The hoopla that came out of the CVS messaging around employees getting their biometrics and completing health risk assessments has brought up an important issue. Do your employees trust you concerning their confidential health care information? Even though you tell them, “We can’t access your personal health care information even if we wanted to,” do they believe you?
This issue is a real concern if you are ramping up your promotion of wellness activities, especially if you are requiring the completion of steps to earn discounts on coverage or to receive contributions to health savings accounts (HSAs). As your employees are completing their health risk assessment, are they being totally honest? Do they hold back because they are concerned their truthful responses will somehow be held against them in terms of higher premiums or deductibles, or even being passed over for a job promotion?
You might want to take this opportunity to reinforce the protections provided by the Health Insurance Portability and Accountability Act (HIPAA). I remember when HIPAA was rolled out in 1996. A number of communications were created to explain how it worked. As an HR pro, you may assume everyone understands HIPAA. But in light of today’s environment, I believe it’s time for a refresher.
The following are some points to build into your communications:
- HIPAA laws protect the privacy of all past, current and future employee health-related information.
- In the workplace, HIPAA ensures that individual employee health information is not provided to parties, such as employers, without the consent of the employee.
- The HIPAA Privacy Rule does allow the disclosure of personal health information among health care providers and insurers, but only as needed for patient care and other important purposes. Health care organizations and their employees can face both civil and criminal penalties for knowingly, and even unknowingly, violating a patient’s right to privacy.
- Under HIPAA, an employer can only ask an employee for a doctor’s note related to sick leave, workers compensation, wellness programs or health insurance.
- If an employer reaches out to a health care provider directly without the employee’s authorization, HIPAA prohibits the health care provider from disclosing the information.
Note: Additional information about HIPAA can be found on the Health & Human Services website.
Keep in mind that you can’t communicate these details in the same dry tone used above. Look for ways to creatively educate your employees:
- Sponsor a daily quiz on your intranet, entering participants into a prize drawing.
- Develop an interesting infographic for managers to share in meetings.
- Ask your CEO to address privacy protection in a companywide town hall meeting and reinforce his/her personal participation in the health risk assessment and wellness programs.
We can also help to create interesting ways to educate your employees about their rights and responsibilities around health care privacy. The important point to stress is that as far as your company is concerned, “what happens in health care stays in health care.”