HIPAA and Personal Health Records (PHRs)

Question 9

Some group health plans want to require that their employees complete a health risk assessment (HRA) in order to be eligible for coverage. The plan would use the PHI obtained in the HRA in order to assess what types of wellness programs would work best to improve health outcomes in the plan. Would this practice violate HIPAA privacy?

Proposed Answer

No. HIPAA privacy regulations allows the use of the PHI by a covered entity for health care operations, which includes population-based activities related to improving health or reducing healthcare costs.  It does not prohibit the disclosure of PHI by a plan participant as a condition of eligibility for health coverage.

Answer

OCR agreed with the answer, adding that HIPAA’s Privacy rules do not address the determination of eligibility for a group health plan.  They have forwarded inquires on this topic to the Department of Labor’s, Employee Benefits Security Administration, who is working with EEOC to address these types of questions.
Note: The EEOC is currently against the practice of requiring an employee to take a health risk assessment in order to be eligible for coverage in the employer’s group health plan.

For the full text of the Q&A session, click here.

If you know someone who would like to receive our newsletter, email subscribe-path@dpath.com with their name, company name, telephone number, and email address and they will be added to the mailing list.

If you want to unsubscribe, send a blank email to unsubscribe-path@dpath.com.