I get this question very often, and the answer is, “it depends.” Specifically, it depends on whether the wellness program is part of an employer’s group health plan, or if it is a stand-alone program offered directly by the employer. Many providers of wellness services contract with group health plans as well as employers directly, which means some wellness programs are offered to group health plan participants only, and others are offered to all employees, regardless of the employee’s health insurance status.
For programs that are offered by group health plans to group health plan participants only, the answer to the HIPAA privacy and security question is an unequivocal “yes.” Group health plans are one type of “covered entity” under the HIPAA privacy and security rules. Therefore, any wellness provider who contracts with those health plans must comply with HIPAA privacy and security as a “business associate.”
For wellness programs that are offered to all employees, however, HIPAA privacy and security rules likely do not apply. The federal Department of Health and Human Services (HHS) recently released subregulatory guidance about when and how HIPAA privacy and security rules apply to workplace wellness programs. HHS concludes that HIPAA privacy and security rules apply to workplace wellness programs when those programs are part of a group health plan for employees. The wellness vendor in that situation would be a “business associate” of the group health plan “covered entity” under HIPAA. As a result, the wellness vendor would need to comply with the HIPAA security rule, have a HIPAA-compliant business associate agreement, and have policies and procedures in place for issues like data breaches.
Wellness programs that are offered by employers directly and not as part of a group health plan are not subject to HIPAA privacy and security rules. However, other federal or state laws may apply and regulate the collection and/or use of employee health information.
Even if HIPAA Privacy & Security Do Not Apply, It May Be a Good Idea to Comply Anyway.
Some wellness programs decide to comply with HIPAA privacy and security rules even when those rules do not technically apply to them. If a wellness program collects sensitive health information from employees and family members, it may be a good idea to adopt HIPAA privacy and security standards to help protect the information from unauthorized use and disclosure.
Indeed, in July 2016, HHS released a Fact Sheet regarding ransomware. Ransomware is a type of malicious software that denies access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the software, until a ransom is paid. Ransomware attacks are skyrocketing, particularly on health and wellness organizations. According to HHS, there was a 300% increase in ransomware attacks between 2015 and 2016. Health information is more valuable than other types of personal information. According to one source, health record information is ten times more valuable than credit card information. This is because credit card information is insured, while health information has less protection.
HHS states that HIPAA compliance can help entities prevent infections of malicious software, including ransomware. HIPAA security rules require entities to take the following actions that could prevent a ransomware attack:
- Implement a security management process, including a risk analysis to identify threats and vulnerabilities to health information;
- Implement security measures to mitigate or remediate those risks;
- Train users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
- Implement access controls to limit access to electronic health information to only those persons or software programs requiring access.
As a result, if your wellness program collects health information, it may be prudent to comply with the HIPAA privacy and security rules even if you are not legally subject to them. Compliance can help safeguard your wellness program from a ransomware attack or other unauthorized use or disclosure of health data. It can also give wellness program clients and participants confidence in how you handle that data.