HIPAA and workplace wellness programs

HIPAA's requirements apply to workplace wellness programs when offered as part of a group health plan because the group health plan, as a covered entity under HIPAA, is responsible for safeguarding employee protected health information (PHI).

What is a workplace wellness program?

A workplace wellness program is a structured program or initiative implemented by employers to promote and support the health and well-being of their employees. These programs are designed to improve employees' physical, mental, and emotional health, increase productivity, reduce healthcare costs, and improve employee satisfaction.

Related: Is HIPAA employee awareness training enough?

How are workplace wellness programs governed by HIPAA?

Workplace wellness programs as part of a group health plan

If a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected or created about participants in the wellness program is considered PHI and is protected by the HIPAA Privacy, Security, and Breach Notification Rules. 

The group health plan, which is a covered entity under HIPAA, is responsible for complying with the HIPAA Rules concerning the protection and privacy of PHI. Acting as the plan sponsor, the employer may have access to PHI related to the wellness program for plan administration purposes but must adhere to certain restrictions and safeguards outlined in the HIPAA Privacy Rule.

Workplace wellness programs offered directly by the employer

If a workplace wellness program is offered directly by the employer and is not part of a group health plan, the health information collected from employees is not protected by the HIPAA Rules. However, it's worth noting that other Federal or state laws may still apply and regulate the collection and use of this health information.

Methods of preventing protecting employee PHI

The HIPAA Privacy Rule outlines certain restrictions and safeguards to protect the privacy and confidentiality of PHI, and covered entities (such as group health plans) must adhere to these requirements. Here are some strategies to prevent employer access to PHI:

1. Authorization requirement: The group health plan, as a covered entity under HIPAA, is generally required to obtain written authorization from individuals before disclosing their PHI to the employer. The authorization must be specific, clear, and inform the individual about the purposes of the disclosure. The employer cannot access PHI without obtaining this written authorization, except in specific situations allowed by the HIPAA Privacy Rule.
2. Limited disclosure: The group health plan should only disclose PHI to the employer when necessary for plan administration purposes. The plan should limit the disclosure to the minimum necessary information required for the employer to perform its plan administration functions. PHI not relevant to plan administration should not be shared with the employer.
3. Separation of functions: To ensure adequate separation between employees who perform plan administration functions and those who do not, the group health plan should implement policies and procedures that prevent unauthorized access to PHI by individuals who do not need it for their job roles.
4. Data security measures: The group health plan should implement reasonable and appropriate administrative, physical, and technical safeguards to protect electronic PHI from unauthorized access. This includes having proper firewalls or security measures to prevent unauthorized access by unauthorized personnel.
5. Secure messaging channels: The group health plan should utilize secure messaging channels to communicate with plan administrators and sponsors. HIPAA compliant email services provide the necessary safeguards, such as encryption and access controls, to protect the confidentiality and integrity of PHI during transmission. 
6. Business associate agreement (BAA): If the employer is acting as a business associate and performing functions on behalf of the group health plan that involves access to PHI, a written business associate agreement (BAA) must be in place between the group health plan and the employer. The BAA outlines the responsibilities and obligations of the employer as a business associate and helps ensure compliance with HIPAA requirements.

Related: How to promote smart cybersecurity behavior to employees