Advice on HIPAA and Workplace Wellness Programs Issued by OCR

by Patrick Kennedy | Apr 21, 2015

Protected Health Information (PHI) is protected under the Health Insurance Portability and Accountability Act (HIPAA) Rules, which require covered entities (CEs) to put in place a number of controls to ensure that healthcare data is not disclosed to unauthorized persons.

Should such a disclosure occur, or if the data is stolen, covered entities are also required to notify the Department of Health and Human Services' Office for Civil Rights (OCR) and the individuals affected, following the procedures set out in the Breach Notification Rule.

These rules apply to most healthcare providers, health plans and healthcare clearinghouses; however, the OCR has recently released guidance on workplace wellness programs, as there appears to be a lack of clarity about whether they are covered by the HIPAA Rules.

This confusion about HIPAA and workplace wellness programs is understandable, because whether a program falls under HIPAA depends on how it has been set up, and in particular on whether it is offered through an employer as part of a group health plan.

In many cases, members of staff are encouraged to join workplace wellness programs that are offered as part of a group health plan, with the employer receiving certain benefits for increasing the number of employees enrolled. The employer may, for instance, receive a financial incentive such as a reduction in premiums in exchange for signing up more staff members. However, a wellness program may also be offered directly by an employer to its workforce, outside of any group health plan.

HIPAA treats these two arrangements differently. When a program is offered as part of a group health plan, the information collected from the employee is PHI, because group health plans are covered entities under the HIPAA Rules.

However, if an employer offers a wellness program directly, the program is not covered by HIPAA, because the employer itself is not a covered entity, even though the same data may be gathered in both cases. As the OCR points out, even where HIPAA does not cover the data, other federal and state laws may, so some privacy protections may still apply.

If the wellness program is offered as part of a group health plan, there are restrictions on the information – PHI – that can be passed to the employer. Often, these arrangements involve the employer providing some form of service or assistance with the administration of the program.

The OCR states that “Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents”.

The employer must also agree not to use or disclose the PHI for “employment-related actions” and must ensure that sufficient security measures are in place to safeguard the PHI in accordance with the HIPAA Security Rule. The employer must also report any unauthorized or accidental use or disclosure of PHI to the group health plan, which is responsible for the breach response and for notifying the individuals affected.

It is vital to note, however, that an employer that does not perform any administrative functions for the group health plan is not permitted to access the PHI of program members without first obtaining written authorization from the individuals in question, although there are some exceptions. For example, summary health information may be provided for “the purposes of modifying the plan or obtaining premium bids for coverage”, and “information on which individuals are participating in the group health plan” may also legitimately be disclosed.

Any employer that offers a wellness program in the workplace should be familiar with the HIPAA Rules governing such programs, and employees should likewise familiarize themselves with the rules governing disclosure of their PHI, and with whether their data actually constitutes PHI in the first place.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
