AOL CEO Tim Armstrong has been all over the news for blaming his decision to cut his company's 401(k) benefits because of Obamacare and the payments for two "distressed babies", that he claims cost millions of dollars.
It should be noted that AOL's profits rose by 13% in the last quarter of 2013, AOL shares are up over 50% in the last 12 months, and Armstrong took a pretty big salary hike in 2013.
In the wake of these statements, one of the women Armstrong was calling out responded, ripping him for the mendacity of his statements.
Although Armstrong has since apologized for his remarks, and has reinstated the benefit plans, there is another question here, and one that, while it's gotten some attention in the media, has largely been ignored: Did Tim Armstrong violate HIPAA? And if so, what should happen?
Here's some research I've done and why I think Tim Armstrong is or should be in a lot of trouble for violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA is a complex regulation, but is not hard to understand if you spend a couple of minutes learning some basics.
The Security Rule and the Privacy Rule
The first thing to understand is that HIPAA is broken into two parts: the "Security Rule" and the "Privacy Rule". We're only interested in the Privacy Rule here. The Security Rule covers things like how electronic data is stored, what safeguards there are against its being disclosed, and regulations for who can access electronic health care data (in point of fact, for Tim Armstrong to be aware of such specifics, there had to be one or more violations of the Security Rule, but let's just stick to the Privacy Rule for now).
Supporting and Background Information
For most of this, I'll be referring to this:
Which is an "Administrative Simplification" of the HIPAA requirements, boiling it all down into one document instead of requiring you to trawl through the myriad of different documents, regulations and US Code references that make up what we call "HIPAA".
Is AOL Subject to HIPAA?
The big question we have to answer: Is AOL and its staff subject to HIPAA?
HIPAA is only applicable to "covered entities", which are enumerated in the regulations (see 45 CFR § 160.102 and 45 CFR § 160.103 in the summary linked above).
AOL self-insures, making it a "health care provider" under the regulation. It might be a "hybrid entity" because it also does non-healthcare stuff. But either way the Privacy Rule applies.
Here's a summary of the "Privacy Rule":
This is a layman-friendly summary of the Privacy Rule, and is quite helpful to understanding it.
Also, here's a handy set of flowcharts for easy determination of whether a business is a "covered entity" and therefore subject to HIPAA regulations:
Yes, AOL Is a "Covered Entity"
In conclusion: Yes, AOL is a "covered entity", making it subject to HIPAA requirements.
Were There Violations?
So, if AOL is subject to HIPAA, did Tim Armstrong violate any of its provisions?
We have to ask if the information in question was "protected health information" (PHI). PHI means all "individually identifiable" information that is "held or transmitted" by a covered entity or business associate. Specifically, it includes, but isn't limited to:
* The individual's past, present or future physical or mental health or condition,
* The provision of health care to the individual, or
* The past, present, or future payment for the provision of health care to the individual,
* and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Given what Armstrong said, and the paucity of people to whom his statements could apply, it's quite clear that the information about this woman and her child was indeed PHI.
45 CFR § 164.502 states that: "A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter." Uses permitted or required are to allow for healthcare decisions and support. What Armstrong said was specifically NOT a legitimate disclosure.
Potential Outcomes: Civil Fines or Jail
So now that we know that Armstrong did violate the Privacy Rule (and it looks like his organization violated the hell out of the Security Rule, because the CEO never needed to see PHI to do his work at AOL, which is a GLARING violation of the rule), what is the potential outcome?
There are a couple. HIPAA only identifies civil monetary penalties within the Privacy and Security Rules, but those penalties can be severe: millions of dollars. And HHS has been getting tougher of late.
However, I'd like to call your attention to a fun little section of the US Code. Specifically US Code § 1320d–6 - Wrongful disclosure of individually identifiable health information: http://www.law.cornell.edu/...
If someone knowingly "discloses individually identifiable health information to another person", they're subject to criminal penalties. Those include fines of up to $250,000 and imprisonment of up to ten years, depending on the severity of the violation and whether it was done with intent to gain commercial advantage.
What's Going On?
It's quite clear that Armstrong has not been faced with any charges or even an investigation into this matter, but I hope the DOJ and HHS are moving forward with one. If allowed to pass without comment, it will be a signal that regulations like HIPAA don't apply to major CEOs, just to the people who work for them.
Mon Feb 10, 2014 at 8:24 AM PT: Thank you for all the great discussion. A couple of things I'd like to point out, that I think address some recurring items in the discussion:
* Since AOL is self-insured, they likely use a separate insurance company to manage claims and simply paid out for that. If that's the case, Armstrong has even less legitimate reason to know patient-specific information.
* HIPAA is not a victim-centric law in the sense that many seem to take it. It states requirements that covered entities must comply with or face penalties (civil or monetary), and that's pretty much it. Victims of releases of PHI don't file claims under HIPAA and they aren't consulted when determining if a breach occurred.
* Even if someone discussed their medical coverage with someone else, that release of information doesn't relieve the covered entity from its duty to comply with HIPAA.
Again, thanks for all the great discussion and the recommendations!
Mon Feb 10, 2014 at 12:18 PM PT: To clarify an additional point that is being made repeatedly in the comments: the test for whether someone violated HIPAA is not whether they released a name. It's whether someone could reasonably be identified from the disclosed information, which would be trivially simple to do.
In short, there's no test under HIPAA that says "You didn't say a name, so you're OK".
Mon Feb 10, 2014 at 6:32 PM PT: This story is being picked up a little bit in the media: