my company wants me to investigate what expensive medical treatments employees are having and why

A reader writes:

I took a job a few months ago doing benefits for a new company and recently have started to feel uneasy about one of my job duties. For now this particular duty has been delegated to my manager (who has experience in benefits but only started at this company a week before me), so I haven’t been doing it, but I’m worried about when the time comes for me to take it back on.

Every week, we receive a report from our health insurance company with the names of employees who had a claim processed that week, and the costs associated with their claims. The file itself doesn’t contain anything confidential, but it does have the medical codes associated with the employee’s claim. Our job is to find the most expensive claims (generally anything above $3,000) and look up the medical codes and figure out what treatment the employee had and why (which sometimes inevitably leads to that person’s medical diagnosis), and then send the names of those employees with their medical treatments and health information to our chief operating officer and VP of HR for approval. We also have to include a note as to whether we expect to see any future high-cost claims from that person.

When I first started, I didn’t really think anything of it, but after being there for a few months and seeing the not-illegal-but-less-than-ethical approach this company takes in other situations, it started to make my stomach churn. And the more I thought about it, the less sense it made to even be doing this file in the first place because 1) our health insurance company has already approved/denied these claims by the time we get the report and 2) we still have to pay the insurance company whether the COO approves this file or not. And while I can’t prove anything for certain, there’s been at least one person whose name has appeared on the file several times and was let go not long after.

I definitely don’t plan on sticking around long-term so I don’t want to make a huge deal out of this, but at the same time I don’t feel right sending this information around like that. If it I had a serious disease or embarrassing medical issue, I wouldn’t want anyone to know about it, let alone the COO and VP of HR at my work.

When the time comes for me to start doing this task again, I’ve thought about just sending the information without including anyone’s name, but I am doubtful that they will allow this since one of the few times I did it, the COO asked for the names of people specifically.

Is this illegal, and if it’s not, how much can I push back on it?

Whaaaat.

This is so messed up that I can barely see straight. It’s unethical and disgusting of your company to be investigating people’s medical conditions — and to the point that they’ve formalized a process for doing it, as if it’s just some mundane business practice — and possibly pushing someone out because of his medical treatment (!).

I took this straight to employment lawyer Donna Ballman, author of the excellent book Stand Up For Yourself Without Getting Fired, who said:

Wow! I thought I’d heard them all but this really takes the cake. What possible legal use could the COO and VP of HR have for this information? Because I can imagine lots of illegal things they could do with it. Disability discrimination, genetic information discrimination, and FMLA violations jump immediately to mind. The company’s potential liability for this practice is mind-boggling. I don’t know what state this happened in, but in Florida (where Donna practices) if the employee objects to or refuses to participate in an illegal practice, they are protected under the Florida Whistleblower Act. Other states have similar laws, but not all do. So you might be protected under a state whistleblower law. Otherwise, we need to look at federal legal protections.

Here are some possible legal violations by this employer:

Americans With Disabilities Act: Decisions about employment can’t be motivated by concerns about the impact of the employee’s disability or the disability of a person associated with the employee on the employer’s health insurance plan. Employers also can’t discriminate against employees because they discover an employee or an employee’s family member has a disability. Retaliation against employees who object to disability discrimination is illegal. EEOC enforces this.

Pregnancy Discrimination: Similar to age discrimination, employers can’t discriminate because they discover an employee is pregnant. Retaliation against employees who object to pregnancy discrimination is illegal. EEOC also enforces this.

HIPAA: Employer sponsored health plans are “covered entities” under HIPAA and the use of protected health information from those plans for employment purposes is prohibited without employee authorization. HIPAA requires that employers who gain access to employee medical information due to providing health insurance limit the people who can access this information to those who need the information for plan administration purposes. Under no circumstances can the company make any decisions about employment based on the employee’s health or the health of any of the employee’s family members. Both the insurance company and the employer could have exposure for this, and I really question why the insurance company would give the employer these codes at all. The Office of Civil Rights handles enforcement of HIPAA violations. Retaliation against whistleblowers who file a HIPAA complaint with OCR or who cooperate with a HIPAA investigation is illegal.

If this were a Florida case, I’d suggest that you put in writing that you object to and refuse to participate in this practice, state what laws you believe it violates, and then you are probably protected under the Florida Whistleblower Act. If your state doesn’t have a law like this, then you may have to file a complaint with the Office of Civil Rights or EEOC to gain legal protection. The problem with an EEOC complaint is you simply don’t know how the information is being used. But it certainly seems like it can only be used for illegal purposes under the circumstances. If you have a good relationship with your boss, you might point to the potential liability issues here and tell them that you think it’s a bad practice. You might want to run this past an employment lawyer in your state to get some legal advice on this before you take any action to make sure you are protected against retaliation before you act.

Letter-writer, you shocked even Donna Ballman, who I am pretty sure has seen everything. Please take her advice!

{ 506 comments… read them below }

    1. Momma Bear*

      Same.
      LW is right – the insurance has already processed it. There’s no “approval” needed from HR. It seems like what they are doing is using it as a fireable offense. Which is…astonishing.

      1. alioelj*

        The “approval” needed is the approval of this money-sucking employee (ie the one with the medical bill) remaining employed by the company!

      2. MissBaudelaire*

        Yeah, I have no idea why HR needs any of this information. The insurance has already taken care of it.

        The only reasons I can think of for doing this are nefarious.

        1. TardyTardis*

          There’s also an age discrimination lawsuit waiting to happen, too, since older employees are often ones with more medical problems (and least likely to find a new job with them if they’re laid off, yay whee. But in the US, the Supreme Court has ruled against several discrimination cases, K-Mart in particular, so I suppose the company doesn’t think of that as a potential problem. They have plenty others, though…).

      3. Polecat*

        It sounds like this company is self-insured. Rather than me try to explain it poorly, Google it. Bottom line, it means that the company has a vested interest in how many claims are paid and how much they cost.
        I worked for a Fortune 1000 company that was self insured. At one of our managers meetings, which included hundreds of people, The CEO was talking about the finances for the quarter and referenced that healthcare had killed us. He went on to say it was because we got a preemie baby and a brain tumor in the same month and the costs were astronomical.
        Needless to say, I was absolutely floored to hear this. No empathy, no concern for their employees and their privacy. Of course he didn’t need the employees but anyone who’s worked in those groups would likely know who it was. And the only thing he conveyed was that these people were costing us money.
        That’s why my guess is this company is self-insured. It puts companies in the position of thinking that any time there employees get sick, they are stealing money out of the company’s pocket, even more so than usual.

        1. Observer*

          It sounds like this company is self-insured.

          Nope. The OP says that they are getting this list from their INSURANCE company, not their health management company. Furthermore, the workflow makes no sense in the context of self insurance.

          And by the way, sharing this information with people like HR is almost certainly illegal anyway.

          I remember the fiasco you are talking about. I also remember people talking about the potentially illegal sharing of PHI. The big question there was who officially had been given the information as to WHO had gotten all of that expensive care or not. Because even in that context, the COO and HR are not supposed to have that information.

          1. Lusara*

            Self-insured companies use third-party administrators or insurance carriers to administer the plans.

          2. Polecat*

            Actually, yes. Even if you put insurance in all caps.
            I wasn’t talking about the incident of sharing health info that became public. I was talking about something that happened to me, at a company I worked for.

            1. Observer*

              I wasn’t talking about the incident of sharing health info that became public. I was talking about something that happened to me, at a company I worked for.

              The AOL fiasco was not about “info that became public”. It was about a CEO sharing information that he shouldn’t have had access t0 – and being a horrible human being in the process. I’m sorry that you had something similar happen in another company.

              And it turns out that the OP did actually use the incorrect term (they clarified that they are self insured), but that doesn’t change the basics of what I was saying. Self insurance does not allow the company to share and use the data in this way.

              1. Melody Pond*

                How did the OP use an incorrect term?

                Self-insured employers still go through an insurance company for their employees’ health coverage, as Polecat says. In fact, from the outside, it looks exactly the same as regular health insurance. The difference is that instead of monthly premium invoices, the employer receives regular claims invoices from the insurance company and the employer pays for the cost of everyone’s claims directly.

                Of course HIPAA still applies to the insurance company, whether the coverage is fully-insured or administrative-services-only (for self-insured employer groups). By law, the insurance company shouldn’t be giving any employee names or identifying numbers along with those claims invoices. Which I think is what you were getting at, it just sounded like you might have been unclear about the particulars of how self-insured coverage works (though I may have misread).

                1. Observer*

                  How did the OP use an incorrect term?

                  If they are self insured they are dealing with a TPA (Third party administrator) which usually is an insurance company, but is not *their* insurance company. Not that that’s really the point.

                  What is the point is:
                  Of course HIPAA still applies to the insurance company, whether the coverage is fully-insured or administrative-services-only (for self-insured employer groups). By law, the insurance company shouldn’t be giving any employee names or identifying numbers along with those claims invoices. Which I think is what you were getting at,

                  There was a sense in some of the comments about self insurance, that somehow because they are self insured they can be looser with this data. And that’s not really the case. Which all I was really trying to get at.

          3. Esme*

            I’m not an expert on insurance terminology, but my husband works for a State University which chooses to pay out of pocket for its employee’s health insurance, rather than take any money from the government. Under the terms of Obamacare, insurers who use it are required to follow all sorts of government mandates. They (the university) refer to themselves as “self-insured,” as do the pharmacists who fill my prescriptions.

        2. Western Rover*

          In my former employer’s open enrollment meeting some years back, in the context of why we didn’t have a better insurance plan, the HR lady explained that while she sent (somethings) to all the major insurance carriers, most of them declined to bid because we had one employee who had used $X of health care the previous year, and most people I’m sure guessed who it was. So this does affect companies who shop the market for coverage as well as self-insured.
          Another reason health coverage should not be tied to employment.

          1. Mm*

            Yep, it’s insane companies are in this process at all. What a complete waste of resources and an incentive for companies to behave unethically.

            1. TardyTardis*

              And of course those people who use the most insurance would never, ever get laid off…right?

      4. Anonannie*

        The owner of my company announced at the company wide all hands that we weren’t getting bonuses this year because there were a couple of people that had expensive medical claims. I had gone through cancer (surgery, chemo, radiation) My team (which was a pretty big portion of the company) knew that I was out for medical reasons, so I’m sure they knew I was the reason that they were not getting bonuses.

    2. Amber Rose*

      I dunno, I think mine plummeted right outside the planet’s crust and is getting thoroughly lost in space.

    3. anonymous 5*

      Well said. If they’re willing to look for mine as well, I’ll go in with you on their fee…

    4. Keymaster of Gozer (she/her)*

      A bit more sane response from me: I’ve shopped an employer to the high court for doing illegal stuff (in the UK) and gone through the rigmorale of being the whistle blower and associated stress. Their problem was massive financial fraud, not the mega oh no of private medical information being given out so I can’t claim to give any advice regarding the legal stuff.

      What I will say, from experience, is shore up your own mental defences whatever you decide to do and make moves to get the heck away from the company as fast as you feasibly can. The first bit is very, very, very important.

      1. Keymaster of Gozer (she/her)*

        Also, lawyers aren’t as scary to talk to as I used to think! The one I spoke to before I gave over all the incriminating information was so calm and really, really good at reducing stress.

      2. Keymaster of Gozer (she/her)*

        My kingdom for an edit button: also want to add that I do not regret my actions. Yes, it was a massive stress in my life, I can’t use that firm as a reference, but the people in charge? Are serving some lovely time at Her Majesty’s Pleasure.

          1. Keymaster of Gozer (she/her)*

            Not gonna lie, there were times I just wanted to quit and run and not say a word for fear of causing a ruckus (being the only woman employed there I was trying to avoid the ‘disloyal b****’ stereotype the men had of just about every other woman they’d ever met. Then I stopped caring)

        1. Anthony J Crowley*

          Oh my lord. That must have been awful to go through, but it’s good to know that at least sometimes the system works.

        2. 30 Years in the Biz*

          I’m so sorry you had to go through this, but you did the right thing and justice prevailed! I’m going through the same thing now and I totally agree with your opinion of the need for mental support and a good lawyer who is calm and good at reducing stress.

          1. Keymaster of Gozer (she/her)*

            Much, much love and respect to you mate. It’s bloody difficult but seeing the judges order those crooks into jail? Best. Moment. Ever.

            (I played soooo much Diablo during that. Repeatedly splatting huge demons did wonders for my sanity)

        3. FreakInTheExcelSheets*

          “At Her Majesty’s Pleasure” is probably one of my favorite quintessentially British euphemisms :) I’ve never been in a situation anywhere near as serious as yours, but can definitely agree that there is a lot of girding of (mental) loins involved in reporting a superior to a higher one, and that was when I was on good terms with the great grand boss as I had previously been her intern for a year and knew she wouldn’t dismiss me out of hand. I couldn’t imagine the stress involved of needing to approach a complete stranger and/or a lawyer. Though you are very right about them not being unapproachable – any interactions I’ve had have been, while not pleasant due to the subject matter (let’s just say related to a contentious custody battle/divorce of a friend), at least calm and cordial as well as understanding that it was difficult subject matter and I compassion to get through the interview.

          1. CoveredInBees*

            I’m glad I heard it in context because certain high level positions in the White House work “at the pleasure of the President”. A very different meaning there.

            1. doreen*

              I believe it’s used that way in the UK as well- as far as I can tell, it refers to either a government appointment or a period of incarceration with no set term.

            2. MM*

              It’s the same meaning, really. The person employed at the White House serves at the pleasure of the president, meaning, as it pleases the president and until it no longer does. The prisoner in England is imprisoned as it pleases her majesty and until it no longer does. The point is autonomous executive/sovereign power. In both cases the expression is an exaggeration if you look at the realities of how these things actually work today, and in that sense a bit anachronistic, but it’s the same meaning. It’s just that in one case the thing it pleases said power to bestow is privilege, and in the latter it’s restriction; but bestowing and withdrawing those are what that kind of power means.

          2. Lab Boss*

            I’ve heard the euphemism “spending some time as a guest” used in the rural midwestern US. If pressed for details… “a guest of the county.” Because we might not think it’s weird for people to go to jail, but we acknowledge it gives no pleasure to anyone involved :D

            1. Carol the happy elf*

              Foster parents sometimes describe it to children as “Time-Out for grownups.”

          3. Hornswoggler*

            As far as I recall, ‘at Her Majesty’s pleasure’ is a very specific legal term meaning an indefinite sentence, i.e. HMQ can decide when someone is released (obviously she doesn’t do it on her own – there’s a process).

            1. Gee*

              Colloquially, “at Her Majesty’s Pleasure” is now used in the UK for any term of imprisonment, however short.

    5. Oh so anon Fortune 500*

      That’s the sort of thing that coincidentally gets people laid off who coincidentally had major medical treatments in the last few years. I’m not in HR, but I’ve seen some really striking patterns in coincidences that I’m starting to think are more likely illegal than coincidental.

      1. Liz*

        This really makes me wonder about a friend who’s job was “eliminated” a few years back. She was the ONLY one in her group who did any work, and myself and another CW just thought it was because she wasn’t part of the “clique” of her group. But she also had some VERY significant health issues, requiring regular, VERY expensive treatment. So now I wonder if that had anything to do with it.

        1. Loredena Frisealach*

          It sadly wouldn’t surprise me! I know that this happened to a cousin when he worked for a very small company, before the ACA.

          I was laid off immediately after returning to work post my spouse’s multi-month stint in the hospital (as in the first week I came into the office!), w/my management knowing he might need a transplant. I couldn’t prove anything (and I did speak to a lawyer) so I took the substantial severance, and I found a much better job – but I’ve never knowingly purchased product from this major food manufacturer since.

        2. CoveredInBees*

          Yeah. I’m starting to wonder about my husband’s layoff a number of years. It happened to follow a long period of infertility treatments and I was 5 months into a healthy pregnancy. We always assumed he was included as a cover to avoid an age discrimination case. He was sent a list of everyone laid off and their ages (whyyyy?) and he brought down the average significantly. They had cut everyone who was fairly senior and had a long history with the company. My husband had just happened to start working there rather young and had stay there a long time. It stank enough that we might have gone to the media but this was a major media company. Also, the terms of their severance included a non-disparagement clause that terrified him, despite legal advice that this would not trigger it.

          1. Judy*

            “Your employer gave you this chart with a list of people’s positions and ages attached to a severance agreement, because they are legally required to do so by the Older Workers Benefits Protection Act (“OWBPA”) – and if you were “RIF’d” as they say, and your employer didn’t provide you with this chart, it may have broken the law.”

        3. Elizabeth West*

          Someone at OldExjob got laid off during what I refer to as the Great Purge (parent company hired a new VP to “bring XYZ Company into a new era” (translation: he cleaned house so he could hire people he’d worked with before. He decimated the place, then left.)

          This particular employee was one of their best salespeople—excellent with customers, always picked up the slack whenever anyone else was gone, occasionally annoying (he griped a lot) but an all-around good egg. He was so good with clients that I repeatedly told him if he wanted to change jobs I’d happily be a reference for him.

