health-risk-assessments.com is a resource for Health Risk Assessments (HRA): appraisals, wellness programs, and quotes.

Health Risk Assessments and HIPAA Regulations

Health Risk Assessments: Background

In an attempt to control ever-spiraling healthcare costs, many employers and health plans are providing incentives to employees and participants to improve their health status (e.g., lose weight or get in better shape). Health risk assessments provide a tool for evaluating health status, identifying opportunities for improvement, and giving the participant valuable feedback regarding personal health and risk factors for chronic diseases such as diabetes or heart disease. Many health plans and employers also provide incentives for participants who complete the health risk assessment. Incentives may include:

  1. Reduced healthcare premiums.
  2. Expanded healthcare services.
  3. Dollars allocated to wellness activities.
  4. Cash bonuses or other incentives such as tangible rewards (e.g., exercise equipment) or paid days off.

Information from health risk assessments is used to identify risks within a population, deliver follow-up interventions for those at risk, and track and analyze population health trends over time. Health risk assessment questions generally focus on the individual’s health habits and may address the following topics: physical activity, food selection, tobacco use, sun exposure, women’s health, chronic conditions, preventive services and health screenings, alcohol use, sexual behavior, and others.

To determine how the data may be accessed, used, and disclosed, it is important to understand “who” is performing the health risk assessments and under what classification of services. Health risk assessments may be carried out in a variety of ways. Limited examples are as follows:

  • Directly by the employer with all subsequent control of information maintained by the employer.
  • Directly by the employer’s health plan with all subsequent control of information maintained by the health plan.
  • Outsourced to a healthcare provider, which may provide the services:
      • As a covered entity with all health information subject to HIPAA Privacy and Security Rule standards, as well as other federal and state health record regulations.
      • As a carved-out “hybrid” entity which is not considered part of the covered entity and is not subject to HIPAA Privacy and Security Rule standards and may or may not be subject to other federal and state health record regulations.
  • Outsourced to an entity which does not meet the classification of a healthcare provider (e.g., an organization which specializes in developing and analyzing data collection tools, surveys, assessments, etc.; may or may not include healthcare providers on staff; does not classify itself as a healthcare provider).