Getty Images

HHS Reviews HIPAA Regulations for Workplace Wellness Programs

Employers must comply with HIPAA Regulations when collecting PHI for wellness programs as part of a health plan, HHS states.

A recent Department of Health and Human Services (HHS) blog post by Jocelyn Samuels, the Director of the Office for Civil Rights, discusses how HIPAA regulations apply to wellness programs that are part of an employee-sponsored group health plan.

With the growing trend of workplace wellness programs, more employers are gathering employee health information as part of a health initiative, Samuels writes. HHS aims to explain how employers can use health information, especially PHI, and what they need to do to protect health information under HIPAA Rules.

Workplace wellness programs provide employees with support for improving their health while helping to reduce healthcare spending for employees and employers. However, not all wellness programs require employers to protect health information, such as a direct program through an employer.

If a wellness program is part of an employer-sponsored health plan, then it must abide by HIPAA regulations. Some examples include incentives related to a group health plan benefits, like premium reductions or cost-sharing.

Determining if a program must comply with HIPAA rules can be difficult, the blog explains. Samuels urges individuals to ask employers if they are uncertain about the nature of a wellness program.

A majority of programs require that employers collect PHI and other employee health information through health risk assessments or other ways. Employers need to be aware of how this information is protected under HIPAA regulations, Samuels explains.

She also emphasizes four major points to keep in mind when dealing with HIPAA regulations and wellness programs.

First, an employer must protect PHI and other health data under HIPAA rules collected from a wellness program. Employers cannot use or disclose “individuals’ health information for employment-related actions or other purposes not permitted by HIPAA (for example, for marketing without your express authorization).”

Second, if an employer conducts a wellness program as part of a group health plan, the employer must create firewalls and other security measures as outlined by HIPAA. The health information cannot be shared and used for employment-related purposes. Samuels uses an example of a supervisor making decisions about an employee’s job based on the individual’s health information.

A previous statement adds that the health information must be protected by appropriate administrative, technical, and physical safeguards. These security measures must ensure that there is separation between program administration and employment functions.

“While the HIPAA Rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA, and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates),” explained HHS the previous statement.

Samuels’ third point in her blog post highlights the procedure for a health security breach.

“A group health plan that learns of an unauthorized use or disclosure of individuals’ protected health information by the employer that is administering aspects of the wellness program must notify the affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, of the breach, in accordance with the requirements of the HIPAA Breach Notification Rule.”

Fourth, employers must abide by HIPAA regulations or they can risk being investigated by the Office of Civil Right at HHS.

“Entities that are investigated may be required to take corrective action, or can face civil penalties of up to $50,000 or more for each violation and up to $1.5 million in a calendar year for repeated violations of the same provision,” wrote Samuels.

HHS hopes to educate and remind employers of the ways they can obtain and use health information, especially with many legal changes that may expand wellness programs.

As previously reported by HealthITSecurity.com, the Equal Employment Opportunity Commission (EEOC) proposed changes to the Federal Register on the Genetic Information Nondiscrimination Act of 2008 (GINA) that may also impact how employers collect data through wellness programs.

The proposed changes state that employers can obtain genetic information when it is used to promote health and prevent disease. Employers can also use financial incentives of up to 30 percent of the cost of the family health plan.

However, the amendment explains that employers cannot acquire spouse or dependent health information, even if they are part of the health plan. Spouses can volunteer their health information through written authorization, but employers cannot access information about dependents.

 
Workplace wellness programs, HIPAA regulations reviewed

Dig Deeper on HIPAA compliance and regulation