Corporate Wellness Programs Best Practices: Ensuring the Privacy and Security of Employee Health Information
Despite the popularity of wellness programs among employers and assurances about their security and confidentiality, more than half of workers said they are hesitant about sharing their health information, and a quarter said they wouldn’t share their data under any circumstances, according to a survey by the Economist Intelligence Unit. More than one-quarter of employees said they were concerned their personal information wouldn’t remain confidential.
Schobert said her concerns about the privacy of her medical data cost her more than a hefty insurance premium. When she declined to participate in the wellness program health screening, she said management called her into a meeting to “quash any potential attitude of hers,” according to legal filings recounting her experience. A month later, she was fired in retaliation for her decision, the filings said. She was out of work for more than a year.
The EEOC sued Orion on her behalf, alleging the company violated federal law by requiring its employees to disclose health information that wasn’t job-related and firing Schobert when she objected.
Corporate Wellness Programs are on the Rise
Nationwide, corporate wellness programs are on the rise. By 2020, corporate wellness is projected to be a $12 billion industry. One reason for the growth is the intended purpose of corporate wellness programs: to get employees involved in their own health care, thereby reducing absenteeism and insurance claims.
Reports like the one above demonstrate how corporate wellness programs may put employee privacy at risk. This risk to the privacy of employee health information may be due to wellness contractors not being bound by the HIPAA Privacy Rule and to the fact that not all wellness information is protected by HIPAA. An additional concern is the risk to the privacy and security of shared employee health information and how it could support discrimination by employers.
Corporate Wellness Program Best Practices
To help you protect the privacy of employee health information, we have put together the following list of best practices to follow if you choose to participate in a corporate wellness program.
- Determine what wellness data is shared and who the data may be shared with
- Understand who has access to lifestyle management information
Following your HRA, employees may be asked to participate in the lifestyle management program, which uses coaching and support materials to help employees engage in more healthful living. As part of the lifestyle management process, interventions including smoking cessation, weight management, nutrition, stress management and others may be recommended. In addition, the wellness program vendor analyzes employee health care claims to identify employees with chronic conditions: asthma, CAD, atrial fibrillation, CHF, stroke, hyperlipidemia, hypertension, diabetes, low back pain, and chronic obstructive pulmonary disease. Employers and employees should understand what lifestyle management information may be shared, and who the health information will be shared with. Moreover, employers and employees should determine how employee health information obtained and analyzed during the lifestyle management process is safeguarded.
- Ensure group results reports are safeguarded
A third-party vendor administers the HRA and compiles the results of the biometric screening. Reports on findings are provided on a companywide and site level, and employees are mailed their individual results from the biometric screenings. The information provided in the group reports is de-identified; however, it may be easy for managers or smaller organizations to match worker identities with results from group reports. Because there is a potential for identification, these group reports should be properly safeguarded. Further, the information contained in the group reports should only be used as a snapshot of how your organization is doing as a whole and never as a tool to evaluate a worker’s job performance. More importantly, these reports must never support discrimination.
Participation in corporate wellness programs is on the rise. The surge in corporate wellness program participation requires employers and employees to determine how to ensure the privacy and security of employee health information. As healthcare professionals, HIPAA provides us with the necessary framework to protect patient health information. However, a corporate wellness program offered separate from an employer’s group health insurance plan is not protected by HIPAA.
We recommend determining what wellness data will be obtained and analyzed as part of the corporate wellness program, and who that information will be shared with. Group reports are useful as a snapshot to see how your organization is doing as a whole. However, these reports must be safeguarded and there should be no attempts at re-identifying individuals. Employees participating in corporate wellness programs should be afforded assurances that their employee health information will be safeguarded, and that any results that may be learned or discovered about the employee will never be used to discriminate against them.