Dive Brief:
- An HHS blog by the agency's Office for Civil Rights director Jocelyn Samuels highlights how HIPAA applies to wellness programs offered through employer-sponsored group health plans.
- It states that the proliferation of these programs has led to more employers gathering employee health data through risk assessments and other means.
- As a result, HHS is aiming to answer questions regarding how employers are allowed to use that data and how they are required to protect it.
Dive Insight:
The March 14 blog follows on the heels of criticism against HHS for its lack of clarity regarding how developers and providers can comply with HIPAA in the mobile landscape, and appears to aim to head off related criticism regarding HIPAA compliance in the wellness sphere.
The blog lists four main points on how wellness information must be protected under HIPAA:
- A prohibition against employers using or disclosing members' health data for employment-related actions or anything not specifically allowed by HIPAA, such as marketing.
- A requirement that these programs establish firewalls or other security measures to ensure the data cannot be accessed for employment functions, for example, by a supervisor making job decisions.
- A requirement that any program that uncovers an unauthorized use or disclosure of protected data by the employer notify the affected individuals and HHS in accordance with the HIPAA Breach Notification Rule.
- Ramifications for those entities that fail to comply, which can include investigations into potential violations, corrective action, and civil penalties of "up to $50,000 or more" for each violation, and as much as $1.5 million per calendar year for multiple violations of the same provision.