- The U.S. Equal Employment Opportunity Commission released this morning final rules to clarify how the American with Disabilities Act (ADA) and the Genetic Information Nondiscrimation Act (GINA) apply to employer wellness programs.
- The two rules provide guidance to both employers and employees about how workplace wellness programs can comply with the ADA and GINA consistent with provisions governing wellness programs in the HIPAA, as amended by the ACA.
- The final rules, which will go into effect next year, apply to all workplace wellness programs, including those in which employees or their family members may participate without also enrolling in a particular health plan.
The rules come in the wake of a report from research firm IBISWorld last year that stated corporate wellness vendors are on track to become a $12 billion industry by 2020. With employers increasingly utilizing these vendors' wellness programs, pushback had emerged from some employees and privacy experts over employees being asked to share health data with companies that may or may not be bound by HIPAA who may potentially use or share the data with other vendors for other purposes.
Thanks to differing instructions between the ACA and the law outlined in the American with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), employers were stuck in a regulatory mire. The ACA encourages employers to offer incentives for participating in certain wellness programs. But the EEOC had been suing companies over wellness policies that supposedly violated the ADA due to "unlawful" penalization of employees who opted out of the same wellness programs the ACA encouraged.
Both the ADA and GINA generally prohibit employers from obtaining and using information about employees' own health conditions or about the health conditions of their family members, including spouses. Both laws, however, allow employers to ask health-related questions and conduct medical examinations, such as biometric screenings to determine risk factors, if the employer is providing health or genetic services as part of a voluntary wellness program.
The final rules permit wellness programs to operate consistently with their stated purpose of improving employee health, while including protections for employees against discrimination.
Both rules seek to ensure wellness programs actually promote good health and are not just used to collect or sell sensitive medical information about employees and family members or to impermissibly shift health insurance costs to them.
The final EEOC rules are outlined below.
The ADA rule
- Corporate wellness programs that ask questions about employee health or include medical examinations can only offer incentives up to 30% of the total cost of self-only coverage.
- It also specifies that employers must give participating employees a notice that explains what information will be gathered in a wellness programs, who will see it and for what purpose.
The GINA rule
- Maximum incentive for having a spouse participate may not pass 30% of the total cost of self-only coverage, either.
- Incentives for spouses are allowed for health assessments, biometric screenings, and questions about current health status, but are not allowed if tied to questions about family history or genetic tests.
- The rule bars exchanges of "current or past health status information" of employees' children for incentives altogether.
Both final rules state “information from wellness programs may be disclosed to employers only in aggregate terms.”
In March, an HHS blog post listed four main points on how wellness information must be protected under HIPAA:
- A prohibition against employers using or disclosing members' health data for employment-related actions or anything not specifically allowed by HIPAA, such as marketing.
- A requirement that these programs establish firewalls or other security measures to ensure the data can not be accessed for employment functions, for example, by a supervisor making job decisions.
- A requirement that any program that uncovers an unauthorized use or disclosure of protected data by the employer notify the affected individuals and HHS in accordance with the HIPAA Breach Notification Rule.
- Ramifications for those entities that fail to comply, which can include investigations into potential violations, corrective action, and civil penalties of "up to $50,000 or more" for each violation, and as much as $1.5 million per calendar year for multiple violations of the same provision.