AOL CEO Tim Armstrong reversed proposed changes to his company's 401(k) policy following widespread public criticism because he blamed those changes on two "distressed babies" of company employees who needed expensive emergency care in 2012. But some are arguing that Armstrong might not be able to undo the entire aftermath of his comments, as what he said could potentially violate federal laws governing patient privacy. So does it? The answer, in short, is that it's possible, but complicated.

In case you somehow missed the whole controversy, here is what Armstrong said to justify a new 401(k) policy that would have financially punished employees who either quit or left the company in the middle of the year: 

“Two things that happened in 2012. We had two AOL-ers that had distressed babies that were born that we paid a million dollars each to make sure those babies were OK in general. And those are the things that add up into our benefits cost. So when we had the final decision about what benefits to cut because of the increased healthcare costs, we made the decision, and I made the decision, to basically change the 401(k) plan.”

Speaking to the Wall Street Journal, Patient Privacy Rights founder Deborah Peel suggested that Armstrong's statement could violate the Health Insurance Portability and Accountability Act, or HIPAA, which contains the federal privacy regulations governing the disclosure of a patient's medical history. The argument here is that Armstrong's remarks publicly disclosed "protected health information," or PHI, about two specifically identifiable employees. Although Armstrong didn't say the names of the two employees, it's possible that he left enough breadcrumbs to make it clear who they were. Assuming one of the individuals involved files a complaint with the relevant division of the Department of Health and Human Services, the federal government could end up investigating whether there's a HIPAA violation somewhere along the way to Armstrong's statement.

Among other things, HIPAA is supposed to prevent health plans and insurance providers from disclosing information about covered individuals to the employer providing the coverage. Crucially, HIPAA's protections are intended to prevent employers from taking an adverse action against an employee with, say, a sick child at home. Kirk Nahra, a Washington, D.C. attorney at Wiley Rein who specializes in health care privacy and security, told the Wire that any possible violation of HIPAA here is "mainly going to depend on where the information came from." 

It's possible, Nahra added, that Armstrong received a perfectly legal report containing the distribution of health care costs for his employees, on which he based his remarks. But if Armstrong then decided to independently dig up more information on two particularly expensive medical cases after reading a non-identifying report, that could represent a violation. We don't know what Armstrong knew, or how he knew it — it's not even clear from what he said that he knew the specific identities of the two families he mentioned.

In other words, there are a lot of variables at play, making it very tricky to answer whether a violation happened somewhere along the way, and who would be at fault if there were a violation. And if there is a transgression, it's unlikely that the government would throw the book at AOL for it. Nahra said that the chance any investigation would find a major violation of HIPAA privacy laws is "exceedingly small." To make things even more difficult to parse, there's virtually no comparable legal precedent to refer to in this case. It's basically uncharted territory, mired in a complicated law with tricky, sometimes imaginary-seeming distinctions.

Whether or not Armstrong provided enough information to identify the two families he mentioned, the identity of one of the two families in question is now public. Deanna Fei, one of the mothers of a "distressed baby" covered by AOL's insurance, self-disclosed in a devastating piece in Slate on Sunday. In it, Fei outlined both the care her child needed to survive, and the fallout of Armstrong using her near family tragedy to make a business argument. "For the record: It was me," Fei wrote:

"I don’t work for AOL; my husband does. One of those “distressed babies” was our daughter. We pay our premiums for a family health plan through AOL, which is why we had coverage on the morning I woke up in acute pain, only five months into what had been a completely smooth pregnancy."

Fei added that her husband, who still works for AOL, began fielding questions about whether Armstrong was talking about their child within "minutes" of his statement at an employee town hall meeting.

Until a possible HHS investigation gets underway, the question of a HIPAA violation will have to remain unanswered. It wouldn't, however, be the first time Armstrong faced scrutiny for his alleged treatment of employee family health crises. In 2005, the then-Google executive was sued for allegedly demoting a pregnant employee after she informed him of her pregnancy and of a series of medical complications she experienced as a result. That suit went into arbitration, but it's making the rounds once more thanks to Armstrong's recent remarks. He has since apologized for mentioning "specific health-care examples in trying to explain our decision making process around our employee benefit programs."