How HIPAA Applies to Certain Workplace Wellness Programs
Workplace wellness programs provide an opportunity to improve employees’ health, while also helping to control health care spending. The recent increase in these types of programs also means that more employers are collecting employee health information as part of these programs. This may raise questions as to what employers are allowed to do with the information they collect for wellness program purposes through health risk assessments or other means, and what their responsibilities are to protect the information. While the Health Insurance Portability and Accountability Act (HIPAA) does not apply to all workplace wellness programs, it does apply to programs offered as part of an employer-sponsored group health plan. It may not be obvious to you whether your employer’s workplace wellness program is or is not offered as part of a group health plan; if you have questions about protections for data collected as part of a workplace wellness program, you should ask your employer. Below are a few important facts to help you understand how your health information is protected.
- An employer that administers a wellness program as part of a group health plan is prohibited from using or disclosing individuals’ health information for employment-related actions or other purposes not permitted by HIPAA (for example, for marketing without your express authorization).
- HIPAA requires that an employer that administers a wellness program as part of a group health plan establish firewalls or other security measures so that information collected as part of its plan administration functions cannot be accessed and used for employment functions. For example, an employer must ensure that your health information collected through the wellness program cannot be used by your supervisor to make decisions about your job.
- A group health plan that learns of an unauthorized use or disclosure of individuals’ protected health information by the employer that is administering aspects of the wellness program must notify the affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, of the breach, in accordance with the requirements of the HIPAA Breach Notification Rule.
- There are serious implications for entities that fail to comply with HIPAA, including employers who are subject to the law. The Office for Civil Rights at HHS oversees compliance with HIPAA and investigates potential violations. Entities that are investigated may be required to take corrective action, or can face civil penalties of up to $50,000 or more for each violation and up to $1.5 million in a calendar year for repeated violations of the same provision.
For additional information, view OCR’s guidance on HIPAA and workplace wellness programs here.