Spring has arrived - time again for benefit plan cleaning, with the help of the Quarles & Brady Employee Benefits & Executive Compensation Law Practice Group. This alert is the second in the "Spring Cleaning" series. Over the next several weeks, we will provide you with various to-do items, reminders, and tips in the employee benefits and executive compensation areas.
On April 16, 2015, the Equal Employment Opportunity Commission ("EEOC") issued proposed regulations and interpretive guidance (the "Guidance") on the application of the Americans with Disabilities Act ("ADA") to employer wellness programs. On the same day, the Departments of Labor ("DOL"), Health and Human Services ("HHS"), and the Treasury (collectively, the "Departments") issued new Frequently Asked Questions about wellness programs. We know that this is the time of year where many employers are developing or at least starting to think about their wellness programs for next year. With freshly-issued guidance, this is a good time to review all aspects of compliance for your company's wellness programs and think about what you might need to clean up to comply with final EEOC regulations in the future.
Background. The ADA generally prohibits employers from conducting medical examinations or disability-related inquiries unless an exception applies. Medical examinations and disability-related inquiries include things like health risk assessments, nicotine tests, and biometric screenings. The ADA contains an exception for voluntary medical examinations and inquiries which are part of an employee health program available to employees at the work site to avoid, and many employers operated on the assumption (or hope) that a program that complied with the HIPAA nondiscrimination rules that apply to wellness programs would also mean compliance with the ADA.
However, in the last year or so, the EEOC has made it clear that in its view, compliance with HIPAA does not equate to compliance with the ADA. The agency even brought suit against Honeywell in 2014 for a wellness program that appeared to comply with the HIPAA nondiscrimination rules but that the EEOC still considered to be "involuntary." In the aftermath of that lawsuit, the EEOC promised regulations to help guide employers, and on April 16, 2015, finally proposed its new regime. While the Guidance incorporate many features of the HIPAA nondiscrimination rules, they are not identical. This alert describes the EEOC's regime, highlights where the Guidance is different from the HIPAA nondiscrimination rules and provides some tips for employers to considering in their "spring cleaning" process.
Employers with wellness programs may wish to review the EEOC guidance to see the direction in which the EEOC is heading, but are not required to change their programs now to comply with the Guidance. Additionally, employers may wish to submit comments on various topics raised by the EEOC.
Requirements for "Employee Health Programs". The Guidance would impose six requirements on "employee health programs," which is broadly defined to include things like wellness programs, health risk assessments, biometric screening, physical activity programs, coaching to help employees meet health goals, and administration of prescription drugs like insulin. These types of programs are referred to below as "programs' or "wellness programs".
Requirement 1: The wellness program must be reasonably designed to promote health or prevent disease. There are four factors that go into this analysis, including whether the program has a reasonable chance of improving the health of, or preventing disease in, participating employees, is overly burdensome, is a subterfuge for violating the ADA or is highly suspect in the method chosen to promote health or prevent disease.
The Guidance provides that collecting medical information on a health questionnaire without providing employees follow-up information or advice, such as providing feedback about risk factors or using aggregate information to design programs or treat any specific condition, is not reasonably designed to promote health. Additionally, a program is not reasonably designed if it exists mainly to shift costs from the covered entity to targeted employees based on their health.
The four factors listed above are similar to factors under the HIPAA nondiscrimination rules, but the Guidance adds the clarifications that a wellness program should not obtain personal health information without assisting individuals to address their risk factors or specific conditions, and that a wellness program that exists solely to shift costs to employees based on their health will not be a reasonably designed program. The FAQs issued by the Departments incorporate these clarifications into the HIPAA nondiscrimination rules. This clarification appears targeted at wellness programs that consist solely of detailed health risk assessments without any follow-up health and wellness programming.
