The Equal Employment Opportunity Commission (EEOC) released two separate sets of final regulations relating to wellness program compliance under the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA). Despite a few recent court rulings against the EEOC on these issues, the final rules generally clarify and confirm what the EEOC previously proposed last year, while expressing EEOC’s reasons for disagreeing with the court decisions.

Incentives and Limits

The EEOC spent most of its effort focusing on wellness incentive limits. Those rules are extremely complicated, particularly because they are inconsistent with similar rules under HIPAA, as amended by the Affordable Care Act (ACA). We've developed a handy tool designed to sort out this part of the rules.

Notice and Privacy

Among the EEOC rules is a requirement to provide participants a notice clearly explaining what medical information will be collected, how it will be used, who will have access to it, and how it will be kept confidential. In addition, the EEOC requires that any information collected through a wellness program and made available to an employer be provided only in aggregated form, subject to a narrow exception permitting disclosure of individual identities to the extent necessary to administer the plan. For example, a wellness vendor might provide an employer a list of who has participated in a health risk assessment or earned a requisite number of wellness points so the employer can apply the proper premium credit or award the proper incentive amount. The EEOC rules also impose requirements modeled on the HIPAA privacy and security rules on the maintenance and protection of wellness program data—including policy and procedure development, workforce training, encryption, breach notification, etc.—even where HIPAA does not apply, such as to wellness program information obtained outside of a HIPAA-regulated group health plan.

Fortunately (and we're using the word "fortunately" very liberally here), the EEOC gave employers some direction on what it expects as far as its notice, privacy and security expectations go by tipping its hat toward HIPAA, which of course has very established requirements, technologies and processes. In a set of questions and answers released alongside its final regulations, the EEOC unequivocally pointed to HIPAA as the standard:

Generally, wellness programs can comply with EEOC's final rule by complying with their obligations under the HIPAA Privacy Rule, and employers can comply with their obligations by certifying that they will not use any personally identifiable information for employment purposes and abiding by that certification.

Similarly, in the questions and answers released contemporaneously with its model wellness notice, the EEOC had this to say:

1. If wellness program participants already get a notice under the Health Insurance Portability and Accountability Act (HIPAA), do they need to get a separate ADA notice?

Employers that already provide a notice that informs employees what information will be collected, who will receive it, how it will be used, and how it will be kept confidential, may not have to provide a separate notice under the ADA. However, if an existing notice does not provide all of this information, or if it is not easily understood by employees, then employers must provide a separate ADA notice that sets forth this information in a manner that is reasonably likely to be understood by employees.

So what does all this mean?

Practical Pointers

Review Plan Document HIPAA Privacy Provisions

Many employers have at least some access to protected health information (PHI), and so they should have plan documents in place that certify the employer's compliance with HIPAA. (HIPAA requires this certification, by the way.) If your plan documents include this HIPAA certification, make sure there is a sentence like this one: "The Company shall not use PHI for employment-related actions and decisions...." In order for HIPAA compliance to satisfy the EEOC, your plan documents must include that certification. If they do not, you'll need to amend. If you don't have formal plan documents, you need to prepare some.

Update HIPAA Notice of Privacy Practices

The HIPAA privacy, security and breach regulations, which the Department of Health and Human Services (HHS) restated in 2013, already require that employer notices of privacy practices (NPP) provide examples of the three HIPAA-permitted disclosure types (i.e., treatment, payment and healthcare operations) in addition to a fourth category, disclosures to and use by the plan sponsor/employer. The EEOC requires in its privacy notice that employers describe the type of medical information that will be obtained in a wellness program and the specific purposes for which the medical information will be used. The HIPAA NPP already describes the plan's privacy, security and breach obligations, so with a few quick edits to the treatment, healthcare operations and plan sponsor disclosure paragraphs—voila—you have your EEOC wellness notice.

Distribute HIPAA NPP Annually

HIPAA requires that either the full NPP or a shorter notice of availability of the NPP be distributed once every three years. The risk of forgetting about a triennial obligation like that is pretty high, so many employers just do it annually. Employers choosing to comply with the EEOC wellness regulations in this fashion will no longer have an option and will need to distribute the NPP or notice of availability of the NPP every year because the EEOC says employees "must receive it before providing any health information, and with enough time to decide whether to participate in the program." Wellness programs typically involve data collection each year, so this effectively becomes an annual notice requirement.

Make Sure the Wellness Program Is Part of Your Group Health Plan

On a technical note, it is very likely your HIPAA NPP will, by its terms, only apply to the group health plan. So if the wellness program is not formally documented as being part of a specific group health plan, then the EEOC notice requirement won't be met with your group health plan NPP. Formalizing your wellness program as part of your group health plan also helps to ensure that, in operation, your HIPAA security protections will be applied to your wellness program. (There are lots of other good reasons to formally document your wellness program as being part of a larger group health plan, which you can read about here.)