armstrong might well have been disclosing protected health information in violation of HIPAA, according to Kathryn Bakich, national director of health care compliance at The Segal Company.
“Anytime an employer mentions a high-cost claim, it is likely that the individual can be identified,” said Bakich, co-author of Thompson’s Employer’s Guide to HIPAA Privacy Requirements. “So mentioning in a meeting that there are two high-cost babies is using PHI, because the information about who had the babies is readily identifiable,” she said. “Employers should never refer to specific illnesses as part of a report about the causes of high health care costs.”
For a CEO to even have this type of information raises questions. A typical large employer will have a self-funded health plan, with certain HR and benefits staff within an organizational “firewall” authorized to have PHI for plan functions. However, “CEOs would not generally be in the HIPAA firewall and generally should not have access to the detailed claims information,” even if information on large claims is submitted to a stop-loss insurer, Bakich said.
The HIPAA enforcement wheels at the U.S. Department of Health and Human Services turn slowly, and monetary settlements have been substantial (often more than $1 million) but relatively infrequent to date. In this case, however, a lot of damage obviously has been done already.