MaPSAC Management and Professional Staff Advisory Committee

HIPAA protects personal info collected via Healthy Boiler Wellness Program

Trenten D. Klingerman, deputy general counsel in Purdue’s Office of Legal Counsel, provided APSAC with this article as a follow-up to issues discussed in a recent town hall meeting.

During a recent benefits forum, the discussion turned to the Healthy Boiler Wellness Program, a program in which faculty and staff can earn financial incentives by participating in (and logging) various healthful activities. The program, which is offered by Purdue Human Resources and its health and wellness partners, first launched in 2017 and is growing in popularity. Still, a staff member mentioned during the forum that they did not participate in the program because the health choices they make “aren’t any of my employer’s business.”

The person who made the comment is, of course, 100% correct that employee health information, including health and wellness choices submitted to the Healthy Boiler Portal, should not be viewed and monitored by their employer. Several federal laws ensure that such information is confidential and may only be shared when authorized by an individual. 

The Health Insurance Portability and Accountability Act, or HIPAA, applies to wellness programs like Healthy Boiler that are offered in connection with an employer’s group health plan. HIPAA protects all personal health information collected in connection with such programs and makes it unlawful to use or share this information to make employment-related decisions. The Affordable Care Act, the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act (GINA) also apply to wellness programs. These laws make clear that:

  • medical and genetic information may not be disclosed to an employee’s supervisors or management; 
  • individuals who handle medical information generally should not be responsible for making employment decisions;
  • notifications are required if protected health information is breached; 
  • programs are voluntary; and 
  • employees cannot be required to disclose medical information to their employer in order to participate in the program.

The Healthy Boiler program complies with each of these federal laws. In fact, Purdue and its Healthy Boiler partners make the following promises to each employee who registers for the program:

  • Your health information will not be disclosed (to Purdue employees or others) except as necessary to respond to a request from you for a reasonable accommodation needed to participate in the program, or as expressly permitted by law.
  • Your health information will not be disclosed to your supervisors or managers and may never be used to make decisions regarding your employment.
  • Your health information will not be sold, exchanged, transferred, or otherwise disclosed except to the extent permitted by law to carry out specific activities related to the program, and you will not be asked or required to waive the confidentiality of your health information as a condition of participating in the program or receiving an incentive.
  • The only individual(s) who will receive your personally identifiable health information are those to whom you choose to disclose it (such as a health coach, nurse, physician, etc.) in order to provide you with services under the program.
  • If a data breach occurs involving your health information, Purdue and its partners will notify you immediately.
