Employee Wellness Program HIPAA Compliance: What Employers Need to Know


Kevin Henry

HIPAA

March 24, 2026


HIPAA Applicability to Wellness Programs

When HIPAA applies

HIPAA protects the privacy and security of health information when your wellness initiative is part of a group health plan or provides medical care. Programs that collect, create, receive, or maintain protected health information—such as health risk assessments, biometric screenings, disease-management coaching, or flu shot clinics—are typically subject to HIPAA rules.

If the wellness program is integrated with your group health plan (for example, it affects eligibility, premiums, or cost-sharing) or is administered by the plan or its vendors, HIPAA generally applies. In these cases, the group health plan is the covered entity, and HIPAA governs how participant data may be used and disclosed.

When HIPAA may not apply

Purely educational programs, general fitness challenges that do not collect medical data, or gym reimbursements offered outside the plan may fall outside HIPAA. Even then, other laws—such as the ADA and GINA—still apply, and you should maintain strong privacy practices to meet nondiscrimination compliance expectations and employee trust.

Remember: your role as employer is distinct from your role as plan sponsor. HIPAA obligations flow through the group health plan, so your duties differ depending on whether you are acting on behalf of the plan or as the employer.

Employer Access to Protected Health Information

Plan sponsor boundaries

Employers do not automatically gain access to protected health information because they sponsor a plan. As a plan sponsor, you may receive PHI only for plan administration functions and only after your plan documents include the required HIPAA privacy provisions and you provide the necessary certification to the group health plan.

  • Limit uses/disclosures to plan administration (not employment decisions) and apply the minimum necessary standard.
  • Execute Business Associate Agreements with wellness vendors that handle PHI on the plan’s behalf.
  • Use de-identified data whenever possible. Summary health information may be shared with the plan sponsor for obtaining premium bids or modifying coverage.
  • Obtain an individual’s HIPAA authorization before using PHI for employment-related purposes (for example, performance management).

Establish administrative, physical, and technical safeguards—such as data segregation, access controls, and workforce training—to ensure PHI is accessible only to personnel performing plan administration duties.

Nondiscrimination Requirements for Wellness Programs

Program types and key rules

HIPAA’s nondiscrimination rules prohibit varying eligibility, premiums, or benefits based on health status. Wellness initiatives fall into two categories: participatory programs (no health standard to earn a reward) and health-contingent wellness programs (a health factor must be met or improved to earn a reward).

Health-contingent programs—whether activity-only (for example, walking 150 minutes per week) or outcome-based (for example, achieving a target BMI, blood pressure, or tobacco-free status)—must satisfy specific criteria to maintain nondiscrimination compliance. The core requirements cover reasonable program design, uniform availability with a reasonable alternative standard, disclosure of alternatives, frequency of opportunity to qualify, and reward size limitation.

Reasonable Program Design Criteria

Design with purpose, not penalties

Your wellness program must be reasonably designed to promote health or prevent disease. It cannot be a subterfuge for discrimination, overly burdensome, or a scheme to shift costs to less healthy employees. The design should be evidence-informed and give participants a realistic chance to succeed.


  • Use attainable goals and incremental milestones, especially for outcome-based standards.
  • Base activities and outcomes on credible health guidance; update them as evidence evolves.
  • Offer tools and support—education, coaching, or devices—that help participants meet standards.
  • Limit medical examinations to what is necessary for the program’s stated health purpose.

Frequency and Size of Rewards

Opportunity to qualify

Participants must have the opportunity to qualify for a reward at least once per year. This applies to both activity-only and outcome-based health-contingent wellness programs and helps ensure that life changes or new efforts can earn the incentive without long delays.

Reward size limitation

Incentives tied to health-contingent standards are capped to prevent discrimination. Generally, the total reward (or penalty) across all health-contingent wellness features under a plan cannot exceed a percentage of the total cost of coverage, and tobacco-related programs may allow a higher ceiling. Calculate the limit using the cost of coverage (employer and employee contributions), and if dependents can participate, base it on the tier in which the employee is enrolled.

  • Aggregate all health-contingent incentives when testing the cap for a plan year.
  • Common reward formats include premium differentials, deductible or copay reductions, contributions to accounts, or cash equivalents.
  • State law or other federal rules (for example, ADA/GINA) may further constrain incentive design; coordinate across regimes.

Alternative Standards and Accommodations

Activity-only programs

If it is unreasonably difficult for a participant to meet the activity due to a medical condition, or if it is medically inadvisable, you must offer a reasonable alternative standard (or waiver). You may request medical verification when appropriate and should tailor the alternative to the individual’s circumstances, including following the participant’s physician’s recommendations.

Outcome-based programs

If a participant does not meet the targeted outcome (for example, a biomarker level), you must make the full reward available through a reasonable alternative standard without requiring medical documentation. Give participants a reasonable time to comply and allow them to requalify at least annually using the alternative path.

  • Ensure alternatives are no more burdensome or costly than the original standard.
  • For tobacco cessation, offer alternatives such as education or coaching if a nicotine test or attestation standard is not met.
  • Communicate that participants may involve their personal physician to suggest a medically appropriate alternative.

Disclosure Obligations for Wellness Programs

What you must tell participants

Any materials that describe a health-contingent wellness program’s terms must disclose the availability of a reasonable alternative standard (or the possibility of a waiver). The notice must explain how to qualify for the reward through the alternative, include contact information, and state that recommendations of the participant’s physician will be accommodated.

  • Include a privacy statement that PHI will be protected and used only for plan administration.
  • Explain incentive timing, proration rules for midyear qualifiers, and how rewards are applied (for example, premium credits).
  • Use clear, plain language; place the notice wherever the standard is described, not only in the summary plan description.

Sample disclosure language

If you think you might be unable to meet a health standard under this program, you may qualify for a reasonable alternative standard (or a waiver) to earn the same reward. Contact us at [contact] and we will work with you—and, if medically appropriate, with your physician—to find an alternative that is right for you.

Summary and next steps

  • Decide whether your wellness initiative is part of the group health plan and map HIPAA responsibilities accordingly.
  • Limit plan sponsor access to protected health information, and put BAAs and safeguards in place.
  • For any health-contingent wellness program, confirm reasonable design, annual opportunity, reward size limitation, alternatives, and disclosures.
  • Coordinate HIPAA with ADA/GINA and state law, and document your compliance decisions for each plan year.

FAQs

Does HIPAA apply to all employee wellness programs?

No. HIPAA typically applies when a wellness initiative is part of a group health plan or provides medical care and handles protected health information. Stand-alone programs that do not collect medical data may fall outside HIPAA, but other laws (like ADA/GINA) still apply.

How can employers access protected health information under HIPAA?

As a plan sponsor, you may receive PHI only for plan administration after amending plan documents and certifying compliance. Use the minimum necessary information, rely on de-identified or summary data when possible, and never use PHI for employment decisions without an individual’s authorization.

What are the reward limits for health-contingent wellness programs?

Federal wellness rules cap incentives for health-contingent standards based on the total cost of coverage, with a higher ceiling permitted for tobacco-related programs. Apply the cap across all such incentives in the plan year and calculate it using both employer and employee contributions.

What alternative standards must be offered for employees with medical conditions?

Activity-only programs must provide a reasonable alternative standard (or waiver) if meeting the activity is medically inadvisable or unreasonably difficult, and you may ask for appropriate medical verification. Outcome-based programs must offer an alternative to anyone who does not meet the goal—no medical documentation required—while accommodating the participant’s physician’s recommendations.
