The Department of Health and Human Services (HHS) recently issued guidance on “HIPAA Privacy and Security and Workplace Wellness Programs.” The guidance helps employers determine whether the health information they may receive through their worksite wellness programs is covered by HIPAA.
The guidance explains that, in general, any health information that is created, collected, maintained, accessed, used, or disclosed through a workplace wellness program that is part of a company’s group health plan is covered by HIPAA. If the workplace wellness program is offered by an employer directly and not through the company’s group health plan, other laws may apply, but HIPAA does not.
The guidance further explains that information relating to the workplace wellness program may not be shared with the employer in its role as plan sponsor unless the employees give written authorization, or unless the employer, as plan sponsor, “amends the plan documents and certifies to the group health plan that it agrees to, among other things:
- establish adequate separation between employees who perform plan administration functions and those who do not;
- not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
- where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and
- report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.”
Finally, the guidance reminds group health plans that if there is a breach of unsecured PHI, they are obligated under the HIPAA breach notification requirements to notify the affected individuals, the Office for Civil Rights, and potentially the media of the breach.
Employers may wish to review the guidance and their HIPAA compliance regarding worksite wellness programs. The short guidance can be accessed here.