Health Risk Assessment and Appraisal - FAQ
1. Who owns the information provided by participants in a health risk assessment?
RESPONSE: The answer to this question will depend on what type of entity is providing these services and under what conditions. For example, if a healthcare provider is providing this type of occupational health service, the provider would “own” the patient protected health information/health records, but the patient/participant would “own” the information contained in the health records and all federal and state patient health record disclosure laws would apply.
If the provision of occupational health services results in the authorized disclosure of patient protected health information/health records to the sponsor, plan, and/or employer, upon receipt, the entity would be the owner of the information received.
If the provision of occupational health services results in the development of aggregate data to be disclosed to the sponsor, plan, and/or employer, once received, this information would be owned by the entity receiving the aggregate data.
2. Depending on ownership of the health risk assessment participant information, what state and federal regulations are applicable for use and disclosure?
RESPONSE: The answer to this question will depend on what type of entity is providing the services and under what conditions. A healthcare provider would be subject to all federal and state laws addressing the creation, management, and retention of patient health records. A payer may be subject to the same, but with additional requirements for the management of payer records.
3. When can the owner of the health risk assessment participant information share the information with external parties (e.g., health plans, employers, providers, participants, etc.)?
RESPONSE: Information may only be shared with other external parties in compliance with federal and state laws as well as the terms of the arrangement and the conditions of disclosure authorized by the participants. Information that has been aggregated and/or otherwise de-identified generally will not require participant authorization. Information that includes identifying information should only be shared with participant authorization/agreement.
4. When does the information to be shared regarding health risk assessments need to be de-identified or aggregated?
RESPONSE: When there is disclosure that is not authorized by the participant or not in compliance with the terms of the arrangement. The disclosure of de-identified or aggregate data should be limited to minimum necessary information.
5. May a health plan disclose to a sponsor (employer) whether an employee/plan participant has completed a health/wellness assessment?
Would this decision be impacted by the employer-provided incentives or premium discounts for participation?
RESPONSE: When the employee/participant has agreed to the terms of the health risk assessment and has elected to complete the assessment, the completion status can be disclosed to the sponsor. This would not be impacted by incentives or premium discounts for participation.
6. If an occupational health services provider promotes a wellness activity such as a smoking cessation or weight loss class, can the provider report employee/plan participant participation to the health plan? To the employee/participant’s employer?
RESPONSE: This information should not be disclosed without the authorization of the employee/participant.
7. May a participant in a health risk assessment later request an amendment to or a restriction of the assessment information?
RESPONSE: Information created and maintained by a covered entity (e.g., healthcare provider, health plan) is subject to the HIPAA Privacy Rule, which allows a patient to request an amendment and/or a restriction of access to his or her protected health information, as well as exercise all other privacy rights.
8. When is a “Wellness Coordinator” considered a healthcare provider?
RESPONSE: When the coordinator is recognized as a healthcare provider, or is working under the supervision of a healthcare provider, including, but not limited to: licensed nurse, chiropractor, dentist, physician, podiatrist, physical therapist, certified occupational therapist, occupational therapy assistant, physician assistant, respiratory care practitioner, dietician, licensed optometrist, certified acupuncturist, licensed psychologist, certified social worker, marriage and family therapist, professional counselor, licensed speech language pathologist, audiologist, or a partnership or corporation of any providers listed above.
9. Should anything different be done to protect the privacy of participants of smaller health plans (say under 50 employees) which are provided occupational health services to prevent employers from determining an employee’s health status based on deduction from the small population size?
RESPONSE: From a regulatory perspective, there does not seem to be any indication that the size of the plan would have an impact. However, the provider of the services may want to consider informing participants of the potential risk of disclosure/identification when participating in a small population group. Additionally, the provider may want to consider obtaining an authorization from the participants for disclosure of aggregate/de-identified results.