AOL Debacle Illustrates HR's Need to Counsel Senior Executives

With an emphasis on practical strategies to improve productivity and performance, and limit potential liabilities, Bulletin to Management™ concisely analyzes new developments in employment and human resources management.

By Martin Berman-Gorvine  

Feb. 26 --HR has an important role to play in helping senior management avoid the kind of negative publicity and compliance risk that Tim Armstrong, CEO of AOL Inc., courted recently in public comments about changing company policy on employee benefits, according to employment attorneys and HR practitioners.

Armstrong said Feb. 6 that AOL needed to post matching funds to its 401(k) plan at the end of the year rather than incrementally to help offset health-care costs, such as two employee pregnancies that resulted in "distressed babies" with more than $1 million each in medical expenses.

Following an employee outcry, he reversed the 401(k) decision in a Feb. 8 memo to employees.

The announcement, retraction and resulting negative publicity raise concerns over privacy of health care information as well as employee morale, sources agreed.

Privacy Protected Under HIPAA

HR departments can help senior management understand that the privacy of employee medical records is protected under the Health Insurance Portability and Accountability Act (HIPAA), so such records should not be discussed publicly, Amanda Layton, an associate at the law firm Duane Morris LLP in Philadelphia, said in a Feb. 26 interview with Bloomberg BNA.

Such concerns are heightened for employers that elect to cut costs by sponsoring self-insured health coverage for employees, as AOL reportedly does, Layton added. That is because such plans give the organization access to more employee medical information than is available to organizations with outside health insurance carriers, she said.

It's difficult to tell, given what's been reported publicly, whether Armstrong breached employee privacy even without mentioning the names of the patients, Lani M. Dornfield, a partner with the law firm Brach Eichler LLC in Roseland, N.J., said in a Feb. 27 interview with Bloomberg BNA.

“If he said enough, even without knowing all the details, about the 'two distressed babies,' ” it may have been enough to identify the patients, Dornfield said. However, she added, “even if there was a breach, it doesn't necessarily mean the company will be slapped with major fines and penalties.”

“I could see the HR person must have been absolutely cringing, but you can't control everything and sometimes things just come out.”  


-- Amanda Layton, an associate at the law firm Duane Morris LLP in Philadelphia

Potential Liability

Rob Wilson, president of Westmont, Ill.-based HR service company Employco USA, agreed in a Feb. 26 interview that cautioning senior leaders is an important task for HR to fulfill.

Speaking of Armstrong, he noted that “fortunately, he didn't reveal any individual person's data, but he did mention the pregnancy complications as a reason for cutting retirement benefits” for other workers.

In an organization with a self-insured medical coverage program like AOL's, Wilson said, it's likely that senior managers like Armstrong “receive statistics on costs,” which the CEO apparently drew on in making his controversial remarks.

“His message failed and upset employees, who thought 'because of the way you're managing our health insurance, you're costing us retirement benefits,' ” he said.

“In this case, there was a huge publicity issue, but there could also be legal ramifications if [employee health] data was used to terminate someone or make a reduction in benefits for somebody. There's a line you don't want to cross,” Wilson continued.

Even short of that, he added, “the position they put themselves in with Armstrong discussing [medical] claims they've had and giving it as a reason for reducing their retirement benefits--combining the two was not the best message, internally or externally.”

Creating 'Branding' Concerns

It's more difficult to tell whether the planned retirement policy changes, coupled with Armstrong's original remarks, directly affected recruitment and retention, Wilson said.

“But it's a branding question,” he said. “It could make a person pause and say, 'Am I at the right company? What are they doing with the rest of my data?' ”

It's impossible to tell from the media coverage whether AOL's HR department went any further than sharing statistics with Armstrong, Wilson noted.

On the other hand, Armstrong did go far to repair the damage, and reportedly “apologized in person to one of the parents of the children,” Layton noted. It's hard to know whether the initial insensitive remark “would prevent people from wanting to work there or applying for a job there. I could see the HR person must have been absolutely cringing, but you can't control everything and sometimes things just come out.”

The bad feeling engendered “will pass, but this will hopefully increase sensitivities on all sides,” attorney Joan Rothermel, a partner with Klein Zelman Rothermel Jacobs & Schess LLP in New York City, said in a Feb. 27 interview with Bloomberg BNA.

