Does HIPAA Apply to Wellness Programs?
The Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules apply only to covered entities. According to the U.S. Department of Health and Human Services, a covered entity is a health care provider, health plan or health care clearinghouse.
A group health plan is a covered entity and must therefore comply with HIPAA rules. If your wellness program is linked to your group health plan, it, too, must adhere to HIPAA.
Applicable wellness programs
As stated, wellness programs associated with a group health plan are subject to HIPAA. For instance, a group health plan may offer employees incentives or rewards related to the group health plan — such as lower cost-sharing amounts for medical coverage — provided they participate in the wellness program.
HIPAA also applies to wellness programs that deliver medical care to employees. For example, biometric screenings are usually regarded as medical care because they often require the health care provider to draw blood, perform clinical assessments and diagnose medical conditions. In addition, wellness programs that offer disease management and flu shots are considered medical care since they are structured to assist with specific medical conditions.
If the wellness program is offered separately by the employer, rather than through a group health plan, it is not covered by HIPAA — though other laws may apply.
Privacy and security
Wellness programs covered by HIPAA must protect any "individually identifiable health information" collected from participants in the program. This information, which can be received in any format — including verbal and electronic — is formally called protected health information, or PHI.
PHI relates to:
- The person's past, present or future health condition.
- Health care services provided to the individual.
- Any past, present or future payments for health care services provided to the individual, where the information can be used to identify them.
The individual's name, Social Security number, birth date and address are considered PHI if they can be connected to the above health information.
If your wellness program is operated as part of your group health plan, you cannot use or share participants' PHI for reasons prohibited by HIPAA. For instance, you must obtain participants' express consent before disclosing their phone numbers or addresses for marketing purposes. To ensure the security of PHI, your wellness program must have appropriate administrative, physical and technical safeguards (as defined by HIPAA).
Developing policies and procedures
It takes substantial time to create HIPAA policies and procedures. To simplify things, you may want to extend the HIPAA policies and procedures for your group health plan to your wellness program if the two are connected.
Note that your wellness program's policies and procedures should address any other applicable laws besides HIPAA, such as the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act.