Alston & Bird Privacy Blog

HHS Issues Guidance on HIPAA and Workplace Wellness Programs

April 22, 2015 By Privacy & Data Security Team

On Thursday, April 16, 2015, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued guidance, consisting of two frequently asked questions (FAQs), on the application of the HIPAA Privacy, Security, and Breach Notification Rules to workplace wellness programs. HHS explains in one of the FAQs that the application of HIPAA to a workplace wellness program depends on whether the program is offered as part of a group health plan for employees or independently of such a plan. If the wellness program is offered as part of a group health plan, the HIPAA Rules apply to it, and any individually identifiable health information gathered by the program is protected health information (PHI). If, however, the program is offered directly by the employer and not as part of the group health plan, the health information it collects is not protected by the HIPAA Rules, although HHS notes that other laws may apply to the collection and use of such information.

In the second FAQ, HHS addresses the HIPAA protections (and restrictions) that govern an employer's ability, as plan sponsor, to access PHI about participants in a wellness program when the program is offered through the group health plan. Absent written authorization from the individual, the employer may access such PHI only to perform plan administration functions, and only if the employer, as plan sponsor, has amended the plan documents and certified to the group health plan that it will provide certain protections for the PHI. Otherwise, the group health plan can disclose to the employer only information on which individuals are participating in the group health plan (or enrolled in coverage offered by the plan) and/or summary health information, if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan. Importantly, HHS makes clear that if a group health plan knows of a breach of unsecured PHI by the plan sponsor (the employer), such as an unauthorized use or disclosure that compromises the privacy or security of the PHI, the Breach Notification Rule requires the group health plan to notify the affected individuals, HHS, and, in some instances, the media.

Filed Under: Data Breach, Health Privacy, Regulation, Workplace Privacy Tagged With: HIPAA

Copyright © 2021 · Alston & Bird · All Rights Reserved.