Workplace wellness programs are becoming increasingly popular among employers. A common concern many employers have is how to design a meaningful workplace program intended to improve the health of participating employees while complying with HIPAA’s privacy and security rules. Although employers are not covered entities, HIPAA may apply to an employer’s workplace program if it is part of the group health plan. In a blog post last year, OCR Director Jocelyn Samuels sought to further explain how employers can use health data collected for wellness program purposes and what measures are necessary to protect health information under HIPAA.

The blog described several key points on how wellness information must be protected under HIPAA:

  • Employers are not permitted to use or disclose health data for employment-related actions or anything not specifically allowed by HIPAA (e.g., marketing).
  • The employer, on behalf of the group health plan, must establish firewalls or other security measures to ensure the data cannot be accessed for employment functions (e.g., employers or managers using health data to make job decisions).
  • Should collected health data be accidentally or deliberately disclosed to an unauthorized third party, or otherwise accessed by an unauthorized individual, the group health plan has a responsibility to notify HHS and all persons who had their data exposed or disclosed in accordance with the HIPAA Breach Notification Rule.

The penalties for failing to comply can include investigations into potential violations, corrective action, and civil penalties of more than $50,000 for each HIPAA violation. Those penalties can increase to a maximum of $1.5 million per calendar year for multiple violations of the same provision.