Personal health data is typically covered by the strict privacy rules of the Health Insurance Portability and Accountability Act (HIPAA). But these rules apply only to covered entities and their business associates:
- Covered entities include health plans, healthcare clearinghouses, and any healthcare provider who transmits health information electronically.
- Business associates are any person or organization that performs a function on behalf of, or provides services to, a covered entity, where that function or service involves individually identifiable health information.
For many employees, their employer and the companies providing the workplace wellness program may not be covered entities or business associates of a covered entity. So there is no statutory assurance that this employee health data is protected. The KHN article highlighted concerns by employers and their employees that personal health data might be disclosed to third parties, resold, or otherwise misused.
PDHI operates in accordance with HIPAA Privacy and Security Regulations and the statutes of the various states that touch on the protection of personally identifiable information including protected health information. When delivering service to clients who are covered entities or business associates, we operate as a business associate. If the client is not a covered entity or business associate, then data privacy is covered by the confidentiality and data ownership provisions in our license and service agreements.