Skip to main content

AOL CEO Tim Armstrong has been all over the news for blaming his decision to cut his company's 401(k) benefits because of Obamacare and the payments for two "distressed babies", that he claims cost millions of dollars.

It should be noted that AOL's profits rose by 13% in the last quarter of 2013, AOL shares are up over 50% in the last 12 months, and Armstrong took a pretty big salary hike in 2013.

In the wake of these statements, one of the women Armstrong was calling out responded, ripping him for the mendacity of his statements.

Although Armstrong has since apologized for his remarks, and has reinstated the benefit plans, there is another question here, and one that, while it's gotten some attention in the media, has largely been ignored: Did Tim Armstrong violate HIPAA? And if so, what should happen?

Background

Here's some research I've done and why I think Tim Armstrong is or should be in a lot of trouble for violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA is a complex regulation, but is not hard to understand if you spend a couple of minutes learning some basics.

The Security Rule and the Privacy Rule

The first thing to understand is that HIPAA is broken into two parts- the "Security Rule" and the "Privacy Rule". We're only interested in the Privacy Rule here. The Security Rule covers things like how electronic data is stored, what safeguards there are against its being disclosed, and regulations for who can access electronic health care data (in point of fact, for Tim Armstrong to be aware of such specifics, there had to be one or more violations of the Security Rule, but let's just stick to the Privacy Rule for now).

Supporting and Background Information

For most of this, I'll be referring to this:

http://www.hhs.gov/...

Which is an "Administrative Simplification" of the HIPAA requirements, boiling it all down into one document instead of requiring you to trawl through the myriad of different documents, regulations and US Code references that make up what we call "HIPAA".

Is AOL Subject to HIPAA?

The big question we have to answer: Is AOL and its staff subject to HIPAA?

HIPAA is only applicable to "covered entities", which are enumerated in the regulations (see 45 CFR § 160.102 and 45 CFR § 160.103 in the summary linked above)

AOL self-insures, making it a "health care provider" under the regulation. It might be a "hybrid entity" because it also does non-healthcare stuff. But either way the Privacy Rule applies.

Here's a summary of the "Privacy Rule":

http://www.hhs.gov/...

This is a layman-friendly summary of the Privacy Rule, and is quite helpful to understanding it.

Also, here's a handy set of flowcharts for easy determination of whether a business is a "covered entity" and therefore subject to HIPAA regulations:

http://www.cms.gov/...

Yes, AOL Is a "Covered Entity"

In conclusion: Yes, AOL is a "covered entity", making it subject to HIPAA requirements.

Were There Violations?

So, if AOL is subject to HIPAA, did Tim Armstrong violate any of its provisions?

We have to ask if the information in question was "protected health information" (PHI). PHI means all "individually identifiable" information that is "held or transmitted" by a covered entity or business associate. Specifically, it includes, but isn't limited to:

* The individual’s past, present or future physical or mental health or condition,
* The provision of health care to the individual, or
* The past, present, or future payment for the provision of health care to the individual,
* and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Given what Armstrong said, and the paucity of people to whom his statements could apply, it's quite clear that the information about this woman and her child was indeed PHI.

CFR 45 § 164.502 states that: "A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter." Uses permitted or required are to allow for healthcare decisions and support. What Armstrong said was specifically NOT a legitimate disclosure.

Potential Outcomes: Civil Fines or Jail

So now that we know that Armstrong did violate the Privacy Rule (and it looks like his organization violated the hell out of the Security Rule, because the CEO never needed to see PHI to do his work at AOL, which is a GLARING violation of the rule), what is the potential outcome?

There's a couple. HIPAA only identifies civil monetary penalties within the privacy and security rules, but those penalties can be excessive- millions of dollars. And HHS has been getting tougher of late.

However, I'd like to call your attention to a fun little section of the US Code. Specifically US Code § 1320d–6 - Wrongful disclosure of individually identifiable health information: http://www.law.cornell.edu/...

If someone knowingly "discloses indivdiudally identifiable health information to another person", they're subject to criminal penalties. Those include fines of up to $250,000 and imprisonment of up to ten years, depending on the severity of the violation and whether it was done with intent to gain commercial advantage.

What's Going On?

It's quite clear that Armstrong has not been faced with any charges or even an investigation into this matter, but I hope the DOJ and HHS are moving forward with one. If allowed to pass without comment, it will be a signal that regulations like HIPAA don't apply to major CEOs, just to the people who work for them.

Mon Feb 10, 2014 at  8:24 AM PT: Thank you for all the great discussion. A couple of things I'd like to point out, that I think address some recurring items in the discussion:

* Since AOL is self-insured, they likely use a separate insurance company to manage claims and simply paid out for that. If that's the case, Armstrong has even less legitimate reason to know patient-specific information.

* HIPAA is not a victim-centric law in the sense that many seem to take it. It states requirements that covered entities must comply with or face penalties (civil or monetary), and that's pretty much it. Victims of releases of PHI don't file claims under HIPAA and they aren't consulted when determining if a breach occurred.

* Even if someone discussed their medical coverage with someone else, that release of information doesn't relieve the covered entity from its duty to comply with HIPAA.

Again, thanks for all the great discussion and the recommendations!


Mon Feb 10, 2014 at 12:18 PM PT: To clarify an additional point that is being made repeatedly in the comments- the test for whether someone violated HIPAA is not whether they released a name. It's whether someone could reasonably be identified from the disclosed information, which would be trivially simple to do.

In short, there's no test under HIPAA that says "You didn't say a name, so you're OK".

Mon Feb 10, 2014 at 6:32 PM PT: This story is being picked up a little bit in the media:

http://www.forbes.com/...

http://www.thewire.com/...

Originally posted to Cyclometh on Sun Feb 09, 2014 at 02:54 PM PST.

Also republished by Community Spotlight.

EMAIL TO A FRIEND X
Your Email has been sent.
You must add at least one tag to this diary before publishing it.

Add keywords that describe this diary. Separate multiple keywords with commas.
Tagging tips - Search For Tags - Browse For Tags

?

More Tagging tips:

A tag is a way to search for this diary. If someone is searching for "Barack Obama," is this a diary they'd be trying to find?

Use a person's full name, without any title. Senator Obama may become President Obama, and Michelle Obama might run for office.

If your diary covers an election or elected official, use election tags, which are generally the state abbreviation followed by the office. CA-01 is the first district House seat. CA-Sen covers both senate races. NY-GOV covers the New York governor's race.

Tags do not compound: that is, "education reform" is a completely different tag from "education". A tag like "reform" alone is probably not meaningful.

Consider if one or more of these tags fits your diary: Civil Rights, Community, Congress, Culture, Economy, Education, Elections, Energy, Environment, Health Care, International, Labor, Law, Media, Meta, National Security, Science, Transportation, or White House. If your diary is specific to a state, consider adding the state (California, Texas, etc). Keep in mind, though, that there are many wonderful and important diaries that don't fit in any of these tags. Don't worry if yours doesn't.