          But he also had a very serious health problem that landed him in the hospital for a good long while. He came back to work at full productivity once he’d recovered. I suspect his medical issues had something to do with the decision to let him go. They didn’t let French Perfume go and he barely did his job at all (I call him that because his cologne would stun small birds).

          (Note: the company that owns them now is shutting them down by year-end, so it wouldn’t have mattered anyway.)

      2. SheLooksFamiliar*

        A client of mine got in some well-deserved legal trouble in the late 80s for something along these lines. They fired someone without notice, a well-liked fellow that produced better quality work than most of his team. No PIPs, no complaints.

        Turns out someone in Accounting was checking employee credit reports at the request of the VP of HR, I never heard the reason(s) why. This employee was self-funding treatment for AIDS, and the payment plan showed up on his report. He had not submitted any claims through their group health insurance, so the VP of HR made a couple of calls to get details. This was in the pre-HIPAA days and is one of the reasons why we needed HIPAA.

        A lot of people self-funded their treatment in those days because they were concerned about AIDS discrimination, clearly justified. I don’t recall the outcome of the proceedings, but this situation is one of the reasons why I was a vocal opponent of pre-employment credit checks for most of my employer’s roles.

        Damn, I thought this kind of shitty behavior was mostly behind us.

        1. Marzipan Shepherdess*

          Well, in the ’80s AIDS was associated very largely with being a gay man and homophobia was going full blast then (with virtually no legal protection against discrimination about gay people.) So a diagnosis of AIDS was seen as a sure sign that the male employee was gay and said employee could be, and often was, fired as soon as this was revealed.

          1. SheLooksFamiliar*

            Yeah, I know. That’s why I called it ‘well deserved’ legal trouble, and said that concerns for discrimination were clearly justified.

            1. Former Employee*

              This makes me want to watch “Philadelphia” again. I haven’t seen it in years and “The Atlantic” just recommended it in one of their “watch something you might have missed/haven’t seen for awhile” recs.

              One of the best movies ever and it was my introduction to Anna Deavere Smith.

    6. AnonInCanada*

      I’m happy there’s a floor under my feet as well, or else my jaw would be half-way to China!

      WTF is with this company? I hope LW cuts herself loose from Crazytown and then reports this to EEOC or whatever authority oversees this, for LW’s own sake. I can see her personally being fined or even jailed if employees find out about this and can connect the dots.

      1. LifeBeforeCorona*

        Yes, she really needs to speak to an employment lawyer because I can see this company throwing her under the bus if investigated and declaring that the problem is solved.

        1. AnonInCanada*

          Me too. Hopefully OP will see this advice and call one, as this won’t end well for them and it’s CYA time.

        2. Carol the happy elf*

          The company that would do this would have absolutely no compunction about throwing you under the bus and walking on your corpse.

      2. DJ Abbott*

        Yes OP, don’t sign any reports or anything that has to do with this because that can make you legally liable. This is what I was told around 2006 to 2011 when I was working for an unethical person. You should take advice from an employment lawyer.
        Also when I worked at a hospital they told us we could personally be fined or jailed for breaking HIPAA laws.
        I think your next step is to see a lawyer ASAP.

    7. Pam Poovey*

      My one dropped so far into the earth it’s gonna awaken the Silurians if I try to retrieve it.

    8. TooTiredToThink*

      Not only am I in shock that a company is doing this – but that the insurance company is sending this information to the company too. I thought all of that information was private. ACK!

      1. Health Insurance Nerd*

        In this case the employer is almost definitely self-insured, which means that the company is technically the health plan, and the insurer is the administrator of that plan. Being self-insured gets companies a whole lotta loopholes when it comes to coverage and mandates and all kinds of other stuff. So, while what the employer is doing is unquestionably unethical, the insurance company isn’t doing anything they shouldn’t.

        1. TooTiredToThink*

          Yeah, I figured that it meant it was self-insured and while I assumed that the insurance company was sending info back to the company, I figured it was scrubbed – meaning that names weren’t attached to dollar amounts, etc…

          1. Health Insurance Nerd*

            That is typically how the reporting works- the cost, diagnosis and procedure codes are shared, but no other identifying information. If you’re at a smaller company it wouldn’t been too hard to figure out some of who is having what service, but not so much at a larger company. I know that at my company the default is to send the minimum amount of information, so if this company is getting the level of detail the LW says they are, they specifically asked for it. Even though it’s legal, it’s a gross violation of privacy on the employers part.

            1. Observer*

              I’m pretty sure that it’s actually NOT legal to share that information with people like the COO. Even within a provider, there is a need to know issue and there is no way to make the case the the COO actually has a need for this information, nor anyone in HR for that matter.

              1. Recruited Recruiter*

                At the last org that I worked HR for that had a self-insured plan, the only time HR got involved was when people were sitting on their reimbursement check for reimbursable expenses. And that was just because our accounting department did not have anyone who had enough internal customer service skills to be polite.

    9. Rob aka Mediancat*

      My eyebrows slammed into the ceiling, went through, and are currently in orbit somewhere over Guam.

    10. Jules the 3rd*

      +1. woooooooow.

      I don’t usually post ‘worst boss!’ candidates, but I’m gonna make an exception here. VP / COO are def candidates for worst boss.

  1. Clorinda*

    IANAL but you know who is? The person you need to talk to before you take the next steps. Take care and do right.

    1. Alexander Graham Yell*

      1000000x this.

      LW I really hope you’re able to get yourself out and have a good lawyer who can protect you if you speak up about this.

    2. Chauncy Gardener*

      Yes, flee rapidly!!!
      And I have no idea where my lower jaw is either. I thought I had seen everything, but this really takes the cake. And it’s an actual process! Holy cow

    3. KatieP*

      I couldn’t agree more! My next call would be an employment lawyer. I’d also get mentally ready to leave fast and understand that the bridge will be well and truly burned. It’s one of the rare few that should be.

      1. Never Boring*

        Just for the heck of it, here’s some info on whistleblower protections: https://www.whistleblowers.gov/ And you want to talk to a lawyer who specializes in them, not just any old employment lawyer. (Although you may want to talk to a general employment lawyer first if you can’t find a whistleblower specialist right away.)

        1. OpinionatedDogMom*

          The Department of Labor would also be incredibly interested to hear this. A few years ago, they upped their staff in massive proportions to audit employers.
          Things like this make their day, and will make life a living hell for the employer.
          Drop a tip and GET OUT. Get some marshmallows and watch it go.

    4. Van Wilder*

      Reminds me of this ethics video we had to watch at work… This guy who went to jail for fraud got caught up in it because his boss told him to change something on a financial report one time because he was sure there was a mistake.

      IANAL either but I would be wary about participating in activity that may be illegal. I would talk to a lawyer, who can advise you who to call.

      1. Former Employee*

        That sounds strange; I men the part about the employee ending up in jail. If the boss told an employee to change something and they did, that should have been the kind of thing that got that person off the hook in exchange for their testimony against said boss.

        1. DJ Abbott*

          With HIPAA laws, employees can personally be fined or go to jail for breaking them.
          Along with the punishment for the employer.

    5. Berkeleyfarm*

      Agreed. OP, if you are in California, I know someone good. Drop a comment and I will send info to Alison.

    1. Clorinda*

      It would be, because then everyone would see everyone else’s medical info, so that’s not the way to go.

      1. CJ*

        And you know the company would throw the person who left it on the printer right into the HIPAA Hippo’s mouth.

    2. Deborah*

      It would be a shame if every person who was let go after incurring high medical expenses somehow found out about this.

  2. ecnaseener*

    YIKES.
    OP, I know you said you didn’t want to go too far with this because you’re leaving soon, but I hope you’ll consider whistleblowing if you can safely.

    1. Not Tom, Just Petty*

      Can OP also inform of/share during whistle blowing the name of employee who let go following medical procedures?

    2. Ellie*

      If you’re leaving soon anyway, then this is the best time to whistleblow. You’re in a unique position OP, don’t sell your soul for a temporary gig.

    1. Jack Straw*

      Yes. As someone who hit her deductible and out of pocket max before mid-Feb, this scares the ish out of me. Please make this a big deal.

      1. DJ Abbott*

        I’ve had years like that.
        Has anyone else noticed her test-happy doctors have become? Any little thing, they want me to get an expensive test. My liver enzyme is one point above normal, get an ultrasound. I have a little digestive upset, get a couple of gallbladder tests. There is no mentality that this is probably minor and we could wait and see what happens. I’m the person who’s doing that thinking, not the doctor.
        My liver cleared up on its own with no tests. I showed hypothyroid a few years ago and that cleared up with supplements. Now I’m showing hyperthyroid but only slightly. Along with slight abnormalities in other levels. Show of hands for everyone who thinks this might be from stress and does not require expensive specialists or tests?
        Some of what OP is seeing is most definitely on the doctors, not the patients or anyone else.

        1. Dawbs*

          I seem to find quite a bit of the opposite.
          I press and ask for help for issue that is being blown off and doc reluctantly orders tests.

          Doc: “Hmm, these tests show this enzyme within the range of normal, so you’re clearly fine.

          Me: “but…*laundry list of symptoms causing me great amounts of pain*… I’m not fine, am I? I’m in huge amounts of pain that are affecting my daily life”

          Doc: “well, these tests show normal”

          Me: “can I see those test results? Wait… this says the ‘range of normal is 50- 295 ppm’. Mine is 294. The normal range is usually set based on men with a body weight higher than mine. And women generally have lower numbers than men. So we’re talking about ‘elevated and possibly problematic’ as opposed to ‘normal’. ”

          So put me firmly in the “opposite experience for essentially my entire life”

          1. DJ Abbott*

            I’m so sorry! I had a doctor like that and I changed to a nice woman doctor and reported him to his management. I hope you can find a better one!

        2. TeapotNinja*

          > Has anyone else noticed her test-happy doctors have become?

          That’s because otherwise things like this will happen:

          Doctor charged $273.33 for Foo Bar
          Insurance contracted price for Foo Bar: $27.54
          Insurance paid: $27.54
          Your balance: $0

          The healthcare industry in the US is fubar.

  3. Jean*

    HOO WEE this is a doozy. I know we aren’t supposed to get political on here, but all I can think of when I see stuff like this is that if we had medicare for all, these scumbags would need to find some other way to slime on their employees. Which I’m sure they would.

    1. Dan F*

      Speaking from Canada, where we have medicare that covers most things, there are still some expenses that are not covered but some employers have health insurance plans for: prescription drugs, dental, massage therapy, physiotherapy, and some other procedures and treatments that are not covered by our provincial health care plans. Any information about any of these things is still medical info that should never be in the hands of your employer.

      1. Catt*

        Work as a Corp Benefits Manager in Canada. I have no way of seeing what Health/Dental claims where paid, processed, etc.. for any individual employee, with the exception of disability claims. Even then, we rarely know what condition they might have unless they directly, voluntarily, disclose it to us (and we often tell them WE DONT WANT TO KNOW). So we don’t even get the opportunity to do ridiculous things like this.

        It’s just so appalling all around, I really feel for OP.

  4. not a doctor*

    My eyebrows are currently somewhere in orbit.

    How and why is the insurance company even passing the codes along? Because that certainly seems like confidential information to me! I don’t know much about benefits — is it normal to even send along the names of the employees with claims?

    1. ENFP in Texas*

      Including the codes.in the claims reports (all codes, not just high-cost claims) is pretty standard, I think. If you Google “What Does Your Employer Know About Your Health” there is a CNN article from 2014.

      It sounds like identifying information about the individual is generally removed, and it sounds like the emoyer here may be violating HIPAA by tracking down, identifying, and passing along personal health information to people not authorized to receive it.

      1. Richard Hershberger*

        It is the identifying information about the individual employee that makes my eyebrow rise. Listing the CPT codes the insurer paid for makes sense, as it explains the bill. But why do these need to be linked to specific employees? Because yes, you can take a pretty good stab at inferring the ICD-10 codes that led to the CPT codes.

        1. quill*

          If the company is sufficiently small even providing the CPT codes and treatment locations could be identifying.

          1. Raine*

            Yeah, totally. And even if they weren’t, the fact that someone is being tasked to a) look up the diagnosis codes (the hell!?) and b) report what they mean, which means it won’t take too much detective work to make the connections from there.

        2. Clisby*

          That was my take. I didn’t see the codes as confidential; the problem was linking them to a particular employee.

    2. LTR/FTP*

      Yes, I’d like to know more about how this works. My cancer treatment was very expensive and I didn’t realize that my (former) company was getting billed for part of it. They laid me off without cause and I always suspected it was related to my illness, but if I was costing them a significant amount of money that makes me doubly suspicious.

      1. Cranky lady*

        Many large companies “ self insure” so the company pays the bills and the insurance company just handles the claim processing. In that respect, it’s possible your company was paying your bills. And it sucks!!! Lots of insurance rules don’t apply to self-insure situations.

      2. Sometimes I know things*

        Depending on the size of your company it is probable your employer was paying all of the claims. Many larger employers are what’s called “self insured” which means that while the insurance company cuts the actual checks in conjunction with what the plan administrator (employer) wants, the plan administrator is the one actually paying the bills. We have access to reports about who, what, when and how much because ultimately it is our responsibility to ensure that the claims are being paid correctly and for the correct people. I have 11,000 belly buttons on my plan. I sure as heck don’t have time to look at everyone’s stuff, nor would I want to, but it would definitely be a HIPAA violation if I were to share our reports with folks like my Director or the CFO/COO. We also get a large claims report monthly which lists all claims running over 50k. From a budgetary standpoint this does help because we can monitor how a claim is going and if we think it will continue to increase or not. For example, a NICU baby is very expensive – far more than you’d think. When we see the claim start to taper off we know that claim is probably done. Cancer can be a roller coaster the whole time a person is in treatment.
        To your specific case regarding cancer, there are probably a lot more factors here than you are thinking about. Please note I’m assuming you are in the US. If you aren’t, this all goes out the window including the health insurance bit above. If your employer has over 50 employees in your location they are required to offer you FMLA. If you’ve exhausted your FMLA with no projected ability to return, they are under no obligation to keep you on. There are some ADA accommodations that go along with this but if your prognosis is “we don’t know when LTR could return to work” there’s no reasonable accommodation that would work. More than once I’ve had to lay someone off because there is no reasonable accommodation available to them and we needed the employee.

        1. Rational Lemming*

          (US only reply) Yes, this is what I was going to say too. If a company is “self-insured” they technically own the medical data. The insurer is essentially an administrator (acting as an accumulator/adjudicator). I am in pharmaceutical consulting. I do reporting for lots of companies and “high-cost claimants” is a VERY standard report that we do. This information is de-identified for reporting purposes. HOWEVER – if I (or the company) wanted to look up Joe Smith’s claims for whatever time period, I could totally do that. I will say that most of the time this is used in positive ways – for example – Joe’s XYZ script just doubled in price, we can go into the claims and figure out why that is.
          I guarantee that companies either have actuaries in-house or are working with consulting firms that employ armies of actuaries, that look up this information to set health insurance premiums for the coming year.

          1. Observer*

            I do reporting for lots of companies and “high-cost claimants” is a VERY standard report that we do. This information is de-identified for reporting purposes.

            But the de-identification is the key here. Yes, people COULD look it up, but unless there is a legitimate needs, that’s actually not legal.

        2. LTR/FTP*

          To clarify, I returned to work after treatment (I took short term disability during the worst of the chemo) and was laid off a year later. I worked full time for that year, aside from a week off for some additional cancer-related surgery. I just feel like they assumed I was going to ultimately need more treatment (certainly possible) and they didn’t want to foot that bill anymore.

        3. Former Employee*

          I found this last part confusing. I was under the impression that firing someone because they were ill was wrongful termination, but that if they will be gone longer than so many weeks/months, they can be replaced with the understanding that when they are able to return they will have first dibs on any opening for which they are qualified.

      3. laser99*

        I wonder how often this kind of thing occurs because we lack universal health care. Actually, never mind, I don’t want to think about it.

    3. What's normal in this situation?*

      That was my thought! I’ve truly never stopped to think about what happens after you sign up for healthcare from the company perspective.

      In my experience, I sign up for healthcare in annual enrollment and it clearly states my monthly fee as the employee is X, and my company is contributing Y monthly. I always assumed that they are just paying their portion of the monthly fee and then I’m managing my health and expenses whether in-network or copay or whatever based on the plan I choose. I would think the company just gets a monthly bill for their portion of ALL employees’ insurance. Like you have 250 employees and 100 are on a HDHP, 200 on the mid plan and 50 on the high plan so your total employer contributions are X this month owed to Acme Insurance. Why would they even see specific procedures or even look at anything on an individual employee level?

      Does anyone have expertise on this and can share what a benefits admin “normally” (I realize it could vary by company) sees or pays for health insurance?

      1. LikesToSwear*

        Some companies self-fund their insurance. So they pay an administrative fee to the carrier, the carrier does the day to day administration, but bills the employer for all claims. The employer pays the carrier for the claims, the carrier sends payments to the providers.

