My insurance company has a wellness program online that is operated by an outside vendor. When you log in, you are required to agree to a service agreement which states that the vendor may use any information you provide in the wellness program to contact you about selling you services or products related to your health. They may also share this information with other companies, and they are not responsible for the other companies in keeping your information private. The insurance company logo is on this page, and unless you carefully read these agreements, which are quite long, you are not aware that this program is not being provided directly through the insurance company. Most members would not expect that information they provide online would be given directly to a company like Rite-Aid. They expect their insurance company to keep their health information private – yet as part of the wellness program, you are sharing your health information with who knows how many companies. How does this not violate the HIPAA privacy rules? I have asked my insurance company this question, and they have not replied.
Healthy in Maine
Dear Healthy in Maine,
You are correct that your insurance company cannot share information with other companies, unless it is one of the allowed uses defined by HIPAA or you permit them to do so. The situation you describe is very interesting because you had the impression that you were still on your insurer’s website. Thus, you thought you were dealing with an organization that you already had a relationship with, rather than a vendor. I can see why that would be confusing or misleading, but it’s not a HIPAA violation by itself.
The service agreement that you describe would allow the wellness vendor to do things that would not be permitted by HIPAA. The agreement asks your permission. If you permit it, they can proceed. The agreement seems to open up the door for direct marketing to you, something that HIPAA specifically protects against. I agree many members would be uncomfortable with this. The vendor can point to the agreement that the member authorized, however.
Meanwhile, the insurer is keeping your data private, unless you permit them to do otherwise. The service agreement is permitting them to do “otherwise”. As long as members are voluntarily agreeing to the program, then the insurer and wellness vendor are acting appropriately. (The fact that members may not realize what they are agreeing to is another matter entirely.) I wouldn’t assume that the insurer is violating HIPAA rules, in other words.