You can add a private note to this diary when hotlisting it:
Are you sure you want to remove this diary from your hotlist?
Are you sure you want to remove your recommendation? You can only recommend a diary once, so you will not be able to re-recommend it afterwards.
Rescue this diary, and add a note:
Are you sure you want to remove this diary from Rescue?
Choose where to republish this diary. The diary will be added to the queue for that group. Publish it from the queue to make it appear.

You must be a member of a group to use this feature.

Add a quick update to your diary without changing the diary itself:
Are you sure you want to remove this diary?
(The diary will be removed from the site and returned to your drafts for further editing.)
(The diary will be removed.)
Are you sure you want to save these changes to the published diary?

Comment Preferences

  •  Tip Jar (140+ / 0-)
    Recommended by:
    Bob Love, MartyM, Horace Boothroyd III, Crabby Abbey, Hayate Yagami, voicemail, Chi, kevinpdx, tofumagoo, jacey, Tinfoil Hat, meg, tsackton, Amor Y Risa, devis1, nancyjones, BlueInARedState, dle2GA, psnyder, Anjana, eyesoars, Lujane, dagnome, petestern, ruscle, HCKAD, sawgrass727, suesue, doingbusinessas, crose, Oh Mary Oh, GeorgeXVIII, BenFranklin99, profundo, schumann, HeartlandLiberal, riverlover, rustypatina, TheMomCat, SaraBeth, Joy of Fishes, TheMeansAreTheEnd, nuclear winter solstice, AnotherMassachusettsLiberal, AnnCetera, StrayCat, nailbender, leeleedee, Catherine R, WheninRome, kharma, EastcoastChick, Dhavo, wintergreen8694, wader, Amber6541, No one gets out alive, J M F, hwy70scientist, marshstars, hubcap, democracy inaction, Jen Hayden, Haningchadus14, misshelly, frostieb, anodnhajo, emmasnacker, TexanJane, Heart of the Rockies, LI Mike, chicagobleu, zerelda, Shelley99, Norm in Chicago, dmhlt 66, HiKa, indres, mungley, SteelerGrrl, Shadowmage36, gooderservice, dewtx, SaintC, LeftieIndie, Joieau, Sun Tzu, Angie in WA State, gizmo59, roses, jdmorg, kathny, FloridaSNMOM, pat bunny, Dodgerdog1, VA Breeze, cybersaur, splashy, Assaf, admiralh, sodalis, Zinman, papercut, greengemini, elfling, FG, cville townie, wasatch, Habitat Vic, pamelabrown, AllanTBG, LakeSuperior, 2questions, Shockwave, JVolvo, JerryNA, Clive all hat no horse Rodeo, draghnfly, Sunspots, jguzman17, La Gitane, LaughingPlanet, Eddie L, dksbook, peacestpete, radical simplicity, MJ via Chicago, 1BQ, sngmama, vamulticulturalist, Nowhere Man, DerAmi, Aaa T Tudeattack, 714day, Cassandra Waites, Laughing Vergil, gypsytoo, BYw, Heimyankel, historys mysteries
  •  HIPAA covers disclosures made by those who came (41+ / 0-)

    into contact with such information as a result of their jobs, related to care or billing.  And that information has to be 'individually identifiable'.

    As a nurse, I can be charged with a HIPAA violation if I disclose personal medical information I received by, for instance, reading a medical chart.  I cannot be charged with such a violation if I tell the world about my uncle's hernia operation as a result of getting a phone call from my mom.

    Now, if the only way Armstrong knew about those children was as a result of private communications in light of corporate insurance expenses, there might be some case to be made.

    If, on the other hand, the info was common knowledge in part or all of the company, and Armstrong was merely advised of it because a manager passed it up as a result of one of the parents discussing it at work with a coworker, my understanding is that it is not covered.

    •  If He Didn't Know the Identities of the Kids Would (5+ / 0-)
      Recommended by:
      coffeetalk, Lujane, Catte Nappe, rb608, BPARTR

      n't that be no violation? I could see the insurer telling him the nameless fact for why they were raising rates, for example.

      We are called to speak for the weak, for the voiceless, for victims of our nation and for those it calls enemy.... --ML King "Beyond Vietnam"

      by Gooserock on Sun Feb 09, 2014 at 03:23:14 PM PST

      [ Parent ]

      •  They are the insurer (14+ / 0-)

        AOL IS the insurer. They're self-insured, so they are the insurance provider.

        Under HIPAA data only has to identify or provide a "reasonable basis" to be able to identify the individual.

        •  My company is "self-insured" (5+ / 0-)

          yet they use Aetna and other insurance companies to provide the coverage. As I understand it, my employer provides the money, but the insurance company manages the details.

          Gondwana has always been at war with Laurasia.

          by AaronInSanDiego on Mon Feb 10, 2014 at 07:24:47 AM PST

          [ Parent ]

          •  Self insure means they do not use insurance (6+ / 0-)

            But pay the bills themselves.  If they didn't have those kids they likely would have save significantly, but I am sure they would not have shared that savings with the employees.
            Privatize the profits, socialize the losses

            •  My company has "self-insured plans" (3+ / 0-)

              which do use insurance companies to administer the coverage. The insurance company handles all the bills with the doctors, but I guess the funding isn't part of a larger pool but is paid for by my employer. Any issues I deal with regarding health coverage go through the insurance company rather than my employer. I don't know what details the staff at my company has access to. They also have plans that are not self insured, such as Kaiser.

              Gondwana has always been at war with Laurasia.

              by AaronInSanDiego on Mon Feb 10, 2014 at 08:01:23 AM PST

              [ Parent ]

            •  My employer is self insured (2+ / 0-)

              They contract with United Health Care to manage the process, but the money comes from my employer.

              “Texas is a so-called red state, but you’ve got 10 million Democrats here in Texas. And …, there are a whole lot of people here in Texas who need us, and who need us to fight for them.” President Obama

              by Catte Nappe on Mon Feb 10, 2014 at 08:07:04 AM PST

              [ Parent ]

            •  Some Info on Self-Insurance How & Why (1+ / 0-)
              Recommended by:
              AaronInSanDiego

              From http://www.siia.org/...

              Q. Why do employers self fund their health plans?

              A. There are several reasons why employers choose the self-insurance option. The following are the most common reasons:

                  The employer can customize the plan to meet the specific health care needs of its workforce, as opposed to purchasing a 'one-size-fits-all' insurance policy.

                  The employer maintains control over the health plan reserves, enabling maximization of interest income - income that would be otherwise generated by an insurance carrier through the investment of premium dollars.

                  The employer does not have to pre-pay for coverage, thereby providing for improved cash flow.

                  The employer is not subject to conflicting state health insurance regulations/benefit mandates, as self-insured health plans are regulated under federal law (ERISA).

                  The employer is not subject to state health insurance premium taxes, which are generally 2-3 percent of the premium's dollar value.

                  The employer is free to contract with the providers or provider network best suited to meet the health care needs of its employees.

              Q. Who administers claims for self-insured group health plans?

              A. Self-insured employers can either administer the claims in-house, or subcontract this service to a third party administrator (TPA). TPAs can also help employers set up their self-insured group health plans and coordinate stop-loss insurance coverage, provider network contracts and utilization review services.

