On April 20, 2015, the U.S. Equal Employment Opportunity Commission (EEOC) published a much-anticipated proposed rule that seeks to amend the EEOC’s prior regulations with respect to employer “wellness programs” and address the implications of such programs under the Americans with Disabilities Act (ADA). While the primary focus of the proposed rule concerns the extent to which employers may use incentive-based programs to encourage employees to participate in wellness programs, the rule also addresses best practices and requirements with respect to maintaining the confidentiality of employee medical information.

The proposed rule does not change any of the exceptions to confidentiality requirements set forth in the existing EEOC and ADA regulations, but the proposed rule does add a new subsection to the regulations. The proposed rule states that a covered entity may only receive information collected by or through a wellness program in “aggregate form”—such that it does not disclose, and is not reasonably likely to disclose, the identity of specific individuals except as necessary to administer the plan. The proposed rule explains that both employers that sponsor wellness programs as well as administrators of wellness programs acting as agents of employers have obligations to ensure compliance with the confidentiality requirements.

Wellness programs that are administered as part of a group health plan, including those administered by employers, generally remain subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which mandates certain safeguards for the protection of the privacy of personal health information. Therefore, the proposed rule provides that a wellness program that is part of a group health plan and that must be in compliance with HIPAA may satisfy its obligation to comply with the proposed rule’s privacy standards through compliance with HIPAA. The aggregate information collected through wellness programs that are not being administered as part of a group health plan must be de-identified in accordance with HIPAA as well.

In addition to outlining an employer’s obligations with respect to confidentiality, the proposed rule provides employers with the following “best practices” for protecting employee medical information provided as part of a wellness program or otherwise:

  • Employers and program providers should have clear privacy policies and procedures related to the collection, storage, and disclosure of medical information. Online systems and other technology, such as data encryption, should be used to guard against unauthorized access to medical information.
  • Individuals who handle medical information should not be responsible for making decisions related to employment, such as hiring, termination, or discipline. Use of a third-party vendor may reduce the risk that medical information will be disclosed to individuals who make employment decisions, particularly for employers whose organizational structure makes it difficult to provide adequate safeguards.
  • Employers that administer their own wellness programs need adequate firewalls in place to prevent unintended disclosure.
  • Individuals who handle medical information obtained through a wellness program and who also act as decision-makers (such as those working for small businesses) may not use the information to discriminate on the basis of disability in violation of the ADA.
  • Employers should thoroughly investigate breaches of confidentiality and report them to affected employees immediately.
  • Employers should make it clear that employees who are responsible for disclosures of confidential medical information will be disciplined.

Although these best practices are offered by the EEOC for application in the context of wellness programs, they also serve as a reminder of best practices to follow with respect to the collection of employee medical information in general.