        1. Extroverted Bean Counter*

          Yes, I learned about self-funding when I went on a rampage the other year after finding out that my employer sponsored insurance did not cover – and in fact explicitly prohibited – “routine ultrasounds” during pregnancy. Diagnostic, yet. Routine, no. This apparently included the 20 week anatomy scan.

          Turns out that because it’s a self-funded policy my employer attached a rider prohibiting the ultrasounds from coverage. Because the company is the one actually paying for all the covered procedures they had the ability to assess/deny whatever they wanted.

          [My best guess is that some clueless person in the benefits department at some point recognized that a handful of unscrupulous OBs will do an ultrasound at most/all appointments to generate more revenue. Doing them as a matter of “routine” rather than with a stated purpose. But the person who wrote the rider didn’t define “routine” and the unintended consequence is that very important ultrasounds that are done as a matter of routine because of how vital they are got lumped in. That is my charitable guess. My youngest child is almost 3 and I am still on my crusade to get this fixed because I continue to get nowhere with it]

          1. Rusty Shackelford*

            Seems like word should go around at your company that it’s good to have some weird symptoms at 20 weeks; symptoms that call for a diagnostic ultrasound.

            1. fhqwhgads*

              What’s weird is the anatomy scan IS diagnostic. They’re looking for potential birth defects. I mean, they’re doing other things too, but this is weird all around.

              1. Rusty Shackelford*

                Not really. Compare it to a diagnostic vs routine mammogram. Yes, they’re looking for issues, but the diagnostic one means they have reason to suspect something.

            2. MissBaudelaire*

              What’s that? The baby isn’t moving quite as much as anticipated? Oh no, you were really borderline on the NST. Hmmm, better do an ultrasound.

              I’ve had medical professionals feed me certain phrases to say to get what I needed. It’s insane we have to do that.

              1. sacados*

                Yup. Just the other week, I went in for a physical and wanted to get my thyroid checked (I’ve not been experiencing any symptoms in particular, but my mom has a lot of problems with it and I wanted to be safe).
                My doctor was basically like “you said you feel fine, but I’m gonna write down here that you’re experiencing fatigue, because that way the insurance will cover the testing.”

          2. HBJ*

            I wouldn’t say it’s only that. I expect a large part of it is also that women request them just because they want to see the baby or just because they’re worried without any indication something is wrong. I saw this all the time when I was participating in pregnancy forums. There was absolutely no indication anything was wrong but they were “just so worried” over perfectly normal things that their medical provider and forum members assured them were normal. And then they went on to have a healthy baby, or, if they got the ultrasound, there baby was shown to be perfectly fine.

            1. MissBaudelaire*

              I have heard providers say they just do the ultrasound because it puts everyone’s mind at ease. If this simple thing that harms no one is going to make you feel better, might as well do it? I think a lot of providers do it because then if something (God forbid) *did* go wrong, the patient couldn’t say “But if you had just done the ultrasound…”

              People, quite rightly, get very touchy about their babies. With good reason!

              1. WorkInProgress*

                I had a perfectly normal pregnancy with nothing worse than morning sickness.

                I had a “routine” ultrasound at 30 weeks. The cord was breaking down and the baby was undersized with a low amniotic fluid level. That routine ultrasound led to an emergency c-section 4 days later. If I had gone full term he would have died or been profoundly disabled.

                He starts his junior year of high school tomorrow, perfectly normal, healthy, and an honor student.

                Routine tests are important and save lives and money.

                1. Observer*

                  This actually points up a really serious problem with obstetrics (and possibly other medical fields.) Your OB should have known there was a problem without the scan. Because it’s perfectly possible to get a good handle on the size of the baby and a sense of how much fluid there is.

                  My kids are adults but at every routine visit, the mid-wives checked the size and the fluid without any scans. Of course, had there been ANY question about the baby’s size or the fluid, they would have insisted on a scan (and their primary office actually had a machine, so if you came in during “normal” business hours their US tech could even do an emergency scan.)

                2. MissBaudelaire*

                  I’m not disagreeing with you at all!

                  My second kid, they couldn’t find half of her heart on the ultrasound. We had to have another. She was fine, remains fine, and is a three year old terror, which is how she should be.

                  The tests are there for a reason, and it’s asinine when an insurance company says “We’ve decided you don’t need it for reasons. We know better than your actual doctor.”

                  Insurance companies are in the habit of tripping over dollars to pick up pennies.

                3. DJ Abbott*

                  Yes, I’ve seen more than One doctor get annoyed by the insurance companies interference. One of them cut back her practice because of it.

          3. Mrs. Smith*

            My previous employer self-funded and managed to write the policy to cover pregnancy but specifically exclude any care for the baby once he was out of my body cavity. Inside, totally covered. Outside, cash only for every washcloth, eye ointment, routine test, etc. And I had a c-section so I couldn’t exactly leap out of there in 12 hours to save the $3k or whatever hex was gonna cost me. I explained all this in advance to the incredulous OB and pediatrician and I suspect they conspired to just somehow fail to record some stuff (perhaps because I threatened to send baby out with Dad to the hospital lobby where I would nurse every hour or whatever till I was discharged). It’s still astonishing to me and that kid is 15 now.

        2. Quinalla*

          Yes, the employer gets the bills directly if self-funded insurance, but they are NOT supposed to have identifying info!!!

          1. Health Insurance Nerd*

            That’s actually not true, although it could vary by state, in many states there is nothing that prohibits the insurance company from sharing this information with the self-insured employer.

            1. Observer*

              This is not a state issue – HIPAA means that there ARE limitations on who gets to see that information.

      2. nona*

        As someone who used to do this for a small company, yes, the monthly bill would just be for the premiums, because we were a company that just bought insurance coverage. I don’t know what it would look like for a company that self-insures.

        The prep for annual enrollment would involve the company looking at what the premiums would be for the next year, and the insurance company would base that, in part, on what the premiums were last year. And whether the payouts from the insurance company (for medical claims) exceeded the premiums collected. There would be a formula about your specific company premiums, and whatever pool you were in to determine what next years premiums were. That discussion might have some information on the amounts of the biggest claims, maybe some high-level information on what they were for, because that’s affecting next year’s premiums. And because it was a small company, someone could have a pretty good idea of who that was. But in our case, that wasn’t used against them.

        1. Darsynia*

          There was one year where in my husband’s small company we were one of three couples who happened to be pregnant at the same time they renewed the insurance and filled out the forms. I felt guilty for a long time because it felt like our choice to have a baby contributed to making everyone else’s premiums more expensive that year.

          1. The Price is Wrong Bob*

            Unless you are president, a member of congress, a senator, or a lobbyist, it was never your job to worry about that. The company also chose to pass additional costs on to employees, nothing beyond greed and poor leadership was stopping them from eating the increase themselves.

          2. nona*

            Don’t feel guilty at all. That’s what insurance is for. And it was probably going to go up to some degree regardless of what any individual employee did. I believe (at least in my state) most smaller companies are also part of a pool with other small companies covered by that employer, so rates were determined by a combination how the individual company did combined with how the pool did as a whole. So the risk/costs were spread out over a larger area than just the company.

      3. Two Dog Night*

        Some companies are self-insured–they pay for the actual expenses rather than for insurance. In those cases they’d need more info about what procedures were done… but I’m side-eying the administering company for including employee info. Link to follow.

      4. Chauncy Gardener*

        I’m not in benefits, but on the finance side of companies. If there is a lot of high dollar usage of health insurance, the company’s premiums can sometimes (significantly) increase in the next period.
        That being said, as a finance person, THAT IS WHAT THE INSURANCE IS THERE FOR!!!!!
        I cannot even begin to imagine doing what these people are doing.

          1. Elizabeth West*

            So insurance companies can make money.

            Wealth tax and let’s just have universal healthcare already because ARRRRGGGHH.

            1. MissBaudelaire*

              Insurance was once explained to me like a bet. Only even when the insurance loses, they don’t pay up.

              It kills me. UHC for all. I’m begging.

      5. RosyGlasses*

        The premium portion you pay just goes back to the company usually – you’re not actually paying it to the provider directly. At our small business, we pay 100% of the premium – the deduction off payroll offsets what we pay to the healthcare provider. For larger employers (100+ EEs) they will get utilization reports and they can see what types of procedures are getting higher use, but I haven’t worked in a larger employer to know if they attach utilization codes to actual employee data.

    4. Non,non, nonamous*

      Agreed – I’m medical adjacent, and in the processing dept – we send the most generic codes possible to the insurance companies. But why in the bloody blue hazes are those billing codes going from insurance to the employer?!?!?! This would be a direct ticket to”FIRED FOR CAUSE, INELIGIBLE FOR REHIRE” where I work.

    5. tiny moon*

      This is absolutely confidential—it’s protected health information about someone’s medical care. It is 100% inappropriate for that employer to share the information with staff who don’t need to know it to do their actual jobs.

    6. Jay*

      When I was a primary care doc, I had two phone calls in one morning that just made me want to scream. The first was from a patient I’d sent for a screening mammogram. “Dr. Jay, I need you to change the order to a diagnostic mammogram because my insurance doesn’t cover screening tests but will cover diagnostic tests and I can’t afford the out-of-pocket cost.” Second call was from a patient who had found a lump in her breast. “Dr. Jay, I need you to change the order to a screening mammogram because my insurance covers screening tests without a deductible but diagnostic tests are subject to the deductible and I can’t afford it right now.”

      AARGHHHHH (this was years ago before the ACA changed the rules about screening tests, but the second one would definitely still happen)

  5. it's me*

    Wow that’s crazy.

    Years ago I worked for a pharmacy benefits management company and I’d take notes on meetings with clients. It was not uncommon for clients (usually people in HR) to casually mention that they had employees with expensive prescriptions (think monthly injections that can run into the tens of thousands per). They didn’t name names, but.

    1. NoNotNan*

      A self-insured employer I worked for did this during an all hands meeting. They were discussing benefits and explained that when we didn’t take the generic prescription or we didn’t refuse pricy prescriptions, the company ended up paying more. So we were implored to consider them in our medical decisions. They listed off the highest priced drugs used in the previous year by people on the health plan and how much less the generic or alternative medications are. But the insurance administration company already had an approval process in place to reduce drug prices! Doctors had to explain to the administration company why cheaper alternatives or generics wouldn’t work!

      We had under 150 employees in 3 locations, it was a lot less anonymous than it seemed. I have worked hard to avoid smallish companies for this reason.

      1. WellRed*

        It’s bad enough when insurers play doctor. Having employers do it is just… I’m speechless.

      2. Irish girl*

        i have co-worker who has a daughter who is on growth hormones until she is a teenager. Our company pulled the meds she was using off our approved list without letting him know because it was so expensive. It was also one that she was able to use herself which made it convenient. They told him to get a different one that was approved which there was only 1 and no generic option. This required him to go back to using vials and individual needles. Now every year he has to get a list of the approved medications at open enrolment to make sure that his daughter can get her meds without costing him $30k a quarter.

      3. Snarkus Aurelius*

        I had a self-administered plan as well, and our head accountant let it slip that I was seeing a psychiatrist.

        Never again.

      4. MissBaudelaire*

        I snorted.

        Sorry, employer, your well being is the last thing I consider when taking my life saving medications. I think “Well, this is what my doctor said I should take and I like not being dead so… better do that.”

    2. (anon for privacy)*

      I am a person who has to take a maintenance medication that runs my insurer about $120,000 annually. The drug is almost 20 years old but because of the way patents can work there is still no generic alternative, and the price rises in concert with newly introduced drugs as they hit the marketplace. (Treatments for my condition have expanded DRAMATICALLY since roughly 2000.)

      It’s still cheaper than me having constant relapses would be but I definitely feel more secure when I work for extremely large employers than when I work for very small ones, because then at least I know the medication that is keeping me alive and well is a rounding error. And I hate that it’s this way.

      1. The Price is Wrong Bob*

        This is why I would never ever work for an employer with under 75 people in a location unless the US gets universal healthcare. It is not worth some small business tyrant ruining your health if you can avoid it.

        1. Polecat*

          It’s not so much the size of the company but whether they are self-insured. I worked for a very large company that was self insurance and they complained about individual peoples medical issues that cost them money. Not by name but by condition, “we had a brain cancer this quarter and that’s really expensive”.

    1. Construction Safety*

      Or they are self-insured & their HI company is just the administrator.

      I did HR for a while & all I saw was a report so sanitized/normalized that it just had a dollar amount each quarter.

      1. AVP*

        My guess is that they’re self-insured because otherwise why do the specific dollar amounts and procedures even matter?

        Does anyone else remember a story about Amazon or Microsoft specifically calling out parents whose kids had cancer as being bad bottom-line contributors at an all-hands meeting? I can’t believe someone heard that story and thought “hmm yes a good business tactic I should emulate!”

        1. The Prettiest Curse*

          I remember there was a story a few years back of the parents of a premature baby being called out by their employers for having high medical bills associated with the hospitalization. Having a premature baby is not something people deliberately plan (unless early delivery is medically indicated, in which case the planning is necessary) to give their employers big medical bills, so I’m not sure what the employer was hoping to achieve there.

          1. Rob aka Mediancat*

            “Those selfish employees should have thought of the company’s bottom line before they had this kid prematurely.”

            1. Properlike*

              “Rather than thoughtlessly have this child seven weeks early due to sudden pre-eclampsia and imminent death, I will instead only get pregnant planning to go full-term, because those weeks in the NICU and follow-up appointments and extra pediatric monitoring are SO MUCH FUN and I didn’t realize they cost extra. My bad.”

          2. Cat Tree*

            Wow, they literally want this family to sacrifice their child’s life for the financial benefit of the company. If a mustache-twirling villain like this showed up in fiction, it would be criticized for being unrealistic. And yet, here we are.

        2. Reba*

          Yes, I was trying to look for that story! It was actually AOL (omg) with premature babies. One of the parents who was unfairly blamed by the CEO wrote a personal essay in Slate about it, “My Baby and AOL’s Bottom Line,” worth a look.

  6. Michelle Smith*

    If you still remember the name of the person who was let go, please for the love of god reach out to them on their social media and ask to set up a meeting to reveal what you know. They deserve to be able to file a claim for unlawful termination if they can prove it, and you ought to participate by testifying at a deposition and/or trial if necessary since you were participating in this clearly unethical and horrifying practice.

      1. Dave*

        Yes to going through a lawyer for this. In fact a lawyer might be able to contact them for you to help provide and added layer of protection that you aren’t disclosing information out of school

    1. Nicotena*

      True, I can understand why OP isn’t eager to lead a lawsuit against her own employer, but this fired employee may be more motivated (although it’s hard to know why they were really fired, I admit).

    2. Butterfly Counter*

      If I was the OP, this might be what I’d feel best about doing. OP feels uncomfortable in making this her fight, but if she gives the information to someone who has potentially been damaged by these policies, they will likely make it their own fight so that OP will be involved in providing testimony/depositions, but the heavy lifting will go to the person most likely to see some benefits of litigating this.

  7. samecoin*

    so speaking as someone who has dealt with Health insurance professionally for a long time- Companies that self insure ( Ie they pay all premiums and claims for their employees) have access to this information so they can understand what they are paying out and see if they want to authorize additional services on their plans. now this information should always be deidentified, but this information in and of itself going to the head of HR seems normal if this company self insures ae AND THE EMPLOYEES ARE DEIDENTIFIED.

    1. NoNotNan*

      I worked for a self-insured company once and one of my bosses got too chatty and said they just came out of a meeting where they had reviewed such a deidentified report and looked up medication prescribed and medical procedures to try and figure out who was getting the treatment and why. It was a meeting of the highest leadership, just sitting around and speculating about their employees. This boss was super gross and said they use what they’re learning about “certain types of people” to help them make “better” hiring decisions. The next 12 months of hiring was a lot of young white guys fresh out of college and under 26, so probably, likely on their rich parents’ insurance.

      1. Richard Hershberger*

        On their parents’ insurance is nice, but for lots of guys that age they have essentially no medical expenses. Many go for years at a time without seeing a doctor.

        1. quill*

          Doesn’t mean that’s a good decision though – lots of guys that age also accumulate medical damage by just typical daily activities (sportsball, drinking a bit too much, bad diet, turns out drinking red bull every day is bad for you, etc.) and ignoring it. Aside from the financial burden of birth control being pretty much 100% on those of us with uteruses, there’s really no different prevalence of medical issues between guys ages 22-27 and girls ages 22-27.

          1. Richard Hershberger*

            Far be it from me to suggest that guys in their 20s make good decisions. I just got back from a memorial service. We all stayed at a resort that featured a party pool: A swimming pool jammed packed with twenty-somethings standing in the water, holding alcoholic beverages. Not a mask to be seen. My family? We all gave that pool wide clearance, while wearing masks.

          2. Rusty Shackelford*

            I assume there’s some statistical knowledge of who tends to need more expensive medical treatment at that age, just as we know who tends to have more car wrecks at that age.