              Q. With what laws must self-insured group health plans comply?

              A. Self-insured group health plans come under all applicable federal laws, including the Employee Retirement Income Security Act (ERISA), Health Insurance Portability and Accountability Act (HIPAA), Consolidated Omnibus Budget Reconciliation Act (COBRA), the Americans with Disabilities Act (ADA), the Pregnancy Discrimination Act, the Age Discrimination in Employment Act, the Civil Rights Act, and various budget reconciliation acts such as Tax Equity and Fiscal Responsibility Act (TEFRA), Deficit Reduction Act (DEFRA), and Economic Recovery Tax Act (ERTA).

        •  They use Cigna. (0+ / 0-)

          I want to live in a world where George Zimmerman offered Trayvon Martin a ride home to get him out of the rain that night. -Bishop G. Brewer

          by the dogs sockpuppet on Mon Feb 10, 2014 at 10:37:41 AM PST

          [ Parent ]

      •  That's a bit trickier (10+ / 0-)

        and possibly does depend on just how small their labor force is, as it does get into 'identifiability'.  If AOL wasn't 'self-insuring', I don't think there could even be a hint of a case against Armstrong because he assuredly wouldn't be part of the medical info chain.

        Is it 2 people out of a possible pool of a dozen, or 2 out of thousands?  Was this info that can be proven to have come from protected information, or did it come to him through the company grapevine ala 'We're doing a collection for Sarah in accounting, her baby is in the NICU?'

        It's possible there is a case here, but the first thing to see is how he got the info, and then, if he got it from medical or billing records, does it meet a personal identifiability standard.

        •  Taking your example. (2+ / 0-)
          Recommended by:
          FloridaSNMOM, radical simplicity

          If Armstrong go the personal information from the company grapevine it would not be HIPPA protected.  

          If he got it from the mothers themselves it would not be HIPPA protected, though there is probably company SOP about privacy matters, especially on a management/hourly level,  and there are state and federal laws that might apply relative to privacy or if there were any taint of trying to embarrass, humiliate or ridicule those specific employees in front of  the rest of the company's employees.

          •  The employees themselves would not be in a (8+ / 0-)

            position to determine why the company insurance rates are changing.

            While it may have been obvious that a person who was on extended maternity leave, or who was going to visit her baby in the hospital was probably one of the employees to whom they attributed high claims costs, there's no reason to believe that he employee knew the exact cost to AOL, and how it affected the insurance pool.

            Knowing that insurances losses were more severe than anticipated and then singling out one or two employees as the cause is exactly what HIPPA is supposed to prevent.

            Armstrong is telling the other employees, "You don't get these benefits, because THAT woman spent all of your money."

            I ain't often right, but I've never been wrong. Seldom turns out the way it does in this song.

            by mungley on Mon Feb 10, 2014 at 07:26:07 AM PST

            [ Parent ]

        •  Dozen, thousand, does not matter (0+ / 0-)

          The people that work with the individual would make the identification from the info released. Workplace friends usually know of major medical issues in coworker's families.

        •  Knowing the dollar amount (0+ / 0-)

          It a clue that he may have gotten the info from a protected source, since that's less likely to have come through the grapevine. But, alas, we don't know ... yet.

    •  I don't think that's the correct interpretation (14+ / 0-)

      Since the only way Armstrong could have legitimately know about the costs associated with the two children would have been through his knowledge of the health-care system AOL provides (they're self-insured), I don't think he got a call from his brother-in-law on this one. And just knowing about the specifics of healthcare provided to individuals is a violation of BOTH the Security Rule and the Privacy Rule, because Armstrong had no need to access that information in the normal course of business.

      It would not have been "common knowledge' within the company unless the people affected specifically discussed it, and it's pretty clear that they maintain they did not.

      There's a few media outlets and patient advocacy groups asking the same questions I am, because on its face, this is a pretty clear violation of HIPAA. Is it possible it's not? Sure. But right now, I think it's more likely that it is exactly what it looks like.

      •  He specifically claimed the company had kicked in (7+ / 0-)

        money above and beyond the insurance costs, which likely means there were specific inhouse conversations with the employees outside of the bounds of whatever insurance was covering.  Were those conversations initiated by the company or the parents?  If the parents, and they spoke of having additional financial trouble meeting bills even after insurance, then again I don't think it would be covered.

        It would not have been "common knowledge' within the company unless the people affected specifically discussed it, and it's pretty clear that they maintain they did not.
        If that's the case, why were all of the one husband's coworkers immediately asking him, 'That was you, right'?'  

        There are specific circumstances pertaining to how the info was obtained by Armstrong on which any such charge will hinge.  I don't particularly see any reason (with no inside knowledge) to assume in either direction.  Obviously there are people who know enough to make the call, and if he's guilty, then yes, one hopes he'll be charged.

        If he is, though, I gotta tell you a first violation is 50k, which in light of his 12M salary is on the order of a day's pay or so for him.  I don't think he'll lose too much sleep even if he does end up paying up.

      •  Even if he is following (12+ / 0-)

        the letter of rules, he is certainly violating the spirit of the rule.

        The spirit of HIPPA is to prevent something exactly like this from happening.  A boss using your private medical issue as a platform to complain.

        Because he mentioned two cases, it was pretty easy for anyone who worked at AOL to casually put two and two together and figure out who he was talking about.

        He violated those parents' privacy.

        •  HIPAA is NOT designed to prevent this (0+ / 0-)

          Respectfully, Eastcoastchick, HIPAA was not designed to prevent this sort of thing from happening. HIPAA was designed to prevent the unauthorized disclosure of protected health information by covered entities, but an employer is usually not considered to be a covered entity.

          In Europe, information is protected by the type of information that it is. Health information is protected because it is health information. Generally won't matter how the information got into your hands, personal health information is protected.

          In the US, however, we don't protect information, we prohibit certain types of disclosures by certain people/organizations/companies/groups.  For example, a doctor who has ever conducted a covered electronic transaction (generally insurance/Medicare/Medicaid reimbursement-type transactions) is required to abide by HIPAA. Once you've done one transaction, you're always required to abide by HIPAA-you cannot be de-HIPAAed. BUT–a doctor who has never engaged in a covered electronic transaction is NOT covered by HIPAA. They could stand in the middle of Times Square with a megaphone and read patient files and not violate HIPAA. Sure, there are other things that would apply (tort law, state laws, etc.), but HIPAA isn't one of them. (And I should note that almost every doctor has engaged in a HIPAA covered transaction).

          To give another example, if a doctor tells me protected health insurance information or gives me all his files, etc., I can do whatever I want with the information. I'm not a covered entity, and so HIPAA doesn't apply to me, even if the information getting to me was the result of someone violating HIPAA. Again, my running around blabbing about others' health information might run afoul of state laws, tort law, etc., but since I'm not a covered entity, HIPAA doesn't enter into it.

          A key question is how did Armstrong come by the information. I don't know the details of AOL's health insurance setup, the way their self-insurance works, etc. I don't know if he violated the letter of the law or not. If he didn't violate the letter of the law, though, he didn't violate the spirit of the law. HIPAA is very narrow in its scope–it only addresses privacy violations by covered entities.

