On April 16, the U.S. Department of Health and Human Services (HHS) issued guidance on whether the HIPAA Privacy and Security Rules apply to workplace wellness programs. Whether HIPAA applies depends on how the specific wellness program is structured. As a reminder, HIPAA applies to “covered entities” which is defined to include health plans. An employer is not covered by HIPAA, but the employer-sponsored health plan is covered by HIPAA. Therefore, HHS explains that when a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information collected by the employer is not subject to the HIPAA Privacy and Security Rules. However, when a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is PHI and subject to the HIPAA Privacy and Security Rules.

HHS cites as an example a program that offers incentives related to group health plan benefits, such as reductions in premiums or cost-sharing amounts, in exchange for participation in the wellness program. Such a program is subject to HIPAA. The HHS guidance also serves as a reminder that if the wellness program is covered by the HIPAA Privacy and Security Rules, the health plan as a general rule cannot share PHI from the wellness program with the employer. However, where the employer performs administrative functions for the health plan it sponsors, the health plan can disclose PHI to the employer to the extent necessary to perform those administrative functions as long as the employer amends its plan documents and agrees to certain requirements like not using or disclosing PHI for employment related purposes. The HHS guidance states that HIPAA protects the PHI held by the employer when administering the wellness program benefits offered through the plan.

Furthermore, HHS states that when the health plan has knowledge of a breach of unsecured PHI at the employer, the health plan must comply with the breach notification rules and notify all affected individuals. Where the employer does not perform plan administrative functions, the HIPAA Privacy Rule only allows the health plan to disclose to the employer (1) information on which individuals are participating in the wellness program; and (2) summary health information if requested for the purpose of modifying the plan or obtaining premium bids for coverage under the plan. With the issuance of this guidance now is a good time to review your workplace wellness program to determine whether it is subject to the HIPAA Privacy and Security Rules, and if so, ensure compliance.