The U.S. Department of Health & Human Services has recently published an article explaining how HIPAA applies to certain workplace wellness programs. In this article, Jocelyn Samuels, the Director of the Office for Civil Rights, explains that workplace wellness programs give employees the opportunity to improve their health while simultaneously controlling health care spending. The following is a summarization of the article:

Employers are collecting employee health information as a part of these wellness programs. Questions are then raised about what employers are allowed to do with the collected information, as well as what their responsibilities are to protect the confidentiality of the information. The Health Insurance Portability and Accountability Act (HIPAA) does not apply to all workplace wellness programs, but it does apply to programs offered as part of an employer-sponsored group health plan.

If you are unsure whether your employer’s workplace wellness program is offered as part of a group health plan, or if you have questions about the protection of the collected health data, you should ask your employer. There are a few important facts helpful in understanding how your health information should be protected:

1. If an employer’s wellness program is part of a group health plan, they are prohibited from using or disclosing your health information for employment-related actions or other purposes not permitted by HIPAA, such as marketing without your express authorization.

1. If an employer administers a wellness program as part of a group health plan, HIPAA requires they establish firewalls or other security measures to make sure collected information is not allowed to be accessed and used for employment functions, such as your supervisor using the health information to make decisions about your job.

1. HIPAA also requires that if there is a breach in your wellness program health information, your employer must notify you, the Department of Health and Human Services (HHS), and in some cases, the media. They must do so in accordance with the HIPAA Breach Notification Rule.

1. The Office for Civil Rights at HHS oversees compliance with HIPAA, and there are serious implications for entities that fail to comply. Violating entities may be required to take corrective action, or can face civil penalties of up to $50,000 or more for each violation. If repeated violations of the same provision occur, an entity could face up to $1.5 million in penalties in a calendar year.

For additional information, view the OCR’s guidance on HIPAA and workplace wellness programs at http://www.hhs.gov/hipaa/for-professionals/privacy/workplace-wellness/