          (Before I get flamed or voted down into oblivion, I should note that I'm not saying the way HIPAA is structured is a good thing. I'd personally like to see us adopt the sort of protections the EU put in place where PHI is protected regardless of the source. But that's not what we have right now in the US.)

      •  Either way, HIPAA is small shit (0+ / 0-)

        If we're lucky, this guy is going to find his rear end in a jail cell for SEC violations at some point soon.

        AOL is an investor in the brand new "CrunchFund II". The first "CrunchFund" was littered with conflicts of interest, "journalists" shilling for their investments...

        Unfortunately, Arrington decided to sell TechCrunch to a media conglomerate (AOL) that isn’t defined by Gawker (And to be clear, I’m not a fan of Huffington Post’s, either, for similar enough reasons. They don’t pay writers and make shitloads of money off that kind of slavery, and because Ariana Huffington is a daffy New Ager, the paper’s the home of some of the absolute worst science and medical reporting on earth, and that’s saying something. I have no favorites in this fight. But she’s right about TechCrunch’s dodgy ethics, which will potentially get AOL in serious – like federal level criminal serious – trouble someday if they aren’t curbed. On top of being awful in the first place.), and now Arrington wants AOL to fund a TechCrunch-branded investment pool, and he got some idiots in AOL to champion that, and…
        Emphasis mine. Note that was two years ago, and AOL just plunked a bunch of money into a new TechCrunch-branded investment pool last month. Does Tim Armstrong actually know what he's doing? I'd bet "no"...
    •  CEO of the Corp (8+ / 0-)

      While the corp and its responsible employees are probably guilty of violating the security rule, the CEO is responsible for keeping confidential any information they get in their job. They are the chief executive. All kinds of private, confidential info is their responsibility. Indeed by violating HIPPAA they are probably guilty of several other violations of law and contract nondisclosure rules.

      CEO Armstrong violated the privacy rule. And helped violate the security rule.

      "When the going gets weird, the weird turn pro." - HST

      by DocGonzo on Mon Feb 10, 2014 at 06:54:21 AM PST

      [ Parent ]

  •  Also, according to the link to the mother's (14+ / 0-)

    article about her child,

    On Thursday, within minutes of Armstrong’s utterance, my husband began fielding questions from colleagues: Wasn’t the CEO talking about his baby?
    This would seem to indicate that the husband's coworkers did already know about their child's problems, and that it was not exactly a secret around the workplace.
    •  What other people knew wasn't relevant (23+ / 0-)

      What other people knew about this family and their child is  not relevant to whether Armstrong can disclose PHI. This kind of thing goes to the heart of what HIPAA is supposed to prevent- the release of sensitive information that could negatively affect someone in their life.

      Imagine the reaction of their coworkers to the news that their 401(k) was going to be slashed because this woman was unfortunate enough to have a premature baby.

      Just because some friends and coworkers knew they had a preemie and that there were major costs associated with it has no bearing on whether Armstrong could legally disclose PHI. And frankly, he should not have even had access to it.

      •  Actually what's relevant is where his knowledge (7+ / 0-)

        came from.  If it came from those other people, and not actual medical or billing records, then there's no case as far as I can see.

        It's a dick move, certainly, but it might not be illegal.

        •  I consider that scenario to be highly unlikely (7+ / 0-)

          For a variety of reasons- first, the CEO is not likely to be following the water-cooler conversations of people who work for him, and second, it's also not likely that the people he mentioned as the mothers of the "distressed babies" discussed enough specifics of the costs associated with their healthcare that it would have been something he could have latched onto to use as a reason for cutting unrelated benefits.

          He didn't go on TV and say "our healthcare costs went up, and I heard through the grapevine that there were a couple of people who got a lot of benefits". He specifically cited "a couple of distressed babies that were born", which implies direct and specific knowledge of the costs associated with those cases.

          You're correct that it is possible he wasn't guilty of committing a HIPAA violation, but right now I have to say that I don't think that is a likely scenario.

        •  It also is totally dependent on exactly what he (3+ / 0-)

          said.
          Did he release specific medical information.  Apparently not.
          Did he release specific information that identified the patient.  Apparently not.
          Did he even release specific information that identified the employee.  Apparently not.
          Is he a jerk.  Yeah. but that's a different issue.

          If the parents had themselves revealed the medical conditions of their babies, to say, fellow employees,then they cannot claim under a privacy law, not HIPPA and not state and federal privacy laws.

          The only possible legality is if he said enough for it to be reasonable that other people could identify the specific "distressed babies" they could not otherwise identify  And that issue would be one under state and federal laws protecting the privacy of employees.
          No specific medical information was given and no personal identity of the patient was given.

          •  This is incorrect, because (9+ / 0-)

            no one "claims" anything under HIPAA. If you're a covered entity, you are required to comply with it, and if you violate the provisions of it, you're in trouble, whether the people whose information was violated want to do anything about it or not. There is no claim here.

            It doesn't matter if someone could "otherwise identify" these people. The burden of compliance is on the covered entity to comply, at least as I read the regulations. There's no loophole that says "if the information was already known by some people, you've got carte blanche to talk about it on TV".

        •  It seems most likely to me that he heard about it (0+ / 0-)

          through an annual report to executive leadership about the costs associated with their insurance, because AOL self-insures... that means the payouts from the plan are part of the business data, their annual costs in all areas of the company, so he would be informed of the total payouts, as well as any unusually large medical expenses of any staff or covered dependent, as part of this annual review that all companies do at the top levels. It is unlikely he actually even knew who they were nor cared, if he's anything like most CEOs.

          So a question for you Dr. Bloodaxe, if you don't mind answering, if he came across the information through his work as chief executive looking at a report of overall costs of the company and not through either "common knowledge" OR though contact with specific medical or "billing" records -- is it covered under HIPAA, or not?

          My own thought is this is not covered PHI and while him speaking of it publicly was stupid and wrong, I don't think it would be prosecutable under HIPAA. Especially if he didn't even know the names of the employees and only knew of the fact of such costs having occurred.

          But I don't know for sure if that's right ... so I wondered what you think about that scenario. From what I know of how business reviews work (a lot, unfortunately, because I work on those types of reports all the time), this seems how it would have most likely come to his attention. And that is the context in which he discussed it, in terms of annual cost reviews and business decision making.

      •  Actually whether he violated HIPPA (8+ / 0-)

        Or not it was a shitty thing to do, blaming the FAMILIES effectively for the cut in 401(k) funding.
        A kindergartner with good morals would know that was a lousy thing to do.

      •  It's releveant to personally identifiable (4+ / 0-)

        I think that illustration shows how easily the patients were identified by co-workers.

    •  Or it could be because it's such a rare (7+ / 0-)

      condition. That's the thing about "identifiable"--if no names are mentioned, but only one person (or two) fit the description, that's "identifiable." And it's not OK. Now, if he said the problem was 500 people with premature births, that probably wouldn't count as identifying anyone in particular.

      "All governments lie, but disaster lies in wait for countries whose officials smoke the same hashish they give out." --I.F. Stone

      by Alice in Florida on Mon Feb 10, 2014 at 07:13:39 AM PST

      [ Parent ]

    •  Did they want the world to know? (5+ / 0-)

      Probably not.

