HHS OCR details HIPAA application to workplace wellness programs

Guidance published this week by the Department of Health and Human Services Office for Civil Rights details how and when the Health Insurance Portability and Accountability Act (HIPAA) applies to workplace wellness programs.

OCR Director Jocelyn Samuels, in a post to HHS.gov accompanying the guidance, explains that HIPAA only applies to those programs that are part of an employer-sponsored group health plan. For example, the guidance notes, if an employer offers rewards such as reduced premiums in exchange for participation in such a program, any individually identifiable information collected for that program would be protected under the HIPAA Privacy Rule.

"While HIPAA rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA," the guidance states. Additionally, HHS notes, employee health information "held by the employer as plan sponsor" is also protected.



The Security Rule, meanwhile, requires "reasonable" technical and physical safeguards--such as firewalls--to be put in place when PHI is stored or transmitted electronically, the guidance notes.

OCR has released several guidance documents on HIPAA to improve stakeholder understanding of the privacy and security rules for protecting data, some in conjunction with the Office of the National Coordinator for Health IT. For instance, in January, guidance on the Privacy Rule unveiled by Samuels and the agency focused on explaining patients' general rights to their protected health information (PHI), which data is excluded from that right to access, how an individual may request access and how an entity must provide the information.

Guidance unveiled in February focused on the protection of PHI used in mobile applications. That guidance addressed two questions in particular:

  • How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
  • When might an app developer need to comply with the HIPAA rules?

Despite the latter guidance, lawmakers last week blasted HHS, calling its technical compliance guidance for HIPAA "sluggish" and "disappointing."

"While HHS can point to the publication of a single document earlier this month as progress, the sum of its efforts reveals a worrisome lack of urgency," eight House members wrote in a letter to HHS Secretary Sylvia Mathews Burwell.

To learn more:
- read the FAQ guidance
- check out Samuels's post
