In April 2015, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued two “frequently asked questions” providing guidance on workplace wellness programs under the HIPAA Privacy, Security, and Breach Notification rules. OCR reiterated that employers, as such, are not covered entities. Therefore, whether HIPAA applies to an employer’s wellness program will depend on how the program is structured. The program will be subject to the HIPAA privacy and security rules if it is part of the employee group health plan. Offering incentives or rewards related to plan benefits in exchange for wellness program participation would suggest that the wellness program is part of the group health plan. Individually identifiable health information obtained in connection with the wellness program will be protected by HIPAA if the program is part of the plan. OCR stated that “HIPAA also protects [protected health information (PHI)] that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan.” HIPAA will not protect wellness program information when the program “is offered by an employer directly and not as part of a group health plan.”
If the wellness program is offered through a group health plan, HIPAA protects the PHI in a number of ways. When the employer is the plan sponsor and is involved in administering aspects of the group health plan, the employer may access PHI as necessary to perform its plan administration functions even without employee authorization, provided that the plan documents have been amended as required by HIPAA. Additionally, the plan sponsor must certify to the group health plan that it has established adequate firewalls to separate employees who perform plan administration functions from those who do not. The certification must also provide, among other things, that the PHI will not be used for employment-related actions or other purposes not permitted by HIPAA. Electronic PHI must also be safeguarded, and required notices must be provided if there is a breach of unsecured plan PHI at the plan sponsor. If the plan sponsor does not administer the plan, its access to information of a plan’s wellness program information will be much more limited, absent the patient’s written authorization.