      Patient privacy us not just sbout the letter of the HIPAA law, its also about the spirit of the law. Common sense should prevail even if the law doesn't apply.

      Money is property, not speech. Overturn Citizens United.

      by Betty Pinson on Mon Feb 10, 2014 at 07:36:19 AM PST

      [ Parent ]

  •  Hippa Schmippa (13+ / 0-)

    I don't know about the hippa thing but I do know this. I called AOL and told them how I felt about the Chairman's statements along with thousands of others. Look what happened. Public shaming works. Please, everyone become more active, call your Congressman or whoever. It works.

    “He talks a lot and he's not very bright. And that's a combination I like in Republicans.” James Carville

    by Mokislab on Sun Feb 09, 2014 at 06:52:07 PM PST

  •  He didn't mention the names of the babies or the (5+ / 0-)

    parents.

    The only way anyone would know what specific babies is if they already knew about them, having been told by the babies' parents.

    AOL is not subject to HIPPA and unless Armstrong had access to his employee's medical records there is no way he would be subject to HIPPA.

    A similar case would be if he said he had fired some employees for selling proprietary information.  Federal and state laws protect employee's privacy in pretty much the same way that HIPPA does for patients.  As long as Armstrong doesn't mention the names or specific identifying formation he's not liable.

    Company management and HR are under those privacy laws.  While most of the rest of the employees are not.  There is a legal fire wall for some entities in the company but not for others.

    If AOL is its own insurer then those employees who handle identifiable medical information would be under HIPPA, just like employees in any other insurance company.
    Again there is a fire wall.

    Also hospitals and physicians would not knowingly release medical information to an entity or a person that was not under HIPPA.

    The guy is a schmuck but probably not a criminal in this instance

    •  You don't have to know the names of the babies (13+ / 0-)

      or the parents, as long as it is reasonable that someone could identify the person(s) based on the knowledge released. Given that there were only 2 in all of AOL's staff, that is a pretty clear indication that the guy in the next office who was talking about his preemie baby being in the NICU for a couple months is probably the reason the CEO cited for slashing your 401(k).

      The law doesn't require any specific information like a name. Just that you could reasonably identify the individuals from the information released. A rather large part of the law is actually about how to "de-identify" data so that it can be used legitimately for research, etc.

      •  Unfortunately... (0+ / 0-)

        ...although there are a lot of self-proclaimed HIPAA experts on here, my recent experiences with it have taught me that if this:

        Given that there were only 2 in all of AOL's staff, that is a pretty clear indication that the guy in the next office who was talking about his preemie baby being in the NICU for a couple months is probably the reason the CEO cited for slashing your 401(k).
        ...is in fact, true, then the CEO is in the clear. Because if you tell anyone in the company your health information who is not required to know it in order to perform their job, then that information is public knowledge within the company, and the company can make decisions based on that information. If the company is also the insurance company, then it matters where the information came from, but if the information got to this person's manager, and that manager told his manager, and so on, it could easily have made its way to the president.

        In fact, if he sent out a note to his group saying 'I won't be in tomorrow because my wife went into premature labor' and he'd already informed his coworkers that he was planning on taking some time off in 12 weeks as paternity leave, that's plenty of information right there, and could easily get passed up the chain of command.

        And it's common knowledge how expensive a premature baby can be.

    •  And also, (4+ / 0-)

      AOL is absolutely subject to the requirements of HIPAA because they self-insure. That makes them a covered entity for the purposes of HIPAA and subject to both the Security Rule and the Privacy Rule.

  •  Individually identifiable, though? (2+ / 0-)
    Recommended by:
    mconvente, white blitz

    You somewhat glossed skipped over that part of the analysis.  On the one hand, he didn't name the people involved.  But is the company now small enough that those stories are so unique that other coworkers would immediately go, "Oh, that's so-and-so?"

    "The first drawback of anger is that it destroys your inner peace; the second is that it distorts your view of reality. If you come to understand that anger is really unhelpful, you can begin to distance yourself from anger." - The Dalai Lama

    by auron renouille on Sun Feb 09, 2014 at 08:44:43 PM PST

    •  The larger the company (8+ / 0-)

      the easier it would be to identify two people who had received that kind of very specific medical attention. Two "distressed babies" costing a million bucks isn't hard to figure out if you've got thousands of staff.

      Given that a few people working with this person immediately put two and two together seems like it bears out the conclusion that the release was of information that could reasonably identify a protected individual's records.

      •  Thats not illegal (1+ / 0-)
        Recommended by:
        mconvente

        He can state anything generally.

        Красота спасет мир --F. Dostoevsky

        by Wisper on Mon Feb 10, 2014 at 06:49:20 AM PST

        [ Parent ]

        •  But its still unethical, its still wrong (0+ / 0-)

          Common sense, common courtesy.

          Money is property, not speech. Overturn Citizens United.

          by Betty Pinson on Mon Feb 10, 2014 at 07:39:36 AM PST

          [ Parent ]

          •  No one disagreeing (1+ / 0-)
            Recommended by:
            mconvente

            but we don't "charge" people with criminal acts in this country for being discourteous.

            I mentioned in my comment down-thread that his only "crime" was being an inarticulate asshole.  He clearly said something so inappropriate that if it was meant as some kind of throw-away generalization it was insensitive as hell and it he meant it factually it is a demonstrably weak, if not outright false, argument.

            But to try to drum up some federal statute and ask why the Department of Justice has not brought formal charges against him is um....  ....well,... I'll go with "silly" and leave it there.

            Красота спасет мир --F. Dostoevsky

            by Wisper on Mon Feb 10, 2014 at 07:44:02 AM PST

            [ Parent ]

            •  How do we teach a lesson to these clods? (0+ / 0-)

              These jerks need to know if they reveal personal information about someone's health there will be a hefty price to pay.  Otherwise, they will keep doig it, keep discriminating and shooting off their mouths.

              Money is property, not speech. Overturn Citizens United.

              by Betty Pinson on Mon Feb 10, 2014 at 07:53:09 AM PST

              [ Parent ]

              •  Public Backlash...which happened (is happening) (1+ / 0-)
                Recommended by:
                mconvente

                He's already reversed the decision to change 401(k) matching benefits.

                I have no problem with and will instinctively join in the chorus of people calling this guy out as an idiot.

                It needs to be made clear that he has damaged the AOL brand. That these comments will speak louder in a negative way then anything else the company is spending millions of dollars on to try and build a positive image.

                And this wasn't discrimination.  He never tried to do ANYTHING to any class of people or take any actions against the families of those children.  He just tried to use this as an anecdotal prop to justify cost-cutting measures.

                The benefit he wanted to cut was to stop matching contributions to employee 401-k plans throughout the yeat and only match by way of a lump sum deposit on Dec 31 of each year.  It wasn't retaliatory or targeted.

                Красота спасет мир --F. Dostoevsky

                by Wisper on Mon Feb 10, 2014 at 07:59:35 AM PST

                [ Parent ]

              •  Oh and.... (1+ / 0-)
                Recommended by:
                mconvente

                Those families are free to bring a civil suit if they think they have a legitimate grievance as a result of being called out publicly on this private matter.

