What are the Top Five Things To Know About Wellness Programs and Data Privacy?

The following article does NOT constitute legal advice and should not be used as such. It is for educational purposes only. Readers should retain legal counsel to obtain definitive answers.

Many wellness programs collect employee health data, either through health risk assessments or biometric screenings. Individuals who work with wellness programs that are part of a group health plan may also have access to insurance claims data. With all this health data at the fingertips of wellness professionals, it is important to know the law surrounding the use and disclosure of that data. Here are the top five things you should know about the law and wellness data:

  1. HIPAA doesn’t always apply. Whether HIPAA privacy and security rules apply to your workplace wellness program depends on whether it is part of a group health plan. If it is, then HIPAA privacy and security rules apply. If it is not, then according to the federal Department of Health and Human Services (HHS), HIPAA doesn’t apply. However, many wellness programs adopt HIPAA privacy and security standards even if those programs are not technically subject to those standards.
  2. Regardless of whether HIPAA applies, employers should not receive individually identifiable health information unless it is needed for plan administration. Employers who take part in administering their wellness program, such as determining which employees earn incentives under the program, may receive the individually identifiable health information necessary for the employer to administer that aspect of the program. (When HIPAA does apply, a group health plan may disclose that information to the employer as plan sponsor only for plan administration functions and only after the plan documents have been amended to permit it; see 45 CFR § 164.504(f).) Under the HIPAA "minimum necessary" standard (45 CFR § 164.502(b)), however, employers or their agents should not receive any more information than what is needed for the plan administration purpose. According to HHS, HIPAA covered entities must explicitly state in their policies and procedures who needs a person's entire medical record and justify that need. Thus, no one should receive an individual's entire record unless that person needs it to do their job, the full access is documented in the covered entity's policies and procedures, and there is reasonable justification for that full access.
  3. Data privacy issues are at the heart of many of the wellness program lawsuits. Case in point: Kwesell v. Yale University, 19-cv-01098. As part of their complaint, the plaintiffs allege that the wellness vendors involved with administering the wellness program had access to the plaintiffs’ insurance claims data without their permission. Complaint, ¶¶ 49-54. This means that employees care about their data privacy and are willing to make formal complaints about unauthorized access. It also means that some employees read notices, authorization forms and privacy policies to determine who is seeing their information and why.
  4. HIPAA allows business associates (BAs) access to health information if it is needed to do the job the BA was hired to do. Despite the plaintiffs' complaint in the Yale University case, Yale University points out in its response that its wellness vendors are subject to a HIPAA-compliant Business Associate Agreement (BAA). BAAs are required between HIPAA covered entities, such as group health plans, and vendors who need access to protected health information in order to perform the tasks for which the group health plan hired them. See 45 CFR § 164.504(e)(1). The BAA sets forth how the BA will protect and use the health information to which it has access. Hence, it is likely legal for a group health plan to hire a wellness vendor to view claims data, without an individual's prior authorization, in order for the group health plan to improve enrollee health or reduce health care costs. See 45 CFR § 164.501 (definition of "health care operations").
  5. Don't take data collection lightly. As I state in Chapter 9 of my book, Rule the Rules of Workplace Wellness Programs, data is the new gold. Even if your wellness program does not abuse the use and disclosure of the data it collects, that does not mean that some other downstream organization is not collecting and manipulating your employees' data for profit. It is no wonder that employees voice concerns about who sees their data and what is done with it. Wellness professionals have a duty to safeguard the data they collect and to be aware of where the data goes once collected.
Barbara J. Zabawa

President of the Center for Health and Wellness Law, LLC
