Workplace Wellness and Employee Privacy

A recent article by Kaiser Health News (KHN), picked up by CNN, raised concerns about the privacy of employee health data collected through participation in workplace wellness programs.

Personal health data is typically covered by strict privacy laws known as the Health Insurance Portability and Accountability Act (HIPAA). But these laws apply only to covered entities and their business associates:

  • Covered entities include any healthcare provider that transmits health information electronically, any health plan, and any healthcare clearinghouse.
  • Business associates are any person or organization that performs a function on behalf of, or provides services to, a covered entity where that function or service involves individually identifiable health information.

For many employees, their employer and the companies providing the workplace wellness program may not be covered entities or business associates of a covered entity. So there is no statutory assurance that this employee health data is protected. The KHN article highlighted concerns by employers and their employees that personal health data might be disclosed to third parties, resold, or otherwise misused.

PDHI operates in accordance with the HIPAA Privacy and Security Regulations and the statutes of the various states that touch on the protection of personally identifiable information, including protected health information. When delivering service to clients who are covered entities or business associates, we operate as a business associate. If the client is neither a covered entity nor a business associate, data privacy is governed by the confidentiality and data ownership provisions in our license and service agreements.

It is the responsibility of each PDHI client to provide a privacy policy that defines how employee wellness program data will be used and protected. Where a client chooses to allow employees direct entry into the ConXus Wellness Portal, PDHI will display the privacy policy to the user and require acknowledgment before registration. Where the employee is connecting using single sign-on from a client portal, the client is responsible for display and acknowledgment of the privacy policy at their portal.