                Civil law is very different then criminal law.  Anyone can sue, as we know only all to well in this country, and I've no doubt they'd find any number of attorneys willing to argue their case.  ...would they actually win?  No idea......

                Красота спасет мир --F. Dostoevsky

                by Wisper on Mon Feb 10, 2014 at 08:03:48 AM PST

                [ Parent ]

                •  Not sure about a civil suit (0+ / 0-)

                  See my comment  just below this one.

                  Money is property, not speech. Overturn Citizens United.

                  by Betty Pinson on Mon Feb 10, 2014 at 08:07:08 AM PST

                  [ Parent ]

                  •  That only limits suits specific to HIPAA violation (1+ / 0-)
                    Recommended by:
                    radical simplicity

                    They could still for any other cause of action related to a violation of personal privacy that would appear to be an offensive violation to a reasonable person and that it resulted in damage.,

                    They just can't leverage the explicit HIPAA requirements and penalties in a private suit.

                    And whats the EO specifics on this?  I thought this was a judicial thing by statute? (see Acara v. Banks)

                    Красота спасет мир --F. Dostoevsky

                    by Wisper on Mon Feb 10, 2014 at 08:19:00 AM PST

                    [ Parent ]

                    •  Here's a link (0+ / 0-)

                      to the history of HIPAA and all the changes to the rules since it's inception.

                      Link to HIPAA history

                      Legislation to protect people against genetic discrimination also failed in Congress, but was partially enacted by a Clinton EO. It was a companion to the Patient Privacy legislation for cancer advocates.  It also had right to private action provisions, but was replaced by the GINA legislation in the Bush II era. It has very weak enforcement provisions, no right to private action, IIRC

                      Link to  Federal Genetic Anti-Discrimination EO

                      Just a bit of history.  HIPAA privacy protections (such as they are) were promoted and enacted largely through the work of the cancer & AIDS advocacy communities.

                      Regulations today, for both medical privacy and genetic non-discrimination have few or no enforcement provisions that patients/consumers can use to recover damages.    IANAL, but these health privacy/non-discrimination regulations could be beefed up through EO's.  They're rules, and I'm pretty sure rules can be changed once legislation is enacted.

                      Money is property, not speech. Overturn Citizens United.

                      by Betty Pinson on Mon Feb 10, 2014 at 12:48:58 PM PST

                      [ Parent ]

                      •  To clarifiy on privacy & discrimination (0+ / 0-)

                        While medical records are now private, people with certain illnesses and disabilities do have some legal recourse under the ADA if they're discriminated against because of a disabiling medical condition.  The problem is that there are many medical conditions that courts have ruled don't fall under the umbrella of ADA.   Just sayin.

                        Money is property, not speech. Overturn Citizens United.

                        by Betty Pinson on Mon Feb 10, 2014 at 12:52:26 PM PST

                        [ Parent ]

              •  As info this is a trick question (1+ / 0-)
                Recommended by:
                radical simplicity

                The original patient privacy regs were added to HIPAA in an Executive Order issued by Bill Clinton via John Podesta.

                The original EO provided for a right to private action (right to sue for personal damages), Iirc, even if it was an employer.  When Bush II took office, he left the patient privacy reg in place, but removed the righ to private action provisions.

                Obama could easily fix this problem by restoring those provisions to HIPAA via EO. John Podesta is working for Obama now in a similar capacity. He could probably get this fone in one afternoon.

                I always assumed the first Dem elected after Bush II would reverse these changes. No time like the present yo get it done.

                Money is property, not speech. Overturn Citizens United.

                by Betty Pinson on Mon Feb 10, 2014 at 08:05:33 AM PST

                [ Parent ]

        •  Wisper, that is exactly the point. (2+ / 0-)
          Recommended by:
          radical simplicity, Chi

          He made a statement that was specific enough that people were able to identify the patients.  Best rule, if you are a covered entity (my practice is) you keep your mouth shut.  HIPAA is enough of an ethical, legal and financial liability that you will find that health care providers take it deadly serious (pardon this tortured sentence; HIPAA doesn't seek to regulate ethics).  If I shoot my mouth off about one of my patients, even if it seems so very much a generic description, I can practically guarantee that someone will probably know who I am talking about. Cha ching, public shaming, fines, feelings of stupidity will follow.  I hope to never find out first hand.

          •  Yup (1+ / 0-)
            Recommended by:
            Chi

            A friend is a nurse who works in a facility in which a local person was hospitalized after a terrible car accident.

            She would say NOTHING at all, even though the person in question was a close family friend, and she had the same information about him through family. The only way to be absolutely certain not to violate HIPAA is to not say anything about anyone's medical information if one is a covered entity.

  •  As a point of information (7+ / 0-)

    Armstrong actually could have access to some basic patient data that would explain his knowledge of the two incidents.

    In my work as a grad student health insurance rep at my current university, each year we receive an overview of plan performance. This document includes high-dollar medical care and pharmacy claims. The information provided is ICD codes, total benefits cost, and number of claims per patient. No patient names are given.

    If Armstrong had access to similar data, and I'm sure he did, he could say exactly what he did without specifically knowing what employees made the claims. Of course, with rare ICD codes, people may be able to figure it out, but I'm not convinced that Armstrong is in violation. All comes down to how easy it was for people to figure our who the employees Armstrong was speaking of. Since it took the employee's spouse to reveal herself, as opposed to a reporter finding her first, I'm not sure how that rates as "reasonable basis"

    Armstrong is an asshole, but not sure this is as open and shut as you make it out to be.

    "Give me a lever long enough... and I shall move the world." - Archimedes

    by mconvente on Sun Feb 09, 2014 at 09:01:16 PM PST

    •  I could easily be wrong (4+ / 0-)

      But given that others knew who it was based on Armstrong's statements (at least according to the mother's claims), that bears out the conclusion that a reasonable basis existed to identify these people.

      It doesn't matter if a reporter figured it out; what matters is that anyone who happened to know these people even casually could. All you'd need to know is that they worked at AOL and had a "distressed baby" that had gotten a lot of medical care, and it's not hard to figure out. That's the kind of stuff that your Facebook friends could put together, let alone your coworkers.

  •  Could Be Insurance Underwriting Not Medical Record (2+ / 0-)

    There is an insurance underwriting database containing records of everything the insurance company paid for - which is not the same as a medical record.  For instance the bill for a biopsy is not the same as a diagnosis.   All that stuff and more  is in there, but I'm not sure how HIPAA applies.

  •  I don't follow (1+ / 0-)
    Recommended by:
    mconvente

    How you reached the conclusion that AOL is a coveted entity.  Generally covered entities are health care providers of one sort or another.

    If you think you're too small to be effective, you've never been in the dark with a mosquito.

    by marykk on Mon Feb 10, 2014 at 04:03:01 AM PST

    •  Health Care providers, (4+ / 0-)

      independent laboratories, claims processing, etc are all 'covered entities'. (I do medical claim processing for Medicaid/medicare reimbursement so we have training on this every other day it seems).

