HIPAA and Workplace Wellness Programs

Modified on Fri, 1 Aug at 11:35 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Introduction

This article discusses whether HIPAA applies to workplace wellness programs that are offered by employers to their workforce.

How Does HIPAA Apply to Workplace Wellness Programs?


The HIPAA rules apply only to covered entities and to business associates. HIPAA does not apply to employers in their capacity as employers. Many employers offer workplace wellness programs to their workforce, or to those employees participating in the employers' group health plans. As discussed in HHS guidance, whether and how HIPAA applies to workplace wellness programs depends upon how the programs are structured.

Many employers offer workplace wellness programs as part of their group health plan. These employers might offer certain incentives or rewards related to group health plan benefits, such as reductions in premiums or cost-sharing amounts, in exchange for participation in a wellness program.

When a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program constitutes PHI, which is protected by the HIPAA rules.

While HIPAA rules do not apply to employers in their capacity as employers, a group health plan sponsored by the employer IS a covered entity under HIPAA - and, HIPAA protects the individually identifiable health information held by the group health plan (or its business associates).

HIPAA also protects PHI that is held by an employer as plan sponsor on the plan's behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan. As the guidance notes, however, an employee welfare benefit plan that has fewer than 50 participants and is self-administered is not a group health plan as defined at 45 CFR 160.103, and thus is not a covered entity under the HIPAA Rules.

What if the Workplace Wellness Program is Offered by Employers Directly and Not as Part of a Group Plan?

According to the HHS guidance, when a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is NOT protected by the HIPAA rules. However, other federal or state laws may apply and regulate the collection and/or use of the information.


Where a workplace wellness program is offered through a group health plan, what protections are in place under HIPAA with respect to access by the employer as plan sponsor to individually identifiable health information about participants in the program?

According to the HHS guidance, the HIPAA Privacy and Security Rules place restrictions on the circumstances under which a group health plan may allow an employer as plan sponsor access to PHI, including PHI about participants in a wellness program offered through the plan, without the written authorization of the individual. Often, the employer as plan sponsor will be involved in administering certain aspects of the group health plan, which may include administering wellness program benefits offered through the plan.  Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents and certifies to the group health plan that it agrees to, among other things:

  • Establish adequate separation between employees who perform plan administration functions and those who do not;
  • Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
  • Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and
  • Report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.

See 45 CFR 164.314(b) and 164.504(f)(1)(i) and (f)(2).

Further, where a group health plan has knowledge of a breach of unsecured PHI at the plan sponsor (i.e., an unauthorized use or disclosure that compromises the privacy or security of the PHI), the group health plan, as a covered entity under the HIPAA Rules, must notify the affected individuals, HHS, and if applicable, the media, of the breach, in accordance with the requirements of the Breach Notification Rule.

Where the employer as plan sponsor does not perform plan administration functions on behalf of the group health plan, access to PHI by the plan sponsor without the written authorization of the individual is much more circumscribed.  In these cases, the Privacy Rule generally would permit the group health plan to disclose to the plan sponsor only: (1) information on which individuals are participating in the group health plan or enrolled in the health insurance issuer or HMO offered by the plan; and/or (2) summary health information if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan.