      2. MassMatt*

        The gross thing (well, something that makes a gross thing even more gross) is that this isn’t even restricted to employees. The case of the AOL CEO’s gaffe was about the selfish employee whose wife gave birth prematurely and greedily wasted money making in an attempt to have the baby, uh, live. These young bros might be healthy but their spouses and kids still may not be.

    2. quill*

      Possibly they’re small enough to be able to tell from location and other demographics who is covered. If you only have, for example, one female employee who would be treated by Ramen Island Hospital and the code comes back for “mammogram”…

    3. FridayFriyay*

      That was my thought too. There is absolutely no legal or business justification to provide identifiable information here. I too suspect they’re self insured but attaching employee names to these claims and procedures/diagnoses can really only be used to discriminate. There is not a single other purpose I can think of.

    4. Ghostwriting is Real Writing*

      This was my first thought — this company is self insuring. If so, it is super common for their benefits and operations people to see reports of claims so they can see where their money is going. They might find that certain services are being used a lot and others not so much, so they drop the not-so-much services to put more capital toward the more accessed coverages. Or they might find something they are offering is costing them too much and they just can’t afford it and need to limit it in some way. But in all cases — No Names Should Be Attached! They should be looking for trends, not individuals. We don’t know how this company is using the information — they might be using it the way every other self-insured entity does — but requiring names is problematic (and possibly illegal).

      1. Observer*

        We don’t know how this company is using the information — they might be using it the way every other self-insured entity does — but requiring names is problematic (and possibly illegal).

        Based on the OP’s description, we know that they are not just looking for trends, but for specifics. It’s not just that you don’t need the names for trend-spotting. It’s that they are looking up the particular conditions as well, and making predictions about what further treatment these INDIVIDUALS are going to need. Then the detailed list is being submitted to the COO for “approval”. “Approval” doesn’t come into play when doing analysis of trend or pretty much anything else.

    5. Weird*

      Non-HR person, but I’m curious what’s the difference between a company self-insuring and not? As a regular employee, is there something I would look for or that stands out to me to know if my company was self-insured or not?

      1. LTR/FTP*

        Yes, I am curious to know how you can tell about the company’s type of insurance, as a regular (or prospective) employee.

      2. FridayFriyay*

        It’s pretty hard to tell even by looking at plan documents. I work in this field and when I needed to use an area of health care that was included in a state insurance mandate that self insured employers were exempt from and in scouring plan documents often the only sign that an employer was SI was lack of coverage for that specific group of services (which otherwise would have been against state law not to cover.) HR will typically know if you ask them, but lower level HR staff and regular non-HR management often don’t even know what that means, never mind whether they have it.

        1. Risha*

          The only reason I know my small-ish company is self insured is because last year’s pre-Annual Enrollment presentation had a half an hour’s spiel about thinking carefully about our use of our medical insurance, complete with personal, ‘heartwarming’ stories about their families using urgent care instead the emergency room. I thought “ah, we’re self-insured, and they’ve gotten the bill for my IVF.”

      3. Sharon*

        Some large companies choose to pay all the health claims out of their own money rather than paying insurance premiums and having an insurance company pay. Essentially, they have decided that their employee population is similar enough to the general population that there is no outsized risk to insure against. If you have 10 employees and 2 of them get cancer or are in a serious accident, you could end up spending way more than you planned on health expenses. But, if you have 10,000 employees, you would expect X number of them to have serious medical issues at any given time and budget accordingly.

        BUT one of the main reasons for having an outside administrator manage the payments is so that the company doesn’t have access to protected employee health information.

      4. noahwynn*

        I worked for a smallish company that was partially self-insured, so it isn’t just big companies. It was almost like there were two layers of insurance. The company was responsible to pay the first $1o,000 of claims submitted in a plan year per employee. After that $10,000 the insurance company paid the rest.

        It was a way for the company to drastically reduce healthcare premiums. It was cheaper for the company to just pay out the costs of the occasional doctors visit compared with paying a higher premium each month. It was risky though, if several people were ill or had severe accidents they would quickly overtake the premium saved.

        I left the company is 2018, so not sure how they fared with this plan through the pandemic.

        1. Richard Hershberger*

          Lots of trucking companies have similar arrangements for their liability insurance. They might have a policy with, say, a hundred thousand dollar deductible. It makes negotiating a settlement interesting. So long as the discussion is within the deductible, you are talking to the company itself. As soon as the number goes higher, you are talking to the insurance company.

        2. Nicotena*

          Yeah well it sounds like this is the Plan B; if someone gets sick in some expensive way, they get rid of them.

      5. Don't Remember*

        I used to work in the field and specialized in self-insured. Self-insured is where the insurance company is actually a third party. The employer gets to write their plan to determine what benefits are covered and how (subject to laws). The third party is responsible for processing the claims according to the contractual plan. This is supposed to eliminate the bias and liability to the employer. As mentioned above, the reporting the company is receiving isn’t the problem, it’s that it’s not deidentified. Now there is a lot of liability on the employer and in my experience, nothing good will come from it. I had to put in writing my refusal to provide such information to a client once because of the laws. Thankfully, when I was able to provide the law, my boss supported me.

        1. Software Dev*

          Asked a friend who works adjacent to this industry and is getting a masters in a subject related to insurance, she said this:

          It’s really hard to prove that they fired that guy based on his expensive medical care; the HIPAA violation is really hard to prove. If they’re self-funded (I know she says the insurance company, but she also says she’s not experienced in benefits, and she probably means the TPA), unfortunately the individual claim approval practice is probably legal, and they’re probably /not/ paying the insurance company; they’re deciding whether to approve or deny claims themselves, which they can do if they’re self-funded.
          Which yes is f*ed up, but not actually uncommon
          (They can also “approve” it, but pass the cost on to the employee, depending on how their plan is structured).

          I asked about the data being identifiable:
          afaik that’s not actually illegal unless the employee can prove they were discriminated against because of it. Claims processing /is/ individual, and if they’re self-funded, processing that claim and approving/denying it counts as a legitimate use of the data.

          (Be interested to hear perspectives from other people in the industry)

          1. MissBaudelaire*

            Yeah, as far as the firing/termination, I think you have to have really solid proof. So they could say “Heavens, of course we didn’t fire him for that!” and if you couldn’t prove that they did, then… well it’s your word against theirs.

            We all know what’s going on, and it’s wrong, it’s just that whole proof thing

          2. Observer*

            I asked about the data being identifiable:
            afaik that’s not actually illegal unless the employee can prove they were discriminated against because of it. Claims processing /is/ individual, and if they’re self-funded, processing that claim and approving/denying it counts as a legitimate use of the data.

            I’m pretty sure she’s wrong on this. Even within a covering entity, there are restrictions on who gets to see identifiable data. And clearly here there are people who have no actual need (as regards to actually providing coverage) that are getting this information.

    6. Observer*

      but this information in and of itself going to the head of HR seems normal if this company self insures ae AND THE EMPLOYEES ARE DEIDENTIFIED.

      Yeah, well it’s the deidentification that’s the issue here. The detail is not just an addendum, albeit in capitals. It is the KEY to the whole situation. And I’m pretty sure that they are doing is not legal.

  8. learnedthehardway*

    OMG!! I think your coworkers would be appalled to find out that their employer was prying into their personal health information like this. (sarcasm font on) Seems to me that it would be a crying shame if they found out (sarcasm font off)

    The fact that the VP HR is involved in this indicates to me that that individual is unable or unwilling to push back against unethical (and even illegal) requests by management.

  9. pretzelgirl*

    “I definitely don’t plan on sticking around long-term so I don’t want to make a huge deal out of this, but at the same time I don’t feel right sending this information around like that.”

    I am truly not trying to be jerk here but…. PLEASE MAKE A BIG DEAL OUT OF THIS!

    1. Momma Bear*

      Especially since LW doesn’t plan on staying – it won’t affect them the same as if they were going to stay long-term. I agree that they should speak up.

      1. Not Tom, Just Petty*

        I wouldn’t want to stick around either because I wouldn’t want to be named as a witness in the lawsuit. /s
        I think OP should do some whistle blowing.
        I don’t think this will even come to a civil lawsuit, it’s so straight up criminal…

      2. quill*

        Yeah. #1 is lawyer, #2 is start arranging your escape now, steps #3-whatever, in the order your lawyer advises, are document, record your objections, blow whistle.

    2. kiki*

      *Because* LW isn’t planning on staying longterm, they are actually in a better position to make a big deal of this than many of her coworkers! If LW has other references especially, this is their golden opportunity to make a fuss!

  10. Moose*

    But the company, as far as the OP can see, has done nothing illegal. OP is inly seeing half of the “activity” and doesn’t know if they are using the info for illegal purposes. And the part they do not see is the pivotal part of the whistleblower act.

    If the company is using the info for not-really-illegal reasons, then OP would be really up shit creek for blowing things up without all the facts. Just suppose that they are using the info to forecast future insurance costs with zero negative effects to individuals on that list, that isn’t a whistleblower issue.

    I am not saying tha OP is wrong to be concerned, but ffs, cya and be sure with whats happening first.

    1. not a doctor*

      There’s absolutely no reason to include anyone’s name on such a report. As Donna said, the company is at best flirting with a HIPAA violation for passing them along.

    2. Cake or Death?*

      Forecasting future insurance costs wouldn’t require the names of the employees, though.

    3. FridayFriyay*

      It is not the OP’s job to investigate this sort of misconduct. Even so, the actions described by the OP re: passing along identifiable medical information is almost certainly a HIPAA violation which indeed makes it illegal.

      1. Need More Sunshine*

        Yep, part of the deal with HIPAA is that the reason the info is passed doesn’t matter. HIPAA stipulates that if you pass on any info, it must be de-personalized and must pass on the minimum amount of info needed for the purpose. If the COO and VP or HR are designated to see the info, that could be a loophole, but otherwise, simply passing the info with any identifying info is a HIPAA violation.

    4. LTL*

      I’m not sure that plausible deniability is enough to keep the company out of legal trouble. The situational factors are so sketchy.

      Definitely recommend OP reaching out to a lawyer.

    5. feral fairy*

      The LW is participating in HIPAA violations and as an individual, they are liable for violating HIPAA & not reporting the fact that their company is violating HIPAA. Additionally, there are state confidentiality laws that are even stricter than HIPAA for certain diagnoses like HIV, mental illness, and substance use disorder so if this employer operates in a state where those laws exist, they are likely violating them as well.

      We don’t know if the company is using this information to fire people or retaliate, but at minimum, the company is violating at least one law. A lot of companies get away with this kind of illegal behavior because no one feels like they know enough to report them. Fortunately, the LW doesn’t need “all the facts” to do something here because that would be the investigators’ job. They know enough to know that their employer is asking them to do something flagrantly illegal. They don’t need to know why before they report it.

      1. Kyrielle*

        They are aware of it, but not yet participating, unless knowledge alone counts: “For now this particular duty has been delegated to my manager (who has experience in benefits but only started at this company a week before me), so I haven’t been doing it, but I’m worried about when the time comes for me to take it back on.”

        I would strongly advise they not take it back on, even if they have to refuse (and/or quit without something lined up).

    6. fhqwhgads*

      The specific request to include names with the codes is already illegal. There’s no legal business reason for the person asking for that information to include that. The codes and amts by themselves? Yes. Once they add names, noperoo.

      1. Black Horse Dancing*

        If the report lists dates of services, it would be easy to ID who got what treatment.

        1. Observer*

          That’s true, but it could be harder to tie that to a clear HIPAA violation. But actually putting the names on the list? That’s a slam dunk.

    7. HR & Cats*

      Agreed with the other comments in this thread but also worth noting that most whistleblower laws (I think all, but saying most just in case since IANAL) include provisions that protect an employee making a claim in good faith, even if everything is actually fine. I can’t imagine anyone not seeing concerns over this practice not being in good faith.

  11. Rose*

    I’m sort of surprised by how vague this legal advice was.

    I’ve worked in healthcare almost my whole career, including a long stint in health insurance. I’ve had to do aprox 1000 trainings on privacy law.

    Unless everyone has signed off to this happening, which seems unlikely, this is 100% illegal in every state.

    1. Not Tom, Just Petty*

      My brother is a lawyer. I’ve asked him hypothetical questions, questions about cases in the news, historical cases. His answer is not necessarily vague, but he will not make hard and fast statements. He qualifies his opinions and clarifies that different states have different rules. OP will need to consult a lawyer to get hard advice/info.

      1. Generic-username*

        Yeah, this is how lawyers talk. You learn it during your first week of law school

        “It depends”

    2. FridayFriyay*

      No lawyer is going to give clear and specific legal advice to a stranger on the internet without all the relevant information and facts of the case, some of which weren’t provided in the letter. That would essentially be legal misconduct. OP needs her own legal consult.

      1. A Poster Has No Name*

        Yes, this, and Donna doesn’t know what state the LW is in, so she gave advice more specific to the state where she practices, but can’t at all be specific about what the LW should do in any other state.

        1. Elizabeth West*

          The fact that she said “WHAT!?!” is pretty telling, though.
          (I second the advice that OP should get a lawyer.)

  12. Beautiful, talented, brilliant, powerful musk-ox*

    Wooooow. And I thought it was sus when a company I worked for went from “You’re underutilized and we want to give you more responsibilities” to “we don’t need you. It’s nothing personal, but your position it obsolete” like three days after the new office manager found out I’d used mental health benefits in the past (which she kind of pressured me to disclose — her bosses, who were technically my bosses, already knew this).

    I cannot imagine any reason to collect this information that isn’t at least unethical if not illegal. Huge yikes.

  13. Teapot Repair Technician*

    Every week, we receive a report from our health insurance company with the names of employees who had a claim processed that week, and the costs associated with their claims. The file itself doesn’t contain anything confidential, but it does have the medical codes associated with the employee’s claim.

    Is it normal (or necessary) for employers to receive such a report?

    1. Construction Safety*

      I got a quarterly report which had gross dollars and no identifying information or medical codes.

    2. Sharon*

      Everything about this report is confidential health information tied to specific employees – the fact that an employee had a claim, the date of the claim, and especially the code associated with the claim.

      1. Need More Sunshine*

        If the company has a self-insured plan, it’s very normal, but they also should have specific designated individuals who have access to this info/report (for HIPAA reasons), and the intent of the report is not to then track down individuals and mess with their medical plans. It’s for identifying trends in the plan and figure out which parts to invest more in, which the company can drop, etc.

        1. Jess*

          But it is NOT normal or legal to have the employees’ names attached to the medical codes. Self-insured or not, this is a HIPAA violation. The COO and HR could get *anonymous* reports about claims and costs, but no names – not even other “identifying information” should be given to them.

  14. A Library Person*

    As someone from the US, I am trying to imagine explaining this to someone whose country has a centralized healthcare system. This right here seems like a pretty good argument for getting employers out of health insurance entirely (along with many, many other strong arguments that I fully support). I think the crux of the issue is that there is no legitimate reason for the company to want this information; the only plausible reasons (to my mind at least, and apparently to Alison’s and Donna’s) relate to retaliation against employees who happen to require medical care.

    1. Crivens!*

      Yeah, this is a prime example of why insurance should absolutely not be tied to employment.

      And here I am getting upset and offended about our yearly “biometric screenings”. At work. Which shouldn’t be a thing.

    2. mreasy*

      There are about a million reasons to separate healthcare from employment. This is an outlier reason but definitely is one!

    3. Bamcakes*

      Coming from outside the US— I’m kind of surprised by the shock! I mean, it seems like a logical outcome of employers being responsible for healthcare costs, so I’m surprised it’s not either normal practice or specifically outlawed. The fact that it seems to be in legally dubious area is what surprises me: I can’t believe they are the first company to think of it.

      1. Not Tom, Just Petty*

        Oh, not even close. AAM has gotten letters here about companies that have a monthly newsletter listing people who had accidents at work (Sara slipped in the parking lot. Shame on Sara. Don’t be like Sara) And the amazon story and other less monolithic companies. It’s just that the people involved don’t typically write to Alison for advice about it.

  15. McThrill*

    I know you said the info doesn’t contain anything confidential, but the fact that you can match specific medical procedures and costs to individual employees seems to say otherwise.

    I can think of no legitimate reason for a company that is not a health insurance broker to be able to have that information.

      1. Dave*

        What I find interesting is at some companies, especially those family ones, who has access to confidential information can be disturbing. I have known owners who thought they had a right to ever piece of info no matter what and who said what no matter because it was their company. And then they turn around and do stupid stuff. The pressure there was to go on your spouses insurance. It did have the added benefit of them no being in my business and made the job change easier.

    1. Need More Sunshine*

      I work for a health insurance broker and we have even less reason to see these reports than the employer. Really only the insurance carrier and whoever is in charge of benefits at the employer should have access to view a report like this.

    2. stefanielaine*

      Right – obviously OP’s employer is the real problem here but it worries me that OP classifies a report with employee full names, cost, and CODES! as “doesn’t contain anything confidential.” My goodness. That’s as confidential as it gets.

  16. butwhytho*

    This whole thing is bonkers. But I do have a serious question here…

    Do all health insurance companies send a list of claims and their corresponding medical code to the companies they work with? How is this possible/legal?

