For many wellness vendors, a key component of a corporate wellness program is client reporting and evaluation of the program. A legal question often tied up in that reporting component is this: what individual employee health information, if any, can the vendor provide to the employer client?
HIPAA privacy and security rules do not always apply to workplace wellness programs. According to guidance by the federal Department of Health and Human Services (HHS), where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by the HIPAA privacy rules. However, other federal or state laws may apply and regulate the collection and/or use of the information.
One of those other laws, which applies to all workplace wellness programs that collect employee health information, is the Americans with Disabilities Act (ADA). The federal agency that enforces employer ADA compliance, the EEOC, issued rules in May 2016 that help answer the question of what individual employee health information, if any, a wellness vendor can provide to an employer client.
The answer depends on whether the employer administers any aspect of the wellness program. For example, does the employer administer wellness incentives and therefore need to know which employees earned the incentive under the program? If so, then under the ADA, a wellness vendor may disclose the individual employee health information the employer needs to administer that part of the wellness program. To reduce risk, wellness vendors should limit disclosure to only the information necessary for the employer to conduct its administrative function. So, if the employer administers the incentive and all that is needed for an employee to earn the incentive is to take a health risk assessment (HRA), then the wellness vendor should only provide the employer with the names of the employees who took the HRA; it would be unnecessary in this situation to provide the employer with the HRA results.
If, however, the employer does not administer any part of the wellness program, then the ADA rules prohibit the employer from receiving any individual employee health information. Rather, the wellness vendor should only provide the employer with aggregate information that does not disclose, or is not reasonably likely to disclose, the identity of any employee. See 29 CFR § 1630.14(d)(4)(iii).
According to the EEOC, both the employer and wellness program provider (who acts as the employer’s agent) must ensure compliance with this disclosure requirement. As a result, wellness vendors should adopt policies and procedures that address ADA requirements when disclosing employee health information to employer clients.