HIPAA Rules for Workplace Wellness Programs

There has been some confusion surrounding the HIPAA Rules for workplace wellness programs. This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued new guidance clarifying how HIPAA applies to certain workplace wellness programs.

HIPAA Rules for Workplace Wellness Programs Clarified by OCR

The Health Insurance Portability and Accountability Act covers healthcare providers, health plans, and healthcare clearinghouses, along with business associates of covered entities. HIPAA does not apply to most employers. However, a group health plan sponsored by an employer is a covered entity and therefore HIPAA Rules apply. HIPAA Rules for workplace wellness programs do not apply if a workplace wellness program is not part of an employer-sponsored group health plan.

Oftentimes, employers offer rewards to employees, such as reductions in premiums, for participating in a workplace wellness program. Any employee who takes part in such a scheme is protected under the HIPAA Privacy Rule, and their data will be safeguarded by their employer, who acts as the plan sponsor.

Under the Privacy Rule, employers are not permitted to disclose employees’ PHI for employment-related actions or marketing purposes without first obtaining authorization from the individual in question. A number of other restrictions apply, as detailed in the HIPAA Privacy Rule.

HIPAA Rules for workplace wellness programs apply to any data collected as part of the program, and appropriate administrative, technical, and physical controls must be used to safeguard those data. Safeguards include access controls and firewalls to prevent unauthorized viewing of PHI. Employers must also protect the data when it is transmitted electronically.

In the event of a breach of PHI, all affected individuals must be notified of the exposure or disclosure of their data in accordance with the HIPAA Breach Notification Rule. If more than 500 individuals are affected, OCR must also be informed of the breach within 60 days of discovery, and the media must be notified. Smaller breaches do not require a media notice, and OCR can be informed of them annually.

OCR Director Jocelyn Samuels felt it necessary to clarify the HIPAA Rules for workplace wellness programs as the schemes are becoming more popular, and there appears to be some confusion about when HIPAA applies. In a recent blog post, Samuels points out that compliance is mandatory and that OCR may choose to investigate employers. A civil monetary penalty may be issued if OCR investigators discover that HIPAA Rules have not been followed.

Further information can be found on the Office for Civil Rights website.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news