OCR Issues Advice on HIPAA and Workplace Wellness Programs
Protected Health Information (PHI) is safeguarded under the Health Insurance Portability and Accountability Act (HIPAA) Rules, which require covered entities (CEs) to implement controls to ensure that healthcare data is not disclosed to unauthorized individuals. Should such a disclosure occur, or if the data is stolen, covered entities are also required to notify the Office for Civil Rights (OCR) and any persons affected by the breach, with the rules and regulations for doing so laid down in the Breach Notification Rule.
These rules cover most healthcare providers, health plans and healthcare clearinghouses; however, the OCR has recently issued advice on Workplace Wellness Programs, as there appears to be some confusion about their coverage under HIPAA Rules.
Are Workplace Wellness Programs Covered by HIPAA?
The confusion over HIPAA and Workplace Wellness Programs is understandable, because whether these schemes are covered under HIPAA depends on how the wellness programs have been set up, and on whether they are provided through an employer as part of a group health plan.
In many cases, employees are encouraged to join Workplace Wellness Programs that are provided as part of a group health plan, with the employer receiving certain benefits for increasing the number of individuals signed up to the program. The employer may, for instance, receive a financial benefit such as a reduction in premiums in exchange for signing up more employees. However, a wellness program may also be offered directly by an employer.
The HIPAA rules for both of these are quite different. When a program is provided as part of a group health plan, the data that is obtained from the employee is considered to be Protected Health Information, as group health plans are covered under HIPAA Rules.
However, if an employer provides a wellness program directly, then since the employer is not covered by HIPAA Rules, neither is the Workplace Wellness Program, even though the same data may be collected in both cases. As pointed out by the OCR, in some cases, even though HIPAA does not cover the data, other federal and state legislation may, so some data privacy protections may still apply.
If the Wellness Program is provided as part of a group health plan, there are restrictions over the information – PHI – that can be passed to an employer. Oftentimes, these schemes involve the employer providing some sort of service or assistance with the management of the program.
The OCR points out that “Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents”.
The employer must also agree not to disclose any of the PHI for the purposes of “employment-related actions” and must ensure that sufficient controls are put in place to ensure that PHI is safeguarded in accordance with HIPAA Security Rule requirements. The employer must also report any unauthorized or accidental disclosures of PHI to the group health plan, which will be responsible for the breach response and issuing notification letters to those affected.
However, it is important to note that an employer that does not perform any administrative functions for the group health plan would not be permitted to access the PHI of the program members without written authorization having first been obtained from the persons in question, although there are exceptions. For example, a summary of health information may be provided for “the purposes of modifying the plan or obtaining premium bids for coverage”, and “information on which individuals are participating in the group health plan” can also be legitimately disclosed.
It is important that any employer who provides wellness plans in the workplace is familiar with the HIPAA Rules covering those plans, and that employees also familiarize themselves with the rules covering disclosure of their PHI, and with whether their data actually constitutes PHI.