    1. Daisy-dog*

      Yes. Not all include employee data though. It’s to aid in making decisions on healthcare choices.

    2. Need More Sunshine*

      This is typical for a self-insured plan, wherein the employer uses a TPA for the administrative side of things (like ID cards), but pays all claims directly to the provider. This is more common in larger employers (think over 100 employees).

      Smaller employers usually are fully-insured (so the insurance carrier pays the claims and the employer literally just sees the monthly premium per person) or are level-funded, which is like self-insured-lite. They’d still get a report, but it would likely not have any names or PHI (personal health information) on it, just aggregate numbers.

      It’s legal because with a self-insured plan, the employer is the administrator of the plan and manages everything. Fully insured plan are ruled by the ACA, so all the medical care available is mandates. With a self-insured plan, the employer can decide to opt-out of some of those, or include extra care, so these reports are to (1) show the claims to be paid since the employer pays those directly and (2) track trends to decide how to alter the plan at renewal time. But it’s not legal to share the PHI with just anyone – it can only be shared with a designated individual (so I wouldn’t be surprised if the VP or HR is one of those people) or with the permission of the employee whos PHI it is (obviously not the case here).

    3. Jess*

      I feel like this part is not being emphasized enough in comments: any claims information sent to the employer should NOT have employees’ identifying information on it. That means no names, and no information that would let the employer figure out who it is (so, no name, no home address, etc)

      HIPAA has really clear privacy standards.

      1. Tessie Mae*

        +2

        Just watched Clue a couple of days ago after someone made that comment. We lost Madeline Kahn much too soon.

  17. Gwen Soul*

    Sounds like a self funded plans and they are figuring out coverage and if something falls outside of what they agreed to cover. pretty crappy.

    1. Butterfly Counter*

      It sounds as though it’s something they agreed to cover, but is expensive. So rather than state they deny coverage for the procedure/medicine, they just fire the employee.

      1. MissBaudelaire*

        This is what I suspect.

        “Hmmm, we noticed Jimmy Maureen is has an awwwfuullll lot of appointments here… They’re sick, and they’re costing us money. They gotta go.” or “We noticed Jacqueline Peter’s husband is undergoing some veeeerrry expensive treatment. That’s too expensive. They’re outta here.”

        It sounds all well and good to offer benefits, and to have employees pay their fair share. But insurance is like a bet, and when you lose the bet you have to pay out. And that’s expensive, and they don’t want to do that. Easier to just dump the employee for other reasons that have nothing to do with it, no sir, we’re appalled you’d think otherwise.

  18. Daisy-dog*

    That report is strange! My insurance company provides a report of all claims and the amounts associated with those claims, but does not provide any PII. When I worked at a small company, it was pretty obvious who it was for the high claims. I didn’t share it with anyone though.

    We used the report to determine if we should make changes to our insurance choices.

  19. CatCat*

    I’d (1) find a new job, and after that, (2) file a HIPAA complaint with the health plan, whatever state body regulates the plan, and the U.S. Department of Health and Human Services.

    1. Tread carefully*

      Yes. Being a whistleblower can have huge fallout for the rest of your life. You’re not obligated to ruin your life over this. Gather your proof, get a lawyer & give the info to the lawyer (since you may get in trouble if you take company info with you when you leave). THEN leave. See if you can submit the claim anonymously, even if they THINK it’s you.

    2. Jack Straw*

      Yes. I work in healthcare and my HIPAA and PHI (private health information) alarm bells were going crazy as I read this letter!

  20. Texan In Exile*

    I work in an industry (not healthcare) that collects medical information from customers. There is no reason I, in my role, would ever need to see that information. If I even tried to get such information, I would be fired. (As would someone who has a role that requires using that information and who shares that information with someone who doesn’t need to have it.)

  21. Quickbeam*

    My company is self insured and uses a TPA (third party administrator) to process claims. Its been obvious for a long time that everyone at a management level knows what my health issues are. I don’t think this is that unusual though awful. When I was a manager we got a file on all employee EAP issues.

    1. Utahn*

      When I was a manager we got a file on all employee EAP issues.

      I’m sorry, WHAT.

      At my company we were explicitly told that our company is given a total number of employees who utilized the EAP each month and that is it. No issues identified, no individuals identified, no differentiation between usage by an employee vs dependent.

      1. MissBaudelaire*

        Yeah, that feels super icky. If I go to EAP, I don’t think my managers need a neat little file about all the stuff I went for. If I went for a crippling fear of clowns, that’s my business. If I went for anxiety, my business. Family issues? MY BUSINESS.

        My manager only needs to know that I’ve punched in and am getting my work done.

    2. Urbanchic*

      I don’t agree with it, but this is a real appeal for companies doing self-insurance. They have access to medical information, and can have better foresight into future medical costs. A lot of companies design wellness plans based on this data. Agree it is not OK, but just so the OP is aware that this is the reality in some places.

      1. Utahn*

        Right but at no point-even if self-insured-should individual names be connected with individual costs/procedures and reported to other people (even if they are senior corporate decision makers).

    3. feral fairy*

      Do the employees know that the managers have access to their EAP information? Because if not, that should change. There are cases in which people can explicitly give permission for their employers to get info from the EAP provider but from my understanding, that would only be if the employer is making the employer go through EAP as a condition of them staying employed there.

      1. RosyGlasses*

        Yeah – my jaw dropped again reading that. Our EAP is completely confidential. The only time there would be “EAP issues” tied to an employee is if HR/manager made a direct referral to EAP as a condition of employment, as you stated. Hoping that’s all this person was referencing…?

    4. Observer*

      . Its been obvious for a long time that everyone at a management level knows what my health issues are. I don’t think this is that unusual though awful. When I was a manager we got a file on all employee EAP issues.

      Depending on how your management is getting the information, that may be illegal. Same for the EAP – in many cases that would be illegal if.

      Most well run EAP’s actually don’t provide that kind of information unless the company doesn’t actually want people to use it.

    5. EAPerson*

      I work part-time for a small business that was just acquired by a larger company. They offer such amenities as direct deposit, a selection of healthcare plans, and an EAP. Most of my colleagues have only ever received a physical paycheck, a handwritten W-2, and had never heard of an EAP. The new management has been laying on the anonymity of the EAP so thick that I’ve started feeling skeptical, and now I’m really concerned!

  22. PT*

    I’m shocked so many of you are shocked. You haven’t been in benefits meetings where they say, “We’ve had a lot of employees with expenses this year, like cancer or heart attacks, so we’re switching to a cheaper carrier?”

    They know. They all know. Even the companies that act like they’re following HIPAA and keeping your health information confidential. They aren’t and they’re keeping track.

    1. The Prettiest Curse*

      Yeah, I am entirely unsurprised by this, I heard so many horror stories while working for a nonprofit focusing on a specific medical area.
      I also had a relative fired for taking too much time off to care for their spouse, who was dying of cancer. (This was more than a decade ago and the company deliberately kept their employee numbers low so that state and FMLA would not apply to them – state law has since changed to apply to almost all companies with employees.) So honestly, nothing about this letter surprised me.

    2. FridayFriyay*

      There’s a huge difference between this happening on an aggregated level, and this happening at the level of personally identifiable medical information.

      1. nona*

        And a big difference in “we’re switching carriers” and everyone stays employed, but has to use Insurance B instead of Insurance A, and “we’re laying off Employees C and D because they used too many benefits”.

      2. Rusty Shackelford*

        Right. “Five employees had cancer, so we’re looking for cheaper options” is way different from “Fred had cancer, so he’s getting laid off.”

    3. Miss Muffet*

      Still – having this information in the aggregate (which is more typical for benefits depts to get, de-identified) in order to inform benefits decisions, is a FAR cry from having this informationtied to EEs in a way that people know what procedures and diagnoses a specific EE is getting, is illegal/unethical.
      Having worked in benefits my entire career – for many large orgs – I don’t think the larger/better companies are keeping track. I mean, with 50,000 employees, how would you even do that.

    4. Beautiful, talented, brilliant, powerful musk-ox*

      There’s a massively huge difference between knowing which benefits have been utilized overall and knowing individual employees’ health claims. I don’t expect my employer to be in the dark regarding which services are being used, but I also don’t expect some random C-level to know the exact treatments and tests I’ve undergone as an individual. One helps with overall decision making; the other helps with personal discrimination.

    5. fhqwhgads*

      It’s normal they know what they paid for. It’s not normal for them to know exactly who is attached to the claims.

    6. Observer*

      You haven’t been in benefits meetings where they say, “We’ve had a lot of employees with expenses this year, like cancer or heart attacks, so we’re switching to a cheaper carrier?”

      That’s gross. We all get that. And we all get that there are companies that do this. But that is NOT the same thing as a company getting a detailed list of who is getting which specific treatments, when. The former is gross but legal. The latter is gross+ AND illegal.

    7. rudster*

      Of course I have. And felt horrible for the poor people that everyone knew had been out with major medical issues shuffling their feet and nervously staring at the floor.

    8. Keymaster of Gozer (she/her)*

      I’m not in the US so am probably wrong, but from my understanding it’s one thing to be told ‘hey, X number of people had stuff related to stress’ and absolutely another to be told ‘oh Dave has been prescribed antipsychotics and Shelia had a miscarriage and..’.

      The personal identification bit, or trying to get that information, is what is shocking. No employer has a need for that, because there’s simply no way they can justify it.

        1. Keymaster of Gozer (she/her)*

          Thanks for responding :)

          Absolutely it’s time to talk, just talk at first, to a lawyer. Not sure of the specialisation in the US but the one I spoke to (‘hey, is this dodgy? Also if it is worth a case can you recommend who to go to next if it’s not yourself?”) wasn’t the one who eventually took on the case but gave me the ‘heck YES this is illegal – call this firm, they handle this, it’s too big for my league’ talk for free.

  23. kjolis*

    I sometimes worry this. I take an injection every 8 weeks that costs $25k/shot. My insurance keeps bumping me from one prescription fulfiller to the next to find a cheaper price. How aware is my employer regarding my treatement, and coudl they ever retaliate some way?

    1. Kristin*

      I have a very similar worry with similar costs for medication (I’ve looked at what my insurance pays and have been shocked at the cost). Thankfully, I don’t think my current employer will do anything about it (unless something changes), but it definitely makes me nervous about moving to a different company. This just furthers supports my position that health insurance should not be dependent on employment/employers.

    1. Gwen Soul*

      If it is self funded it actually isn’t a violation since the company technically is the insurer

      1. goducks*

        It is a violation if they’re giving PII to people who don’t have a need to receive it. HIPAA requires that they keep that close, and not just distribute it to every exec who is curious. There’s a lot of reporting that can happen on the plan without disclosing PII, including claims forecasting.

        1. Insurance Q&A*

          Yeeaahhhh this violates the minimum necessary rule 6 ways from Sunday.

          OP, please DO make a stink about this. Not planning on staying at the company long actually puts you in a great position because they’ll have less leverage over you.

      2. feral fairy*

        They can have access to this information but what makes it a HIPAA violation is that identifying details are being attached to PHI and then passed on to the directors at the company who have no business knowing who specifically got the medical treatments.

      3. Observer*

        If it is self funded it actually isn’t a violation since the company technically is the insurer

        Nope. There is a limit to who is allowed to see that information. Only the people actually administering the plan are entitled to see that information. This information is going well beyond that.

        1. Keymaster of Gozer (she/her)*

          Forgive me if I’m wrong (not in US) but in my limited understanding it’s a data protection thing – like if I’m technically allowed to go into the HR database to fix a problem that doesn’t mean I’m free to look up everyone’s details and share them?

          So even though a company as a whole might administer the insurance, it’s only those doing it as their day to day jobs are allowed that information – not everybody else who by position of e.g. seniority or admin rights might conceivably gain access?

  24. Carol*

    I worked at a (pretty big) company where a former head of benefits was receiving this kind of information, and continued to receive it even after being reorged, for absolutely no administrative reason whatsoever. No suspicion it was used to penalize anyone more generally, but it could have been. The person more likely wanted to satisfy nosiness and feel like they had special knowledge.

    I, too, have no idea how it’s legal for an insurance company to even send info like that. I think the file had employee names and perhaps general descriptions of claims? This was a major insurance provider, too.

  25. Old, but techno savvy*

    Joining into all of the WOW’s! Working in Healthcare IT, I have the occasion to see files that contain potential PII. The compliance training we go through is pretty intense and I’m so far outside of knowing what any of the ID numbers match up to it’s not even funny, but those are the rules we follow to keep the data of our clients safe and secure. I can’t even imagine having the requirement to look up that type of information that can be directly identified to a colleague. WOW – just WOW

  26. HarvestKaleSlaw*

    I wish I were as shocked as other commenters here, but I’ve seen this more than once. There is a segment of business owners – I would say a pretty sizeable chunk of your own local Chamber of Commerce types – who believe it is 3000% their business what treatment employees are getting “on their dime.” And yes, it is common to fire people who get sick to keep costs down.

    A lot of people buy their own press, on the whole ‘Galt/entrepreneur/job creator’ thing, and they will admit to doing this without any shame at all – in fact, they will be really self-righteous about it.

    It’s part of why I moved to a different region of the country, where I no longer encounter this. But go to certain regions or certain industries, and it is the norm.

    1. HotSauce*

      I hate that mentality. It’s not on “their dime”, that dime is earned by the employee as part of their compensation package. That is a big part of why I will never step foot inside of a Hobby Lobby for the rest of my life. They shouldn’t get to choose how I spend my health insurance benefits any more than they should have the right to dictate how I spend my paycheck. It’s such an infuriating subject that I see red every time I think about it.

    2. Gumby*

      You can find it across regions and industries too. I know someone who was “mysteriously” fired from a huge, well-established, German-based multinational (she worked at a large branch office in the US, in California) right before her husband was scheduled for a surgery. And it was extremely obvious. Really, really obvious and I deleted the details but suffice to say she did “win” whatever legal-type action she took and the company was forced to pay for the surgery, but in the meantime it was a major source of stress.

  27. Ben Marcus Consulting*

    It’s clear that there’s some form of self-funding going on here. If not the entire health plan, then at least a health reimbursement arrangement for the plan’s cost-sharing. It’s possible that this process is meant to provide on-going oversight to better allow for plan funding*, but I agree that it’s weird so many heads are getting this info.

    *If this were the case, it would be prudent to know why claims are coming in and if there’s going to be expected near-term followup.

    The health systems that I manage have started doing this at the patient level using annual care-plan cost estimates. This allows the patient to make adjustments to their health benefits such as more or better insurance policies, HSA/FSA contribution adjustments, seek out care credit or other health financing accounts, source out alternate coverage, and so on.

    1. alioelj*

      Yep, and heaven forbid that they (the business owners”) are evangelical Christians and you are a woman with the audacity to get an abortion or prescription birth control……

    2. Utahn*

      It’s possible that this process is meant to provide on-going oversight to better allow for plan funding*,

      *If this were the case, it would be prudent to know why claims are coming in and if there’s going to be expected near-term followup.

      Right, but individual names should never be connected to procedures/diagnostic codes for that type of report or analysis!

      1. Ben Marcus Consulting*

        I don’t think we know enough. It is possible that it’s only for the funding analysis, it’s also possible that this is part of the adjudication process* (at which point a name is important else verifying benefits eligibility would be impossible).

        *In this case, the information is important for verifying several factors including whether the claim exists within a global period of coverage, if it’s technically a repeat procedure that would be anatomically impossible to repeat, if the procedure/diagnosis are medically necessary for the age/gender of the employee, if similar services are being received by another healthcare professional, and so on.

        1. Jess*

          So, first: the OP says these are claims already approved. This isn’t claim adjudication. Second: to be claim adjudication, you need more than employee names and medical codes. Third: the “group health plan” and the plan sponsor are legally different entitites (yes, in a self-funded plan – they are legally distinct). That means a group health plan has to be very careful who gets sent any actual identifying information – it cannot go to the plan sponsor just because the plan sponsor self-funds. The exception is anonymous summary data, of course, for the funding analysis you mention. But no PHI can be involved.

          In a theoretical world, the group health plan (the legal entity) can process and adjudicate its own claims, but then it wouldn’t have a third party administrator (the company who processed and approved the claims, in the OP’s question). And again, it’d be the group health plan itself handling claims, with specific designated and trained and qualified claims people – that would be their job; it would not be the COO or head of HR, as approving claims is its own full-time job.

          1. Ben Marcus Consulting*

            While the TPA may take care of the self-funded plan, it is still possible that there’s an HRA that would be managed by the sponsor. There’s also no indication here if there is a TPA, the employer may have established a trust and designated a Fiduciary (which could very well be the COO or head of HR).

            I agree that this arrangement seems off, but it also isn’t so unusual that I haven’t run into it before.

            The more that I think about it, the more this feels like an attempt to lessen the impact of shock claims. Whether that’s by prepping the plan funds or an attempt to push out healthcare-expensive employees, I can’t really say. I think it’s reasonable to assume the latter considering the assigned employee hasn’t been emboldened to handle this.

