HIPAA compliance is a mandatory requirement for those listed as a covered entity under the law. Essentially, being compliant ensures there are measures in place to protect patient private health information, as mandated by the Health Insurance Portability and Accountability Act, passed in 1996. This act sets regulatory HIPAA requirements around how private health information should be stored and what kind of security must be put in place to ensure protected privacy. HIPAA wellness program regulations apply to both the online and offline healthcare companies and while the regulations around offline compliance are fairly cut and dry, cybersecurity is not only more complex, but often where healthcare companies leave themselves open for potential liability.
Does HIPAA Apply to Corporate Wellness?
As previously mentioned, HIPAA regulations apply applies to covered entities, which are: health plans, healthcare clearinghouses, and healthcare providers. Health plans are the individual and/or group plans that provide or pay the cost of medical care. Healthcare providers include any provider who transmits health information electronically to other covered entities. Healthcare clearinghouses are those that process nonstandard information they receive from other entities or vice versa.
Because employers administering wellness programs are not technically covered entities, remaining HIPAA-compliant requires a unique approach in this case. Overall, the application of HIPAA requirements depends on the way in which employers administer the programs to their employees.
If employers offer incentives, rewards, or additional benefits, related to the group health plan, in exchange for participating in the wellness program, HIPAA rules must be followed. Again, HIPAA does not apply to the employer, but rather covers the group health plan; therefore, any personal health information exchanged between employer and health plan in regards to the wellness program must remain secure by HIPAA standards. If an employer offers workplace wellness programs on their own, not related to a health plan, then following HIPAA regulations is not required, just recommended.
Employers are at the center of HIPAA wellness program regulations. Because employers are responsible for administering workplace wellness programs, they will need to have access to some employee PHI. If an employer must have access to employee health information, then they must:
- Put measures in place to ensure only employees who have administrative duties in regards to the wellness program have access to employee PHI
- Not use or disclose any employee PHI for employment purposes or any other purpose not permitted by the Privacy Rule
- Put measures in place to protect any PHI that is transmitted or stored electronically
If the employer has no administrative role in the program or health plan, then they only have access to information on which of their employees are participating in the group health plan, and any general information required for the purpose of modifying the group health plan.
Maintaining HIPAA Compliance for Workplace Wellness
Address Any Employee Privacy Concerns
Right away, be sure to be clear with your employees about how and where their personal health information will be transmitted and stored. This may be the first time their employer has access to PHI, and concerns may arise about the safety and security of their information. It may be beneficial to help them understand how you will follow HIPAA regulations, whether it be with a HIPAA-compliant EHR or limiting the administrators who have access to the information. Healthie’s platform also provides secure ways to send messages, emails, documents, forms, and faxes virtually, to support your practice.
Use a HIPAA-Compliant Platform to Store and Diffuse Information
The best way to follow HIPAA wellness program regulations and keep employee information secure is to use a HIPAA-compliant EHR and program platform. Leveraging an EHR can be extremely beneficial if you are working with a group health plan to administer the wellness program. Information can be stored and accessed by the provider, employers, and employees and transmission is seamless. If you are disseminating your wellness program virtually as well, be sure that this program is following HIPAA requirements as well. Employees will likely be uploading and sharing health information as part of the program, so it’s important to keep it safe no matter what software is being used. Healthie’s free Starter plan is completely HIPAA- & PCI compliant, sign up for a free account today.
Use HIPAA-Compliant Telehealth Services
The most glaring pitfall for many healthcare companies’ ability to follow HIPAA wellness regulations lies in the third-party companies relied on to store private health information. With the growing urgency to provide telehealth care options and the newness of telehealth, many have turned to third-party companies that are not HIPAA compliant and will not be held responsible for not adhering to HIPAA requirements in the event of a breach of cyber security. When it comes to HIPAA and telehealth, many of the “freemium” services offered by companies such as Skype or Google Drive among others are not, in their standard usage, HIPAA compliant.
In the time since the start of telehealth, fully HIPAA compliant software specifically designed for virtual care has been created. Regardless of whether a telehealth provider is HIPAA compliant, business associate agreements (BAAs) still must be put in place to ensure that the telehealth provider will be held accountable for breaches in cybersecurity. If you employ telehealth for your wellness program, be sure to use a platform that is following all HIPAA wellness program regulations and is willing to sign a BAA to ensure your employees’ health information remains secure.
Healthie for Virtual Wellness Programs
Healthie enables corporate wellness providers, and the companies they partner with, to streamline program processes, deliver on-site & virtual counseling to employees alike, offer expanded nutritional care programs, and track health outcomes. Healthie reduces the administrative time of corporate wellness professionals by over 40%, and enables real-time communication within an organization and with clients. Healthie’s Plus, Group, and Enterprise levels all integrate with HIPAA-compliant Zoom. To set up a free Starter account to test out other features, click here.
Healthie’s centralized web & mobile platform is designed specifically for nutritional care, follows all HIPAA regulations, and enables corporate wellness organizations to:
- Deliver wellness programs automatically (videos, courses, surveys, e-mails)
- Engage directly with employees in one-on-one or group, in-person or virtual formats
- Bolster ongoing communication: message with employees to provide advice & recommendations, share information on upcoming events
- Track outcomes and metrics from wellness programs
Make more time to grow your business
Use a platform that automates the administrative, so you can focus on growth and care.
Stay Up to Date with Healthie
Sign up for our monthly newsletter