Part II – The Wellness Exception to HIPAA

What is the Wellness Exception to HIPAA?

There is a little recognized provision of the Affordable Care Act called, in brief, the Wellness Exception to HIPAA.  The full name of the section is Incentives for Nondiscriminatory Wellness Programs in Group Health Plans.  Those subjected to parts of it may certainly be suffering from its provisions, and object strongly to it,  but they do not know why they can be subjected to the invasion of privacy.  This is a link to the text of the section: https://www.federalregister.gov/articles/2013/06/03/2013-12916/incentives-for-nondiscriminatory-wellness-programs-in-group-health-plans#h-9  Ctrl-Click to access the link.

How do Wellness Programs Work?

Although some employers use a carrot approach with free or subsidized access to fitness facilities, etc, there are others that rely on the stick.  Under the guise of promotion of Wellness, many people who have insurance with employers are being required to provide their blood pressure, low density cholesterol (LDL), body mass index (BMI- a measuring appropriate weight for someones height) and waist circumference plus submit answers to extensive questionnaires or pay a stiff financial penalty in the order of several hundred to several thousand dollars.  The law allows a penalty of up to up to 30% of their  health insurance premium in general if they don’t comply and 50% if the employee smokes or perhaps, won’t provide proof that they don’t.  If they do comply, and they do not meet the wellness benchmarks, they may still be subjected to a penalty.

Physicians are usually required to either provide or sign off on the accuracy of the height, weight, LDL, fasting glucose, blood pressure report, and whether or not a physical examination was done.  Alternatively,  official copies of lab reports must be submitted to the wellness program. None of the information that either the patients or the physicians are submitting is protected by HIPAA ( not that HIPAA would provide much protection if it were as mentioned in Part I of this series).  This lack of protection by HIPAA was confirmed by Devin McGraw, Deputy Director for Health Information Privacy for HHS at the 2016 Patient Privacy Rights Summit. If employees do not answer these questions truthfully, they may be subject to termination of employment. In some cases, employer provided health insurance will be denied if the employee does not participate.

What is in those questionnaires?

The questionnaires can be an extreme invasion of privacy.  There is often a provision to notify the wellness program of a pregnancy as soon as it is known, whether or not a woman intends to become pregnant, a complete review of medical symptoms and problems, questions that have to do with mental health, causes of stress in the person’s life, their work performance, why they took time off from work, relationships with family and anticipated household income.  Here are some links to articles about these wellness programs.

Use Ctrl-Click to follow the links.

http://www.nytimes.com/2013/09/25/business/rules-sought-for-workplace-wellness-questionnaires.html

https://www.wsj.com/articles/SB10001424127887323455104579014653816536802

http://blog.aarp.org/2016/10/10/new-rules-on-workplace-wellness-programs-make-employees-pay-for-privacy/

https://www.littler.com/publication-press/publication/eeoc-issues-long-awaited-proposed-rule-employer-wellness-programs?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original

https://www.bloomberg.com/news/articles/2014-12-16/your-wellness-program-at-work-may-not-be-as-private-as-you-think

https://arstechnica.com/science/2016/10/wellness-programs-strong-arm-employees-into-giving-up-health-info-suit-says/?comments=1&post=32133381

https://hbr.org/2017/01/workplace-wellness-programs-could-be-putting-your-health-data-at-risk

http://www.workforce.com/2014/04/07/filling-up-on-wellness/

Wellness Programs, the American with Disabilities Act and the AARP Lawsuit

The Equal Employment Opportunity Commission (EEOC) published an advisory about this regulation in 2016 because of concerns related to the financial compulsion to provide information for those with disabilities.   https://www.eeoc.gov/laws/regulations/qanda-ada-wellness-final-rule.cfm  The AARP is now suing the EEOC over this by using the American with Disabilities Act as a possible wedge to stopping this practice. http://www.aarp.org/content/dam/aarp/aarp_foundation/litigation/pdf-beg-02-01-2016/EEOC-v-Flambeau.pdf Prior lawsuits that have attempted to stop it on a different basis have been dismissed by the courts. https://www.littler.com/publication-press/publication/wellness-program-awakens-district-court-rejects-eeoc-challenge 

Are our Lawmakers aware of what is going on?