        2. Observer*

          It is possible that it’s only for the funding analysis, it’s also possible that this is part of the adjudication process* (at which point a name is important else verifying benefits eligibility would be impossible).

          There is no way that this information is needed for funding analysis. And it’s also quite obviously not about the adjudication process, as this is a standard report of ALL treatments, not of “disputes” or “questionable coverage” issues or anything like that.

  28. quill*

    1) We don’t need a “worst company policy” poll this year, I don’t think we’re gonna get worse.

    2) 3,000 is SUCH a low bar for this. That’s just like, getting one x-ray done (been there) or going to get routine bloodwork and it getting billed to the wrong insurance (also been there).

    1. AVP*

      I mean, anyone with a normal regular-risk pregnancy can rack up those bills monthly if you try hard enough!

      1. quill*

        Yup! In practice they’re not just retaliating against anyone with significant medical conditions, they’re retaliating against anyone with any health problem worse than a case of strep ever. Not like it would be better if the barrier was higher, except that OP is probably going to be asked to violate medical privacy of their coworkers every week when they set it this low…

    2. Atlantic Toast Conference*

      Your point #2 was what struck me immediately, too– obviously this is a horrible practice no matter what their definition of “high cost” is. But $3k?? Just go ahead right now and report that you’re likely to see at least one “high cost” procedure from every employee, every year, for eternity.

      1. quill*

        Like… let’s see, Jane broke a finger, John had a gallstone, Tangerina needed stitches while she was out of network. Clearly August was a banner medical month for the teapots department!

    3. Parakeet*

      Yeah my neuropsych evaluation cost more than that (even with my copay subtracted). A sleep study costs more than that. An awful lot of things do.

      1. quill*

        Or just “got temp crown. Bit down on a peanut, broke crown. Had to schedule second temp crown / emergency real crown.”

        Pretty sure your kid breaking the wire on their braces could cost this much…

        1. Nina*

          as someone living in a country with universal-except-for-anything-dental-related healthcare, I am ACTUALLY SHOCKED that breaking a braces wire would cost $3000.
          My spouse had to get a couple teeth crowned in the past year. Out of pocket (our pocket, no subsidy), $1500.

        2. Carol the happy elf*

          My son’s middle school had a “Dummy Smack” game where they would hit each other in the back of the head if the wrong color was worn on game day.
          Son was wearing red, and getting a drink from the fountain. FOUR crowns that day.

  29. Alton Brown's Evil Twin*

    OP says this is a new company. It can’t be an ordinary small startup, what with having multiple employees making medical insurance claims every week.

    So whoever in the C-suite who set up this policy has probably done it at their previous place of work. Or if this new company is the result of spin-off, rollup, LBO, or other financial engineering, the money people are the ones behind it.

  30. animaniactoo*

    When you are looking up CPT codes… O. M. G.

    Actually… why is the insurance company attaching names to their report of coverage? What your company does is mind-boggling. But the more I think about it, I am fairly sure that the insurance company is not supposed to be reporting names as part of the data.

    Anybody with insurance experience can weigh in on that, and whether that would be something the LW can follow up on?

  31. foolofgrace*

    I agree that this is a big deal and something should be done about it, but I would recommend first finding a new job, and in the meantime, take home copies of offending documentation for evidence, including documentation about the employee who was terminated, the poor soul. Then you can blow the whistle without losing your job and not having another set up. This blows my mind.

    1. lazuli*

      Taking home personal copies of people’s public health information is probably not a good idea. The OP needs to consult with a lawyer.

        1. lazuli*

          And I just realized I wrote “public” rather than “private” there. I’m so used to abbreviated PHI that I missed it.

  32. Gwen Soul*

    I am thinking a lot of people would be shocked to find their employer is actually self funded and the insurance company on the insurance they think they have is just he administrator, most large employers do this I think. I work for one of the top 5 insurance companies and half our customer are like this which means while your card may say “Major Company” we actually are not your insurance company, your employer is, we just do the paperwork and legal documentation.

    1. psychiatric disaster zone*

      Yeah, this is news to me! As an employee, is there any way to discreetly find out if your company is self-funded or not? I mean, short of asking someone in HR directly.

      1. Tasha*

        It is spelled out explicitly in the plan documents that your employer is required to give you every year. They are probably available on your intranet. Most employees ignore them, or the required notice that they are available.

    2. FridayFriyay*

      Employers that self insurer are also bound to HIPAA and other relevant laws and regulations. This is not normal even for self insured plans.

      1. The Bad Guy*

        At the same time, it’s not exactly abnormal either depending on the data practices of the insurer. If the company is self insured, the data technically belongs to the company underwriting the claims. Often, companies don’t want this liability but some of the smaller “mom & pop” self insured accounts play fast and loose with the law.

    3. Kyrielle*

      I mean, my current company is, but I was told that upfront. I also assume they are handling that legally/responsibly, which would not include names tied to claim codes and amounts. (The last two, sure, but not the first.) If they’re using the info incorrectly, I really hope someone who knows that would whistle-blow. But I don’t think they are – I don’t think most self-insuring companies are. I hope.

  33. HotSauce*

    Holy Hannah. I can’t even begin to process how deeply offended I feel for the employees at this company. There is no way this information is being used for good purposes. LW, get out asap & report this to every org that can stop it.

  34. NW Mossy*

    In a way, it’s so much worse because it’s not just employees who are impacted – it’s any family members covered by the company’s insurance also. Those family members have no relationship with the employer outside of the health insurance and it’s even harder for them to realize what’s happening to them and fight back against the data misuse.

  35. No.*

    For the first time in my adult life, I have a strong desire to change careers entirely and go to law school and become an employment lawyer, just to take on employers like this. What. The. Living. Hell. did I just read?

  36. CrankyPants*

    I worked in a place once where the entire management team would meet regularly with the CEO and the HR director would occasionally bring up people who were using the plan for psychiatric care.

    When I was in the ICU for something my mom overheard someone at the nurses station saying my name, she found my bosses daughter trying to get specifics from them. My mom called her on it and she thought it was funny that her father (CEO) had initially sent her there to confirm I was in fact in the ICU and when she called him to tell him I was he started demanding info.

    When I got back to work after a month long stay in the hospital both his email (which I covered), his sons (I covered), and his father’s (also covered) where just full of clients, staff, and industry associates who found out I was ill and wanted to send something……all were met with “don’t bother” and I mean that is verbatim the response they received. Virtually every single one of them pushed back and were then told no one knew which hospital I was in.

    Obviously I quit that job shortly after.

  37. Dennis Feinstein*

    I’m not from the US and I’m frequently flabbergasted/horrified at the letters and comments I read on AAM about the awful working conditions Americans are expected to tolerate, but this is truly horrifying. I just cannot fathom why on earth health insurance is connected to employment and WHY ON EARTH an employer thinks its employees’ private medical issues are any of its business! This is one of the most disturbing letters I’ve ever read on here and that includes the one about the boss who made his assistant leave a note at a grave. (By the sound of it, it’s only a matter of time before OP’s employer starts leaving medical bills at late employees’ graves).
    OP please find another job asap and please report your repulsive employer to the appropriate authorities in your area).

    1. Lisa*

      This comment is obnoxious and unnecessary. We know we have problems and we don’t need condescending Europeans telling us how flabbergasted they are every chance they get. Also, letters on AAM are not representative of what it’s like to work in the US. People write in when they have problems, not when everything is fine and functioning normally.

        1. fhqwhgads*

          Alison usually posts a note at the top of the comments when a post involves US healthcare specifically asking people NOT to post exactly what Dennis Feinstein did. Lisa’s comment is roughly the same as that very very very very common warning on this site.

        2. Cat Tree*

          Whoa, I think you need to calm down. Lisa was also just expressing an opinion. Or maybe just learn that telling someone to calm down is both ineffective and a bit of a jerk move.

      1. EBStarr*

        That seems a little harsh! Personally as an American reader I find it valuable to get perspective from people in other countries, even though obviously I am already aware that this country is messed up. I understand why not everyone might find that valuable, but I don’t see any reason to call anyone condescending/obnoxious. Dennis Feinstein’s comment seemed outraged on our behalf which is completely fair.

      2. Mona-Lisa Saperstein*

        Huh, I didn’t find Dennis Feinstein’s comment condescending. I thought they meant it in more of a supportive way…because, I mean, the worker protections in the US do suck, and I think letters to AAM are probably an understatement of what actually goes on because this column skews toward people in professional environments, not the types of environments (eg, food service, retail) where more significant abuses are more common. Heck, I’m a lawyer with a federal contractor, and I’m regularly surprised at the kind of stuff my employer does. They have actually done something somewhat similar to what happened to this LW, and it was worse because they did so publicly.

      3. Lu*

        Agreed. My 6 year old just had a $50k diagnostic procedure done that was fully covered by insurance and the only comment from my employer was “take whatever time off that you need for her recovery.” They know medical insurance is part of the EVP and they work their butts off every year to provide two plan options and absorb as much of the cost as possible. But letters like that wouldn’t give Alison a lot to advise on.

      4. The Prettiest Curse*

        Yeah, and what about the Americans in this thread who are outraged? Are they allowed to be outraged only because they’re American?

        1. AnnieAnnie J*

          As European, I’d like to say that some of the stories I’ve read on ask a manager are horrific, and I don’t mean that in a hyperbolic way but the comments stating that this is normal in the US are even more shocking.
          Just the idea of not having something as basic as a contract, or the whole concept of at will employment, the idea that I could walk into work one day and be fired on the spot without any recourse my whole life could be turned upside down just seems incredible to me.

          1. Boof*

            There just tends to be a lot of pushback on making things required in the us i think; sometimes it makes sense, sometimes it doesn’t matter, sometimes it’s probably less efficient. I think it tends to boil down to a difference in philosophy / priorities rather than one of them being clearly the obviously correct and best way of doing things.

          2. Observer*

            but the comments stating that this is normal in the US are even more shocking.

            Those comments are shocking, but it’s actually not the case. I’ll point out that a lot of the people who are saying that this is normal are pretty clearly conflating reasonable anonymous reports with what this company is doing. And it’s just not the same thing.

            As for being fire for taking “too much time off” that’s not just an American thing…

          3. Dennis Feinstein*

            Exactly. As NOT A EUROPEAN, I find it shocking that employees don’t have contracts and that your boss can basically just go: “I don’t like your face” one day and that’s it! No more job.

      5. Submerged Tenths*

        I am FROM the US, and totally agree with Dennis! Sorry, Lisa, but our “functioning normally” IS pretty effed up, especially as regards medical insurance and vacation allowance.

        1. quill*

          Yeah, it’s much more helpful for a european to be saying “hey, this is horrifying” over a letter that is horrifying EVERYWHERE than seventeen europeans saying “oh, you only get one sick or vacation day a month??? How does that work???” every time we talk about americans overall having a subpar amount of leave.

      6. Darsynia*

        It sounds like you’re taking ‘US vs. Europe’ very personally seriously. Unless you have personal decision-making stake in how the country’s healthcare system is administered, there’s no reason to feel that way.

        Normalizing behaviors can go both ways, and this is a known issue for the US. It’s reassuring and helpful for letter writers to be told what’s shocking and abnormal, and as you’ve probably observed, there are more and less extreme responses. I’ll file both of your responses on the ‘more extreme,’ I guess? But you’re not personally culpable for the way the country does business! You don’t have to feel like it’s a competition.

        1. Darsynia*

          ((I apologize, I had the page loaded for a while before I responded, and when I did, there were only 3 responses. I wouldn’t have ‘piled on’ otherwise))

        2. Spencer Hastings*

          It sounds like you’re taking ‘US vs. Europe’ very personally seriously. Unless you have personal decision-making stake in how the country’s healthcare system is administered, there’s no reason to feel that way.

          And that’s why he’s preaching to the choir.

      7. Dennis Feinstein*

        1) I’m not European (or a man).
        2) I am actually SYMPATHETIC, not condescending. I am genuinely horrified at some of the truly awful things Americans seem inured to.
        3) Reading AAM makes me realise how many things I take for granted (paid sick leave, maternity leave, Medicare that is not in any way reliant on my employment, etc)
        I really hope this OP gets out of his/her awful situation, but, judging by the comments from so many others about the problems caused by the employment/healthcare relationship, s/he is by no means Robinson Crusoe…

    2. Teapot Repair Technician*

      As a European living and working in the US, I want to point out that letters to AAM are not representative of general conditions in the US. Obviously no one needs to write to this column when things are just fine.

      I don’t love having my health insurance tied to my employment, but I can report that in 25 years it’s rarely been a problem for me personally.

      I suspect a lot of people might hesitate to live in (or even visit) the US because they’ve heard horror stories about the healthcare system and working conditions here. I believe some of those fears are overblown.

    3. Boof*

      As i understand it the practice of tying health insurance with employment started with ww2 – there was a shortage of workers (because they were fighting etc) and a wage freeze to keep employers from trying to grab workers that way, so employers started adding benefits. I think this was about the same time Britain started to develop the nhs.

    4. CommanderBanana*

      It’s a terrible unintended consequence of wage freezes. Obviously I am way oversimplifying this, but the Stabilization Act of 1942 froze wages but allowed “insurance and pension benefits” to change. Coupled with worker shortages, the only bargaining chip that companies had was insurance and pension benefits when hiring. That kicked it off – there were several compounding pieces of legislation and other events and it snowballed, but that started it.

  38. Heathen*

    OK, we are all shocked, but how about more actionable advice for the OP? Honestly, in their position I’m not sure I’d have the inclination to go to a lawyer (paying for them myself??) or contacting government agencies. The OP is literally saying they don’t want to make a big deal out of this. What is it in it for them? I was looking for applicants for a low-skill job and got someone highly overqualified in a somewhat different field – they told me they were blackballed in their whole industry after filing a supposedly anonymous whistle-blowing complaint while employed. If the owners are well connected, and they knew the OP is questioning these practices while employed, it might not be difficult for them to figure out who it was. Even if retaliation is prohibited, there are ways to do so, subtly. I think the most expedient thing might be to just leave, wait a little bit to make it less obvious who they are, and then file a complaint?

    1. quill*

      If nothing else OP should go to a lawyer to make sure that they can make their escape without being liable for this company’s breach of privacy while they were forced to do it as a job duty.

      Ethically, whistleblowing is the right thing, but a lawyer is ALSO better poised than the commentariat to figure out how to do it the most anonymously, or Just Get Out without going down with the whole illegal ship.

    2. Aggretsuko*

      I agree with this. On the one hand this clearly needs to be blown, but on the other hand, whistleblowing is usually really bad for the person who does it. Like career-destroying.

      I would leave the job first.

    3. Detective Amy Santiago*

      I’d argue that LW has an ethical obligation to report this to someone. They should absolutely contact an attorney first and potentially wait until they leave though.

      1. quill*

        From a purely self-serving perspective, the OP needs a lawyer to determine if they have a legal responsibility to report on this, to object to performing it, or to testify later in order to not be liable for what the company is doing!

        1. Jack Straw*

          This. Even if you remove the altruism aspect, if the LW has knowledge of this practice and doesn’t report it, when someone *does* report it, they may be liable or involved.

    4. feral fairy*

      I think the LW needs to find a new job ASAP but they also need to report this. If they don’t, they could be personally liable but also just from a moral standpoint, if you know that a company is systematically violating the privacy of their employers and collecting information that they can use to exploit or retaliate against them, you have an obligation to do whatever you can to put a stop to it. In this case, that would be contacting a lawyer and reporting the company to every relevant agency.

      I get that it might put her at risk, but as it stands, dozens of people she works with (and most likely some of their families) are having their rights trampled on. There are certain scenarios where it makes sense for someone not to sue their employer like in cases where an individual experiences sexual harassment and decides the risks of reporting it to outweigh the benefits. In that case, the individual is the victim. In the LW’s scenario, they unwittingly became part of a process that is victimizing their coworkers.

      In the long term, if LW decides to not report the employer, down the line the risks to their professional reputation are far greater. Someone else will eventually report the company and when they are investigated, LW will be a witness whether or not they still work for the company. They could still face legal repercussions for participating and for not reporting the legal violations.

      It’s not fair that the LW got put into this position by her employer, but to me the choices are 1. do the right thing, report company & face short term repercussions but in the long run help her coworkers pursue justice or 2. say nothing and eventually face serious repercussions. Based on the fact that they wrote this letter in the first place, they are aware that their coworkers’ rights are being violated on a weekly basis and if I was in LW’s shoes, if I didn’t do anything to stop it it would weigh on my conscience for a very long time. So to answer your question, what’s in it for LW is that they can avoid the feeling of guilt and shame that comes with witnessing an injustice and doing nothing to intervene.

      1. HelenofWhat*

        I was also thinking about her professional reputation. If this blows up and she was found to not have reported it, she may have a hard time being hired in future benefits or HR related roles. Or really any role that requires handling confidential data. HIPAA violations risk tens of thousands of dollars in fines per incident. Better to get a lawyer and get ahead of it.

    5. LTL*

      I’m not sure if lawyers who work in this area of the law have free consultations, but OP should check if that’s a possibility.

