Specify what wellness providers can and cannot do with health information
HR professionals are being encouraged to review contracts with wellness program providers to ensure that the providers do not disclose employees’ health information.
The federal Health Insurance Portability and Accountability Act (HIPAA) forbids release of an individual’s personal health information without his or her authorization. But legal experts say health information that does not include the names of employees or that aggregates the medical data of multiple workers falls into a gray area. That opens the door for such information to be sold by unscrupulous wellness providers. “HIPAA doesn’t prevent the practice of disclosing aggregate data,” said Eric S. Boos, an attorney with Shook, Hardy & Bacon in Miami. “It doesn’t really speak to that.”
Legal and wellness program experts told SHRM Online that they have no direct knowledge of wellness providers selling or sharing employee health information. But they noted that if any financial incentives exist, the data is at risk. Health care corporations’ regional and national marketers “can do a lot with aggregate data,” observed Boos.
“There are (wellness) companies that do protect the data. There are companies that play fast and loose with the data,” said Jonathan Edelheit, president of the Corporate Health & Wellness Association in Palm Beach Gardens, Fla. “It exposes employers to tremendous liability.”
Employer wellness programs have collected millions of data points about employees’ personal lives as they seek to help workers become healthier and to curb employers’ health care costs. Through evaluations that workers fill out, the providers learn the prevalence of certain health issues, said David Chenoweth, Ph.D., president of wellness provider Chenoweth & Associates Inc., in New Bern, N.C. For example: What percentage of the company’s workers have diabetes or want assistance to stop smoking or lose weight? However, wellness providers “don’t need to know the names” of the employees who reported such concerns, he stated.
Given the amount of data being collected, the potential for its misuse and the constant threat from hackers, “There is just so much risk now,” said Chenoweth.
Legal experts say HR professionals should initiate reviews of existing wellness program contracts and should insist that their organizations perform due diligence when considering new programs. Contracts should specify that wellness providers may not share health data except in circumstances spelled out by the employer.
“Companies need to protect their brand and protect their employees. They need to vet their contracts,” said Adam C. Solander, an attorney with Epstein Becker Green in Washington, D.C.
Edelheit said most employers do a good job of following HIPAA rules internally. However, when it comes to arrangements with business associates such as wellness providers, “They don’t always think to look at the terms and disclosures and other language.” Wellness providers considering selling health information probably will not disclose that intent in the fine print of their contracts with employers. “There will be only vague language such as ‘we respect your privacy,’ ” noted Edelheit.
“There’s always a significant potential for misuse of this information,” said Andrew B. Wachler, managing partner of the law firm Wachler & Associates in Royal Oak, Mich. “Be clear in any business associate agreement that health information is for the employer’s health care operations and not for the benefit of the business associate.”
Wachler added that employers should segregate wellness program data from other employee information. There should be no opportunity for managers to use health information when making employment decisions, which could lead to costly litigation.
“The onus is really on the employer,” said Boos. He urged HR professionals to develop a clear idea of what they want to accomplish with their wellness programs and to specify what the wellness provider can and cannot do with health information.
Edelheit stated that the volume of personal medical data will continue to grow as more Americans use wearable devices that measure their heart rate and other health conditions. Now used primarily for fitness, such devices are expected to become a big part of mainstream medical care, sending health information electronically to users’ doctors. “These devices will collect a lot of data,” he said. “No one is asking the question: What are they doing with the data?”
Experts suggest that HR professionals address the issue of medical information security proactively with workers. “Be really transparent with employees,” said Edelheit, who noted that if employees don’t trust their employer to protect their data, they won’t participate in wellness programs.
Any indication that workers’ health information has been sold or shared “could really adversely affect employee morale,” said Solander.
Chenoweth said severe penalties for violating HIPAA and other privacy laws should act as a deterrent to wellness providers tempted to sell individuals’ or companies’ health data. He added that most reputable wellness firms won’t jeopardize their reputation by sharing such information. “We don’t have a lot of charlatans” in the wellness industry, he stated. “The regulatory landscape is making companies of all sizes more vigilant.”
Steve Bates is a freelance writer in the Washington, D.C., area and a former writer and editor for SHRM.