Recognizing the different situations that might lead to HIPAA violations is part of enforcing better practices and a higher level of security. On its website, the Department of Health and Human Services recommends paying attention to the specifics of workplace wellness programs to determine whether or not they need to be compatible with HIPAA guidelines. As with other cases related to HIPAA, understanding what constitutes Protected Health Information (PHI) is crucial.
One distinction the HHS makes is between a program offered by a group health plan and one offered directly by the employer. Generally, employer-offered plans do not fall under HIPAA rules. However, a group plan does count as a HIPAA-protected entity and generates PHI.
When acting as plan sponsor, an employer has to be careful to abide by safeguards that help to lower the risk of data exposure. The sponsor has its own responsibilities in the event of a security breach, though, and must notify affected individuals as needed.
An example of the importance of HIPAA compliance and wellness programs occurred last month, when the Equal Employment Opportunity Commission (EEOC) issued a proposed rule to match employer wellness programs with the standards of the Americans with Disabilities Act (ADA). In a press release from the Commission, its chair, Jenny Yang, mentioned the relationship between this notice of proposed rulemaking (NPRM) and HIPAA.
"The EEOC worked closely with the Departments of Labor, Health and Human Services, and Treasury in developing this NPRM to harmonize the ADA's requirement that medical inquiries and exams that are part of an employee health program must be voluntary, and HIPAA's goal of allowing incentives to encourage participation in wellness programs," Yang said.
For any concerns regarding PHI and government regulations, HIPAA compliance consulting specialists will work with companies to improve accuracy and security.