On Thursday, April 16, 2015, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued guidance, consisting of two frequently asked questions (FAQs), on the application of the HIPAA Privacy, Security, and Breach Notification Rules to workplace wellness programs. HHS explains in one of the FAQs that the application of HIPAA to workplace wellness programs depends on whether the wellness program is offered as part of a group health plan for employees, or if it is offered independent of such a group health plan.  If the wellness program is offered as a part of a group health plan, the HIPAA Rules are applicable to it and any individually identifiable health information gathered by the program is protected health information (PHI).  HHS explains that if the program is offered directly by the employer, however, and not as part of the group health plan, any health information collected by the program is not protected by the HIPAA Rules – although HHS notes that other laws may apply to the collection and use of such information.

In the second FAQ, HHS addresses the HIPAA protections (and restrictions) applicable to the ability of the employer as plan sponsor to access PHI about participants in a wellness program when the program is offered through the group health plan.  Absent written authorization from the individual, the employer may have access to such PHI only to perform plan administration functions, provided that the employer, as plan sponsor, has amended the plan documents and certified to the group health plan that it will provide certain protections for the PHI.  Otherwise, the group health plan can disclose to the employer only information on which individuals are participating in the group health plan (or enrolled in coverage offered by the plan) and/or summary health information if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan.  Importantly, HHS makes clear that if a group health plan knows of a breach of unsecured PHI by the plan sponsor (the employer), such as an unauthorized use or disclosure that compromises the privacy or security of the PHI, the group health plan is required by the Breach Notification Rule to notify the affected individuals, HHS, and, in some instances, the media.