Skip to main content

AOL Chief's Benefits Blunder Also a HIPAA Violation

 |  By cclark@healthleadersmedia.com  
   February 17, 2014

Announcing a pullback of a major employee benefit was bad. Violating the privacy of two employees was worse.

AOL's foot-in-mouth CEO, Tim Armstrong, may not have known the names of two employees he says cost his company $1 million each in medical bills when he complained this month about their drag on the company's finances.

But that doesn't matter, says 20-year healthcare attorney Martha Knutson of San Diego. With those remarks specifying AOL employees' "distressed babies" she says, Armstrong certainly violated HIPAA, the Health Insurance Portability and Accountability Act of 1996. And in so doing, his clumsy misspeak serves as a cautionary tale for anyone even thinking about sharing patients' protected medical information without their consent.

Armstrong, who receives $12 million a year in compensation, used the babies' medical expenses to justify AOL's decision to limit its match for its 401(k) plan by distributing a lump sum to each participating employee at the end of the year, rather than making a contribution in every pay period. But he should have known better.

As an executive of a large company that self-insures healthcare expenses for its workers, "it wouldn't be unusual to have high level information" about costs, because AOL would have to come up with the money to pay those claims, Knutson says.

"But then [Armstrong] discloses the information he does have," indicating roughly the time in which these healthcare expenses were incurred, the amount, and that it was for "distressed babies," she says.

No Name? It's Still a Violation
"There's a general misconception that if you don't put a name on it, if you don't say (so and so's) 'distressed baby,' that's not a HIPAA violation. But that's not correct. Because the standard is, can the information be used when it's combined with other information to reasonably identify the individual?"

In this case—a large media company employing journalists—the answer was, of course, yes.

As anyone could quickly surmise, anyone who worked with these parents and their friends, who knew of their suffering, quickly figured out the names of one, if not both, of the two parents whose babies Armstrong referenced.

One went public with her outrage.

Deanna Fei, wife of AOL editor Peter Goodman, said in an article posted on Slate," I take issue with how [Armstrong] reduced my daughter to a 'distressed baby' who cost the company too much money. How he blamed the saving of her life for his decision to scale back employee benefits."

Another woman, who may be the mother of the other baby Armstrong referred to, is now in a new job and known to many of her co-workers. She tells me she is not ready to go public with her story because she is "in negotiations for a settlement." Her baby's "medical bills exceeded $2 million" because of a lengthy hospitalization after an accident.

Anger among employees has raged across the country. Employees were already stressed by AOL's management moves. It laid off hundreds of employees and closed down dozens of Patch sites in January during the company's latest reorganization.

A 'Broader Lesson'
Knutson, former house counsel and compliance officer for Palomar Health, a two-hospital system north of San Diego and now in private practice, says there's a "broader lesson" for anyone in healthcare who even thinks about disclosing protected information outside the rules.

HIPAA does allow personal health information disclosure without patient consent in certain very specific cases, for example, when hospitals need to report adverse events or disease outbreaks to government agencies such as municipal health departments or the Centers for Medicare & Medicaid Services.

"But in the AOL case, or even in a case where an organization is trying to defend itself against accusations, that's not sufficient justification," Knutson says.

She points to another recent case in which California-based Prime Healthcare Services, which operates 16 hospitals in four states, was ordered to pay $275,000 to the federal Office of Civil Rights as punishment for disclosing protected health information of a patient to the media.

Serious Consequences
In 2011, California Watch took on Prime hospital Shasta Regional Medical Center (SRMC) saying the 246-bed hospital in Redding, CA billed Medicare under an expensive code for kwashiorkor, a wasting condition usually found among starving children in tropical climates.

The CW report identified Darlene Courtois, 64, who was in fact extremely overweight, as one of more than 1,030 kwashiorkor cases Shasta Regional billed Medicare.

In an effort to defend itself, Prime shared Courtois' entire medical chart with a newspaper editor and another newspaper's columnist, without Courtois' permission. Prime executives contended that by agreeing to have her story told by California Watch, she waived her medical privacy.

Not so, Knutson says. At least not according to the federal government.

Prime also sent an e-mail "to its entire workforce and medical staff, approximately 785-900 individuals" describing Courtois' medical condition, diagnosis and treatment "in detail," according to the agreement. And it failed to punish its employees who violated the law. (Congressional representatives subsequently called for a federal review of Prime hospitals for Medicare fraud.)

Last June in a Resolution Agreement with Prime hospitals, the Office of Civil Rights determined that between Dec. 13 to Dec. 20, 2011, "SRMC failed to safeguard the Affected Party's PHI (protected health information) from any impermissible intentional or unintentional disclosure on multiple occasions" with three California media outlets.

There are other consequences besides a financial penalty for healthcare organizations like Prime that dismiss or overlook the seriousness of HIPAA's prohibitions. All 16 Prime hospitals are now under a Corrective Action Plan to assure an end to privacy violations within this healthcare system.

There have been some good things to come out of all this mess. Armstrong has apologized to at least one of the parents and to other AOL employees. AOL has restored its prior 401(k) match policy. And many people in healthcare have learned an important lesson.

Tagged Under:


Get the latest on healthcare leadership in your inbox.