BreachExchange mailing list archives

How Do HIPAA Regulations Affect Workplace Wellness Programs?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 29 Apr 2015 18:59:11 -0600

http://healthitsecurity.com/2015/04/29/how-do-hipaa-regulations-affect-workplace-wellness-programs/

The Department of Health and Human Services (HHS) recently posted
clarification for how HIPAA regulations would potentially apply to
workplace wellness programs. With the Equal Employment Opportunity
Commission (EEOC) also publishing a proposed rule earlier this month
concerning updates to workplace wellness programs, it is important for
organizations to understand how the federal compliance rules could
potentially affect them.

HIPAA regulations do not necessarily apply to workplace wellness programs,
as HIPAA is designed for covered entities and business associates. However,
HIPAA rules could potentially come into play for those workplaces depending
on how the wellness programs are structured, according to HHS.

Where a workplace wellness program is offered as part of a group health
plan, the individually identifiable health information collected from or
created about participants in the wellness program is PHI and protected by
the HIPAA Rules. While the HIPAA Rules do not directly apply to the
employer, a group health plan sponsored by the employer is a covered entity
under HIPAA, and HIPAA protects the individually identifiable health
information held by the group health plan (or its business associates).

Moreover, when the plan sponsor is administering certain aspects of the
plan, such as wellness program benefits, PHI could be held by the employer
as plan sponsor. In that case, HIPAA regulations would also protect
individuals’ PHI.

HHS also explained that there are restrictions to how a group health plan
may allow an employer as plan sponsor access to PHI. If the employer
administers certain aspects of the group health plan, possibly including
administering wellness program benefits offered through the plan, then it
must establish that it agrees to do the following:

- Establish adequate separation between employees who perform plan
  administration functions and those who do not;
- Not use or disclose PHI for employment-related actions or other purposes
  not permitted by the Privacy Rule;
- Where electronic PHI is involved, implement reasonable and appropriate
  administrative, technical, and physical safeguards to protect the
  information, including by ensuring that there are firewalls or other
  security measures in place to support the required separation between plan
  administration and employment functions; and
- Report to the group health plan any unauthorized use or disclosure, or
  other security incident, of which it becomes aware.

The proposed rule by the EEOC centers around the regulations and
interpretive guidance implementing Title I of the Americans with
Disabilities Act (ADA) as they relate to employer wellness programs.

“This proposed rule provides guidance on the extent to which the ADA
permits employers to offer incentives to employees to promote participation
in wellness programs that are employee health programs,” the EEOC stated.

In a separate statement posted on its website, the EEOC explained that the
proposed rule “does not change any of the exceptions to confidentiality
requirements provided in the EEOC’s existing ADA regulations but adds a new
subsection.” The new subsection states that a covered entity can receive data
from a wellness program “in aggregate form that does not disclose, and is
not reasonably likely to disclose, the identity of specific individuals
except as is necessary to administer the plan.”

“Wellness programs that are part of a group health plan, including those
administered by employers, generally are subject to HIPAA requirements that
mandate certain safeguards to protect the privacy of personal health
information and set limits and conditions on the uses and disclosures of
that information,” the statement read.

Moreover, the proposal explains that compliance with the ADA’s rules on
voluntary employee health programs does not relieve CEs of their obligation
to comply with other employment nondiscrimination laws.

“Employers must provide reasonable accommodations that allow employees with
disabilities to participate in wellness programs and obtain any incentives
offered,” the EEOC said on its website. “Employers also must ensure that
they maintain any medical information they obtain from employees in a
confidential manner.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/