Employee Privacy Rights: How Do HIPAA Regulations Help?

Despite your best intentions to meet the requirements of HIPAA regulations, your employees may still feel that your workplace wellness activities – such as health risk assessments, drug screenings and no-smoking discounts – violate their privacy rights. How do you stay in compliance with the Health Information Privacy portion of the Health Insurance Portability and Accountability Act (HIPAA) while still providing these benefits?

In a BLR webinar titled "2012 Employee Wellness Programs: Overcome HIPAA, COBRA, and ADA Hurdles," Mark Jones outlined some guidance.

HIPAA Regulations and Employee Privacy Rights: How is Employee Privacy Protected?

"A lot of wellness programs involve encouraging employees – or even requiring employees – to disclose information about their current health status. The disclosure of that information may be subject to certain protections. As a common sense matter, you probably don’t want anyone and everyone knowing information about your health. For the same reason, it’s important that plans and employers that obtain that information keep it private, unless the disclosure of it is necessary for the operation of the wellness program or the health plan," Jones advised.

Your first step to protect employee privacy is to understand your obligations under HIPAA regulations. HIPAA imposes standards restricting the ability of group health plans and health care providers to share participants’ protected health information (PHI). In general, a plan or provider may share PHI with a third party only for purposes of providing treatment, obtaining payment or facilitating health care operations.

"Protected health information" includes any health information maintained by a health plan or health care provider that identifies the patient, even if not by name. It may include, for example:

  • An employee’s smoking status collected to determine whether the employee qualifies for a discount on health care premiums for non-smokers.
  • Claims information that identifies employees who may benefit from a specific program, such as coordination of care for high-risk pregnancies.
  • Results of mandatory drug, alcohol or readiness-to-work tests.

While this list is obviously not all-inclusive, these examples alone show how prevalent this type of information could be in employer records. So how do you protect employee privacy while staying within the boundaries of HIPAA regulations? Jones gave some guidance during the webinar on how to protect yourself; here are some legal best practices.

HIPAA Regulations and Employee Privacy Rights: Legal Best Practices

  • Use a third party to implement corporate wellness programs. "That will shield you, as the employer, from receiving protected health information or genetic information," Jones noted, which lowers your risk of breaching employee privacy rights under HIPAA.
  • "To the extent that you do receive protected health information or genetic information, take all necessary steps to maintain the confidentiality of it. That is, it can only be used . . . for treatment, payment, or healthcare operations," Jones continued.
  • If you must request medical information about an employee (for example, to verify that he or she is eligible to return to work), direct the individual or health care provider not to provide genetic information.
  • Enter into a business associate agreement with any third party holding protected health information (PHI) to limit the use and disclosure of PHI.
  • Enter into an indemnification agreement with any third party holding PHI or genetic information requiring them to indemnify you for any breaches of confidentiality or violations of applicable law.
  • Train workers who implement and manage your corporate wellness programs to comply with the law and company policy.

Remember, despite your best intentions, workplace wellness programs can lead to unintended legal consequences. Things like health screenings, restrictions on employee conduct, and the collection of health information may violate employee privacy rights, and you should implement practices to ensure this doesn’t happen. Are you in compliance?

For more information on HIPAA regulations as they relate to employee privacy or to other employee wellness program issues, order the webinar recording. To register for a future webinar, visit http://catalog.blr.com/audio.

Mark Jones, Esq., is senior associate in the Los Angeles office of Pillsbury Winthrop Shaw Pittman LLP. He advises employers on the full range of healthcare and medical benefits in the workplace, from drafting agreements and plan amendments to managing self-insured plans and multi-employer plans.