Here Is The Situation in Plain English

The City is the drug plan sponsor, and the unions are the fiduciaries of the individual union welfare funds (more on that later). Emblem/UnitedHealthcare administers the medical plan. Prime Therapeutics administers the pharmacy (drug) benefit.

The proposal is to combine medical and pharmacy claims data into an AI-driven system to:

Identify high-risk members

Predict future costs

Manage care

Contain spending

Technically, this is called claims data integration or enterprise analytics.

But Is It Legal?

Most likely, yes, if done properly.

Under HIPAA, health plans are allowed to use protected health information (PHI) for:

Care management

Quality improvement

Risk stratification

Fraud detection

Cost containment

Utilization review

AI-based analysis of medical and drug claims typically fits under “health care operations.” So combining pharmacy and medical data is not automatically illegal.

But legality depends on:

Proper administrative agreements between the City, United, and Prime

Use is limited to plan administration and health care operations

Compliance with the “minimum necessary” standard

No secondary commercialization of the data

No use of PHI for employment decisions

If those safeguards are in place, the structure can comply with HIPAA.

Where the Real Concern Starts

The harder question isn’t “Can they?” It’s “Should they?”

Because once medical and drug data are merged into a predictive AI system, several things change.

Predictive Risk Scoring Can Shape Access to Care

AI risk models can:

Flag high-cost members

Trigger utilization review

Increase prior authorizations

Narrow formularies

Guide case management

Influence network design

Even if technically legal, predictive models often shift the system from:

“How do we treat illness?”

to

“How do we manage financial risk?”

That shift matters.

AI systems trained on combined medical and pharmacy claims can:

Predict who will be expensive

Flag members for prior authorization

Identify “over-utilizers”

Suggest tighter formularies

Recommend utilization controls

Those functions can be framed as “care management,” but they can also:

Increase denials

Increase prior authorization burdens

Restrict access to high-cost medications

Shift costs to members

The concern isn’t that AI exists. It’s how it is used.

Cost Containment vs. Care

“Cost containment” is legally permitted under health care operations. But in practice, cost containment can mean:

More denials

More step therapy

More prior authorization

Steering toward lower-cost treatments

Steering toward managed care models

The question becomes whether AI is being used to improve outcomes or optimize spending at the expense of access. Legality doesn’t answer that. The analytics system may be incentivized to reduce spending, not necessarily improve care.

Cost containment is legally allowed. But when cost containment drives coverage policy, members often feel it as restricted access.

Data Power Imbalance

When drug + medical data are merged:

The administrator gains enormous insight into member behavior.

Predictive modeling becomes more precise.

Individual cost profiles become clearer.

That creates leverage. If the City later wants to restructure benefits, negotiate labor terms, or justify plan redesign, this integrated data becomes powerful evidence. That may not violate HIPAA. But it shifts the balance of power. Even if not used improperly, it gives the administrator enormous informational power over members.

That’s where the ethical question arises.

The Ethical Question for the City & Union Leaders

Even if allowed under HIPAA, the City is a public employer, and Labor has long administered welfare fund benefits financed with City dollars. The union is funded by the City for that, depending on how much they bargained for. Both the City and the welfare fund must ask:

Is the AI model transparent?

Are members informed?

Is the data used solely for care improvement?

Are safeguards in place to prevent denial optimization?

Is there independent oversight of the algorithms?

Is the vendor allowed to use the data beyond this plan?

Because once AI infrastructure is built, it tends to expand.

Public-sector employers have a broader trust obligation than private corporations. The public expects fairness, not algorithmic cost pressure. Public employees expect their employer to protect them, not analyze them as financial risk units.

When a governmental employer builds predictive models on employee health behavior, it raises trust concerns, even if legal.

Now the Union Welfare Funds Question…

This is where things get more serious. Union welfare funds are typically:

Separate legal entities

Managed by trustees

Often governed by fiduciary standards

Even when not subject to ERISA (like our public plans), trustees generally have fiduciary duties similar to ERISA principles:

Duty of loyalty (act solely in members’ interest)

Duty of prudence

Duty to avoid conflicts

Duty not to subordinate member interests to third parties

That fiduciary duty is stronger than HIPAA compliance.

