The government recently released guidance for employers to use when structuring wellness programs. See our prior articles on wellness programs here. One additional item employers will have to consider when implementing a wellness initiative is the application of HIPAA privacy and security rules.
The HIPAA privacy and security rules require covered entities and their business associates to extend protections to individually identifiable health information, known as protected health information (PHI). A covered entity is a health plan, health care clearinghouse, or health care provider. An employer, on its own, is not a covered entity.
Because the HIPAA rules apply to covered entities, some employer wellness programs may not have to follow the HIPAA rules.
If the wellness program is an initiative of the employer with no health plan involvement, it will not be covered by HIPAA. Such programs include, for example, monetary rewards, discounts, and reductions on premiums or cost-sharing.
If the wellness program is part of the group health plan, any individually identifiable health information about participants would be PHI and subject to HIPAA's rules. In such circumstances, there are restrictions on the ability of the employer, as plan sponsor, to access PHI without the written authorization of the individual. If the employer obtains information from the plan with regard to wellness participation or results, the employer will have to:
- maintain separation between employees who work with the plan and those who do not;
- not use or disclose PHI for employment-related actions; and
- implement reasonable and appropriate safeguards to protect the information.
Wellness programs are an important part of many employers' employee benefits structures; employers will have to pay attention to the privacy and security of wellness program participation and results.