It seems the reaction whenever the word HIPAA is whispered is generally avoidance, hatred or plain frustration. While everyone wants their health information kept private and secure, and corporations are happy to provide that peace of mind, aspects of the law are commonly viewed as burdensome, complicated and even at times overbearing. Yet this massive federal regulation has managed to be brushed aside by many in the wellness industry. As employers move away from in-house wellness offerings and look to the experts to engage their employees, they have stepped right into a massive loophole.
In the most technical sense, many wellness offerings are considered standalone products, not automatically tied to any health plan or benefit offering. Because these wellness programs are not, by definition, Covered Entities under HIPAA, they are not necessarily subject to the rules of HIPAA, despite the amount of personal health information they collect and process. This can put members in a tough situation, not fully knowing the obligations the wellness company is required to follow as it pertains to their information. Employers are always anxious to get as much data as possible to better incentivize their members, increase engagement and therefore improve their population’s health. The question then remains: at what point should or shouldn’t a wellness company be compliant with HIPAA?
A standalone wellness program may become subject to the obligations under HIPAA once it becomes a “part of” or “tied to” the employer’s health plan. Unfortunately, this threshold is not well defined and therefore continues the trend of uncertainty among wellness program members.
Lauren Chana, General Counsel, maintains her argumentative savvy through continual & vocal support of the Packers and Badgers despite being a Chicago native.