Something can be legal under HIPAA and still violate fiduciary principles.

A Fiduciary Duty of Loyalty

They must act solely in the interest of participants and beneficiaries.

A Duty of Prudence

They must make decisions as a prudent fiduciary would under similar circumstances.

That means:

They cannot act primarily to benefit the employer.

They cannot prioritize political or institutional relationships.

They must weigh privacy risks and benefit impacts.

They must ensure data sharing is necessary and in members’ best interests.

If union fund managers agree to share granular claims data:

In exchange for financial credits,

To help the employer meet savings targets,

Or to facilitate plan restructuring,

that could raise fiduciary questions, even if not illegal.

The standard is not “is it permitted under HIPAA?”

The standard is: Is this in the exclusive interest of participants? Fiduciary duty requires that member interests come first, not the City’s budget goals.

Key Difference: Legal Compliance vs. Fiduciary Responsibility

HIPAA asks:

Is this a permitted use of PHI?

Fiduciary law asks:

Is this in the best interest of the beneficiaries?

Those are not the same question.

Here’s where concerns legitimately arise:

AI outputs influencing denial rates

Data used to steer coverage changes

Vendors monetizing algorithm development

Lack of algorithm transparency

Members unaware that their data feeds predictive models

Data sharing tied to financial credits or labor deals

None of those are automatically illegal.

But they may conflict with fiduciary obligations or ethical governance. You may forever lose the trust, faith and support of your members if you do.

Union fund managers must ask:

Does this materially improve member care?

Does it expose members to increased restrictions?

Is there independent oversight of AI outputs?

Is the data limited to what is strictly necessary?

Are we giving up member privacy for financial concessions?

Even if not illegal, a fiduciary could be criticized for:

Failing to negotiate strict use limitations

Failing to audit the AI system

Failing to inform participants

Failing to assess long-term impacts

Fiduciary duty is about loyalty and prudence — not just legality.

Bottom Line

Legally, integrating medical and pharmacy data for AI-driven cost management can be permissible.

But legality is the floor — not the ceiling.

For the City:

The question is transparency, governance, and trust.

Public employees may reasonably expect stronger privacy protections than private-sector norms.

For union welfare fund trustees:

The question is fiduciary duty.

They must evaluate whether the benefits to members outweigh privacy and utilization risks.

They cannot justify the move solely because it is legal or because it helps meet savings targets.

In short:

Yes, they can.

The harder question is whether they should, and whether member interests are truly the primary driver of the decision.

And in this scenario, it was not. It was in the 100 pages of redacted financial dealings in the NYCEPPO contract that only the MLC executive board saw. The $100,000,000 “savings” that was built into this ASO for the plan was hidden away. Hidden so well, no one can show it to you, and unions whose members are on the City drug rider were not even aware that implementing this plan gave the City the right to give your health data to the insurance company without their knowing, never mind their members.

Alan Klinger used the lame excuse that it would lead to “better coordinated care” because the insurance company knows what drugs you are taking, not your doctor. I am not sure what century Alan went to the doctor last, but doctors know your medication history primarily through Electronic Health Records (EHR) that aggregate data from pharmacies and insurers, and by accessing state-mandated Prescription Drug Monitoring Programs (PDMPs) for controlled substances. These systems, often connected to pharmacies, allow doctors to see prescriptions filled at various locations. Pharmacists and doctors can access comprehensive online drug databases to check for dangerous drug interactions.

This is what happens when you sign yet another contract without reading it and accept it with redacted content.

Union leaders should have learned from the last time the MLC and Alan Klinger led the MLC to do this. Fire Alan Klinger and replace the MLC leadership. NOW. They are not being honest with you. For those unions whose members are on the City drug rider, you were never told your members’ drug data would be shared automatically with the passage of the NYCEPPO, because that fact was hidden in the ASO. And sadly, you didn’t ask. Again.

Hire the Retirees. We won’t let you down.