I find it interesting that I have not found any evidence that Senators and Representatives have been subjected to these questionnaires.  I wonder if it is because the federal government knows these tactics will not be tolerated despite the fact it was a federal law that is allowing this to happen and that the wellness industry does not want them to see what these questionnaires have in them?  The Wellness Industry is very big industry and they would not want to lose this part of their business.  I have had it suggested to me that this program was a bone thrown to the insurance industry because the Affordable Care Act would not allow them to rate patients for pre-existing conditions, so this was added to the law as another way to do something similar and to entice them to cooperate with the insurance exchanges.

The Affordable Care Act is up for Revision – Now is the Time to ACT!   (SEE ADDENDUMS BELOW)

Please call or write your Representative and Senators and Tom Price, MD, head of HHS, to protest these intrusive questionnaires and your health data collection.  Here is a link to help you find the address and telephone number of your Representative or Senators and contact Tom Price.

http://www.opencongress.org/people/zipcodelookup

Nancy Anthracite, MD

ADDENDUM – 3-11-2017 & 3-12-2017,  7-15-2017, 7-19-2017, 8-25-2017,  10/26/2017 and 12/21/2017

3-11-2017

As offensive and invasive as some of the questionnaires and testing that are required now, proposed bill HR 1313 is going in a direction I did not think anyone would EVER consider acceptable.   Genetic testing could actually be required as part of the Wellness program!  I expect this was conceived of as a way around the AARP suing the EEOC, but the ramifications for everyone are disastrous.  As I read this, all employers, not just those offering health insurance to their employees, could get away with this.  Although the amount of money associated with this is called an “incentive”, it is so significant that only those who are very well off financially could realistically be expected to refuse to submit to these exams, blood tests and questionnaires.  I also expect Wellness companies to contract with employers to guarantee a profit to companies who subject their employees to this because the information is very valuable.

Please see the following two links

https://www.yahoo.com/news/house-republicans-let-employers-demand-100034946.html

https://www.congress.gov/bill/115th-congress/house-bill/1313/text

There is also more news on the AARP suit against EEOC.  The government is trying to claim that AARP does not have standing.

http://www.modernhealthcare.com/article/20170303/NEWS/170309958

3-12-2017

I am thrilled to have found this and find that it has a lot of opposition. I apparently was late in finding out about this. This gives me some real hope that the backlash might put an end to the privacy invasion associated with Wellness, although the very fact this outrageous bill got out of a committee is, I think, a testament to the power of the wellness industry which will be difficult to oppose.

https://www.washingtonpost.com/news/to-your-health/wp/2017/03/11/employees-who-decline-genetic-testing-could-face-penalities-under-proposed-bill

3-13-17

Politico this AM posted that Tom Price was not thrilled with this proposed legislation and that the Senate would be unlikely to pass it.  Let’s hope they are right.  They pointed out that “Federal anti-discrimination law prohibits employers from asking employees about non-job-related health information, but employer-sponsored wellness programs are an exception – if they are “voluntary.” But what’s voluntary about a choice that might affect half your health insurance payment?”

http://www.politico.com/tipsheets/morning-ehealth

5-23-2017

Here is another excellent article about the problems, fallacies and privacy invasion of workplace wellness.

http://www.slate.com/articles/health_and_science/the_ladder/2016/09/workplace_wellness_programs_are_a_sham.html

7-15-2017

Although HR 1313 has slipped out of the news (see 3 12-2017 addendum), from my queries and reading about the replacement plans for the Affordable Care Act, there is no evidence that the Wellness provisions will be watered down nor have the plans for the content of HR 1313 to eventually be part of  Workplace Wellness been scrapped.  The AARP is pressing on to block the onerous provisions of Workplace Wellness but some law makers are working on making Wellness an exception to the protection provided by the American with Disabilities Act.

This wonderful Op-Ed points out how valuable genetic data is to businesses and why they are lobbying to get their hands on it and why Americans need to be very careful where their genetic testing results are available.  The cancer research databases are not mentioned here, but they, too, are a potential source of genetic information that can be mined for other purposes.  Cancer patients have very little if any control about what information about them is given to cancer registries.

http://dailycaller.com/2017/07/14/americans-unwittingly-subject-themselves-to-genetic-discrimination/

7-19-2017

This editorial about HR. 1313 was published in the July 6th New England Journal of Medicine.  Rumors that I am hearing indicate that HR. 1313 is still very much alive and likely to be passed in this form or some other because of pressure from the business community.

http://www.nejm.org/doi/pdf/10.1056/NEJMp1705283

8-25-2017

AARP prevailed in court in its suit against EEOC.  However, it is not over yet because the judge gave the EEOC a second chance to provide sufficient data to justify their position that imposing a 30% penalty or incentive premium is not coercive for providing genetic or private information as part of a wellness program.  The Judge failed to void the rules completely giving the EEOC time to try again because to justify their position in court.

