The HIPAA Privacy Rule and the HIPAA Security Rule work together to protect individually identifiable health information held by covered entities and business associates. Under the HIPAA Privacy Rule, covered entities include health care clearinghouses, health plans, and health care providers. Under HIPAA rules, business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity, that involve access to protected health information (PHI). The HIPAA Privacy Rule requires entities to implement safeguards to prevent unauthorized use or disclosure of PHI. The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to secure electronic protected health information (ePHI). Both HIPAA regulations apply to workplace wellness programs, which are programs implemented by employers designed to improve employee health and wellness.
What Kinds of Workplace Wellness Programs Exist?
Generally, workplace wellness programs consist of one or more of the following services designed to promote health and wellness:
- Weight loss
- Gym membership discount or on-site exercise facility
- Smoking cessation programs
- Health coaching programs
- Nutrition and healthful living classes
- Biometric screening
- Online wellness resources
- Wellness newsletters
- Flu shots or vaccines
- Employee Assistance Programs (EAPs)
Does HIPAA Apply to Workplace Wellness Programs?
The HIPAA Privacy Rule and the HIPAA Security Rule apply to covered entities and business associates – NOT to employers in their capacity as employers.
Therefore, whether the HIPAA Rules apply to workplace wellness programs depends on the way in which those programs are structured.
Some employers may offer a workplace wellness program as part of a group health plan for employees. For example, some employers may offer certain incentives or rewards related to group health plan benefits, such as reductions in premiums or cost-sharing amounts, in exchange for participation in a workplace wellness program. Other employers may offer workplace wellness programs directly and not in connection with a group health plan.
Workplace Wellness Programs That are Offered as Part of a Group Health Plan
Where a workplace wellness program is offered as part of a group health plan, individually identifiable health information collected from or created about participants in the wellness program is PHI (or ePHI, if in electronic form) and protected by the HIPAA Rules. While the HIPAA Rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA, and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates).
HIPAA also protects PHI that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan.
Workplace Wellness Programs Not Offered as Part of a Group Health Plan
Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by the HIPAA Rules. However, other federal or state laws may apply and regulate the collection and/or use of the information gathered by such employer wellness programs.
Can an Employer Access PHI as Plan Sponsor?
The HIPAA Privacy and Security Rules place restrictions on the circumstances under which a group health plan may allow an employer as plan sponsor to access PHI, including PHI about participants in a wellness program offered through the plan, without the written authorization of the individual.
Often, the employer as plan sponsor will be involved in administering certain aspects of the group health plan, which may include administering wellness program benefits offered through the plan. Where this is the case and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents and certifies to the group health plan that it agrees to, among other things:
- Establish adequate separation between employees who perform plan administration functions and those who do not;
- Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
- Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information. Such safeguards may include firewalls or other security measures that support the required separation between plan administration and employment functions; and
- Report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.
What Must Group Health Plans Do in the Event of a Breach?
Where a group health plan has knowledge of a breach of unsecured PHI at the plan sponsor (i.e., an unauthorized use or disclosure that compromises the privacy or security of the PHI), the group health plan, as a covered entity under the HIPAA Rules, must notify the affected individuals, HHS, and if applicable, the media, of the breach, in accordance with the requirements of the HIPAA Breach Notification Rule.