      This includes:
      •Health insurance companies
      •HMOs
      •Company health plans
      •Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
      Though AOL is not in the process of conducting healthcare business etc, patients whose insurance is provided through AOL and any internal information about a employees health matters, etc should technically be covered

      However at best its not like anyone would ever go to jail. There would under worse case scenarios for AOL be a fine

      "These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals" -BoA/HBGary/CoC

      by LieparDestin on Mon Feb 10, 2014 at 05:41:12 AM PST

      [ Parent ]

      •  But most self insurers (1+ / 0-)
        Recommended by:
        mconvente

        In my experience, contract with insurance companies to administer their plans.

        If you think you're too small to be effective, you've never been in the dark with a mosquito.

        by marykk on Mon Feb 10, 2014 at 08:12:49 AM PST

        [ Parent ]

        •  Then there was even less (2+ / 0-)
          Recommended by:
          JerryNA, Chi

          reason for Armstrong to have patient-specific information in his possession, and the insurance company probably committed multiple breaches of the Security Rule.

          •  It's not patient-specific (1+ / 0-)
            Recommended by:
            marykk

            that's the whole point of my own comment above.

            I guarantee you that Armstrong and every other executive at AOL that discusses benefits packages had a copy of high-dollar claims while reviewing plan performance.  This is standard procedure, to view trends.

            Obviously their own documents may be different, but I would posit that the only information listed on the high-dollar claims summary page was total dollar amount of claim, ICD code, and total number of claims under that same ICD code.  That's it.

            Sure, if the ICD code is so specific, then maybe people could figure it out by asking around the water cooler.  But Armstrong could have authorized dipping into the "rainy day" fund to cover the two claims' extra costs also without knowing who the claims were for.  And it appeared he did.

            Armstrong is an asshole with no empathy, but not a criminal (at least for this incident).

            "Give me a lever long enough... and I shall move the world." - Archimedes

            by mconvente on Mon Feb 10, 2014 at 10:27:50 AM PST

            [ Parent ]

  •  Laws are for little people (2+ / 0-)
    Recommended by:
    rbaillie, papercut

    CEO's are a protected class

    "When I give food to the poor, they call me a saint. When I ask why they are poor, they call me a communist." Dom Hélder Pessoa Câmara

    by Haningchadus14 on Mon Feb 10, 2014 at 06:26:34 AM PST

  •  The answer to the question is NO (8+ / 0-)

    He did not violate HIPAA.  He is not going to be "charged" or whatever else people are salivating over.

    He is the financial steward of that company and he can talk about anything in general terms.  He never mentioned a name or location.  He never mentioned a specific date or dollar amount.  He also never said anything that wasn't true.

    He is 100% clear of any legal HIPPA liability and wishing otherwise won't make it so.  And seeing him "not charged" is not some self-evident proof that CEO's are a protected class and can break laws with impunity.

    What he IS is an inarticulate asshole who NEVER should have tried to use someone else's sick babies as a justification of ANY corporate decision much less one that involved benefit cuts.

    He should be held accountable for what he said and the policies he is trying to enact (which I hear he has since reversed position on anyway).

    But this is not a crime.  At all.

    Красота спасет мир --F. Dostoevsky

    by Wisper on Mon Feb 10, 2014 at 06:53:12 AM PST

    •  General terms VS specific (3+ / 0-)
      Recommended by:
      greengemini, JerryNA, Chi

      He may have been a little too specific with the types of medical expenses that he disclosed. Apparently the parents were easily identified and that's one of the key words "personally identifiable" information. He would have been better off saying a couple cases of unusually high medical care costs.

  •  Small point: kudos for accurately referring (4+ / 0-)

    to the law as HIPAA and not HIPPA.

  •  ... (3+ / 0-)
    Recommended by:
    FishOutofWater, Catte Nappe, Wisper

    Very few will agree with you that what Armstrong said revealed PHI.  He never said specific names or other identifiable info.  Yes, people familiar with the employee situation would know but the publican general would not.   Not an ePHI disclosure.

    Now as for him knowing the situation, that I think merits investigation.

    •  Anything that allows the person to be reasonably (0+ / 0-)

      identified.  So it would be really easy for a reporter to find out which two people at AOL had 24 week (or whatever pre-term date) infants.  That's PHI.  Though I don't think HIPAA applies to  this guy, so it's a moot point.

      I want to live in a world where George Zimmerman offered Trayvon Martin a ride home to get him out of the rain that night. -Bishop G. Brewer

      by the dogs sockpuppet on Mon Feb 10, 2014 at 10:48:38 AM PST

      [ Parent ]

  •  Didn't you get the memo? (0+ / 0-)

    This is America where rich CEO's in America are exempt from the law.  

    The Long War is not on Iraq, Afghanistan, or Iran. It is on the American people.

    by Geonomist on Mon Feb 10, 2014 at 07:16:45 AM PST

  •  THIS is why we separation of health care from jobs (5+ / 0-)
    Recommended by:
    bws, JerryNA, draghnfly, Cassandra Waites, Chi

    Our employers should not know anything about our health, except what is necessary for us to do our jobs.

    The sooner jobs and health care are separated, the better.



    Women create the entire labor force.
    ---------------------------------------------
    Sympathy is the strongest instinct in human nature. - Charles Darwin

    by splashy on Mon Feb 10, 2014 at 08:37:30 AM PST

  •  This whole story really drives home why we need (6+ / 0-)

    single payer. It's not just the parents of the premature kids that should feel violated. I think every employee should fear this ahole of an employer.

  •  Larger implication - employment & HIPAA (6+ / 0-)

    I am a mini-expert in HIPAA at my organization - we're a "business associate" of covered entities, which basically means we have access to covered entities' PHI as part of our work for them - we're also covered by HIPAA. I agree that it is a stretch to make that PHI was actually revealed by Armstrong's statements, although the co-workers of the two families could likely figure out the subject of his statements.

    However, the HIPAA privacy law also explicitly prohibits employers of any kind from using PHI they may have access to in employment decisions. Now, these provisions were meant to stop, say, AOL from firing the employees with these high-cost births in order to escape from the high cost of their care. IANAL, but depending on how those provisions are interpreted by the courts, the removal of the 401(k) matching funds might be considered just such an impermissible use of health information. I wonder if his lawyers, more than public backlash, were responsible for his quick backpedaling.

    Oh, and if AOL had to pay above and beyond their typical insurance costs for these kids, then someone didn't get the right kind of reinsurance. Self-insured employers, like AOL, certainly do contract with health insurers to administer their benefits (that way the self-insured plans don't have to create a provider network, negotiate contracts, etc.) but they also contract with reinsurance companies to ensure any catastrophic cases won't bankrupt them. Either that reinsurance was not in place, or was not appropriate, or these cases actually didn't trigger reinsurance, so they weren't that expensive.

    The typical response of a company with a catastrophic case increasing their costs is to increase the cost of health insurance to their employees to make up the difference. Seems like that is a much better way of handling the extra costs, not stopping 401(k) matching. Maybe this was a convenient excuse to try to change a benefit?