Requirement 2: The wellness program must be voluntary. To be "voluntary," an employee health program must:
- Not require employees to participate,
- Not deny coverage under any of its group health plans or particular benefits packages within a group health plan for non-participation, or limit benefits for employees who do not participate except to the extent the limit is the result of forgoing a permissible financial incentive,
- Not take any adverse employment action or retaliate against, interfere with, coerce, intimidate or threaten employees, and
- For wellness programs offered as part of a group health plan, the program must provide employees with a notice that explains the program to employees and contains specific content regarding the type of medical information involved and the use of that information.
If the disclosure rules are finalized as proposed, wellness programs that are part of group health plans should confirm that their disclosures are compliant.
In addition, the guidance proposes that a plan cannot fail to offer coverage to an otherwise eligible employee for a benefit package within a group health plan because the employee fails to participate in the wellness program. Plan sponsors who restrict access to certain benefit packages (e.g., PPO options, or low-deductible options) to wellness program participants should review this guidance to determine whether changes to their plan design may become necessary when the rules are finalized. Such plan sponsors should also note that even before issuance of the guidance, the EEOC's longstanding position has been that using a wellness program to restrict access to health coverage violates the ADA.
Requirement 3: A wellness program offered as part of a group health plan must limit financial incentives. The EEOC proposes that such wellness programs limit incentives to 30% of the total cost of employee-only coverage. The total cost of family coverage cannot be considered. Wellness programs that do not require disability-related inquiries or medical examinations — such as attendance at nutrition, weight loss, or smoking cessation classes — are not subject to this limit on financial incentives.
This requirement differs from the HIPAA nondiscrimination rules in several ways. The EEOC Guidance limits incentives for participatory wellness programs that are part of group health plans and that involve asking disability-related questions or conducting medical examinations (such as completing a health risk assessment), whereas the HIPAA nondiscrimination rules do not limit incentives for such participatory wellness programs.
Also, the HIPAA nondiscrimination rules allow a wellness program to include an incentive of up to 50% of the cost of coverage if the incentive beyond 30% is due to a smoking cessation program. The EEOC Guidance effectively prohibits employers from taking advantage of the maximum incentives possible under the HIPAA nondiscrimination rules unless the smoking cessation program can be carved out of the group health plan. According to the EEOC, a smoking cessation program that merely asks employees whether or not they use tobacco is not subject to the incentive rules and an employer could offer incentives up to 50% of the cost of employee coverage for the program.
The Guidance is completely silent on incentives that may be tied to the participation by an employee's spouse or children in the wellness program. Under the HIPAA nondiscrimination rules, an employee with family coverage can be offered incentives of up to 30% of the total cost of family coverage (50% if the additional 20% is due to a smoking cessation program) for a wellness program that is either activity-based or outcomes-contingent. If the incentive rule is finalized as proposed, employers would be disappointed, as the rule would prohibit employers from offering the maximum incentives possible under the HIPAA nondiscrimination rules for employees covered under family coverage.
Requirements 4 and 5 Address the Security and Use of Health Information: Requirements 4 and 5 are identical to existing ADA requirements, which require that information obtained through an employee health program not be used for any purpose inconsistent with the ADA, and require that information obtained through the employee health program generally must be collected and maintained on separate forms and in separate medical files and be treated as confidential medical records.
Significantly Enhanced Privacy Requirements. Requirement 6 is "new" for ADA purposes. It draws upon — but seems to go beyond — HIPAA's Privacy Rules. It would require that information obtained through the employee health program regarding the medical information or history of any individual only be provided to an ADA covered entity in aggregate terms that does not disclose the identity of any employee unless the information is necessary to administer the health plan or another specific exception applies.
The "interpretive guidance" which accompanies the proposed regulation discusses these enhanced privacy requirements. The guidance requires employers to "take steps" to protect the confidentiality of employee medical information. The guidance lists some actions steps for employers and notes that some of the steps are "required by law," while others may be "best practices." Unfortunately, the interpretive guidance generally does not tell us which is which. So employers may need to treat them all as being "required by law" (that is, required by this new guidance under the ADA).
