
Do Corporate Wellness Programs Violate Security and HIPAA Policies?



It’s that time of year when many people are working hard to stay on top of their fitness habits, and companies are taking advantage of this by offering corporate wellness programs to promote healthy lifestyles. These programs are good motivators to get employees in shape (and in some cases earn your company a discount on its health insurance premiums), but they raise two questions: will a program like this cause you to learn more about your employees’ health than the law allows an employer to know? And could running a wellness program that tracks health information bring your business within the scope of HIPAA?


The picture gets hazy when employees track their own fitness goals with wearable devices on their wrists, especially when those records end up stored in your company’s systems. If you ARE tracking any health information about your staff, it’s important to know what your risks are.


Where HIPAA Comes In

HIPAA rules apply only to covered entities (health plans, health care providers and clearinghouses) and their business associates, not to employers in their capacity as employers, so whether the HIPAA Rules apply to a workplace wellness program depends on how that program is structured. A wellness program offered as part of an employer’s group health plan is part of a covered entity, and the health information it collects is protected by HIPAA. A wellness program the employer offers directly, separately from its group health plan, is not covered by HIPAA.


Health data only becomes Protected Health Information when it is created, received or maintained by a covered entity (such as a doctor, hospital or health plan) or one of its business associates; the same data held by the employer alone is not PHI and is not subject to the HIPAA regulations. In sum, HIPAA protects employees’ health information held by a health insurance issuer or group health plan, but not information held by a wellness program the employer administers itself.


What Health Information Should be Protected, and What Shouldn’t?

To help protect the privacy of employee health information, the best thing you can do is let individuals choose whether to sign up. In a small organization it’s easy for managers to see this information, so you must decide in advance what wellness data is shared and with whom. Wellness programs that collect medical information, such as heart rate, prescription drugs and blood pressure, must be voluntary, and the data should be kept anonymous or aggregated so that no individual employee’s results are visible to management. Data such as weight-loss goals or the number of steps counted on a Fitbit carries less risk because it reveals little on its own, but remember that it is still identifiable once it is tied to an employee’s name. With the rise of wearable technology, wellness and fitness program managers should keep a “firewall” between the data collected from wearables and personnel records: store them separately, and don’t give the people who make employment decisions access to the wellness data.


Regardless of where and what information you choose to store, keep it safe: restrict access to the people who need it, and implement a file-sharing policy so that no health data is leaked. Even though most of us know these company wellness programs have good intentions, it’s better to be safe [and secure] than sorry!


To learn more about securing your employees’ health information contact us here to speak with a Technology Manager today!
