OCR Clarifies How HIPAA Rules Apply to Workplace Wellness Programs
Office for Civil Rights Director Jocelyn Samuels has written a blog post to clear up confusion about how HIPAA Rules apply to workplace wellness programs provided through employer-sponsored group health plans.
Workplace wellness programs have become increasingly popular in recent months and more employers are now offering workplace wellness programs to employees to improve their health.
Providing workplace wellness programs to employees requires employers to gather health data through health risk assessments and various other means, and those data must be protected under Health Insurance Portability and Accountability Act Rules. HIPAA also places severe restrictions on how health data can be used.
HIPAA does not apply to all workplace wellness programs, only those that are offered through an employer-sponsored group health plan.
Samuels explained in the post that employers are not permitted to disclose any health data for employment-related actions, nor are data allowed to be used for marketing purposes or any other reason not permitted by HIPAA Rules.
The HIPAA Security Rule requires all covered entities to implement technical, administrative, and physical safeguards to prevent protected health information from being viewed or accessed by unauthorized individuals. Samuels points out that employers must therefore use firewalls or other security measures to prevent collected health data from being accessed or used for employment functions. Samuels confirmed that HIPAA Rules do not permit employers or managers to use collected health data to make decisions about employees’ jobs.
Should collected health data be accidentally or deliberately disclosed to an unauthorized third party, or otherwise accessed by an unauthorized individual, the group health plan has a responsibility to notify all persons who had their data exposed or disclosed.
The Breach Notification Rule requires the group health plan to issue breach notification letters to affected employees within 60 days of discovery of a disclosure or exposure of protected data. OCR must also be informed of the breach within 60 days if more than 500 individuals’ data have been disclosed or exposed. A notice must also be issued to the media. The group health plan must report smaller breaches (affecting fewer than 500 individuals) on an annual basis (before March 1 of the following year).
Samuels explained that the penalties for failing to comply with HIPAA Rules are severe. Group health plans, and employers who are subject to the law, can face civil penalties for HIPAA violations and corrective action can be taken by the Office for Civil Rights as well as state attorneys general. HIPAA civil penalties of more than $50,000 can be issued for each HIPAA violation. Those penalties can increase to a maximum of $1.5 million per calendar year.
Employers offering workplace wellness programs for employees and group health plans can find further information on how HIPAA Rules apply to workplace wellness programs on this HHS link.