It's not that surprising, experts say. Employers, especially at large companies, often know about high-cost medical treatments that their workers and dependents are undergoing. Their benefits administrator will often send them reports about claims their employees incur, particularly outsized ones.
This may not sit well with many Americans, especially amid mounting concerns about the disclosure and misuse of personal data.
But these reports don't include any identifying information about the employee, said Bruce Elliott, manager of compensation and benefits at the Society for Human Resource Management. And even privacy experts say companies have the right to know general information about claims since they are often footing the bill.
Though employees don't realize it, many large firms are self-insured. This means they pay the health costs of all their workers and insured dependents. Most also hire an outside company, such as a health insurer, to administer the benefit. And increasingly, employers are contracting with independent firms to offer disease management or wellness programs, which also cull or solicit additional employee medical information with the aim of keeping costs down.
The administrators typically send annual or quarterly updates to a company's human resources or benefits finance departments, said Jim Winkler, chief innovation officer for health and benefits at Aon Hewitt. They may contain a summary of all claims year-to-date, as well as specific claims above a certain threshold, often $100,000. Each high-cost claim will also note the underlying condition, such as pregnancy or cancer, and whether it was for an employee, their spouse or their child.
Employers need this information to be able to manage their funding of health care benefits, experts say. For instance, if claims are running higher than expected or if a number of employees come down with costly chronic conditions, companies might need to increase their reserves. And it wouldn't be unusual to share this general info with a chief executive or chief financial officer, especially since health benefits are an expensive outlay for companies.
Smaller employers that contract with insurance companies to provide -- and pay for -- employee health benefits also get reports, but more likely on an annual basis when premiums are set for the coming year. They also want to learn about the costs employees have incurred.
But that's all they want to know.
"Most employers don't want to know who has what from a medical standpoint," Winkler said. "It just opens the door to all kinds of issues."
The issues could derive from violations of the Health Insurance Portability and Accountability Act, a complicated law that protects patients' medical information. HIPAA doesn't govern employers, but the health plans they run are governed by it so it does control the sharing of employee health files.
"The rules prohibit firing or adverse job actions" based on medical data, said Kirk Nahra, a Wiley Rein attorney who specializes in health privacy. "That's not administering the health plan."
In Armstrong's case, it's not known whether the CEO knew the identities of the employees he called out. But experts say he probably didn't violate HIPAA.
What may irk some employees is companies' increasing use of disease management and wellness programs to keep down costs.
A growing number of businesses have contracted with insurers or other independent firms to keep an eye on trends in employee claims for evidence of medical conditions or diseases, such as diabetes, heart conditions or pregnancy. The insurer or firm will then proactively contact the worker to offer assistance in managing the issue, such as referrals to doctors or support programs or assistance in losing weight.
Companies are also offering more wellness programs, which include incentives to engage in healthy behaviors like exercises, or meet goals, such as lowering blood pressure. Some 64% of employers now offer the benefit, according to SHRM.
It's this growing trend that has some privacy experts concerned. Many of these wellness programs collected detailed health data that's normally beyond the reach of insurers, including blood test results, drinking habits, weight and blood pressure. And if companies run these programs in-house, there's a greater chance the information could be shared.
"In the name of health and wellness, there's an increasing amount of intrusion," said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. "It's chipping away at the right to keep sensitive information private."