Interest continues to grow in employee wellness programs, which many argue can improve employee health and increase productivity. Workplace wellness programs involve the collection of individually identifiable health information from and about employees participating in them. Consequently, privacy and security are among the legal issues that arise with respect to these programs. The Equal Employment Opportunity Commission (EEOC) and the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) recently addressed this issue, releasing a Notice of Proposed Rulemaking (NPRM) and an FAQ, respectively, that address how  employees’ health information must be safeguarded when it is collected as part of an employee wellness program. A full description of the NPRM can be found in Manatt’s Employment Law Newsletter.

I. Health Information Laws and Employers

Employers are already regulated with regard to the collection of health information from employees. For example, employers offering “group health plans” (an employee welfare benefit plan under the Employee Retirement Income Security Act or ERISA that has 50 or more participants) are considered to be “health plans” under the Health Insurance Portability and Accountability Act (HIPAA) and must abide by HIPAA’s privacy and security regulations when they collect health information as part of administering those plans. Employers are restricted by the Americans with Disabilities Act (ADA) with respect to health information collected from employees for purposes of determining the terms and conditions of employment. Employers are covered by the Genetic Information Non-Discrimination Act (GINA) when they collect genetic information, either in their capacity as a group health plan administrator or in their capacity as an employer.

The EEOC’s NPRM proposes privacy provisions that largely address the application of the ADA to the collection of information by workplace wellness programs. But employers will need to consider how they are structuring their programs in determining the extent to which these laws—HIPAA, ADA and/or GINA—apply.

II. HIPAA’s Protections

Employers offering “group health plans” are permitted to collect individually identifiable information for purposes of administering the plan, but they are prohibited by HIPAA’s privacy regulations from using this information to make employment-related decisions. The employer is required to create firewalls that prevent this data from being accessed or used for employment decisions.  

HHS OCR’s FAQ, released on April 16, clarifies the application of these HIPAA provisions to wellness programs. According to the FAQ, where an employer’s workplace wellness program is offered as part of its group health plan, the individually identifiable health information collected from or created about participants in the wellness program is “protected health information” (PHI) and is protected by the HIPAA regulations. Consequently, employers offering wellness programs through their group health plans may treat information collected from the program in the same way they treat other group health plan information. For example, the FAQ also makes clear that disclosures of PHI from wellness programs may be made only in accordance with HIPAA’s privacy regulations. Therefore, certain disclosures that would otherwise be permitted under the ADA’s confidentiality requirements for employee health programs generally may not be permissible under the Privacy Rule for wellness programs that are part of a group health plan without the written authorization of the individual.

III. Privacy Requirements Under the EEOC’s NPRM

If an employer offers its workplace wellness program outside of its ERISA group health plan (either because the employer does not sponsor such a plan or because it decides to offer the wellness program directly as an employer instead of through the plan), the ADA governs how the employer collects information through the program.  In terms of health information privacy, the NPRM clarifies that medical information collected through a wellness program may only be provided to an employer subject to the ADA in aggregate terms that do not disclose and are not reasonably likely to disclose the identity of specific individuals, except as otherwise permitted under EEOC rules for necessary work restrictions or accommodations.

According to the NPRM, employers and wellness program providers should have clear privacy policies and procedures related to the collection, storage, and disclosure of medical information. Online systems and other technology should guard against unauthorized access, such as through use of encryption for medical information stored electronically. The NPRM also proposes that, as a best practice, individuals who handle medical information that is part of an employee wellness program should not be responsible for making decisions related to employment, such as hiring, termination or discipline. If individuals who handle medical information obtained through a wellness program also act as decision makers (which may be the case for a small employer that administers its own wellness program), they may not use the information to discriminate on the basis of disability in violation of the ADA.

The NPRM proposes that if an employer uses a third-party vendor, it should be familiar with the vendor’s privacy policies for ensuring the confidentiality of medical information. Employers that administer their own wellness programs need adequate firewalls in place to prevent unintended disclosure. Breaches of confidentiality should be reported to affected employees immediately and should be thoroughly investigated. Employers should make clear that individuals responsible for disclosures of confidential medical information will be disciplined and should consider discontinuing relationships with vendors responsible for breaches of confidentiality.

As noted above, where a wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from the employees by the employer is not protected by the HIPAA rules. However, other federal or state laws may apply and regulate the collection and/or use of the information.

Conclusion

Employers and health plans offering employee wellness plans should ensure that they are familiar with the rules for protecting health information collected under these programs. While the EEOC NPRM is subject to change based on public comments, which are due by June 19, 2015, the OCR FAQ is effective immediately.