Possible steps for employers include:
- Having policies and procedures related to the collection, storage and disclosure of medical information
- Systems and technologies should guard against unauthorized access to the medical information, including through the use of encryption
- As a best practice, individuals who handle medical information should not be responsible for making decisions related to employment, such as hiring, termination or discipline
- If a third-party vendor is used, the employer "should be familiar" (presumably, ask for a copy of) the vendor's privacy policies
Few employers ask for the privacy policies of their vendors. This new statement (whether it is a "best practice" or is "required by law") will likely cause employers to ask for those policies now. It could also put employers in an uncomfortable position of possibly having to review those policies and determine whether those policies are sufficient.
- If an employer administers its own wellness program, it needs "adequate firewalls" to prevent unintended disclosure"
- Breaches of confidentiality should be reported to affected employees "immediately" and should be "thoroughly investigated."
An "immediate" standard is vague in a "bad" way for employers and their vendors. Does "immediate" truly mean "immediate" — i.e., within a few minutes of a breach being discovered? Note that the HIPAA breach rules specifically allow covered entities a fair amount of time (often 60 days) to determine if a breach occurred, its scope, and what action steps affected individuals can take. Query whether these rules provide for much less time than HIPAA's 60-day standard. If they do, then typical business associate agreements with wellness vendors would need to be modified, to "speed up" the time by which the wellness vendors inform employers of a breach experienced by the vendors.
- Employers should "make clear" that individuals responsible for disclosures of confidential medical information will be "disciplined" (presumably only if the disclosure is improper). This may require an employer to modify its employee handbook, to include this concept
- Employers "should consider" discontinuing relationships with vendors responsible for breaches of confidentiality. This may require an employer to modify its agreement with its vendors, to ensure that the employer can quickly terminate the agreement if the vendor has a breach of confidentiality with respect to the medical information.
New FAQ Published by the Departments Addresses Tax Treatment of Wellness Incentives. The FAQ clarifies that a wellness program's compliance with the HIPAA nondiscrimination rules does not mean that it automatically complies with all other laws, including the Code. The FAQ notes the specific example of reimbursements for fitness center fees, noting that such reimbursements are "not excluded from income" and should "generally be added to the employee wages reported on the Form W-2 Wage and Tax Statement."
Unlike the EEOC proposal, the FAQ is not "proposed" law but is current law. Plan sponsors of plan that reimburse participants for fitness center fees on a pre-tax basis may wish to review applicable tax laws to determine the proper tax treatment of the reimbursements.
Comments on the EEOC Proposed Rule. Public comments on the proposed rule must be received by June 19, 2015. In addition, the EEOC solicits comments on a variety of topics including
- Whether additional protections for low-income employees are needed,
- Whether entities that offer incentives to encourage employees to disclose medical information must also offer similar incentives to employees who choose not to disclose the information but instead provide certification from a medical professional stating that the employee is under the care of a physician and that any medical risks identified by that physician are under active treatment,
- Whether financial incentives for asking employees to respond to disability-related inquiries and/or undergo medical examinations may not be so large as to render health insurance coverage unaffordable under the Affordable Care Act (i.e., if employee-only coverage would exceed a specified percent of household income),
- Whether there are other methods to reconcile the ADA's "voluntary" requirement and the Affordable Care Act, and
- Whether employers should be required to obtain written confirmation from employees that their participation in wellness programs that include disability-related inquiries and/or medical examinations, and that are part of a group health plan, is voluntary.
The proposed guidance will have a period of public comment. The EEOC will review the public comments and decide what to include in the final guidance. Typically when final guidance of this sort is published, employers have a period of time in order to bring their plans into compliance before the final guidance becomes applicable. However, employers will want to consider the Guidance in designing their wellness programs for 2016, and particularly if those employers are contemplating the use of a wellness program as a gateway to major medical coverage.