Many employers offer health and wellness programs to benefit employees and reduce absenteeism and health care costs.  These workplace wellness programs may result in the collection and creation of individually-identifiable health information from and about program participants.  Do the HIPAA Privacy, Security, and Breach Notification Rules ("HIPAA Rules") apply to this information?  The answer depends upon whether the employer offers the wellness program independently, or as part of a group health plan.  The U.S. Department of Health & Human Services' Office for Civil Rights – which administers the HIPAA Rules – recently issued guidance on "HIPAA Privacy and Security and Workplace Wellness Programs."

HIPAA Rules Generally

The HIPAA Rules protect individually-identifiable health information held by "covered entities" and their "business associates."  Covered entities include group health plans, health care clearinghouses, and most health care providers.  Business associates are persons or entities who perform services, functions, or activities for covered entities involving access to PHI.  When held by a covered entity or business associate, individually-identifiable health information is known as "protected health information" or "PHI." 

The Privacy Rule governs how a covered entity may use and disclose PHI, and establishes individuals' rights regarding their own PHI.  The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic PHI.  The Breach Notification Rule requires covered entities to give certain notifications (including to affected individuals) when unsecured PHI is breached, and requires business associates to notify the covered entity of breaches they discover. 

HIPAA Rules and Workplace Wellness Programs

The HIPAA Rules apply only to individually-identifiable health information held by covered entities or business associates acting in those capacities.  They do not apply to employers acting in their capacity as employers.  For example, a health care provider may be a HIPAA covered entity when acting in its capacity as a provider of health care to patients, but not when acting in its capacity as an employer.

Some employers offer workplace wellness programs as part of a group health plan.  An employer-sponsored group health plan is a HIPAA covered entity,[1] so information collected from or created about program participants through the plan is PHI, and the HIPAA Rules protect that information when it is held by the plan or its business associates.  When the employer is the plan sponsor and administers parts of the plan (including wellness program benefits offered through the plan), individually-identifiable health information that the employer holds as plan sponsor on behalf of the plan is likewise PHI and covered by the HIPAA Rules.[2]

When the employer offers a wellness program directly – and not as part of a group health plan – information collected from or created about program participants is not PHI and the HIPAA Rules do not apply.  However, other federal laws, and/or state law, may regulate the employer's collection and use of this information.

Access By the Employer as Plan Sponsor

When the employer is also the sponsor of a group health plan, HIPAA restricts the plan from disclosing PHI it holds – including PHI about individuals participating in wellness programs that the plan offers – to the employer-sponsor without the individuals' authorization. 

In some cases, the employer-sponsor may administer parts of the plan, including wellness benefits offered by the plan.  In that case, the plan may allow the employer-sponsor to access PHI necessary to perform the employer-sponsor's administrative functions, but only if the employer-sponsor amends the plan documents and certifies to the plan that it agrees to, among other things:

  • Establish adequate separation between employees who perform plan administrative functions and those who do not;
  • Not use or disclose PHI for employment-related actions or other purposes not allowed by the Privacy Rule;
  • Regarding electronic PHI, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information; and report any security incident of which it becomes aware to the plan.

The Breach Notification Rule requires the group health plan, as the covered entity, to provide the required breach notifications to affected individuals (and, where applicable, to HHS and the media) if it becomes aware of a breach of unsecured PHI at the plan sponsor.

When an employer-sponsor does not administer the group health plan, HIPAA limits the employer-sponsor's access to PHI held by the plan (including individually-identifiable health information generated as part of a wellness program offered through the plan) even further.  As a general rule in these cases, without the individuals' written authorization, the plan may disclose only the following PHI to the employer-sponsor:

  • Information on which individuals are participating in the plan or enrolled in the health insurance issuer or HMO offered by the plan; and
  • Summary health information, if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan.