Hey Wellness Industry! Get Serious about HIPAA

The collection and use of employee data is under scrutiny this week after a recent Wall Street Journal article raised questions about how employers and wellness vendors use such data.

For all involved, this is a very sensitive topic. Employees worry about privacy violations or potential discrimination, while employers and vendors fear running afoul of the many confusing laws governing private health information (PHI).

In light of all this, we think it’s worth taking the time to briefly recap the relevant HIPAA regulations. As a disclaimer, Wellter is made up of healthcare and data analysts.  Our advice should not be taken as a substitute for legal counsel.

HIPAA – otherwise known as the Health Insurance Portability and Accountability Act – sets standards for the protection of PHI by health professionals (such as providers, insurers, and their business associates). These include wellness vendors in many cases.

Whether a wellness vendor is subject to HIPAA laws depends on the structure of the wellness program operated. Generally speaking, wellness programs will be governed by HIPAA if one or more of the following is true:

  1. The wellness program offers incentives/penalties that are related to an employer-sponsored health plan such as lower premiums.
  1. The wellness program offers incentives/penalties that are tied to health status, such as smoking or alcohol abuse.

When an employer contracts with a wellness vendor or other third-party to analyze their employee data, they must be careful to select companies who are committed to the protection of PHI. Best practices include:

  1. The vendors should be directed to de-identify the data, especially if there are concerns about their security practices. There are third party companies – like Wellter – that specialize in anonymizing healthcare data, including PHI. These third party companies often have security practices and procedures in place (for example, encryption) that exceed the HIPAA regulations. In addition, specialized healthcare data aggregators can re-identify the data on demand if the wellness vendor or a population health firm wants to follow up with individual employees.
  1. All the employees of the wellness vendors or third party companies who handle PHI must be regularly trained on HIPAA practices and procedures.
  1. Vendors and third parties must have a robust and secure technology platform in place to manage PHI. This platform must meet the requirements of the HIPAA regulations.

Always remember: when an employee gives consent for their data to be accessed, it is essential that they have confidence in the providers, insurers, and wellness vendors using their highly personal information. While the above list is not a comprehensive guide to HIPAA compliance, the practices we recommend are key to being able to securely maintain employee data – and employee trust.