The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules (the HIPAA Rules) protect individuals’ identifiable health information held by covered entities and their business associates (called “protected health information” or “PHI”). Covered entities under HIPAA are health care clearinghouses, health plans, and most health care providers. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve access to PHI.
The Privacy Rule, among other things, regulates the uses and disclosures that a covered entity or business associate may make of PHI. The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to secure electronic PHI. The Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media (and business associates to notify covered entities), of breaches of unsecured PHI.
Q1: Do the HIPAA Rules apply to workplace wellness programs?
A1: Since the HIPAA Rules apply only to covered entities and business associates – and not to employers in their capacity as employers -- the application of the HIPAA Rules to workplace wellness programs depends on the way in which those programs are structured. Some employers may offer a workplace wellness program as part of a group health plan for employees. For example, some employers may offer certain incentives or rewards related to group health plan benefits, such as reductions in premiums or cost-sharing amounts, in exchange for participation in a wellness program. Other employers may offer workplace wellness programs directly and not in connection with a group health plan.
Where a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is PHI and protected by the HIPAA Rules. While the HIPAA Rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA, and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates). HIPAA also protects PHI that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan.
Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by the HIPAA Rules. However, other Federal or state laws may apply and regulate the collection and/or use of the information.
Q2: Where a workplace wellness program is offered through a group health plan, what protections are in place under HIPAA with respect to access by the employer as plan sponsor to individually identifiable health information about participants in the program?
A2. The HIPAA Privacy and Security Rules place restrictions on the circumstances under which a group health plan may allow an employer as plan sponsor access to PHI, including PHI about participants in a wellness program offered through the plan, without the written authorization of the individual. Often, the employer as plan sponsor will be involved in administering certain aspects of the group health plan, which may include administering wellness program benefits offered through the plan. Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents and certifies to the group health plan that it agrees to, among other things:
- Establish adequate separation between employees who perform plan administration functions and those who do not;
- Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
- Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and Report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.
See 45 CFR 164.314(b) and 164.504(f)(1)(i) and (f)(2).
Further, where a group health plan has knowledge of a breach of unsecured PHI at the plan sponsor (i.e., an unauthorized use or disclosure that compromises the privacy or security of the PHI), the group health plan, as a covered entity under the HIPAA Rules, must notify the affected individuals, HHS, and if applicable, the media, of the breach, in accordance with the requirements of the Breach Notification Rule.
Where the employer as plan sponsor does not perform plan administration functions on behalf of the group health plan, access to PHI by the plan sponsor without the written authorization of the individual is much more circumscribed. In these cases, the Privacy Rule generally would permit the group health plan to disclose to the plan sponsor only: (1) information on which individuals are participating in the group health plan or enrolled in the health insurance issuer or HMO offered by the plan; and/or (2) summary health information if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan.