Is your wellness program HIPAA compliant?

By Lauren Chana

It seems the reaction whenever the word HIPAA is whispered is generally avoidance, hatred or plain frustration. While everyone wants their health information kept private and secure, and corporations are happy to provide that peace of mind, aspects of the law are commonly viewed as burdensome, complicated and at times even overbearing. Yet this massive federal regulation has managed to be brushed aside by many in the wellness industry. As employers move away from in-house wellness offerings and look to the experts to engage their employees, they have stepped right into a massive loophole.

In the most technical sense, many wellness offerings are considered standalone products, not automatically tied to any health plan or benefit offering. Therefore, despite the amount of personal health information these programs collect and process, they are not, by definition, Covered Entities under HIPAA and are not necessarily subject to its rules. This can put members in a tough situation, not fully knowing which obligations the wellness company is required to follow with respect to their information. Employers are always anxious to get as much data as possible to better incentivize their members, increase engagement and therefore improve their population’s health. The question then remains: at what point should or shouldn’t a wellness company be compliant with HIPAA?

A standalone wellness program may become subject to the obligations under HIPAA once it becomes a “part of” or “tied to” the employer’s health plan. Unfortunately, this threshold is not well defined, which continues the trend of uncertainty among wellness program members.

Regardless of whether your wellness program is technically bound by the rules and obligations of HIPAA, always be sure to review the terms and conditions and privacy policy to understand where your data is going, how it is being used and how the provider is keeping it secure. Luckily, there are wellness programs out there that do follow HIPAA. Vitality has a long history of not only always abiding by HIPAA, but also all local laws pertaining to personal health information privacy and security. As a company rooted in insurance, we take a conservative approach to ensure that, no matter what, the member’s privacy is always a priority. Using methods such as Vitality Status, we are able to provide the employer with meaningful measures of engagement without ever sharing your personal data. Can your wellness provider say that?

Lauren Chana, General Counsel, maintains her argumentative savvy through continual and vocal support of the Packers and Badgers despite being a Chicago native.