    A government that denies gay men the right to bridal registry is a fascist state - Margaret Cho

    by CPT Doom on Mon Feb 10, 2014 at 08:47:45 AM PST

  •  Did he disclose info that allowed public to (1+ / 0-)
    Recommended by:
    Chi

    discern the identity of the person in question?  I think that is the primary question here.  I know one of the women came forward and complained, but if reporters could figure out who the women are independent of that fact, the CEO essentially disclosed personally identifiable information, which I believe would be illegal.  As their employer, I can see the need to obtain such information, but that does not necessarily give them the right to disclose medical info to those outside the company.

    The only thing we have to fear is fear itself - FDR. Obama Nation. -6.13 -6.15

    by ecostar on Mon Feb 10, 2014 at 09:44:22 AM PST

  •  Since when are CEOs accountable? (0+ / 0-)
    If allowed to pass without comment, it will be a signal that regulations like HIPAA don't apply to major CEOs, just to the people who work for them.
  •  My first thought was (2+ / 0-)
    Recommended by:
    Catskill Julie, Chi

    I didn't think he was guilty of a HIPPA violation. But after reading your post I believe he is. He didn't release their name but there was no doubt among their co-workers who he was referring to.

    Guilty!Of a HIPPA violation and guilty of being stupid and soul less.

    I ask him if he was warm enough? "Warm," he growled, "I haven't been warm since Bastogne."

    by Unrepentant Liberal on Mon Feb 10, 2014 at 10:09:55 AM PST

    •  But Armstrong rat that he is is not responsible (0+ / 0-)

      for the co-workers knowing.  Their identified medical knowledge came from the parent not from Armstrong.
      Armstrong's statement was deidentified as to the patients' names and totally lacking in specific medical information.

      As even at that, it was just a guess on the empolyees part.  

      One of the mother's has now gone public, but that also is not Armstrong breaching HIPPA.

      That she has willingly gone public will greatly weaken the validity of any HIPPA breach they might charge Armstrong with, as it reenforces the fact that at least that one family was/is more than willing to publicize their child's medical issues and link it to the child's identity.

  •  I don't see the womans name who had the baby (0+ / 0-)

    with problems so therefore it is not a violation of HIPAA.  Anyone can talk about a problem that someone had with a difficult birth or problems later.  As long as you do not use their name.  So please delete this diary as it is in error.

    •  He gave enough info so that her husband's cowork- (2+ / 0-)
      Recommended by:
      Cassandra Waites, Chi

      ers knew it was their baby. He said "2 distressed babies" cost them all that money in a specific time frame. That was enough information to identify them in a very public way.

      If HIPAA does not punish a corporate employer for doing that, as it certainly would a doctor, nurse or hospital, then the law must be changed so that it does!

      Okay, the Government says you MUST abort your child. NOW do you get it?

      by Catskill Julie on Mon Feb 10, 2014 at 11:49:48 AM PST

      [ Parent ]

  •  I didn't realize he revealed any names or (0+ / 0-)

    identifying remarks.  

    If I comply with non-compliance am I complying?

    by thestructureguy on Mon Feb 10, 2014 at 12:14:15 PM PST

  •  I Speak With Some... Experience... In This Area (0+ / 0-)
    To clarify an additional point that is being made repeatedly in the comments- the test for whether someone violated HIPAA is not whether they released a name. It's whether someone could reasonably be identified from the disclosed information, which would be trivially simple to do.

    In short, there's no test under HIPAA that says "You didn't say a name, so you're OK".

    While you are certainly correct about that, the diagnosis itself doesn't qualify as individually identifying information--regardless of the rarity.  

    For example: let's say you're a large hospital and you successfully complete the world's first simultaneous heart, lung, liver, kidney, pancreas and cornea transplant.

    Even though no human ever (except the one you just did the procedure on) has had the procedure, it's not a HIPAA violation to issue a press release saying you successfully completed it, as long as you don't provide any information that identifies the individual.

    •  I totally agree. (1+ / 0-)
      Recommended by:
      TooFolkGR

      For one thing the first test for HIPPA is whether a person who releases information is under the HIPPA restrictions.

      For those not in a profession that handles personal medical information, the ones who are are constantly being reminded that they are under HIPPA restrictions.  It is as omni-presnet in you mind as scrubs are on your body.  Its like traffic lights to a commuter, always there in front of you controlling what you can and can't do.  It literally is a life style.

      So the question about Armstrong is, is he restricted by HIPPA?
      Next, if he is, did what he say breach HIPPA?

      As in the example given, if the patient lets his family know about the operation, and the patient and or his family talk about it to friends, fellow employees or go on CNN  to talk about it, that is not a HIPPA violation.  But it also means that there are people who can connect a name from one source with a deidentified description from another source, but only because the patient has publicized the name.  That is not a HIPPA violation.

  •  We charge CEOs for crimes in the US? (1+ / 0-)
    Recommended by:
    Chi

    Who knew?

    50 states, 210 media market, 435 Congressional Districts, 3080 counties, 192,480 precincts

    by TarheelDem on Mon Feb 10, 2014 at 01:42:51 PM PST

tsackton, Angie in WA State, From the choir, Chi, bob in ny, Dave the Wave, Bob Love, Shockwave, Heimyankel, Wintermute, elfling, hubcap, niemann, Heart of the Rockies, opinionated, TheMomCat, Zinman, 714day, whenwego, boadicea, Geonomist, roses, sngmama, Nate Roberts, splashy, admiralh, dksbook, wader, jdmorg, Texknight, kharma, psnyder, pat bunny, draghnfly, papercut, riverlover, Diana in NoVa, mungley, sawgrass727, nailbender, CPT Doom, historys mysteries, LakeSuperior, democracy inaction, ajsuited, dewtx, SaraBeth, Sun Tzu, brentut5, AnotherMassachusettsLiberal, petestern, laurel g 15942, peacestpete, SocioSam, Alan Arizona, kathny, cybersaur, BlueInARedState, profundo, cookseytalbott, MJ via Chicago, jguzman17, StrayCat, gooderservice, JVolvo, CA Nana, doingbusinessas, Clive all hat no horse Rodeo, AllanTBG, Aaa T Tudeattack, Habitat Vic, Haningchadus14, devis1, HeartlandLiberal, HCKAD, martyinsfo, Assaf, gizmo59, Amor Y Risa, OleHippieChick, Laughing Vergil, Lujane, tofumagoo, pamelabrown, Cassandra Waites, TexanJane, suesue, maggiejean, Ran3dy, J M F, greengemini, Norm in Chicago, indres, mkor7, Shelley99, stevenwag, ruscle, Amber6541, Crabby Abbey, 2questions, dagnome, Eddie L, DerAmi, Betty Pinson, Oh Mary Oh, nosleep4u, Wisdumb, misshelly, Catherine R, La Gitane, Araguato, dle2GA, voicemail, marshstars, wintergreen8694, Hayate Yagami, SteelerGrrl, Sunspots, No one gets out alive, Sister Inspired Revolver of Freedom, jacey, anodnhajo, rustypatina, Joieau, FloridaSNMOM, Horace Boothroyd III, MartyM, nuclear winter solstice, smokey545, gypsytoo, aresea, JerryNA, nancyjones, LeftieIndie, Dodgerdog1, AWilson

Subscribe or Donate to support Daily Kos.

Click here for the mobile view of the site