Here is a link to the AARP press release:

https://press.aarp.org/2017-08-24-AARP-Scores-Federal-Court-Victory-Workers-Challenge-Workplace-Wellness-Rules

And a link to Judge Bates written decision:

http://opensourcevista.net/NancysVistAServer/AARPvsEEOC-DistrictCourtDC-JudgeBatesOpinion-8-22-17.pdf

10/26/2017

It seems that Wellness programs have may have figured a way around the restriction that the AARP decision seemed to impose.  The latest test I have seen no longer requires that a number of questions about physical health and abilities be answered to avoid a financial penalty,  but now the questions are a rather comprehensive psychological test!  Also, I have not seen any evidence that the plan for HR1313 to ultimately be passed has been abandoned.  That contains language to void the American with Disabilities Act for the Wellness programs.

The HR1313 Summary states:

Preserving Employee Wellness Programs Act

This bill exempts workplace wellness programs from: (1) limitations under the Americans with Disabilities Act of 1990 on medical examinations and inquiries of employees, (2) the prohibition on collecting genetic information in connection with issuing health insurance, and (3) limitations under the Genetic Information Nondiscrimination Act of 2008 on collecting the genetic information of employees or family members of employees. This exemption applies to workplace wellness programs that comply with limits on rewards for employees participating in the program.

Workplace wellness programs may provide for more favorable treatment of individuals with adverse health factors, such as a disability.

Collection of information about a disease or disorder of a family member as part of a workplace wellness program is not an unlawful acquisition of genetic information about another family member.

12/21/2017

Classic Good News and Bad News

Good new is that the AARP won in court again and in January of 2019 the, Wellness questions about our physical health should go away.  However, I still don’t know it that will stop the psychological test questionnaires.  I hope to learn more about that in the new year.

Now here is some bad news.  Congress, who cooked up HR1313 has now cooked out  new bills, H.R. 4805 (114) [https://www.congress.gov/bill/114th-congress/house-bill/4805] and  S. 3530 (114)  [https://www.congress.gov/bill/114th-congress/senate-bill/3530]  that were, thankfully, brought to light by POLITICO and reported in their eHealth newsletter this AM.  Since the link to the news letter has a new story every day, I have pasted this section in below.  The link to the daily news is:

http://politico.com/morningehealth

********From POLITICO Morning eHealth today********

– Stealthy bill:  A bill submitted Dec. 11 that just came to our [POLITICO’s ] attention would create a major new role in health care for data brokers like Experian and Availity. The Ensuring Patient Access to Healthcare Records Act, introduced by Rep. Cathy McMorris Rodgers, gives clearinghouses the right to share and sell health data and analysis to patients, provider organizations, public health agencies, drug companies and others.

The companies already process hundreds of millions of health-related transactions, but can’t share data widely due to HIPAA restrictions. They are sometimes classified as business associates. So the companies want to be able to combine data from multiple sources into longitudinal records that can be provided directly to patients and used to prepare analysis and reports for health care companies.

The legislation has been percolating in Capitol Hill for a while. A previous version – which appears to have arisen from a lobbying campaign backed by Experian, The SSI Group and Availity – was first introduced in March 2016 as H.R. 4805 (114). A Senate version (S. 3530 (114)) was introduced last December by Bill Cassidy.

Some of the lobbyists behind the bill have connections with the co-sponsors. Keith Studdard, a lobbyist from Jeffrey J. Kimbell and Associates, used to work for co-sponsor Marcia Blackburn. Another lobbyist from the same firm, John Ray, worked for co-sponsor Mike Kelly.

At least one data transparency advocate is not a fan of the bill. “I don’t think their intentions are pure,” said former CMS data officer Niall Brennan, now CEO of the Health Care Cost Institute. “They want to sell patients own data back to patients – they should be able to get it for free.”

******************************

2/8/2018

Hopefully, one more bit of information to help deep 6 this program was cited in this Federal Soup article.  A study of a workplace wellness in Illinois program showed it did not help!

https://federalsoup.com/articles/2018/02/07/hf-study-workplace-wellness-programs-not-working-out.aspx?s=FDHealth_070218

http://www.nber.org/workplacewellness/

*******************************

2/17/2018

No wonder EEOC is not bothering to rewrite the rules since the success of the AARP court case against the Wellness section of the Affordable Care Act with this bill still in the works!