    6. nothing rhymes with purple*

      I wish we could do a whip-round for LW to see a lawyer, but whatever the cost for an hour’s visit it’ll be money well spent if it helps the LW avoid legal responsibility for this mess. So that’s what I’d advise.

    7. Observer*

      The OP is literally saying they don’t want to make a big deal out of this.

      And the actionable advice here is that they should rethink their stance. At least when they leave. And that’s the other piece of actionable advice – that they should be looking to get out of there sooner rather than later.

      Oh, and although it’s not technically actionable, it’s worthwhile for them to be aware that the list they are looking at *IS* actually highly confidential.

      What is it in it for them?

      Human decency? Protection if (or when) their employer tries to make them the scapegoat or when the Feds come after their employer. Because if the OP does take on the task at some point, they will be personally liable along with their employer. NOT a good place to be.

      1. Keymaster of Gozer (she/her)*

        Seconded on the cover your own backside point. I didn’t consider that when I turned whistleblower but I think, in theory, if the case had got to the high court and my name had been found in conjunction with having seen/heard/processed data for (I was the IT department) any of the egregious crimes I’d have ended up with a court summons.

        (Given this got to the highest court in the land I had enough fun dodging the press as the one doing the right thing. If I’d been called in for hiding information…man I need a cup of tea.)

    8. Never Boring*

      Lawyers in some fields will provide a consultation for free, and this may be one of those fields. And the LW may actually be concerned with helping to right a wrong. That’s the LW’s decision to make.

  39. Lady_Lessa*

    I wonder if this happened to me. I had two treadmill tests done in a week, because I had a spell of weakness. The first one didn’t show enough, so I had the radioactive isotope done as well. Also an echocardiogram.

    Didn’t find anything, but within a year, I was let go.

  40. feral fairy*

    LW, you could be liable to fines and other legal repercussions for the HIPAA violations alone.
    I’ll be on one of my parent’s insurance for one more year and in the last two years, the costs have been high because I was getting ongoing treatment for heroin addiction. I cannot imagine if someone at my parent’s company sent all of that information to the directors- it would be a serious violation of my own privacy as well as my parent’s. If I was on my own insurance through my employer, this would be my worst nightmare. Many people are afraid of getting help for mental illness or addiction because of privacy concerns through insurance and medical providers, even though we are reassured that there are laws protecting us (and in the case of mental illness, substance use disorder, and HIV a lot of states have their own confidentiality laws that are stricter than HIPAA which your company is also likely violating).

    You did the right thing by reaching out. I implore you to report this to HHS and your state’s labor department. I understand how it feels when you realize a company that you’re working for is engaging in unethical behavior. If you do not report this, you will be complicit. Contact a lawyer and start looking for a new job. I’ll be thinking of you.

    1. foolofgrace*

      I hope you don’t take this the wrong way, but I have so much admiration for your fortitude in seeking treatment. I once upon a time had a little coke habit that was rough for a while, but that’s no comparison. I don’t think I could cope. You go [,girl]! (Don’t know your gender.)

  41. Judge Judy and Executioner*

    As soon as I saw that they were looking at a list of medical codes by person my heart dropped into the pit of my stomach. I have not yet recovered.

      1. Judge Judy and Executioner*

        TY! Borrowed from Hot Fuzz, one of my favorite films; “He’s NOT Judge Judy and executioner!!”

  42. alioelj*

    to the OP: Does your organzation not have a General Counsel? It seems that they may be out of the loop here and might want a heads up of the giant legal pain in the ass they are in for!

    1. FridayFriyay*

      Don’t do this before getting independent legal advice from your own counsel. The company’s legal team has a vested interest in protecting the company – full stop. That may very well misalign with the interests of the OP in this case. She could put herself at risk by tipping them off.

  43. I suspected as much*

    I always wondered if something like this gets done. I saw on our benefits person’s desk a list from the insurance of the claims for that month. I didn’t see any identifying markers, no names or employee ID #s, but I wondered how hard it would be to request that.
    I was so worried about this I took PTO and paid out of pocket for a mental health treatment because I was afraid my company would find out about it and use it against me.

    1. Observer*

      I didn’t see any identifying markers, no names or employee ID #s, but I wondered how hard it would be to request that.

      If the administrator is both competent and ethical, then it would be hard.

  44. The Bad Guy*

    I’ll say that when I worked in private health insurance, we would provide these reports to large employers who underwrite their own claims all the time but they were ALWAYS blinded. Side note: it’s still not a leap to get from hearing “Cindy has cancer” to seeing a big experimental cancer treatment on the monthly report, but that’s why I’m not in insurance anymore. To me, it makes perfect sense that the VP of HR and the COO would need to know what these major costs are for and whether they are expected to continue for budgeting purposes. Since they are underwriting their own claims, they do have to pay all of the associated costs after the out of pocket max is met. It is completely inexcusable though that these are unblinded reports; as we say in data work, one column makes all the difference.

  45. Ginger Baker*

    Not sure if this has been suggested yet, but you might want to [also] flag for the insurance company that they should *not* be sending this report with names attached (and particularly if – if accurate – you can point out the liability risk for the insurance company, this has got to be something HIPAA would apply to? I would think??). Easiest solution for you is if the insurance company “suddenly, wow shocker huh” changes its practice and going forward refuses to divulge specific patient names because “their lawyer told them they should cease doing so immediately”.

    1. HoundMom*

      The reality is that the data IS legally allowed. HIPAA permits the disclosure of claim data for the administration of the medical plan. The claim data is owned by the client, not the carrier. As long as the data is being provided by the TPA/carrier to the employees that are within the HIPAA firewall, there is no liability on the part of the carrier/TPA.

      The issue is that the data is being shared with employees beyond the HIPAA firewall for what appears to be reasons beyond the administrative needs of the plan. If the data is being utilized to fire people with certain dollar amount of claims, or certain health conditions, that is a violation by the employer, not the TPA/carrier.

      I have worked as an insurance broker for many years, an employer that would do this is extremely rare. The majority of employers would never do this.

  46. Retro*

    Reminds me of the time Tim Armstrong, CEO of AOL, cut the company-provided retirement, citing the birth of two premature babies.

    I read an interview with one of the parents where the parent spoke about getting crap from some of the employees who had their benefits cut – they were justifiably upset and unjustifiably blaming the parent and newborn. Awful.

        1. Rabbit*

          I was thinking specifically of chemo boss or liver boss, but those also count. Or abusive-boss-who-is-dating-my-dad, or a few more that I’m probably forgetting. One of the reasons letters like this one can be so disturbing is that this isn’t down to one terrible individual, the whole leadership is fundamentally messed up when it comes to normal ethical behaviour

          1. quill*

            Yeah, upthread I mentioned that this is probably the standout for worst company policy, rather than worst boss.

  47. AnonyNurse*

    Patient names are, in and of themselves in the context of medical information, what HIPAA calls “patient identifiers.” Aka confidential.

    Diagnosis and treatment codes associated with a person are confidential.

    OP, amongst all the other stuff here, please reframe for yourself: the file you get is, itself, confidential. It has confidential information. There’s no distinction between a list with diagnostic codes and a list of diagnoses.

    So even if the plan is self-funded, even if there’s somehow a legitimate explanation for all of this: The list does, for once, actually fall under HIPAA and the information contained in it must be protected.

    And if you haven’t been provided with annual training on HIPAA prior to being given access to this information so that you could identify it as protected, that is by itself a violation – even if it is just once, even if it is temporary.

  48. ACC*

    LW here. To clarify, this company is self-insured and we use a TPA to process our medical claims. Since I’ve written in to AAM, I looked at our plan document and it does state that our VP of HR (the COO has since relinquished their duty to look at this report), HR Specialist, and HR Generalist at the company can view PHI. But this doesn’t change the way I feel about outing employees to executives and based on the way the plan document outlined how PHI should be used, I don’t think they’re in compliance with that either. The TPA that we use doesn’t send this report directly to us, they just send an email stating that the report is ready, we go to their website and download the report and look up the medical codes.

    1. Heathen*

      Thanks for writing in, LW. So I guess it makes sense that HR would receive the summary plan costs, but not the fact that you can access individual names. Would it work to, perhaps, very naively ask your boss why the report is not anonymized – maybe wondering aloud what would happen if somebody who was fired (legitimately) might use this fact to claim it was based on their medical history? In a “please explain this job to me” way? Is it even slightly possible that they are genuinely unaware that this looks terrible, or are you already 100% sure that they are doing this in order to weed out expensive employees?

      1. quill*

        Lawyer and start looking for escape options first, but this is a decent idea to run by a lawyer.

      2. JSPA*

        If nobody had yet been injured, and if LW planned to stay, and if the company were otherwise legit and aboveboard in all dealings, I could see doing this.

        but

        a) it’s a nest of bees
        b) LW has good reason to believe people have already been injured
        c) LW needs to get out for a dozen reasons, not only this
        d) there’s zero likelihood that it improves LW’s position to be identified as the increasingly squeaky wheel
        e) The most likely outcome of asking those questions is that the company rushes to hide the evidence, which is even more illegal, and gives LW no clean exit, where the legal risk doesn’t follow LW for years to come.

        LW, I’m sorry you found yourself in this, but unless you plan to drown your memories in substances (really not encouraged!), I’d say you have to do the opposite–stay quiet with the bosses, and take this to outside regulators. And, soon.

      3. ACC*

        I’m not 100% sure that that’s what it is. Like I said about the employee I mentioned in my letter, it isn’t something I can prove, but seeing the way they’ve handled other situations here, and knowing how stingy they can be with money, it wouldn’t surprise me if they were just looking for one little slip-up to use as an excuse to get rid of a costly employee. But naively asking may be a good approach.

    2. Greige*

      They probably need to be authorized to view PHI for enrollment administration (like paycheck adjustments.) IANAL, but I doubt that means HR gets to access whatever they want for no legitimate purpose.

    3. quill*

      When you go see a lawyer, definitely bring this aspect up, it sounds like it could be relevant to who is ilable.

    4. Observer*

      I looked at our plan document and it does state that our VP of HR (the COO has since relinquished their duty to look at this report), HR Specialist, and HR Generalist at the company can view PHI.

      Almost certainly illegal. It’s really, really hard to make the argument that this level of detail is required for appropriate administration of the plan.

      The TPA that we use doesn’t send this report directly to us, they just send an email stating that the report is ready, we go to their website and download the report and look up the medical codes.

      In other words they are trying to create plausible deniability in that they can claim that they are not sending the information to anyone who shouldn’t have access and it’s not their job to make sure that the people who have the credentials to get the report actually should have access.

      Yeah, your feeling is spot on. Shady as all get out.

    5. Keymaster of Gozer (she/her)*

      Speaking as one who has been a whistleblower (comments up toward the top of the post) it’ll do you no harm to ask a lawyer in real life what they’d recommend doing.

      I’m not in the US but I do work in data security and this is sending ripples of nausea through my spine.

      Even if you decide to not take action (and I can’t judge anyone who doesn’t. Truly I can’t, I got through the stress of it but others may feel it’s too much of a risk to their mental health and mate, I can well understand that) it can help to get a calm legal outside view on it.

      Really wish you luck. You’ve been put in a horrible situation.

  49. Meep*

    We are a small company of about 10 people but our VP/my former manager treats medical conditions as if they are hot office gossip. She did it with employees with chronic conditions. She has done it with their spouses. I have been diagnosed with PTSD due to her treatment of me during the pandemic last summer and am in therapy. (I am looking for another job. I am also getting my Master’s to open up my options.) I make a careful note to say it is a “doctor’s appointment” every two weeks or if I can take it during my lunch break without informing anyone I will.

    I could totally see her doing something this vile. I would definitely report them. Obviously not to higher up because they are OK with it. This isn’t just fireable, it is suable. Whistleblower protections may not help you but you can also sue for wrongful termination.

    1. Former Employee*

      If anyone gets nosy, you can say you are being tested/treated for allergies. Between testing and treatment (allergy shots), regular appointments are required and seem to go on forever, from what I’ve been told. I never went for it because of the the it seemed like a long term commitment.

      It’s even sort of true as it seems you’ve developed an allergy to this VP.

  50. Retro*

    OP, you should speak to a lawyer. There’s individual liability under HIPAA and it’s not the type of thing you want to go to prison for, so you should assess the risks of that with a lawyer.

  51. Mad Harry Crewe*

    What is the insurance company *doing* sending this information over to the employer??? WTF WTF WTF

    1. Mad Harry Crewe*

      Ah, I see more info in the comment from ACC (LW) – still. Why are names attached to this info?

  52. middle name danger*

    If I knew that any person at my company knew the details of my healthcare, I’d leave without notice. I’ll figure something out to make ends meet while I job search. I have the benefit of being able to jump on my partner’s health insurance if I lose my own coverage, though.

    On top of things like expensive physical medical treatments, I can only imagine how employees using mental health coverage must feel in this situation.

  53. A Poster Has No Name*

    Aaaaand this one shoots right to the top of the “Worst Boss of the Year” rankings, for me (so far).

    Assuming bosses several levels above you count, as the COO and HR VP are really, really awful bosses.

  54. Jam Today*

    You need to contact both your local branch of the US Attorney General’s office, and your state AG’s office.

  55. JSPA*

    OP, if you need motivation: Far better to be the one blowing the whistle, than having the whistle blown on you. Ignorance of the law not being a defense, and all that.

  56. Software Dev*

    Asked a friend who works adjacent to this industry and is getting a masters in a subject related to insurance, she said this:

    It’s really hard to prove that they fired that guy based on his expensive medical care; the HIPAA violation is really hard to prove. If they’re self-funded (I know she says the insurance company, but she also says she’s not experienced in benefits, and she probably means the TPA), unfortunately the individual claim approval practice is probably legal, and they’re probably /not/ paying the insurance company; they’re deciding whether to approve or deny claims themselves, which they can do if they’re self-funded.
    Which yes is f*ed up, but not actually uncommon
    (They can also “approve” it, but pass the cost on to the employee, depending on how their plan is structured).

    I asked about the data being identifiable:
    afaik that’s not actually illegal unless the employee can prove they were discriminated against because of it. Claims processing /is/ individual, and if they’re self-funded, processing that claim and approving/denying it counts as a legitimate use of the data.

    (Be interested to hear perspectives from other people in the industry)

    1. PT*

      The last few places I worked it was pretty common for people to find themselves pushed out or demoted to part-time without benefits after they put in a pricey medical claim combined with medical leave. You don’t need to be a rocket scientist to realize that hey, getting expensive treatment and taking leave means you’ll be demoted or forced out means that there’s no strict data separation on the back end.

    2. HoundMom*

      I am in the industry and I agree with your friend. HIPAA is ambiguous — the amount of data that can be provided is a “reasonable” level in order to administer the plan. I am not saying that getting personally identified list of claims is the norm — it is not. But, it would be tough to prove that there is a tie between a legal report sent to people inside the firewall and a firing by someone outside the firewall.

  57. Blue*

    Yeah, I can’t see any possible interpretation of this other than that they want to know who to fire.
    OP, this is a horrible situation for you to be in and I’m sorry, but I really hope you’re able to blow the whistle on this. You could literally save some lives. (And that really shouldn’t be on you, but this is the shitty system we have).

  58. Bubbly*

    Pre-ACA I applied to a veterinary practice and the owner asked me straight out if I had any serious medical conditions because I couldn’t be offered the employee plan because it was too expensive and she was already paying a lot for an existing employee with MS. This office had 5 staff members so figuring it out would have taken zero effort. I am now thrilled that they retracted my offer after I asked them to pay my license fee for the state (I was broke) when I didn’t even have an offer and she wanted me to get the process started anyway.

  59. AnnieAnnie JAnnie J*

    OP: I respect that you don’t want to make a big deal out of this and really it doesn’t have anything to do with you so if you want to completely ignore it, you’d be well within your rights to do so, you shouldn’t feel obligated to pay for a lawyer out of your own pocket for this and of course you need to take care of yourself first and foremost.
    If you do want to go down the whistleblowing route, you should be aware that there is a possibility that you could be blackballed in your industry, there is very little privacy when it comes to these matters, and most industries have a black list of employees that they will not hire for various reasons.
    However, whatever you decide, I hope you do start job searching and applying to other roles as there could be a potential lawsuit in this, and you may be implicated.

    1. Observer*

      really it doesn’t have anything to do with you so if you want to completely ignore it, you’d be well within your rights to do so,

      Actually, this may not be true. And it CERTAINLY is not true if the OP gets pushed into actually doing this work.

      The OP needs to talk to a lawyer.

  60. Llama face!*

    Do you think this OP’s bosses all just got a back spasm from the collective AAM rage and horror directed their way this morning?

    Sorry OP that you have to work with these scuzzballs. I hope you can get out soon and that, if you are able to*, you can help make sure they face consequences for this unethical/illegal behaviour.

    *and if you can’t safely do it, I hope at least you can tip off someone else who can follow up.

  61. I'm just here for the cats!*

    This has to be a HIPPA violation at the least. “HIPAA requires that employers who gain access to employee medical information due to providing health insurance limit the people who can access this information to those who need the information for plan administration purposes”. The VP doesnt need this info!

