04 Jun Employee Health Information – Who Can See What?
This blog post was written by a member of our legal advisory council, Barbara J. Zabawa, JD, MPH.
One of the more confusing areas of employee wellness programs, especially programs that gather employee (and family member) health data, is who can see that data and exactly what data they can see.
These are important questions because employee privacy and data security concerns linger in the background of these wellness programs. Collecting employee health data should not be treated lightly. This blog post outlines the key questions for anyone who might be wary about disclosing health information in the workplace.
Is the Workplace Wellness Program Part of a Group Health Plan?
If your workplace wellness program is part of an employer’s group health plan (for example, it is available only to employees who enroll in the employer’s health plan, or it is described in a self-insured employer’s summary plan description), then the health data it collects is subject to the HIPAA privacy and security rules. If the wellness program is not part of the employer’s group health plan, the data it collects is not subject to HIPAA, but it is still subject to the confidentiality requirements of the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA); the ADA requirements are discussed later in this post.
My Workplace Wellness Program is Part of a Group Health Plan, so Who Can See My Health Data?
Because the HIPAA privacy and security rules apply to these wellness programs, those rules dictate who can see employee health information. Three types of people may want to see employee health data from a group health plan wellness program:
- Employer sponsors (other employees or supervisors of the employer)
- Employees who work for the group health plan (such as benefits personnel)
- Vendors who contract with the group health plan (such as brokers and wellness vendors)
Under HIPAA, the access of each of these groups should be as follows:
Employers (and employees of the employer) can see an employee’s individual health information from a workplace wellness program only under certain conditions. First, the employer must amend its group health plan documents to incorporate the provisions listed in the HIPAA privacy rule at 45 CFR § 164.504(f). Before a group health plan releases individual health data to that individual’s employer, the plan’s employees must confirm that the employer has amended its plan documents to include the required provisions. These provisions include, in part, statements that the employer:
- Will not use or disclose the individual health information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the employer;
- Will not use or further disclose the individual information other than as permitted or required by the plan documents or as required by law;
- Will restrict access to and use of the individual employee health information to only those employees, classes of employees or other persons under the control of the employer who perform plan administration functions.
Second, and importantly, even after the plan documents are amended, the group health plan may disclose individual employee health information to the employer only if the employer needs that information to perform plan administration functions. HIPAA defines plan administration functions as administration functions performed by the employer on behalf of the group health plan, and excludes functions the employer performs in connection with any other benefit or benefit plan of the employer. 45 CFR § 164.504(a). Thus, if an employer performs no plan administration functions for the group health plan of which the wellness program is a part, the employer should not be receiving any individually identifiable health information without the employee’s specific authorization.
What Information Can Be Disclosed to Employers with Group Health Plan Wellness Programs?
Under the HIPAA privacy rule, most uses and disclosures of individual health information must be limited to the “minimum necessary.” This requirement applies to both the group health plan and any vendors that contract with the group health plan, such as brokers. Specifically, group health plans and their vendors must make reasonable efforts to limit individually identifiable health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. See 45 CFR § 164.502(b).
There are important exceptions to the minimum necessary rule, such as uses and disclosures for treatment of an individual, disclosures made pursuant to an individual’s authorization, and disclosures required by law. These exceptions are unlikely to apply to most workplace wellness uses and disclosures, so group health plans and their vendors should adhere to the minimum necessary rule when using and disclosing individual employee health information from a wellness program. In practice, this means a group health plan or vendor should not use or disclose an employee’s entire wellness profile when only part of it is needed to accomplish the purpose at hand.
As for what employers can see, group health plans and their vendors should provide employers with only the minimum amount of individual employee health information needed for the employer to perform its plan administration functions for the group health plan. Anything more would violate the HIPAA privacy rule.
What Happens if the Employer or Third Party Uses or Discloses More than the Minimum Necessary?
Failure to adhere to the minimum necessary standard could lead to a complaint being filed with the Office for Civil Rights (OCR) within the federal Department of Health and Human Services (HHS) and to a penalty imposed by OCR. In certain circumstances, OCR may impose a penalty even if the group health plan or vendor corrects the violation: namely, when the HIPAA violation is due to “willful neglect.” HIPAA defines “willful neglect” as “conscious, intentional failure or reckless indifference to the obligation to comply” with the provision violated. 45 CFR § 160.401. This means that if a group health plan or vendor is aware of its obligation to comply with the HIPAA privacy requirements but throws caution to the wind and chooses not to comply, OCR must impose a financial penalty of between $10,000 and $50,000 per violation even when the violation is corrected within the 30-day period the rule allows, and a higher penalty if it is not corrected. See 45 CFR § 160.404(b). These are the base amounts set by the rule; HHS adjusts them periodically for inflation.
What if the Employer Only Wants to Know Who is Participating in the Group Health Plan Wellness Program?
HIPAA permits a group health plan to disclose to the employer, without an employee’s authorization, information about whether an individual is participating in the plan. See 45 CFR § 164.504(f)(1)(iii). Thus, if an employer merely wants a list of wellness program participants with no other health information, a group health plan could disclose such a list without first obtaining each employee’s authorization. Of course, other laws such as the ADA would prohibit the employer from using that list to penalize employees who are not on it (see the next question).
What if My Workplace Wellness Program is not part of a Group Health Plan? What Information Can the Employer See?
According to OCR, if your workplace wellness program is not part of a group health plan, the HIPAA privacy and security rules do not apply to it. But if a wellness program outside a group health plan still collects employee health data, ADA protections apply. The ADA requires employers that collect employee health information through a voluntary wellness program to maintain those records confidentially and not use them for any purpose that would violate the ADA. Thus, employers could not use employee health records to limit insurance eligibility or to discriminate against the employee.
Although the ADA permits disclosure of employee health information to managers and supervisors in connection with necessary work restrictions or accommodations, according to the EEOC, “such an exception would rarely, if ever, apply to medical information collected as part of a wellness program.” 81 Fed. Reg. at 31142 (May 17, 2016).
The ADA permits employers to see individual employee health information if the employer needs it to administer its wellness program. 81 Fed. Reg. at 31142 (May 17, 2016). If the employer does not administer any part of the wellness program, for example because it delegates program administration to a third-party vendor, the vendor should not provide the employer with individually identifiable employee health information; it should provide aggregate information only. The EEOC expects both employers and their agents to comply with these ADA confidentiality requirements. Id.
Looking for more information about disclosure? See our Quick Guide to Disclosure, Privacy, & Medical Certification Forms.
If you need more information on employment rights, see our Employment resources page!