I was digging up the URL for the proposed legislation, HR 1313, to send to someone and found that they amended the proposed legislation on December 11, 2017.  It appears they are again trying to get around the court ruling and keep the ability for companies to demand personal information and collect employees genomes under threat of an up to 50% increase in their health insurance premium alive and well!

https://www.congress.gov/bill/115th-congress/house-bill/1313

This is the amended part at the above URL:

(Sec. 3) This bill exempts workplace wellness programs from: (1) limitations under the Americans with Disabilities Act of 1990 on medical examinations and inquiries of employees, (2) the prohibition on collecting genetic information in connection with issuing health insurance, and (3) limitations under the Genetic Information Nondiscrimination Act of 2008 on collecting the genetic information of employees or family members of employees. This exemption applies to workplace wellness programs that comply with limits on rewards for employees participating in the program.

Workplace wellness programs may provide for more favorable treatment of individuals with adverse health factors, such as a disability.

Collection of information about a disease or disorder of a family member as part of a workplace wellness program is not an unlawful acquisition of genetic information about another family member.

I also found that HR 4805 is back as HR 4613

https://www.congress.gov/bill/115th-congress/house-bill/4613

giving clearinghouses the right to share and sell health data and analysis to patients, provider organizations, public health agencies, drug companies and others.

**************************

9/22/2018

I think I see one of the ways that the court ruling on the Wellness Exceptions to HIPAA will be circumvented.  Once again we are seeing the pattern of financial penalties if you don’t provide private information.  Again it is being called a reward.  Please see this page which describes what the John Hancock company wants to do with wearables.

https://www.politico.com/newsletters/morning-ehealth/2018/09/21/murray-at-center-of-opioid-privacy-fight-347188

I am waiting to see what other schemes surface as companies put their heads together with their lawyers to see what they can get away with in financially coercing people to provide them private information.

If you are thinking, “Oh, this is just a Fitbit”, let me point you to these two links:

https://www.cnn.com/2018/01/28/politics/strava-military-bases-location/index.html

https://thedatamap.org/index.php#Demonstration

John Hancock does not require you have your Fitbit give them data directly, but it would be easiest to do it that way and for them, it will give them access to much more data about you.  Even if only user recorded information about activities is provided, users need to think carefully about what they are revealing and the unintended consequences before they decide this is a “good deal”.

Nancy Anthracite

11/7/2018

I am delighted to see that the NEJM contained an editorial about the ethical conflict physicians have with the wellness programs and today there is an open article that discusses it.  For those of you who have access to the New England Journal of Medicine, this is the link for you: Lamkin M. The physician as double agent—conflicting duties arising from employer-sponsored wellness programs. N Engl J Med. 2018;379:1297-1299

And this is the link to an article I think anyone can read about it: http://www.medicalbag.com/ethics/employee-wellness-programs-ethical-dilemma/article/812813

I am sorry to say that all of what I see strongly suggests that the lawyers have been busy working on ways to get around the court ruling on the wellness questionnaires and companies are coming up with even more invasive ways of gathering information and continuing to charge customers who don’t agree to providing it.

12/4/2019

Wellness programs ineffective

On April 16, 2019, the Journal of the American Medical Association (JAMA) published a Harvard study entitled “Effect of a Workplace Wellness Program on Employee Health and Economic Outcomes”.  The results showed, despite employees engaging in more healthful activities, “there were no significant effects on clinical measures of health, health care spending and utilization, or employment outcomes after 18 months”. This program, as most wellness programs, did not just provide services to the employees, but collected private information about patients activities and health in the process.  You can read the study here:  https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6484807/   An article commenting on the $8B Wellness Industry ineffectiveness  is here:  https://www.healthaffairs.org/do/10.1377/hblog20191001.231439/full/