    1. Pocket Mouse*

      Yeah, aside from the (gigantic glaring) identifier piece, it sounds like OP and their boss don’t need this info either, since the purpose they currently have it for is atrocious.

      OP isn’t even doing the deed—if they’ve seen the report or heard specifics/identifiers from it, it’s a violation of the kind you mention.

  62. Girasol*

    This is so wrong, but then, medical discrimination is so easy without doing this. So many companies avoid hiring women because they might get pregnant, avoid hiring older people and push their older staff into “voluntary” early retirement, avoid hiring the obese because “they just don’t seem like a good fit for our culture,” and fire people who have asked for ADA accommodations for minor infractions that other employees get away with all the time. The excuse for keeping them out of the employee pool isn’t medical but the reason can be. If I were OP I’d want to dissociate myself with anything as blatant as this, but what does HR do (or do they do anything?) to stop medical discrimination that isn’t so blatant but is thinly disguised?

  63. Observer*

    OP, I hate to say this, you really do have an ethical obligation to push back and /or file a complaint. What this company is doing *IS* illegal, and beyond unethical.

    I understand if you are afraid to risk your job. But you say “I definitely don’t plan on sticking around long-term so I don’t want to make a huge deal out of this,”

    I think you have it backwards. If you were going to be stuck there I could see why you would focus on protecting yourself first. Not a GREAT decision, but I could understand it because I get that not everyone has the ability to put their employment at risk. But if you are leaving anyway, then you don’t even have that as a reason to keep this quiet. At least at the point when you leave, you absolutely SHOULD file a complaint.

    And start looking for a new job NOW. These people are unethical at base, and are clearly not too careful with the law. I have no doubt that they will warp your sense of normal and ethical workplace behavior. And I also have no doubt that they will be happy to chew you up and spit you out if it seems to save the $1.

    1. Observer*

      By the way, THIS: The file itself doesn’t contain anything confidential, but it does have the medical codes associated with the employee’s claim. By itself is an indicator of what I was saying about norms.

      That list is be definition confidential information – just because it’s a code doesn’t make it less confidential. It is a list of who got what treatments in a certain time period. That’s as confidential as you get, codes or not.

    2. Annie J*

      With respect, there really is no ethical obligation for the OP and I think framing it this way is damaging.
      Firstly, we don’t know whether what the company is doing is illegal because we don’t know what they’re doing with the information, true it doesn’t look great but there may still be a legal explanation, I don’t know how many lawyers have weighed in on this thread but I think the debate around legality should be left to those who have the training to make those points.
      secondly, although the OP is planning to leave the company soon, whistleblowing could have a significant impact on them, to the point where they could be blacklisted in their industry.
      I think the OP should only do what they feel comfortable doing, and they have already said that they don’t want to make a big deal out of it, I think we should respect that decision.

      1. Boof*

        I’m not lawyer enough to be sure if op has a legal obligation, but they should def talk to a lawyer about it.

      2. quill*

        I think the overwhelming consensus here is that OP needs a lawyer to determine their legal obligations, legal options, and exit route from this job. Because quite frankly, the cost / benefit of a whistleblowing situation is always full of huge, potentially career destroying pitfalls whether you speak up or keep your head down.

        OP will have to choose the least-worst scenario for them, but in this case it’s going to take money and expert advice to make sure they actually have a least worst scenario to chose.

        1. Annie J*

          Lawyers can be expensive, I don’t know of many that were discussed this kind of situation for free.
          Also, I think the OP should try and get away from the company as soon as possible, but really I don’t see how they could be implicated in a potential lawsuit if they no longer work at the company, though thinking about it in more detail, it doesn’t even look as though what the company is doing is illegal.
          or proving that it is will be very difficult and time-consuming, and expensive to boot in so I don’t know how many people in the company would actually consider a lawsuit over this.

          1. Observer*

            though thinking about it in more detail, it doesn’t even look as though what the company is doing is illegal.

            You are flat out wrong about that. Please stop repeating this. I am not going to say that it is DEFINITELY illegal – but it’s extremely likely to be illegal. Why are you so set on trying to convince the OP that all is fine here? And that they shouldn’t try to protect themselves?

            Because aside from the ethical implications, the OP could most definitely be facing issues. Certainly if the stuff hits the fan while they are still working there. But even once they leave, if they were in any way involved in doing this task, they would be at risk. And you can bet that even if the OP is not technically legally liable, these beauties ARE going to try to dump the dirt on everyone else. Which means that the OP is dealing with a risk no matter WHAT they do.

            So, on a purely self interested level, the OP should most definitely try to get some solid legal advice on how to best protect themselves.

          2. quill*

            It is VERY worth checking if this is illegal with law sources outside the company & commentariat, as the guest advisor instructed. I doubt that a one-time consult with a lawyer would be free, I just figure it would be cheaper in the long run than many of the potential consequences of not consulting a lawyer: aka whistleblowing without legal advice, raising ethical concerns to OP’s boss, or potentially being partially liable if the company is investigated for this via someone else’s whistleblowing or suing.

      3. Observer*

        Firstly, even if something is legal, it doesn’t make it ethical. And what this company is doing is DEFINITELY unethical. It’s also almost certainly illegal, because under HIPAA this information needs to be tightly controlled and may only be given to people who have need of it in order to administer the plan. And there is no really good argument to be made that HR needs to know who is getting what treatments and when they are getting them.

        When one knows that a person or entity is doing something that is flagrantly unethical and almost certainly illegal, they DO have an ethical obligation. Human beings DO have obligations to do things that they may not be comfortable with.

        Like I said, I’m not going to judge the OP too hard if they are not in a position where they believe that they can afford the risk. But I *am* judging the idea that there simply isn’t any obligation, that one’s “comfort” is all that matters, and repeated attempts to actually discourage the OP from even talking to a lawyer.

        1. HoundMom*

          In all fairness, for many companies the VP of HR is also in charge of benefits. If that is the case, that individual may be within the HIPAA firewall and may need SOME of this data. When setting up a self-insured plan, the TPA will ask if the client wants to see identifiable data or non-identifiable data. I have not had a client in 20+ years that wanted identifiable data — even before HIPAA was a law. This is primarily due to the fact that employers do not want even a thought that someone’s health situation biased their hiring/firing/promotion decisions.

          The unethical (and potentially illegal) issue is if the data is being utilized for non-plan administration purposes, such as hiring/firing/promotions. This is very difficult to prove.

          There is the option of reporting a concern to the DOL and that may prompt inquiries from various government agencies. This would be anonymous and could prompt multiple audits.

  64. Lauren*

    I am glad to know there are whistleblower laws, but in practicality – OP can be fired and they just attach another reason why. Very few people can afford to be out of work let alone hire a lawyer or wait months for an EEOC complaint to be taken seriously.

  65. Black Horse Dancing*

    If the report lists dates of services, it would be really easy to ID who got what treatment.

  66. Anonymous Hippo*

    Heck. I thought it was bad when my company wanted to figure out a way to assign costs by department for people getting medical care when we went to self insurance. I had a fit, and said there was no way we were handling it like that as it would lead to exactly this, people being punished for higher medical costs. Only thing to do is allocate across the board the entire cost.

  67. Person of No Interest*

    Even if the company self-insures, this is a huge, huge, HUGE liability– I won’t say it’s criminal because I don’t know how to determine that, but it’s a prima facie violation of the HIPAA privacy rule if true, plus whatever else they’ve violated by using the information for anything but administration of the program. Self-insurance does not mean you don’t have to comply with the law, it just means you’re running your own insurance and paying those costs.

    I would love to know how this ends, and how big the crater is once regulatory enforcement gets hold of this. OP, I know whistleblowing is hard, and you should make whatever choice is best for you– but having said that, what this organization is doing is pretty awful. I’d like to think it was ignorant and not evil, but it’s probably evil. Speaking up couple potentially help a lot of people.

  68. CHRO*

    HR exec here…. this happened in the HR department I worked in several years back (without my involvement, but I did become aware of it at some point). The top leader who requested and received at the highly confidential info was also very pro life, and whenever birth control or pregnancy termination claims came through, she lost her mind over it. She kept a running tally in her head of who had what expensive illness and shared that freely with other top leaders. The company was a sham and I didn’t stay long.

    1. middle name danger*

      I thought about this as well – certain companies trying to refuse to cover birth control sprang to mind. Besides expensive treatment, I’d be concerned about discrimination for birth control/pregnancy related care, treatment for STIs, and about homophobia and transphobia. (PrEP, gender affirming surgery/hormones).

    2. Keymaster of Gozer (she/her)*

      My boss at a very toxic firm would have invented literally any excuse to get rid of anybody who had a termination. I lived in fear that he’d somehow find out about my medical past because he’d managed it, somehow, before and it was very difficult to prove. And this was in the UK. Nosy judgemental managers exist everywhere but definitely are scarier in a place where the firm actually pays the medical expenses because the information is easier to access (I know legally it shouldn’t).

      I’m very glad you got out of there. I can’t even imagine how stressful that must have been for you.

  69. Tech lady*

    I’m confused as to how people’s medical issues cost a company money? I thought the company paid the premium (or a portion of it), the employee covered the copays and any deductible, and the health insurance company pays the rest. Is that not the case? If you have a $10,000 treatment and your copay is $1000, who pays the remaining $9000? Your employer or the health insurance company? I’m in the US so I understand we don’t have universal healthcare.

    1. The Bad Guy*

      It depends on the size of your employer. A huge trend in large employers (150+ employees) recently has been self insurance. That means that your company is actually your insurance company and the name on your insurance card is someone that your company is “renting the network” from. This means that your employer is actually acting as your insurer with all that entails, including needing to manage the risk of medical cost for employees.

    2. Turtles All The Way Down*

      If a company’s employees are very expensive for the insurance company, the insurance company will raise their rates the following year – which usually affects both the employees and the employer.

  70. Heffalump*

    It’s really unfortunate that health insurance is tied to one’s employment in the USA, unlike every other prosperous Western country. Don’t get me started.

  71. JustKnope*

    OP, there’s been some iffy advice in the comments so far today. Please talk to an employment lawyer ASAP so you can figure out the best way to protect yourself and also help get this company’s practices reported. Do not pass go, do not collect $200, go straight to a lawyer.

    1. shocked*

      As an employment lawyer in a non-US jurisdiction, I wholeheartedly second this advice.

      Make an appointment with a specialist employment lawyer, preferably one with specialist whistleblower law knowledge, and make it ASAP.

  72. Jennifer Juniper*

    OP, get the hell out now.

    They will throw you under the bus when they get caught. Are you willing to go to jail or pay six or seven figures in lawsuit costs for this company?

    1. Observer*

      100%

      These are not people you can trust. Not just that they don’t have you interests at heart. They will actively harm you if they think it will give them a crumb.

  73. Turtles All The Way Down*

    Joke is on them – when I was let go from a terribly toxic company with absolutely amazing (state-mandated) health insurance, I stayed on COBRA for 18 months and burned through around $100k of health insurance coverage.

    If they let someone go who may need medical treatment, they have every incentive in the world to go on COBRA, to schedule things they need while they’re unemployed, and to use whatever health insurance they can in the next year and a half.

  74. Antisocialite*

    Sadly, this is not the only company doing this, we’re just hearing about this one.

    I have a genetic collagen disorder that causes all sorts of medical issues, and had to undergo genetic testing for evaluation. So, I’m also protected under the DOL’s GINA provision– Genetic Information Discrimination. If any of you have a genetic condition, you’re protected under this, too.

    https://www.eeoc.gov/genetic-information-discrimination

  75. No Tribble At All*

    TIL that my employer could be self-insuring and could have access to every doctor’s office visit I’ve ever done :(

    As an American, I expect garbage, but this is an extra hot pile of flaming garbage.

  76. CommanderBanana*

    Honestly? I’d be tempted to leak it to a gossipy coworker so that others knew that their medical – medical!! – information is being treated this way. This sounds like something that a group pushing back on may get more traction with than an individual.

    And it’s disgusting.

    1. NameWithHELDtoprotecttheguilty*

      I like this idea. Good one!!! Alison always says their is strength in numbers

  77. Cj*

    There are so many times when a letter writer asks Alison “is this illegal?” The answer is usually it sucks, but no, it’s not illegal. Like Donna, I can’t imagine any use the company can have for this info that is *not* illegal.

  78. A Feast of Fools*

    I was once a contractor at a small company that wanted to hire me on as a full-time employee. I had said something in passing once about a cancer scare and how it was something that needed to be monitored.

    They actually sat me down at performance review time to tell me how much they loved my work and how much they’d love to bring me on board… BUT… their health insurance premiums would go through the roof with someone like me added to the group plan so, sadly, they could not offer me the job.

    It was a mom-and-pop, “We’re all one big family” company that is now no longer in existence.

    The business was property restoration services. The techs were paid hourly but if there weren’t any jobs to do, they sat around the office waiting for an emergency call. (Think something like a water heater in the attic bursting and flooding the entire house, so jobs weren’t consistent).

    The owners got miffed that they had to pay the techs to “do nothing” (i.e., be on call), so they made them wash their personal vehicles and the vehicles of their adult children and their spouses, and made them mow the owners’ lawn at their home and pressure-wash the driveway. On a regular basis.

    I’m super surprised they didn’t make the techs clean their toilets, too.

  79. Lizard*

    Wow… I feel kind of sick just reading this. Please get out OP, and be public about why.

    A few years ago at my company (small, employee owned), the then-president suggested at our yearly benefits review that we all use less of our health insurance. Because our premium quotes were too high due to people actually using their benefits! He didn’t last long after that… makes me ill to think he might have gone to the lengths your company is to get “hard data” on who is costing the company money.

  80. BenefitsProfessional*

    Wow, this is awful. I also work in employee benefits and our health/dental are self insured – we pay an insurer for ASO (admin services), but even so we are not privy to this level of detailed information about employees’ claims. Even if we were to ask, the insurer would not share this type of information with us so I’m super surprised that’s provided to the company to begin with. Mind you, I am in Canada. Feel bad for the employees who are having their privacy invaded and don’t even realize..

  81. NameWithHELDtoprotecttheguilty*

    I told my company that I had cancer. I was clear and open about it. I told my management and HR. I wrote an email stating that I was starting chemo and would go on disability if I could not do my job on chemo. I used some legal type words such as reasonable accommodations, etc…. I was VERY lucky I did not have any issues with my chemo other than losing my hair. I worked through the entire treatment. My work did not miss a beat – again I was lucky. This was my way of telling them I KNOW that my cancer – breast cancer, is a disability, so mess with me at your own risk……but of course, I did not phrase it that way. And, I had a reputation as a top performer. Make no mistake – I would have gotten a lawyer and sued the #)%(#)$ out of them if they tried to target me, terminate me – whatever… I did not hide my cancer – but I did not make it an issue either. Of course, if I could not do my job, I would have gone out on disability for my treatment and I had a lawyer ready to stick it to the insurance company if they tried to deny my claim. The fact that I even had to plan this strategy – so to speak – while staring at a breast cancer diagnosis is, as others have stated, why health insurance SHOULD not have ANYTHING to do with your employment – PERIOD.

  82. shocked*

    I worked as an employment lawyer for years and years (not in the USA), and I saw some horrible employers do some terrible things.

    This is up there with some of the worst, though. I am so sorry you’ve been unfairly dumped in the middle of this, OP.

    I also have to say that the more I find out about the US health system with so much of health coverage tied to employment, especially knowing what I do about the complete lack of legal protections in place for most US workers, the more horrified I am.

    I mean no disrespect at all, but I am just really generally horrified for all my American fellows., that you guys have to put up with this nonsense. No system is perfect, but my God you guys were sold a pup.

  83. iglwif*

    Can’t type, too busy retrieving dropped jaw from the ground floor (I live on the third). What the HELL, LW. I hope you are looking for a new job because for your sake I want you to not be working for this incredibly slimy company any longer than you absolutely have to.

  84. commonsensesometimesmakessense*

    LW, I would definitely recommend that you report the insurance company to HIPAA and name the parties and the fact that they are providing the diagnoses to the employer and how the employer is looking up this information. That should put a stop to the insurance company giving the company access to that information. Also, look for other jobs and follow the advice of the employment lawyer (or better yet, consult one in your jurisdiction)!

  85. Anon55*

    Either you work for my former employer or there are multiple companies out there doing this. There was one staff meeting where my manager said that too many employees in the department were on anti-depressants so we needed to do more stress-relieving activities (while still expecting everyone to do the work of 2-3 people with no extra compensation) so people can stop taking those meds and save the company money. It was so tone deaf and showed a clear ignorance of the myriad of issues that are not stress related that are treated by SSRIs. I pointed out that they should be happy their employees are seeking mental health help and leave it at that and never heard about it again so I don’t know if they dropped it or excluded me from future conversations.

    Shortly before I left I heard several reliable reports that employees with expensive to treat conditions were being encouraged to pursue medical tourism and have their procedures done overseas for cheaper and the company would reimburse airfare in exchange. Horrifying.

Comments are closed.