One of the most common questions from employees with workplace wellness programs is this: “Is my health information kept confidential?”

Yes! Workplace Wellness Programs are Confidential

It has to be; it’s the law. Third-party healthcare providers are required by HIPAA to protect the privacy of patient health information. As a provider, we must keep personal health information confidential and cannot share it with the employer: not with the HR department, not with upper management, not with anyone.

It is vital to share this message with patients repeatedly in order to maintain strong engagement rates. A common misconception among employees with employer-sponsored health centers is that, because the employer sponsors the health center, the employer is entitled to see the health records.

That is absolutely not the case, and we recommend a robust communications program (including flyers, emails, posters, and letters) to explain privacy rights and give employees peace of mind.

We also recommend that these communications come from the third-party provider to dispel any misconception that personal health information is available to the employer and isn’t actually kept confidential.

Physical PHI Safeguards

In order to protect personal health information (PHI), there are certain physical safeguards all employer-sponsored health and wellness providers should follow. They include:

  • Using privacy screens on computer screens
  • Turning computer screens away from the public’s view
  • Locking filing cabinets if they contain PHI
  • Shredding paper PHI as soon as it has been scanned into an EMR
  • Logging out of the computer or removing the security token when away from the computer
  • Deleting any PHI that has been saved to a computer once it has been scanned into the EMR
  • Limiting any PHI that is lying out in offices and instead keeping the documents locked in drawers until they are no longer needed

Family-Shared Programs

Many employers offer workplace health and wellness programs to their employees’ spouses and children. It is common under this scenario for eligible employees to call the health center and request their spouse’s username and password. Can the providers share that information?

No. That information is kept confidential. One spouse does not have the right to access the other spouse’s PHR without that spouse’s permission. While we recognize the inconvenience of this, we as providers are required to protect the personal health information of each spouse.

Education on Patient Health Rights

We also recommend posting a list of patient health information rights at the health center to educate patients about privacy laws.

For example, by law, patients have the right to:

  • Obtain a paper copy of the Notice of Privacy Practices upon request;
  • Inspect and obtain a copy of their health record as provided for in 45 CFR §164.524;
  • Amend their health record by submitting a written request.

We hope you find this information useful as you consider implementing a workplace wellness center. Privacy is paramount.

