A company that provides the online Health Assessment for my insurer has just contacted me by email through an online survey company. I have never created an account with the wellness company, so therefore I have never agreed to their service agreement. Yet they have my email address, and have given it to an online survey company to contact me with a survey. I didn’t complete the survey, but I did look at the questions. The first question was, “Have you completed the Health Assessment?” I said no. Then the next page contained several questions asking about my health and exercise habits. Is this a violation of my HIPAA privacy rights?
I have never contacted this company. The only way they could have my email address is through my insurer, and I have never given them permission to share my contact information for any reason other than to pay claims.
Dear Private Person,
Your insurer is allowed to give the wellness company your e-mail address under the “Treatment, Payment, Operations” provisions of HIPAA. All insurers have the right to conduct these functions without express permission by the individual; these functions include paying claims, managing your care, and providing wellness programs. The wellness company is contracted by your insurer to distribute the health risk assessment; under that contract, they are given contact information of insured members. This contract also binds them to obeying all confidentiality and security requirements.
So, the wellness vendor having your e-mail address is not in itself a HIPAA violation. You can choose to participate in the health assessment or not. Any information that you share via the assessment would still be protected by confidentiality. The goal is for the program to identify health issues and help members address these. Participating is entirely voluntary, however. (Whether these kinds of programs are valuable or successful is an entirely different question, and experts debate it constantly.)