Silicon Valley startups seek to “disrupt” regulated industries and shift paradigms; however, these “outside-the-box” thinkers must be careful to not leave the regulatory box behind entirely. For a recent example, consider the tale of Zenefits. This firm was a one-time darling of the tech world, recruiting employees with lavish perks and holding itself out as an Uber-like disruption within the world of health insurance. In the span of 12 months, this company has fallen from the limelight in part because of failing to have a compliance program or controls necessary within the existing regulatory framework for insurance brokerage. Since this news broke in February, even more information came out regarding the culture of Zenefits – a culture of compliance with traditional frat house values, if that.
It is with some irony that the WSJ broke news of Zenefits’ compliance issues on February 16, 2016, and then published an article regarding the firm Castlight Health one day later. Castlight Health, and firms like it, provide employers with aggregated health trends mined from employee health data. Employees must opt in to share their data with Castlight, but little information is provided as to how employers advertise or encourage participation in such services. Fortune Magazine immediately raised and dismissed the HIPAA protections for such health data use: HIPAA only protects information that patients share with their healthcare providers, and Castlight gathers its information from unprotected consumer sources.
The news outlets and commentators have yet to draw a connection or parallel between these simultaneous news stories. Both Zenefits and Castlight serve employers seeking to manage the cost of employee healthcare. Both Zenefits and Castlight seek to disrupt the current industry that supports largely self-insured health plans governed outside state laws by the requirements of the Employee Retirement Income Security Act (ERISA). And both Zenefits and Castlight should raise compliance concerns about whether their disruption can be carried out in an ethical manner.
There are of course noted differences between these firms: nothing that Castlight offers is designed to break any existing laws, while Zenefits’ corporate profits appear to have been built on a flagrant disregard of the existing regulatory framework for insurance brokerage. Castlight provides information gathered from those voluntarily providing it, and it is up to its clients, large employers, to use that information in an ethical manner.
But companies looking to use the Zenefits and Castlights of the world should pause, look beyond the slick marketing, and consider the downstream pitfalls that market disruption has to offer. Castlight mentions in its terms and conditions that information is shared with the individual’s employer – but how prominently? And while Castlight says that protecting individual privacy is central to its operations, HIPAA compliance sets a floor for data use, not a pinnacle to be reached. Moreover, HIPAA may not even fully apply to Castlight’s operations, so that statement could be considered about as relevant as a statement that this blog is fully compliant with the Securities and Exchange Commission. At the end of the day, employees and customers will judge a company by the choices it makes.
- Professor Nicholas Terry of Indiana University Robert H. McKinney School of Law notes the personal privacy issues: the ethics of tracking employee health information are “questionable, at best,” and there is currently no legislation out there regulating these types of big data companies. “It is incumbent upon the employer to be completely transparent and to demonstrate how this is being done exclusively to the employee’s benefit.”
- Professor James Hodge of Arizona State University Sandra Day O’Connor College of Law notes the possible employment discrimination issues: “If [an employer] originally thought that 15% of the women in its employee base may become pregnant, but data shows it’s closer to 30%, that could lead an employer to say we cannot hire as many female employees this year because we can’t afford them being out for family leave.”
Additionally, as this blog seeks to raise security issues, companies should question how employees’ health information will be handled to prevent data breaches and security losses. Castlight, in particular, offers a search portal through which data is collected and aggregated, and security gaps in network traffic or server storage can expose personal information worth much more on the black market than a wallet full of credit cards.
The ultimate takeaways from these examples:
- Would-be startup founders with stars in their eyes need level-headed legal advice and guidance.
- Lawyers and compliance professionals in “traditional” industries looking to partner with “disruptive” service providers need to vet their agreements and consider whether the disruption is in alignment with their corporate values.