Protected Health Information (PHI) is kept secure under the Health Insurance Portability and Accountability Act (HIPAA) Rules, which require covered entities (CEs) to put in place a number of controls to ensure that healthcare data is not disclosed to unauthorized people.
Should that happen, or if the data is stolen, covered entities also have a requirement to notify the Office for Civil Rights (OCR) and any persons affected by the violation, with the rules and regulations for doing so stated in the Breach Notification Rule.
These rules relate to most healthcare providers, health plans and healthcare clearinghouses; however, the OCR has recently released advice on Workplace Wellness Programs, as there appears to be a lack of clarity about coverage under HIPAA Rules.
This confusion in relation to HIPAA and Workplace Wellness Programs is understandable, because whether these schemes are included in HIPAA depends on how the wellness programs have been set up, and if they are provided through an employer as part of a group health plan.
In many examples, members of staff are encouraged to join Workplace Wellness Programs that are provided as part of a group health plan, with the employer receiving certain benefits for increasing the number of employees signed up to the program. The employer may, for instance, receive a financial bonus such as a reduction in premiums in exchange for signing up more staff members. However, a wellness program may also be offered directly by an employer to its workforce.
The HIPAA rules differ between these two cases. When a program is provided as part of a group health plan, the data that is collected from the employee is considered to be Protected Health Information, as group health plans are covered by HIPAA Rules.
However, if an employer provides a wellness program directly, the Workplace Wellness Program is not covered by HIPAA, because the employer itself is not a covered entity, even though the same data may be gathered in both cases. As pointed out by the OCR, in some cases other federal and state legislation may still apply, so some data privacy protections may remain in place even though HIPAA does not cover the data.
If the Wellness Program is provided as part of a group health plan, there are security measures in place governing the information (PHI) that can be passed to an employer. Oftentimes, these schemes include the employer providing some sort of service or assistance with the management of the program.
The OCR states that “Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents.”
The employer must also agree not to release any of the PHI for the purposes of “employment-related actions” and must ensure that sufficient security measures are put in place to ensure that PHI is safeguarded in accordance with HIPAA Security Rule requirements. The employer must also make known any unauthorized or accidental disclosures of PHI to the group health plan, which will be responsible for the breach response and sending notification letters to those affected.
However, it is vital to note that an employer that does not perform any administrative functions for the group health plan would not be allowed to access the PHI of the program members without written authorization having first been received from the persons in question, although there are some exceptions. For example, a summary of health information may be provided for “the purposes of modifying the plan or obtaining premium bids for coverage” and information relating to “information on which individuals are participating in the group health plan” can also be legitimately disclosed.
It is important that any employer who supplies wellness plans in the workplace is familiar with the HIPAA Rules governing those plans, and for employees to also familiarize themselves with the rules governing disclosure of their PHI, and whether their data actually constitutes PHI.