HHS OCR details how HIPAA applies to workplace wellness programs

Guidance published this week by the Department of Health and Human Services Office for Civil Rights details how and when the Health Insurance Portability and Accountability Act (HIPAA) applies to workplace wellness programs.

OCR Director Jocelyn Samuels, in a post to HHS.gov accompanying the guidance, explains that HIPAA applies only to those programs that are part of an employer-sponsored group health plan. For example, the guidance notes, if an employer offers rewards such as reduced premiums in exchange for participation in such a program, any individually identifiable information collected for that program would be protected under the HIPAA Privacy Rule.

"While HIPAA rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA," the guidance states. Additionally, HHS notes, employee health information "held by the employer as plan sponsor" is also protected.

The Security Rule, meanwhile, requires "reasonable" technical and physical safeguards, such as firewalls, to be put in place when PHI is stored or transmitted electronically, the guidance notes.

OCR has released several guidance documents on HIPAA to improve stakeholder understanding of the privacy and security rules for protecting data, some in conjunction with the Office of the National Coordinator for Health IT. For instance, in January, guidance on the Privacy Rule unveiled by Samuels and the agency focused on explaining patients' general rights to their protected health information (PHI), which data is excluded from that right to access, how an individual may request access and how an entity must provide the information.

Guidance unveiled in February focused on the protection of PHI in mobile applications. That guidance addressed two questions in particular:

  • How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
  • When might an app developer need to comply with the HIPAA rules?

Despite the latter guidance, lawmakers last week blasted HHS, calling its technical compliance guidance for HIPAA "sluggish" and "disappointing."

"While HHS can point to the publication of a single document earlier this month as progress, the sum of its efforts reveals a worrisome lack of urgency," eight House members wrote in a letter to HHS Secretary Sylvia Mathews Burwell.

To learn more:
- read the FAQ guidance
- check out Samuels's post