
The U.S. Equal Employment Opportunity Commission (EEOC) recently issued proposed new rules clarifying its stance on the interplay between the Americans with Disabilities Act (ADA) and employer wellness programs. Officially called a “notice of proposed rulemaking” or NPRM, the new rules propose changes to the text of the EEOC’s ADA regulations and to the interpretive guidance explaining them.


If adopted, the NPRM will provide employers guidance on how they can use financial incentives or penalties to encourage employees to participate in wellness programs without violating the ADA, even if the programs include disability-related inquiries or medical examinations.  This should be welcome news for employers, who have spent nearly six years in limbo as a result of the EEOC’s virtual radio silence on this question.

A Brief History: How Did We Get Here?
In 1990, the ADA was enacted to protect individuals with ADA-qualifying disabilities from discrimination in the workplace.  Under the ADA, employers may conduct medical examinations and obtain medical histories as part of their wellness programs so long as employee participation in them is voluntary.  The EEOC confirmed in 2000 that it considers a wellness program voluntary, and therefore legal, where employees are neither required to participate in it nor penalized for non-participation.


Then, in 2006, regulations were issued that exempted wellness programs from the nondiscrimination requirements of the Health Insurance Portability and Accountability Act (HIPAA) so long as they met certain requirements.  These regulations also authorized employers for the first time to offer financial incentives of up to 20% of the cost of coverage to employees to encourage them to participate in wellness programs. 


But between 2006 and 2009 the EEOC waffled on the legality of these financial incentives, stating that “the HIPAA rule is appropriate because the ADA lacks specific standards on financial incentives” in one instance, and that the EEOC was “continuing to examine what level, if any, of financial inducement to participate in a wellness program would be permissible under the ADA” in another.


Shortly thereafter, the 2010 enactment of President Obama’s Patient Protection and Affordable Care Act (ACA), which regulates corporate wellness programs, appeared to put this debate to rest.  The ACA authorized employers to offer certain types of financial incentives to employees so long as the incentives did not exceed 30% of the cost of coverage to employees.


But in the years following the ACA’s enactment, the EEOC restated that it had not in fact taken any position on the legality of financial incentives.  In the wake of this pronouncement, employers were left understandably confused and uncertain.  To alleviate these sentiments, several federal agencies banded together and jointly issued regulations that authorized employers to reward employees for participating in wellness programs, including programs that involved medical examinations or questionnaires.  These regulations also confirmed the previously set 30%-of-coverage ceiling and even provided for incentives of up to 50% of coverage for programs related to preventing or reducing the use of tobacco products.


After remaining silent about employer wellness programs for nearly five years, in August 2014, the EEOC awoke from its slumber and filed its very first lawsuit targeting wellness programs, EEOC v. Orion Energy Systems, alleging that they violate the ADA.  In the following months, it filed similar suits against Flambeau, Inc., and Honeywell International, Inc.  In EEOC v. Honeywell International, Inc., the EEOC took probably its most alarming position on the subject to date, asserting that a wellness program violates the ADA even if it fully complies with the ACA.


What’s In The NPRM?
According to EEOC Chair Jenny Yang, the purpose of the EEOC’s NPRM is to reconcile HIPAA’s authorization of financial incentives to encourage participation in wellness programs with the ADA’s requirement that medical examinations and inquiries that are part of them be voluntary.  To that end, the NPRM explains:

  • what an employee wellness program is;
  • what it means for an employee wellness program to be voluntary;
  • what incentives employers may offer as part of a voluntary employee wellness program; and
  • what requirements apply concerning notice and confidentiality of medical information obtained as part of voluntary employee wellness programs.


Each of these parts of the NPRM is briefly discussed below.


What is an employee wellness program?
In general, the term “wellness program” refers to a program or activity offered by an employer to encourage its employees to improve their health and to reduce overall health care costs.  For instance, one program might encourage employees to engage in healthier lifestyles, such as exercising daily, making healthier diet choices, or quitting smoking.  Another might obtain medical information from them by asking them to complete health risk assessments or undergo a screening for risk factors. 


The NPRM defines wellness programs as programs that are reasonably designed to promote health or prevent disease.  To meet this standard, a program must have a reasonable chance of improving the health of, or preventing disease in, its participating employees.  The program also must not be overly burdensome, a pretext for violating anti-discrimination laws, or highly suspect in the method chosen to promote health or prevent disease.


How is voluntary defined?
The NPRM contains several requirements that must be met in order for participation in wellness programs to be voluntary.  Specifically, employers may not:

  • require employees to participate in a wellness program;
  • deny or limit coverage or particular benefits for non-participation in a wellness program; or
  • take any adverse action against employees for non-participation in a wellness program or failure to achieve certain health outcomes. 


Additionally, for wellness programs that are part of a group health plan, employers must provide a notice to employees clearly explaining what medical information will be obtained, how it will be used, who will receive it, restrictions on its disclosure, and the protections in place to prevent its improper disclosure.


What incentives may you offer?
The NPRM clarifies that the offer of limited incentives is permitted and will not render wellness programs involuntary.  Under the NPRM, the maximum allowable incentive employers can offer employees for participating in a wellness program, or for achieving certain health results, is 30% of the total cost of coverage for the employees who participate in it.  The total cost of coverage is the amount that the employer and the employee together pay, not just the employee’s share of the cost.  The maximum allowable penalty employers may impose on employees who do not participate in the wellness program is the same.


What about confidentiality?
The NPRM does not change any of the exceptions to the confidentiality provisions in the EEOC’s existing ADA regulations.  It does, however, add a new subsection that explains that employers may only receive information collected by wellness programs in aggregate form that does not disclose, and is not likely to disclose, the identity of the employees participating in it, except as may be necessary to administer the plan. 


Additionally, for a wellness program that is part of a group health plan, the health information that identifies an individual is “protected health information” and therefore subject to HIPAA.  HIPAA mandates that employers maintain certain safeguards to protect the privacy of such personal health information and limits the uses and disclosure of it.


Keep in mind that the NPRM revisions discussed above only clarify the EEOC’s stance regarding how employers can use financial incentives to encourage their employees to participate in employer wellness programs without violating the ADA.  They do not relieve employers of their obligation to ensure that their wellness programs comply with other anti-discrimination laws as well.


Is This The Law?
The NPRM is just a notice that alerts the public that the EEOC intends to revise its ADA regulations and interpretive guidance as they relate to employer wellness programs.  It is also an open invitation for comments regarding the proposed revisions.  Anyone who would like to comment on the NPRM must do so by June 19, 2015.  After that, the EEOC will evaluate all of the comments that it receives and may make revisions to the NPRM in response to them.  The EEOC then votes on a final rule, and once it is approved, it will be published in the Federal Register.


Since the NPRM is just a proposed rule, you do not have to comply with it just yet.  But our advice is that you bring your wellness program into compliance with the NPRM for a few reasons.  For one, it is very unlikely that the EEOC, or a court, would fault you for complying with the NPRM before the final rule is published.  Additionally, many of the requirements set forth in the NPRM are already required under currently existing law.  Thus, while waiting for the EEOC to issue its final rule, at the very least you should make sure that you do not:


  • require employees to participate in wellness programs;
  • deny health insurance coverage to employees for non-participation in wellness programs; or
  • take adverse employment action against employees for non-participation in wellness programs or for failure to achieve certain health outcomes.


In addition, you should provide reasonable accommodations to employees with disabilities to enable them to participate in wellness programs and obtain any incentives offered (e.g., if an employer has a deaf employee and attending a diet and exercise class is part of its wellness program, the employer should provide a sign language interpreter to enable the deaf employee to participate in the class).  You should also ensure that any medical information collected is maintained in a confidential manner.

ACA Information Reporting Creates Data Privacy and Security Issues

March 12 - Posted at 2:01 PM

During this year, businesses will be hearing a lot about the Affordable Care Act’s (ACA’s) information reporting requirements under Code Sections 6055 and 6056. Information gathering will be critical to successful reporting, and there is one aspect of that information gathering which employers might want to take action on sooner rather than later: collecting Social Security numbers (SSNs), particularly when required to do so from the spouses and dependents of their employees. There are, of course, ACA implications for not taking this step, as well as data privacy and security risks for employers and their vendors.


Under the ACA, providers of “minimum essential coverage” (MEC) must report certain information about that coverage to the Internal Revenue Service (IRS), as well as to the persons receiving that MEC. Employers that sponsor self-insured group health plans are providers of MEC for this purpose, and in the course of meeting the reporting requirements they must collect and report SSNs to the IRS. That mandate requires those employers (or vendors acting on their behalf) to transmit to the IRS the SSNs of employees and of their spouses and dependents covered under the plan, unless the employers either (i) exhaust the reasonable collection efforts described below, or (ii) meet certain requirements for limited reporting overall.


Obviously, employers are familiar with collecting, using and disclosing employee SSNs for legitimate business and benefit plan purposes. Collecting SSNs from spouses and dependents will be an increased burden, creating more risk for employers, given the increased amount of sensitive data they will be handling, and possibly for vendors working on their behalf. The reporting rules permit an employer to use a dependent’s date of birth only if the employer was not able to obtain the SSN after “reasonable efforts.” For this purpose, reasonable efforts means the employer was not able to obtain the SSN after an initial attempt and two subsequent attempts.

From an ACA standpoint, employers with self-insured plans that have not collected this information should be engaged in these efforts during the year (2015) to ensure they are ready either to report the SSNs, or the DOBs. At the same time, collecting more sensitive information about individuals raises data privacy and security risks for an organization regarding the likelihood and scope of a breach. Some of those risks, and steps employers could take to mitigate those risks, are described below.


  • Determine whether the information is subject to HIPAA. Employers will need to consider whether this information, collected for ACA group health plan reporting requirements, is protected health information under HIPAA (PHI) or within the HIPAA “employment records” exception.


  • Implement appropriate safeguards.  For an employer that determines the information collected for this purpose is PHI, it will need to ensure the appropriate steps are taken under the HIPAA privacy and security rules. Either way, employers need to take steps to safeguard this data. A number of states, such as California, Connecticut, Florida, Maryland, Massachusetts, New York and Oregon, require that reasonable safeguards be in place to protect such information. Examples of good practices include: (i) design forms to collect only the information needed; (ii) direct responses to the requests for the information to a single location; (iii) if collected online, make sure the connection is secure, meaning the form is served and submitted only over HTTPS (TLS); (iv) limit who has access to the information; and (v) after the information is captured and input, destroy all copies of the information other than as needed for appropriate documentation.


  • Ensure your vendors will protect this information. The IRS reporting regulations permit the use of third party vendors to assist employers in the reporting process. Whether the vendor is a “business associate” under HIPAA or a third-party service provider under state law, employers should be sure the vendor is contractually bound to maintain and implement appropriate privacy and security practices, including data breach preparedness.
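As an added example, not code from the original post or from any vendor it mentions, the following Python module shows the two mechanics described above in working form: counting SSN requests so that a date of birth is used only after the initial request and two follow-ups, and handling the SSN itself so that only the last four digits survive in logs, string representations and post-filing documentation. The class and method names are my own choices, the sample people are constructed, and the format check encodes the Social Security Administration's issuance rules (no area 000, 666 or 900-999, no group 00, no serial 0000) as an assumption the post itself does not state. The example counts attempts only; any timing the IRS rules attach to those attempts is outside what the post describes and outside this code.

```python
"""Added example (not code from the original post): "reasonable efforts"
tracking for ACA Section 6055 SSN collection, plus data-minimisation
handling of the SSN once it has been collected."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple
import re

# The post describes reasonable efforts as an initial request plus two
# follow-ups.  This example counts attempts only; any timing the IRS
# rules attach to them is outside what the post describes.
MAX_ATTEMPTS = 3

# Format check (assumption of this example, not the post): the SSA never
# issues area 000, 666 or 900-999, group 00, or serial 0000.
SSN_RE = re.compile(r"^(?!000|666|9)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")
# Dashed SSNs embedded in free text (log lines, e-mail bodies, notes).
SSN_IN_TEXT = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")


def normalize_ssn(raw: str) -> str:
    """Return the SSN as nine digits, or raise ValueError if it cannot be valid."""
    candidate = raw.strip()
    if not SSN_RE.match(candidate):
        raise ValueError("value is not a validly formatted SSN")
    return candidate.replace("-", "")


def redact(text: str) -> str:
    """Mask dashed SSNs in free text down to their last four digits."""
    return SSN_IN_TEXT.sub(lambda m: "***-**-" + m.group(1), text)


@dataclass
class CoveredIndividual:
    """A spouse or dependent covered under a self-insured plan (constructed data)."""
    name: str
    dob: date
    requests: List[date] = field(default_factory=list)  # dates the SSN was requested
    ssn_last4: Optional[str] = None   # all that is kept for documentation
    _ssn: Optional[str] = None        # full SSN, held only until the return is filed

    def record_request(self, when: date) -> int:
        """Log one SSN request and return how many have been made so far."""
        self.requests.append(when)
        return len(self.requests)

    def record_ssn(self, raw: str) -> None:
        """Validate and store an SSN supplied by the employee or dependent."""
        self._ssn = normalize_ssn(raw)
        self.ssn_last4 = self._ssn[-4:]

    def reporting_identifier(self) -> Tuple[str, str]:
        """Identifier for the return: the SSN if held, the DOB only after reasonable efforts."""
        if self._ssn:
            return ("ssn", self._ssn)
        if len(self.requests) >= MAX_ATTEMPTS:
            return ("dob", self.dob.isoformat())
        raise LookupError(
            f"{len(self.requests)} of {MAX_ATTEMPTS} requests made; DOB may not be used yet"
        )

    def scrub_after_filing(self) -> None:
        """Destroy the full SSN once reported; only ssn_last4 remains for documentation."""
        self._ssn = None

    def __repr__(self) -> str:
        # Keep the full SSN out of logs, tracebacks and debugger output.
        return (f"CoveredIndividual(name={self.name!r}, "
                f"ssn=***-**-{self.ssn_last4 or '????'}, requests={len(self.requests)})")


if __name__ == "__main__":
    # Constructed sample data, not real people.
    child = CoveredIndividual("Sam Dependent", date(2010, 4, 2))
    for when in (date(2015, 1, 15), date(2015, 3, 1), date(2015, 6, 1)):
        child.record_request(when)
    print(child, child.reporting_identifier())   # DOB is permitted after three requests
    spouse = CoveredIndividual("Lee Spouse", date(1980, 1, 1))
    spouse.record_ssn("123-45-6789")
    print(spouse, spouse.reporting_identifier()[0])
    print(redact("Received SSN 123-45-6789 for Lee Spouse"))
```

The full SSN lives in one attribute that the reporting step reads and `scrub_after_filing` destroys, so the "destroy all copies other than as needed for documentation" practice reduces to a single call rather than a search through spreadsheets and mailboxes; `redact` is what the intake mailbox or ticketing integration should run over free text before it is stored.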


Employers navigating ACA compliance and reporting requirements have many issues to consider. How personal information or protected health information is safeguarded in the course of those efforts is one more important consideration.

HHS Enhanced Enforcement of HIPAA Rules Is On The Horizon

May 21 - Posted at 4:22 PM

Under the 2013 revisions to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, employers must update their health information disclosure policies and retrain employees to ensure compliance.

 

The Department of Health and Human Services (HHS) issued the new HIPAA regulations on January 25, 2013, to execute major changes that were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) as well as the Genetic Information Nondiscrimination Act (GINA).

 

New Requirements for Business Associates

 

HIPAA regulations previously covered, in general terms, any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants. Under the new regulations, business associate status is triggered when a vendor “creates, receives, maintains, or transmits” protected health information (PHI).

 

The key addition in this part of the regulation is the word “maintains”: any entity that maintains PHI on behalf of a covered entity, even if no access to that information is required or expected, will now be considered a business associate.

 

This change has some important consequences for group health plans that rely on cloud storage as a repository for their PHI or that outsource information-technology support and other functions and do not have business associate agreements (BAAs) with such vendors.

 

If you give PHI to a vendor before a BAA is in place, you will be in violation of HIPAA, and if you are a vendor, you cannot receive PHI without a compliant BAA in place. In either role, the compliant BAA must come first.

 

Another change is that a business associate must now enter into its own BAA (a sub-BAA) with any agents or subcontractors it retains to help with covered functions for an employer-sponsored health plan. Plan sponsors should include BAA language stating that a business associate cannot subcontract work without prior permission, and should then monitor compliance with those agreements.

 

Presumption of PHI Breach Introduced

 

Under the previous rules, an impermissible use or disclosure of PHI, including electronic PHI, was a breach only if it posed a significant risk of harm to the individual. HHS included in the new rules a presumption that any impermissible use or disclosure of PHI is a breach, subject to the breach-notification rules.

Under the new rules, the only way now to get out of this presumption is by a demonstration that there is a low probability that the PHI was compromised. 

 

To demonstrate low probability, the health plan or business associate must perform a risk assessment of at least the following four factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

The HHS has indicated that it expects these risk assessments to be thorough and completed in good faith and to reach reasonable conclusions. If the risk assessment does not find a low probability that PHI has been compromised, then breach notification is required.

 

Action Advised for 2013

 

While the new regulations bring certainty to employer-sponsored health plans and their business associates on HIPAA compliance issues, they also emphasize the department’s intention to subject business associates and their subcontractors to heightened scrutiny.

 

Employers should review and revise their BAAs to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors. Employers should also review and revise (or create) breach-notification procedures that detail how a risk assessment will be conducted. It is also important to train employees who have access to PHI on these updated policies and procedures.

 

The final regulations take effect September 23, 2013 and the HHS has provided another one-year transition period for some covered entities and their business associates that had a BAA in place on January 1, 2013.  HHS also published an updated version of a template BAA, but it does not address all the unique situations that may arise between a covered entity and a business associate. Employers should ultimately ensure that their business associate agreements are appropriately tailored to their individual circumstances and business needs.

© 2022 Administrators Advisory Group, Inc. All Rights Reserved