HHS OCR details HIPAA application to workplace wellness programs

Guidance published this week by the Department of Health and Human Services Office for Civil Rights details how and when the Health Insurance Portability and Accountability Act (HIPAA) applies to workplace wellness programs.

OCR Director Jocelyn Samuels, in a post to HHS.gov accompanying the guidance, explains that HIPAA only applies to those programs that are part of an employer-sponsored group health plan. For example, the guidance notes, if an employer offers rewards such as reduced premiums in exchange for participation in such a program, any individually identifiable information collected for that program would be protected under the HIPAA Privacy Rule.

"While HIPAA rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA," the guidance states. Additionally, HHS notes, employee health information "held by the employer as plan sponsor" is also protected.


The Security Rule, meanwhile, requires "reasonable" technical and physical safeguards, such as firewalls, to be put in place when PHI is stored or transmitted electronically, the guidance notes.

OCR has released several guidance documents on HIPAA to improve stakeholder understanding of the privacy and security rules for protecting data, some in conjunction with the Office of the National Coordinator for Health IT. For instance, in January, guidance on the Privacy Rule unveiled by Samuels and the agency focused on explaining patients' general rights to their protected health information (PHI), which data is excluded from that right to access, how an individual may request access and how an entity must provide the information.

Guidance unveiled in February focused on the protection of PHI when it is used in mobile applications. That guidance addressed two questions in particular:

  • How does HIPAA apply to health information that a patient creates, manages or organizes through the use of a health app?
  • When might an app developer need to comply with the HIPAA rules?

Despite the latter guidance, lawmakers last week blasted HHS, calling its technical compliance guidance for HIPAA "sluggish" and "disappointing."

"While HHS can point to the publication of a single document earlier this month as progress, the sum of its efforts reveals a worrisome lack of urgency," eight House members wrote in a letter to HHS Secretary Sylvia Mathews Burwell.

To learn more:
- read the FAQ guidance
- check out Samuels's post