“Employees will become more active and vocal in ensuring their privacy is protected. It will also make companies think more carefully about how they train and what they do,” Rothermel said. Some employees may actually start paying attention to privacy protection policy notices from their employer, she added.

“It forces HR to start looking at issues of what information is and should be disclosed to upper management,” said attorney Khristan Heagle, also with Klein Zelman.

Webinar Alert: Adding Storypower to Your Talent Management and Development Process

Don't miss Bloomberg BNA's HR webinar, Adding Storypower to Your Talent Management and Development Process, March 26.

You can amplify the effectiveness of all aspects of your talent management and development process, including employer branding, new hire orientation, employee engagement, training and coaching, by adding storytelling to your mix.

Join David Lee, Founder, HumanNature@Work, as he discusses the five story genres you want to add to your talent management communication mix; how to go beyond plain vanilla employee testimonials and instead tell stories that make your work experience and organizational personality come to life; how to make your new hire orientation program inspiring and pride-inducing; ways to communicate and reinforce your cultural values and norms; and how to challenge people's limiting beliefs and perspectives without being confrontational.

Subscribers receive a discount on all Bloomberg BNA webinars. More information is at

Lessons Learned

According to Wilson, one lesson to be drawn is that under HIPAA, “individual medical data should be kept separate from payroll and other records” by the HR department.

At Employco, which manages HR and employee benefits for 500 small-to-medium-sized companies, “we have a tremendous amount of individual client data,” he said. “We keep it on a [computer] drive that nobody but HR has access to, and the same for paper [records]. Clients like that, because [employee] questionnaires come directly to us; clients don't have to know about it at all.”

“I think that it's important for corporate HR to make certain individuals that have access to information protected by HIPAA at all levels of the company realize what can and can't be done with that information,” Layton said. “I think if there had been more awareness of what the limitations of HIPAA are, [Armstrong] probably wouldn't have even made a broad statement” referencing employees' families' health problems, even though he didn't mention any names.

Training is key, Layton said. “Many times companies think that only the HR department has access to protected information, but that's not always true,” she said. Thus, she added, “you really need to do a due diligence.”

It's essential for HR to have written HIPAA procedures in place and to make sure they are being implemented correctly, “so all individuals understand the rules of HIPAA privacy and what might happen from misuse of that information,” she said.

Even for employers that aren't covered by HIPAA, “training on privacy is essential, including at the corporate directorship and governance levels. It's just good business practice.”  


-- Lani M. Dornfield, a partner with the law firm Brach Eichler LLC in Roseland, N.J.

HIPAA Requirements

For employers that sponsor group health plans, the basic requirements for complying with HIPAA privacy rules include:

• Designating which employees can access protected health records for plan administration purposes. Someone should be designated to handle HIPAA privacy and security, Dornfield said.

• Establishing firewalls that prevent use of these records for employment actions and employment-related decisions.

• Amending plan documents to reflect conformance with the privacy rules' restrictions on access to and disclosure of medical records. There were some major changes in the HIPAA rules last year, so it's important to make sure that policies and procedures are up to date, Dornfield said. “Having a policy that just sits on the shelf does more harm than good,” she said.


Employers whose staffs handle substantial plan administrative duties and routinely deal with protected health information must meet additional requirements, such as:

• Notifying plan participants of their privacy rights and protections.

• Safeguarding against unauthorized disclosure or use of the information.

• Training those employees who have access to the information, including upper management and HR staff. “In all employment-related areas, there's a tendency not to include the higher-ups in training, but they should be,” Rothermel said.

• Establishing oversight and complaint mechanisms.

• Taking steps to ensure that business associates--such as third-party administrators and consultants--also maintain appropriate safeguards.


Dornfield said that even for employers that aren't covered by HIPAA, “training on privacy is essential, including at the corporate directorship and governance levels. It's just good business practice.”

For senior management, she said, “privacy training should be combined with sensitivity training. We're in an era of corporate accountability. It's important to think before you speak.”


To contact the reporter on this story: Martin Berman-Gorvine in Washington at

To contact the editor responsible for this story: Simon Nadel at