The government continues to watch electronic protected health information (PHI), and it’s not just HIPAA enforcers who are doing it.
That is, the agencies said in new and proposed rulemaking, as long as such programs are voluntary, guard employees’ PHI in accordance with HIPAA, and carry incentives that don’t exceed 30% of the insurance plan’s total cost of employee-only coverage.
The EEOC’s proposed rules apply to wellness plans that include disability-related questions or medical exams, explains the National Law Review (NLR).
While the EEOC and OCR HIPAA-based rules largely overlap, a subtle difference between them is that the HIPAA regulations don’t put limits on incentives unless those incentives are based on health status-related issues, according to the National Law Review.
Tobacco use is another difference.
Here’s how the NLR parses it.
“When tobacco use is a component of the incentive, the HIPAA regulations allow the incentive to go as high as 50% of the plan’s cost of providing employee only coverage,” the NLR says. “However, if the plan is going to be testing for nicotine use, the EEOC regulations will not allow that incentive (along with any other incentives that require a ‘medical exam’ of some sort) to exceed 30% of the plan’s cost of employee only coverage.”
As for OCR’s HIPAA-based rules, they apply to corporate wellness programs for HIPAA-covered entities when wellness programs are part of a group health plan.
Importantly, when a workplace wellness plan is offered by an employer directly, not as part of a group health plan, the PHI the employer collects is not covered by HIPAA. However, OCR notes that other state or federal laws may apply and regulate the use and collection of such data.