Wellness Questionnaires after your mental health and financial wellness

In January of 2019, Judge Bates ruling was to take effect prohibiting Wellness questions about health that would violate the American with Disabilities Act.  Even before that happened, I found the Wellness industry  switched their tactics to submitting those who did not want to pay extra for their insurance to answering hundreds mental and financial well being questions with optional physical health questions and this has persisted after the January 2019 deadline.   This change in questionnaire tactics is coupled with additional “activities”  that are tracked, sometimes with Fitbit like devices and sometimes with online reporing,  that are required to receive the  “incentives”.   This tactic has persisted after January 2019 even though the American with Disabilities Act protects persons with mental as well as physical illness.  I have no information to indicate that the AARP is intending to pursue this further in  court or that there is any interest in Congress in stopping this practice.  Note that whether you call these financial burdens “incentives” or “penalties” is of little consequence as they are all coercive as Judge Bates pointed out in his decision. http://opensourcevista.net/NancysVistAServer/AARPvsEEOC-DistrictCourtDC-JudgeBatesOpinion-8-22-17.pdf

Google and Project Nightingale

Google’s announcement of the intention to purchase Fitbit almost at the same time Project Nightingale was exposed by the Wall Street Journal (WSJ) caused an uproar and is bringing more attention to healthcare privacy.   Project Nightingale is a collaboration between the Ascension and Google where Google is receiving and analyzing data, that has not been de-identified, on millions of Ascension patients.  The WSJ article is closed to non-subscribers, but this link is to one of many articles discussing what was in the WSJ and pointing out that this is only one of many similar collaborations going on throughout industry.    https://www.theverge.com/2019/11/11/20959771/google-health-records-project-nightingale-privacy-ascension 

Google and Ascension are vigorously defending themselves by pointing out they are doing nothing illegal according to HIPAA.  As a result,  there seem to be some lawmakers, particularly in the Senate, who are finally making public comments that HIPAA needs “updating” to protect patients in this era of Big Data.  The Department of Health & Human Service’s Office of Civil Rights is investigating to see if there were any HIPAA violations but does not expect to find any.  For the most part, Congress has recently been passing legislation that weakens the already insufficient previsions of HIPAA, not trying to strengthen or update it.  HHS itself is engaged in gathering data and redistributing healthcare data and has shown no interest in doing anything of consequence to update HIPAA, HHS tells users of the data they  redistribute to police themselves and not attempt to re-identify data.

Like the other privacy protection movements currently in the House and Senate, things are bogged down and nothing is likely to change to improve HIPAA in favor of patient’s rights.  Industry is rapidly putting privacy “protections” in place  assuage lawmakers but keep their options to collect and analyze data wide open.  Lobbyists are pushing to have federal legislation enacted that will block states from enacting more stringent privacy legislation such as California is doing.

California Legislation, the GDPR, and California’s blatant privacy invasion

Ironically, while California is planning to essentially mirror the European Union’s General Data Privacy Regulation (GDPR) protections (see https://en.wikipedia.org/wiki/General_Data_Protection_Regulation ),  California itself is broadly invading their own citizens privacy.  California is collecting extensive quality measure data from physicians and hospitals that is personally identified and more extensive than the federal quality measure reporting requirements.   It is also forcing its citizens and physicians to participate in a Parkinson’s disease registry kept by the Department of Health.   This is particularly alarming as this program was the result of legislation enacted as the result of pressure from those seeking the data.  Dementia is one Parkinson’s disease’s late manifestations,  so those with early disease who show few or minimal manifestations are particularly likely to want to keep their disease confidential to prevent adverse consequences for their careers, etc.  Unless their physicians are willing to chance a $500 a day fine (see Section 102870 (f) of California Health & Safety Code  https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=HSC&division=102.&title=&part=2.&chapter=1.6.&article=), physicians must report their patients to this registry without patient consent.  As the FAQ’s at the web site explain to patients, they have no option to opt out of this reporting before or after their personal demographic and health data is delivered to the registry.      https://www.cdph.ca.gov/Programs/CCDPHP/DCDIC/CDSRB/Pages/California-Parkinson’s-Disease-Registry.aspx

More people now subject to Wellness Programs

Previously, those subjected to the Wellness provisions of  the ACA  were limited to those receiving health insurance through their employer.  Now  section 2705(l) of the Public Health Service Act (PHS Act) is allowing Health & Human Services to allow anyone receiving insurance through Health Insurance Exchanges  to be subject to the Wellness provisions of the ACA.

The Wellness Demonstration Projects regulation that allows this can be found at the link that follows.  As a reminder, none of the information collected is protected by the woefully inadequate HIPAA regulations.   https://www.cms.gov/CCIIO/Resources/Regulations-and-Guidance/Downloads/Wellness-Program-Demonstration-Project-Bulletin.pdf

Nancy Anthracite, MD