Thursday 30 April 2015

How Do HIPAA Regulations Affect Workplace Wellness Programs?

The Department of Health and Human Services (HHS) recently posted clarification for how HIPAA regulations would potentially apply to workplace wellness programs. With the Equal Employment Opportunity Commission (EEOC) also publishing a proposed rule earlier this month concerning updates to workplace wellness programs, it is important for organizations to understand how the federal compliance rules could potentially affect them.

HIPAA regulations do not necessarily apply to workplace wellness programs, as HIPAA is designed for covered entities and business associates. However, HIPAA rules could potentially come into play for those workplaces depending on how the wellness programs are structured, according to HHS.

Where a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is PHI and protected by the HIPAA Rules. While the HIPAA Rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA, and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates).

Moreover, when the plan sponsor is administering certain aspects of the plan, such as wellness program benefits, PHI could be held by the employer as plan sponsor. In that case, HIPAA regulations would also protect individuals’ PHI.

HHS also explained that there are restrictions to how a group health plan may allow an employer as plan sponsor access to PHI. If the employer administers certain aspects of the group health plan, possibly including administering wellness program benefits offered through the plan, then it must establish that it agrees to do the following:

  • Establish adequate separation between employees who perform plan administration functions and those who do not;
  • Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
  • Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and
  • Report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.

The proposed rule by the EEOC centers around the regulations and interpretive guidance implementing Title I of the Americans with Disabilities Act (ADA) as they relate to employer wellness programs.

“This proposed rule provides guidance on the extent to which the ADA permits employers to offer incentives to employees to promote participation in wellness programs that are employee health programs,” the EEOC stated.

In a separate statement posted on its website, the EEOC explained that the proposed rule “does not change any of the exceptions to confidentiality requirements provided in the EEOC’s existing ADA regulations but adds a new subsection.” The new section states that a covered entity can receive data from a wellness program “in aggregate form that does not disclose, and is not reasonably likely to disclose, the identity of specific individuals except as is necessary to administer the plan.”

“Wellness programs that are part of a group health plan, including those administered by employers, generally are subject to HIPAA requirements that mandate certain safeguards to protect the privacy of personal health information and set limits and conditions on the uses and disclosures of that information,” the statement read.

Moreover, the proposal explains that compliance with the ADA’s rules on voluntary employee health programs does not relieve covered entities of their obligation to comply with other employment nondiscrimination laws.

“Employers must provide reasonable accommodations that allow employees with disabilities to participate in wellness programs and obtain any incentives offered,” the EEOC said on its website. “Employers also must ensure that they maintain any medical information they obtain from employees in a confidential manner.”

Source: http://ift.tt/1Am87af


