Most of us become familiar with HIPAA requirements when we go to the doctor’s office or hospital and are given privacy notices and consent forms to review. But employees of your organization may wonder how privacy rights come in to play when it comes to voluntarily participating in a work-place wellness program. To gain employees’ trust, it is essential to have transparency in all forms of communication about how the wellness program is administered, with due diligence and respect to employee confidentiality. When considering partnering with a third-party wellness vendor and implementing a comprehensive wellness program, HR teams and safety professionals will need to know what areas of HIPAA compliance require their attention.
As a primer, let’s overview the law, key terms and distinctions, generally applicable to worksite wellness programming:
First, let’s note that HIPAA has two As and one P and not the other way around. The HIPAA law refers to the Health Insurance Portability and Accountability Act that Congress created back in 1996 to modernize healthcare information systems and prevent fraud and theft of protected health information (PHI). HIPAA privacy and security rules were written almost 20 years ago, and then updated in 2013 to include language about how to deal with HIPAA breaches and business associates.
The HIPAA privacy rule is concerned with the physical security and confidentiality of individual employee PHI in all formats – electronic (ePHI), paper, and oral. This rule also puts restrictions on the sharing of employee PHI between the group health plan and the employer sponsor of the plan, which may be administering wellness program benefits (e.g., distributing incentives offered through the plan).
The HIPAA security rule pertains to protection requirements of ePHI created, received, maintained, or transmitted during worksite wellness program participation. It is incumbent upon third-party wellness vendors to implement adequate physical, technical, and administrative safeguards that protect individual employee ePHI (e.g., email encryption, cloud storage). The federal agency that oversees HIPAA compliance and how HIPAA privacy and security rules apply to workplace wellness programs is the U.S. Department of Health and Human Services (DHHS) Office of Civil Rights (OCR).
HIPAA-Covered Entities are organizations that deal with health-related data, such as healthcare provider organizations, health plans, state governments and educational institutions. In accordance with OCR guidance, workplace wellness programs that are part of a group health plan are HIPAA-bound because the group health plan qualifies as a covered entity. Third-party wellness vendors, providing health coaching to employees as part of this plan, are HIPAA-bound “Business Associates.” They are performing functions or activities on behalf of or services to the covered entity that involve access to PHI.
Business Associate Agreements (BAAs) Prior to a third-party wellness vendor (i.e., Business Associate) collecting, storing, processing, and interacting with employee PHI, a BAA must in place imposing safeguards on how this covered entity will use and disclose PHI. Other BAAs may further be needed with data protection software vendors, cloud infrastructure providers and cloud-based file collaboration platform vendors.
PHI is broadly defined as any data associated with an individual’s physical or mental health status, including any related treatments or payments. PHI also in practice includes PII or personally identifiable information such as names, social security numbers, addresses and any healthcare-centric information (e.g. medical record numbers, insurance plan member IDs, medical device identifiers and serial numbers). If a worksite wellness program is being offered as part of a group health plan or major medical plan, and there are participation-based incentives like premium reductions, the program is subject to HIPAA compliance obligations. PHI, then is any individually identifiable health information, privately and personally collected from or created about employees participating in the wellness program.
Worksite wellness programs, along with EAPs, are also subject to the HIPAA Rules to the extent they are group health plans that provide medical care. Although the role and scope of a health coach is considered by and large non-clinical, these common wellness program benefits in particular are considered medical care with HIPAA compliance obligations:
HRA administrations and biometric screenings, which are regarded as a form of clinical assessment of an employee’s health, intended to indicate an increased risk of certain health conditions (heart disease, diabetes, etc.)
Chronic disease management and smoking cessation services, that are designed to assist with specific health conditions.
Individualized health coaching by trained wellness professionals
Deidentification PHI is only considered PHI when an individual could be identified from the information. If all identifiers are stripped from health data, and the covered entity has a reasonable basis to believe it cannot be used to identify individual, the information is deemed “de-identified,” not subject to the HIPAA requirements and can be disclosed.
To compete in the marketplace and not be liable for sanctions, third party wellness vendors abide by the Minimum Necessary Standard in all work practices with clients when providing services (onsite and remote) and being responsive to requests. This means ensuring employee PHI is not accessible to anyone except those who have a verified business need for it (i.e., contracted health coaches); carefully monitored during such access; encrypted while in storage and during transfer on any unprotected network, and only moved to an authorized location; and deidentifying all reports contractually provided or for purposes of wellness program administration. When it is time to formally demonstrate outcomes from wellness program participation, third party wellness vendors will strictly showcase aggregate data or statistical analyses that do not contain any individual PHI, and only on group sizes greater than 50. For example, annual data presentations would depict the total percentage of the employee population actively participating in the wellness program; the cost risk profile of that group (percentage scored as low risk, medium risk, high risk); the top 10 behavior/cost risk incidences of that group reflected in percentages, and risk score and risk incidence percentage change over time of the cohort group.
Sources: