Paula Stannard summarizes a recent HHS guidance on workplace wellness programs:
On Thursday, April 16, 2015, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued guidance, consisting of two frequently asked questions (FAQs), on the application of the HIPAA Privacy, Security, and Breach Notification Rules to workplace wellness programs. HHS explains in one of the FAQs that the application of HIPAA to workplace wellness programs depends on whether the wellness program is offered as part of a group health plan for employees, or if it is offered independent of such a group health plan. If the wellness program is offered as a part of a group health plan, the HIPAA Rules are applicable to it and any individually identifiable health information gathered by the program is protected health information (PHI). HHS explains that if the program is offered directly by the employer, however, and not as part of the group health plan, any health information collected by the program is not protected by the HIPAA Rules – although HHS notes that other laws may apply to the collection and use of such information.
Read more on Alston & Bird Privacy & Data Security BLOG.